WikiLeaks Document Release http://wikileaks.org/wiki/CRS-RS22363 February 2, 2009 Congressional Research Service Report RS22363 Federal Voluntary Voting System Guidelines: Issues Eric A. Fischer, Resources, Science, and Industry Division October 6, 2008 Abstract. The federal Voluntary Voting System Guidelines (VVSG) are a set of technical standards for voting systems that use computers to assist in recording or counting votes. The first version went into effect in December 2007, and a draft second version has been developed. The VVSG replaced the federal voluntary Voting Systems Standards (VSS). The 2005 VVSG are a partial revision of the VSS, with revision focused mainly on accessibility, usability, and security. The 2007 draft is a complete rewrite. Several issues have been raised about the VVSG that may require congressional attention. Among them is the question of timing. Some vendors claim that there needs to be more time for technology development before the new guidelines become effective; some activists argue that problems with voting systems, and federal requirements, demand more rapid implementation of the VVSG. The new guidelines did not have much direct impact on voting systems used in 2006. One exception was provisions relating to paperballot audit trails, which several states now require to be used in conjunction with electronic voting machines such as touchscreen systems. Like the VSS, the VVSG are voluntary, but some observers believe that a regulatory approach would be more appropriate given the importance of elections to the democratic process. However, since many states require that voting systems be certified, vendors are expected to treat the VVSG in the same way they have treated the VSS - as effectively mandatory. ¢ ¢ ¢ http://wikileaks.org/wiki/CRS-RS22363 ¢ Prepared for Members and Committees of Congress ¢ ¢ ¢ The federal Voluntary Voting System Guidelines (VVSG) are a set of technical standards for voting systems that use computers to assist in recording or counting votes. The first version went into effect in December 2007, and a draft second version has been developed. The VVSG replaced the federal voluntary Voting Systems Standards (VSS). The 2005 VVSG are a partial revision of the VSS, with revision focused mainly on accessibility, usability, and security. The 2007 draft is a complete rewrite. Several issues have been raised about the VVSG that may require congressional attention. Among them is the question of timing. Some vendors claim that there needs to be more time for technology development before the new guidelines become effective; some activists argue that problems with voting systems, and federal requirements, demand more rapid implementation of the VVSG. The new guidelines did not have much direct impact on voting systems used in 2006. One exception was provisions relating to paper-ballot audit trails, which several states now require to be used in conjunction with electronic voting machines such as touchscreen systems. Like the VSS, the VVSG are voluntary, but some observers believe that a regulatory approach would be more appropriate given the importance of elections to the democratic process. However, since many states require that voting systems be certified, vendors http://wikileaks.org/wiki/CRS-RS22363 are expected to treat the VVSG in the same way they have treated the VSS--as effectively mandatory. ¢ ¢ The Relationship Between the VVSG and the Federal Voting Systems Standards (VSS) .............. 1 How the VVSG Are Used................................................................................................................. 2 Subjects Addressed in the VVSG ..................................................................................................... 2 Major Policy Issues about the VVSG............................................................................................... 3 Author Contact Information ............................................................................................................ 6 http://wikileaks.org/wiki/CRS-RS22363 ¢ ¢ T he Help America Vote Act of 2002 (HAVA, P.L. 107-252) established the federal Election Assistance Commission (EAC) and gave it the responsibility to develop and update a set of Voluntary Voting System Guidelines (VVSG). It established the Technical Guidelines Development Committee (TGDC), chaired by the director of the National Institute of Standards and Technology (NIST), to develop recommended guidelines for consideration by the EAC. The VVSG are a set of technical standards for voting systems that use computers to assist in recording or counting votes. Systems covered include most used in the United States--not only DREs (direct recording electronic systems) such as touchscreen voting machines, but also optical scan and punch card systems. Hand-counted paper-ballot and lever-machine systems, which do not involve computers, are not covered. However, they are used by a small and decreasing number of election jurisdictions. The first version of the VVSG was approved in 2005 and is therefore called the 2005 VVSG in this report. It went into effect in December 2007. A draft of the completely rewritten second version was made available for public comment on October 31, 2007, at http://www.eac.gov/vvsg. That comment period closed in May 2008. http://wikileaks.org/wiki/CRS-RS22363 ¢ The VVSG replaced the federal voluntary VSS originally developed under the auspices of the Federal Election Commission (FEC). The VSS, which remained in effect until the end of 2007, were developed in response to concerns raised in the 1970s and 1980s about the then largely unregulated voting technology industry. Congress directed the FEC to study the matter but did not establish the VSS specifically by statute (see CRS Report RS21156, Federal Voting Systems Standards and Guidelines: Congressional Deliberations, for more detail). The first version of the VSS was released in 1990, and a testing and certification program began in 1994 under the auspices of the National Association of State Election Directors (NASED). The VSS and the NASED certification program are widely credited with having greatly improved the performance of voting systems in several areas, such as reliability and accuracy. The FEC began a project to update the VSS in 1997 and approved the second version in May 2002, while Congress was debating HAVA. Enacted in October 2002, HAVA provided a statutory basis for the VSS, which the act renamed guidelines, to distinguish them from the act's voting system requirements, which it called standards. HAVA also provided an administrative structure under the EAC for promulgating the guidelines and certifying systems, and also directed NIST to assist in the certification process. Most sections of the 2005 VVSG are virtually identical to those in the 2002 update of the VSS. Major revision focused on usability, accessibility for persons with disabilities, and security; those sections were completely rewritten. The decision to limit the scope of revision resulted from a desire to meet urgent needs while creating a version that could be used in preparation for the 2006 election cycle. HAVA's accessibility requirements went into effect in January 2006, and many states have adopted new security requirements for voting systems, including paper-audit-trail requirements, in the wake of