Testimony of
Mark Skall
National Institute of Standards and Technology
U.S. Department of Commerce

Before the
U.S. Election Assistance Commission

“National Institute of Standards and Technology’s Role in Voluntary Voting System Guidelines and Testing”

October 4, 2007

Introduction

Chair Davidson, Commissioners Hillman, Hunter, and Rodriguez, and assembled members of the public, thank you for the opportunity to testify today.
I will discuss NIST’s efforts in helping to produce the next iteration of the Voluntary Voting System Guidelines (VVSG) and enumerate some of the differences between this version of the VVSG and the 2005 VVSG.

HAVA

NIST plays a significant role in the Help America Vote Act (HAVA) of 2002.

HAVA tasked NIST with chairing and providing technical support to the TGDC in the development of voluntary voting system guidelines. These voluntary guidelines contain requirements for vendors when developing voting systems and for laboratories when testing whether the systems conform to, or meet, the requirements of the guidelines. The TGDC provides technical direction to NIST in the form of TGDC resolutions, and reviews and approves research material written by NIST researchers. NIST performs research for the TGDC; the TGDC is responsible for approving the guidelines and submitting them to the EAC.

Next Iteration of the VVSG

As you know, the TGDC-approved version of the first set of recommendations, in the form of voluntary voting system guidelines, was sent to the EAC in May 2005. Due to the short constraints imposed by HAVA, this first set of recommendations was built upon the strengths of the Voting System Standards of 2002, known as the 2002 VSS. The VVSG 2005 made incremental improvements to the 2002 VSS in areas where the 2002 VSS needed improvement, namely human factors, the addition of requirements for Voter Verified Paper Audit Trails (VVPAT), wireless communications, software distribution and setup validation, and the addition of a conformance section and a glossary.

NIST and the TGDC began working on the next iteration of the VVSG immediately after completing the VVSG 2005. Culminating approximately two years of concentrated effort, the TGDC voted, at its August 17, 2007 meeting, to unanimously approve the draft of the next iteration of the VVSG recommendations subject to additional final edits by NIST staff. On September 4, 2007, the final VVSG recommendations were transmitted to the Election Assistance Commission (EAC). This document was developed to address the next generation of voting equipment. It is a complete re-write of the VVSG 2005 in all areas, including usability, accessibility, security and core requirements. Members of the TGDC, with technical assistance from NIST, worked carefully and diligently to update and create numerous new requirements dealing with expanded types of voting equipment and their use in elections.

This new VVSG builds upon the VVSG 2005 but takes a fresh look at many of the requirements. The new VVSG is a larger, more comprehensive standard, and contains a more structured approach than previous standards. The requirements are structured so as to improve their clarity to vendors and their testability by testing labs. Each requirement is numbered according to a hierarchical scheme. Significant input from usability professionals has resulted in a document that is clearer and easier to read, while still maintaining its precision.

The new VVSG includes updated requirements for accessibility and, for the first time, new requirements for usability based on performance metrics and benchmarks. Usability research was conducted on different voting systems, using a diverse population of human subjects, to examine how accurately these test subjects could cast ballots. The aim was to arrive at benchmark values for various aspects of accuracy, including how many overall votes are cast correctly and how accurately all ranges of voters cast their ballots. The overall goal is not to constrain vendor design by prescribing a specific user interface that may promote greater accuracy, but rather to require a desired accuracy rate via precise performance benchmarks and thus to allow freedom in designing any user interface that meets the required accuracy rate.

The new VVSG includes a number of updated requirements dealing with voting equipment integrity and reliability. The Mean Time Between Failure reliability metric has been replaced with benchmarks used in conjunction with rigorous volume testing to simulate election conditions. The new VVSG includes upgraded software coding standards and software development practices to assist vendors in producing code that is easier to examine and test. To promote quality systems, requirements for vendors to comply with ISO 9000, an internationally recognized software quality standard, have been added. The Commercial Off-the-Shelf-Software (COTS) exemption has been narrowed, which will result in more comprehensive testing of COTS products used in voting systems.

The new VVSG includes many new requirements for improved security, in the areas of access control, cryptography, physical security, open-ended vulnerability testing, and security for electronic pollbooks. The new VVSG prohibits radio frequency wireless communications, which includes the use of wireless local area networks.

In December 2006, the TGDC approved a resolution to include requirements in the new VVSG only for those voting systems that are “software independent.” A voting system is software-independent if a previously undetected change or error in its software cannot cause an undetectable change or error in an election outcome. This means essentially that the system can be audited through the use of Independent Voter-Verified Records (IVVR) so that election fraud and errors that would result in changes to election outcomes can be reliably detected. The voting systems today that meet the requirements for software independence include paper-based IVVR systems (e.g., optical scan, VVPAT). However, requirements in the VVSG could be met by future forms of IVVR that may not include paper.

In addition, the TGDC has recognized that innovations in voting systems that could produce more usable, accessible, and reliable designs need to be encouraged. Some innovations could result in secure voting systems that do not rely on IVVR, or that use IVVR in ways that are more convenient and simple for voters and election officials to handle. To that end, the TGDC has included an Innovation Class in the new VVSG to assist in the eventual conformance of potential innovative voting system submissions.

We are aware that the EAC plans a very extensive public review period to vet these guidelines. The TGDC and staff at NIST look forward to upcoming reviews of these recommendations by the EAC, the Standards and Advisory Boards and the American public and will provide technical assistance to the EAC during this period. In just a few weeks, NIST will be conducting a training session on the VVSG for voting officials.

NIST is also developing an open, comprehensive set of test suites so that the requirements in the new VVSG can be tested uniformly and consistently by all of the testing laboratories. NIST’s development of this comprehensive set of test suites is a major undertaking and will add significantly to the confidence that voting systems laboratories are able to test voting systems correctly. Test suite development is planned to continue through 2009. NIST plans to release the tests in stages.

Conclusion

NIST is pleased to be working on this matter of national importance with our EAC and TGDC partners. NIST has a long history of writing voluntary standards and guidelines and developing test suites to help ensure compliance to these standards and guidelines. NIST is using its expertise to work with our partners to produce precise, testable voting system guidelines and tests that will reduce voting system errors and increase voter confidence, usability, and accessibility.

Thank you for the opportunity to testify. I would be happy to answer any questions you may have.



Page created November 2007
Last updated: November 29, 2007