1 / 10

Auditability and VVSG 2.0

Auditability and VVSG 2.0. David Flater, Ph.D. Computer Scientist, Software and Systems Division, ITL http://vote.nist.gov. Rev. 2011-12-08. The story so far. From Independent Verification Systems (IV) to Software Independence (SI) Pushback on SI in VVSG 2.0 Alternatives to SI

kelda
Télécharger la présentation

Auditability and VVSG 2.0

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Auditability and VVSG 2.0 David Flater, Ph.D. Computer Scientist, Software and Systems Division, ITL http://vote.nist.gov Rev. 2011-12-08

  2. The story so far From Independent Verification Systems (IV) to Software Independence (SI) Pushback on SI in VVSG 2.0 Alternatives to SI Auditability Working Group (AWG) Report of the Auditability Working Group 5 options, no silver bullet Question referred back to the TGDC

  3. What went right in 2007 TGDC compromise in 2007 VVSG 2.0, requiring: Auditability comparable to optical scan Accessibility comparable to paperless DRE Specified as performance requirements: Errors must be detectable [via certain kinds of evidence] Voting and verification must be accessible

  4. Pushback on VVSG 2.0 Systems conforming to the VVSG 2.0 (simultaneously auditable and accessible) seemed feasible, but did not yet exist Electronically-assisted ballot markers (EBMs) were not as accessible as paperless DREs For VVPAT, accessible verification from paper not supported Accessibility advocates feared that states would simply take the DREs away, reducing accessibility No clear certification path for paperless systems The innovation class approach tried (failed) to give people confidence that there was a certification path for paperless voting systems Later decision that the SI requirement would be waived for innovation class systems was inconsistent with the VVSG

  5. Standards Board and Board of Advisors Did not want federal mandate for paper ballots Said SI contradicts the accessibility mandate of HAVA Election Technology Council Said "Procedures can easily mitigate both perceived and real threats" in software-dependent systems Pushback on VVSG 2.0

  6. What has changed There now exists at least one EBM device (a version of ImageCast*) that provides accessibility as good as a DRE, and is SI Auto-cast: not paperless, but avoids accessibility problem of need to handle paper ballots Verification read from the ballot of record More states mandate paper ballots DRE market shrinking; innovation in paperless voting within the U.S. focusing on UOCAVA * Commercial equipment is identified in order to cite an example. In no case does such identification imply recommendation or endorsement by NIST, nor does it imply that the equipment identified is necessarily the best available for the purpose.

  7. Remaining part of the problem Although we now have an implementation that satisfies both the accessibility and auditability requirements, there are still concerns about the consequences of having a VVSG that does not include a clear certification path for paperless voting systems Currently, various paperless approaches are satisfactory to different experts, but there is none that satisfies a majority Ideally, when a better approach came along, the VVSG would be revised quickly to keep pace with technology However, there is fear of VVSG 2.0 causing a chilling effect preventing innovative paperless systems from being developed

  8. Remaining part of the problem The VVSG should enable the certification of a good enough (auditable and accessible) paperless system, but no known paperless approach is considered good enough by any majority now Requirements cannot be validated for unknown unknowns; hence, they are probably over- or under-constrained for future innovative systems Divisions over which is worse Over-constrained: auditable paperless systems cannot conform Under-constrained: non-auditable systems do conform

  9. Next steps Goal: TGDC to recommend some objective, technology-independent requirements for auditability (which are consistent with accessibility) Use 2007 VVSG 2.0 + fix-ups as the starting point The high-level goal is auditability + accessibility Paper records + accessible voting + accessible verification of the ballot of record suffices (safe haven) Reconvene AWG to refine the requirements to make them more objective, but avoid analysis paralysis Revisit and discuss what should be done about the potential chilling effect on paperless systems Innovation class vs. VVSG interpretation and maintenance

  10. Discussion/Questions Page 10

More Related