Friday, December 01, 2006

NIST recommends paper ballots

An article by Cameron W. Barr in the Washington Post reports on a draft report on the security of electronic voting from the National Institute of Standards and Technology. A key point is that the correctness of the count should not depend on the correctness of the software.

Paperless electronic voting machines used throughout the Washington region and much of the country "cannot be made secure," according to draft recommendations issued this week by a federal agency that advises the U.S. Election Assistance Commission.

The assessment by the National Institute of Standards and Technology, one of the government's premier research centers, is the most sweeping condemnation of such voting systems by a federal agency.

In a report hailed by critics of electronic voting, NIST said that voting systems should allow election officials to recount ballots independently from a voting machine's software. The recommendations endorse "optical-scan" systems in which voters mark paper ballots that are read by a computer and electronic systems that print a paper summary of each ballot, which voters review and elections officials save for recounts...

NIST says in its report that the lack of a paper trail for each vote "is one of the main reasons behind continued questions about voting system security and diminished public confidence in elections." The report repeats the contention of the computer security community that "a single programmer could 'rig' a major election." ...

NIST says that voting systems should not rely on a machine's software to provide a record of the votes cast.

From the draft report itself:

A voting system is software-independent if a previously undetected change or error in its software cannot cause an undetectable change or error in an election outcome. In other words, it can be positively determined whether the voting system’s (typically, electronic) CVRs are accurate as cast by the voter or in error. In SI voting systems that are readily available today, the determination can be made via the use of independent audits of the electronic counts or CVRs, and independent voter-verified paper records used as the audit trail...

A voting system is software-dependent if the correctness of the election results is dependent on the correctness of the software and on whatever assurances can be obtained that the software on the voting machine is in fact the software that is supposed to be there. It is, to a much greater extent, more vulnerable to undetected programming errors or malicious code.

The most obvious example of a software-dependent voting system is the DRE, which does not produce an independent voter-verified audit trail. Therefore, audits of its electronic records cannot be against any independent evidence of the voter’s intentions as cast and as a consequence, its electronic records cannot be audited independently. The accuracy of the electronic records has to be ascertained in some other way, which in this case would be by trusting that its software is correct and has remained error-free. Verifying that this is the case is so complex as to be infeasible; current testing methods could not guarantee this...

In its research for writing requirements for electronic voting systems, NIST has investigated a broad range of issues in electronic voting. NIST has held numerous teleconferences with the TGDC and with vendors and election officials. It has visited and inspected voting system testing laboratories. NIST has worked with experts in areas such as voting system security, auditing, reliability, testing, usability, and accessibility, and has looked to other areas of IT computing for input and ideas that would be useful in a voting context (one area, gaming and state lottery systems, has many interesting overlaps with voting system issues). Because NIST is primarily an engineering-based institution, it has taken pains to learn about the realities of elections. NIST voting-team staff have volunteered as poll workers and election judges, and have observed other elections and official canvassing and counting activities.

NIST has researched many issues and irregularities in elections and, as opposed to relying solely on the press and published articles, has gone directly to those election officials involved. One conclusion drawn by NIST is that the lack of an independent audit capability in DRE voting systems is one of the main reasons behind continued questions about voting system security and diminished public confidence in elections. NIST does not know how to write testable requirements to make DREs secure, and NIST’s recommendation to the STS is that the DRE in practical terms cannot be made secure. Consequently, NIST and the STS recommend that VVSG 2007 should require voting systems to be of the SI “class,” whose readily available (albeit not always optimal) examples include op scan and DRE-VVPAT...

First, this paper repeats the definition of software-independence: A voting system is software-independent if an undetected change or error in its software cannot cause an undetectable change or error in an election outcome. Conversely, voting systems that are software-dependent have no recourse but to rely on the correctness and integrity of their software in ways that software-independent systems do not. As noted previously, determining whether complex software programs are correct is extremely difficult and in a practical sense infeasible.

It should be noted that in SI, “software” really means complex technology, which can be software implemented on hardware, e.g., burned into PROMs or built into ASICs. “Software independence” should be interpreted to really mean complex technology independence.
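To make the software-independence definition quoted above concrete, here is an added sketch (not code from the NIST draft or the article) of an audit that checks electronic CVRs against voter-verified paper records. The function names, the 1000-ballot election and the vote-flipping error are all constructed for illustration, and the fixed sample size is a simplification.

```python
import random
from collections import Counter

def tally(records):
    """Count votes per candidate from {ballot_id: choice}."""
    return Counter(records.values())

def comparison_audit(cvrs, paper, sample_size, seed):
    """Compare a random sample of electronic CVRs with the paper records.

    Returns the ballot ids whose CVR disagrees with the voter-verified paper.
    paper=None models a paperless DRE: there is no independent evidence.
    """
    if paper is None:
        raise ValueError("no independent record: CVRs can only be checked "
                         "against the software that produced them")
    rng = random.Random(seed)  # a published seed lets observers redo the draw
    sample = rng.sample(sorted(cvrs), sample_size)
    return [b for b in sample if cvrs[b] != paper.get(b)]

def audited_outcome(cvrs, paper, sample_size, seed):
    """Accept the electronic count if the sample is clean, else hand-count."""
    mismatches = comparison_audit(cvrs, paper, sample_size, seed)
    source = paper if mismatches else cvrs
    return tally(source).most_common(1)[0][0], len(mismatches)

def build_constructed_election():
    """Constructed data: 520 paper ballots for A, 480 for B."""
    paper = {i: ("A" if i < 520 else "B") for i in range(1000)}
    honest = dict(paper)              # software recorded every vote correctly
    rigged = dict(paper)
    for i in range(0, 520, 4):        # software error flips 130 A votes to B
        rigged[i] = "B"
    return paper, honest, rigged

if __name__ == "__main__":
    paper, honest, rigged = build_constructed_election()
    print("electronic winner (rigged CVRs):", tally(rigged).most_common(1)[0][0])
    print("audited outcome (honest):", audited_outcome(honest, paper, 100, 2006))
    print("audited outcome (rigged):", audited_outcome(rigged, paper, 100, 2006))
    try:
        audited_outcome(rigged, None, 100, 2006)   # software-dependent case
    except ValueError as err:
        print("paperless DRE:", err)
```

With paper records the flipped votes surface as mismatches and the hand count restores the outcome; without them the audit has nothing to compare the CVRs against.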
