Toward Self-Certifying Systems 

From: David RR Webber (XML)
Date: Wed Apr 29 2009 - 11:03:25 CDT

This is not just about simple certification, it is primarily about

Previously we have worked hard to achieve the acceptance
of the principle of the need for paper ballot records. This is now an
equivalent challenge that ultimately leads to legislation to bring about
change. This is also not about replacing certification per se because
ultimately certification is attempting to achieve the same thing which
is trusted election results. Rather it is establishing two alternatives,
either certified systems that meet the current EAC VVSG, or
self-certifying systems that are inherently transparent and verifiable,
as being suitable for use in elections. Legislators and administrators
can then choose which is most suitable for their local jurisdictions
(aside: no prizes for guessing which OVC would prefer!).

How do self-certifying systems differ from the current systems that
require certification? Conceptually the principle is simple, to be
self-certifying a system must allow for the independent verification of
an election result by permitting a third party to use the same records
and the same software components to replicate the same numbers, totals,
and outcomes. However there are also important caveats to this to
ensure that the need to meet legal requirements for privacy particularly
are maintained. We have reached a point of maturity of understanding
where this can now all be quantified and detailed as a prelude to
legislative action next.

Defining a self-certifying system therefore includes the following:

1) Uses COTS hardware components that are already ISO9001 and MILSPEC
 (or equivalent) conformant. The principle here is that if the
 equipment has already been tested to a significant measure of
 hardware operational requirements and reliability testing,
 there is no need to perform redundant testing because the equipment
 is COTS and will be used without modification from as originally
 approved and certified. This should include removable recording
 devices such as CD-RW media. This should also include conformance
 to exclusions, such as the VVSG ban on use of wireless communication
 capable devices. The configuration and equipment specification list
 should be made public by the supplier(s) so that the components'
 compliance claims may be independently verified.

2) Testing is not required for hardware components that are not used
 physically for the software operation that is recording the votes,
 e.g. packing boxes, privacy screens, tables, and so on.

3) Transparency of vote recording by using an accredited open public
 standard specification such as OASIS Election Markup Language (EML)
 that ensures all aspects of the officially recorded vote records,
 totals and results are documented and known.

4) Performs polling place ballot totalling and then central tabulation
 counting using COTS software that is broadly available (more than
 100,000 certified license registrations), or is available as an
 open public license with open source code from a public download
 repository, and uses recording format specifications that are
 publicly available, e.g. office products such as Microsoft Excel or
 Open Office spreadsheet software.

5) All digital artifacts used to perform the election counting and
 results should be available in a compressed archive package format
 (such as ZIP) that can be downloaded for independent verification
 purposes. Setup and use instructions then allow a third party to
 configure the equivalent COTS software as that used for the election
 itself, to perform the same calculations on their own compatible
 tabulation COTS hardware equipment.

6) The digital artifacts provided in 5) will exclude any artifacts that
 are at the precinct level such as digital copies of paper ballots, such
 as scanned images, that can compromise voter privacy. Also digital
 ballot artifacts from the precinct level will be recorded anonymously
 to preserve voter privacy (such as avoiding time stamping) but may
 contain unique random ballot numbering systems that ensure only
 approved cast ballots with matching paper ballot records are being
 included.

7) A test package and instructions will be provided for public download
 at least 30 days prior to the actual election start date to allow
 those desiring to install and verify the configuration, and also
 optionally follow results published live during the
 election itself (although this is not a requirement, only an option).

8) Any custom software written to perform the actual ballot casting
 process shall be open source and made available 90 days prior to
 the election start date on a publicly accessible download site and
 the link publicized from the election board web site. Open
 source is defined as software written in a commonly understood
 software language that is documented to the VVSG requirements for
 software coding standards (e.g. not cryptic or
 intentionally obfuscated source), along with instructions for its
 compilation, dependencies and use.

9) The EAC would be arbiter in case of election boards using systems
 that appeared to not meet self-certification and a public review
 being necessary.

Now anyone using results from self-certifying systems will be able to
replicate the totals and tallying that was officially reported in
the election results.

Also the operation of the actual ballot casting software can be examined
as desired.

Of course there is nothing to prevent certified systems providers also
publishing comparable results and making available software components
to allow independent verification. The track record of such vendors
has been the opposite however to date, and I think that speaks clearly
to the need to have self-certifying systems available.

I'm hoping members here can pick up the baton and carry this forward -
to refine as needed - with a view to actually getting this on the
statute for selected states.

Given the current economic woes, this could be a huge enabler to allow
election boards to replace expensive existing solutions with low cost
alternatives based on COTS components, saving citizens money and
creating local jobs at the same time - since current vendors are
often charging in annual maintenance alone what complete replacement
would cost with COTS!!

Thanks, DW

OVC-discuss mailing list
By sending email to the OVC-discuss list, you thereby agree to release the content of your posts to the Public Domain--with the exception of copyrighted material quoted according to fair use, including publicly archiving at
Received on Thu Apr 30 23:17:05 2009
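
The third-party re-tally described in items 5) and 6) of the message, as an added example that is not part of the original post and is not OVC code. It assumes the published ballot records are a simple CSV; the column names, ballot numbers and totals are constructed for illustration and are not taken from EML.

```python
import csv
import io
from collections import Counter

# Constructed sample data; column names are hypothetical, not from EML.
PUBLISHED_BALLOTS = """ballot_id,contest,choice
7f3a91,Mayor,Alice
c02e5d,Mayor,Bob
19bb40,Mayor,Alice
c02e5d,Mayor,Bob
e5510a,Mayor,Alice
"""
APPROVED_IDS = {"7f3a91", "c02e5d", "19bb40", "aa0001"}  # IDs with matching paper records
OFFICIAL_TOTALS = {("Mayor", "Alice"): 3, ("Mayor", "Bob"): 1}
PRIVACY_COLUMNS = {"timestamp", "cast_time", "voter_id"}  # fields that could identify a voter


def verify_package(ballots_csv, approved_ids, official_totals):
    """Re-tally published ballot records and compare with the official totals."""
    reader = csv.DictReader(io.StringIO(ballots_csv))
    leaked = sorted(PRIVACY_COLUMNS & set(reader.fieldnames or []))
    seen, duplicates, unapproved = set(), [], []
    tally = Counter()
    for row in reader:
        bid = row["ballot_id"]
        if bid in seen:              # same ballot number published twice
            duplicates.append(bid)
            continue
        seen.add(bid)
        if bid not in approved_ids:  # no matching paper ballot record
            unapproved.append(bid)
            continue
        tally[(row["contest"], row["choice"])] += 1
    mismatches = {
        key: {"official": official_totals.get(key, 0), "recomputed": tally.get(key, 0)}
        for key in set(official_totals) | set(tally)
        if official_totals.get(key, 0) != tally.get(key, 0)
    }
    return {
        "leaked_columns": leaked,
        "duplicates": duplicates,
        "unapproved": unapproved,
        "missing": sorted(approved_ids - seen),  # paper record exists, no published ballot
        "recomputed": dict(tally),
        "mismatches": mismatches,
    }


if __name__ == "__main__":
    for name, value in verify_package(PUBLISHED_BALLOTS, APPROVED_IDS, OFFICIAL_TOTALS).items():
        print(f"{name}: {value}")
```

The "missing" check goes one step beyond the message, which only asks that unapproved ballots be kept out; any non-empty finding means the published package does not reproduce the reported result.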