controversies that emerged subsequent to the passage of HAVA (see CRS Report RL33190, The Direct Recording Electronic Voting Machine (DRE) Controversy: FAQs and Misperceptions). The 2007 draft VVSG have been completely rewritten. ¢ ¢ The 2005 VVSG provide a set of specifications and requirements to be used in the development of computer-assisted voting systems and their certification-testing by independent laboratories. The guidelines include descriptions of functional requirements and performance standards, as well as requirements for vendors in quality assurance and in configuration management, which involves ensuring that a system functions in specified ways under various modifications and throughout its life cycle. They provide details of the testing process for certification of voting systems, and also include suggested practices for election officials in some areas covered by the guidelines, and discussion of verification concepts for future design of voting systems. The guidelines are aimed at a broad audience, but most specifically at vendors, testing laboratories, and election officials. Their use is voluntary at the federal level, but many states require that any new voting systems used in the state adhere to them or to state standards that incorporate similar specifications. The practical effect of such state requirements is that voting system vendors can successfully market systems only if they are certified under the VSS or VVSG. In this sense, the provisions have acquired some of the force of regulation, in that they are treated http://wikileaks.org/wiki/CRS-RS22363 by manufacturers as requirements. Nevertheless, HAVA specifically exempts states from being required to adhere to the VVSG as a condition for receipt of payments to meet HAVA requirements. Consequently, when a company develops a new voting system, it typically uses the VVSG as a source of specifications to which the system must adhere. When the vendor submits the system to an independent laboratory for certification, the laboratory uses the VVSG as a source of standards against which it tests the system. The system may also need to be certified against state standards to the extent that they differ from the federal guidelines. State officials may then use the VVSG in their state-level certification tests of systems they are considering for acquisition. Private citizens who might wish to test voting systems cannot ordinarily do so because of contractual restrictions imposed by the vendors. While adherence to some specifications can be assessed by knowledgeable citizens when they vote, many provisions can be assessed only in a laboratory. HAVA does not specifically direct the EAC to include any particular issues in the guidelines. However, in the debate on the House floor before passage of the HAVA conference agreement on October 10, 2002, a colloquy (Congressional Record, daily ed., 148: H7842) stipulated an interpretation that the guidelines specifically address the usability, accuracy, security, accessibility, and integrity of voting systems. Also, the act requires NIST to provide support to the TGDC for development of guidelines relating to security, voter privacy, human factors, remote voting, and fraud detection and prevention. HAVA establishes specific requirements for voting systems, but leaves methods of implementation to the states. The EAC is required to provide guidance for implementing the requirements, but the guidance is not a technical standard and its use is also voluntary. The act is largely silent on the relationship between the VVSG and those requirements, which stipulate that voting systems must provide for auditability, accessibility, and ballot verification and error correction by voters, that states must set standards for what constitutes a vote on a given system, and that machine error rates of voting systems must conform to the standards set in the ¢ ¢ guidelines. This last is the only direct connection in the act between the requirements and the VVSG, but in practice, the specifications in the guidelines clearly need to conform to the HAVA voting system requirements. The VVSG cover largely the same topics as did the VSS. They include the following: · The functional capabilities a voting system is expected to have. These fall into several categories, including security, accuracy, error recovery, system integrity, auditing, election management, human factors, vote tabulation and reporting, telecommunications, data retention, ballot preparation and control, voting, maintenance, transportation, and storage. · Performance, physical, design, construction, and maintenance requirements for hardware, from printers to voting devices to paper ballots to back-office computer equipment. · Requirements for software, including design and coding, data and document retention, audit record data, and vote secrecy for DREs. http://wikileaks.org/wiki/CRS-RS22363 · Telecommunications requirements for operation and reporting election results, including performance, design, and maintenance characteristics. · Essential security capabilities, including controls to minimize errors and accidents, protect from malicious manipulation, identify fraudulent or erroneous changes, and protect voting secrecy. · Requirements for voter-verified paper trails (VVPAT) used in conjunction with DREs (this is new in the VVSG). · Requirements for quality-assurance programs and configuration management throughout a voting system's life cycle. · Suggested best practices for election officials with respect to usability and security requirements. · Suggested specifications for a class of vote-verification systems (which includes VVPAT) that produce at least two separate, independent ballot records that voters can verify before casting and that can be compared in a post-election audit. · The certification testing process, including planning, testing sequence, specific tests required, exemptions (such as unaltered commercial off-the-shelf software), and vendor requirements. ¢ Several issues have been raised about the VVSG that may require congressional attention. Among them are the following: The degree to which the guidelines are voluntary. HAVA makes the standards voluntary at the federal level and did not give the EAC regulatory authority, but vendors have usually treated the VSS as mandatory because of state requirements. Nevertheless, some observers believe that adherence should be mandatory or at least a condition of receiving any federal grants for voting equipment. Others state that mandatory standards would give too large a role to the federal ¢ ¢ government and reduce the flexibility of state and local governments to respond to their specific needs. What standards can and cannot do. Standards can address only issues that were considered by the developers of those standards, and the way that they are developed and implemented can also affect the way issues are addressed. The VSS and its certification process were criticized for not anticipating the kinds of security weaknesses with DREs that have been discovered in some certified systems, and for limiting testing of systems to controlled laboratory conditions rather than realistically simulated election conditions. The 2005 VVSG strengthened the security requirements, and the 2007 draft completely rewrote them. The 2005 version did not address the second criticism, but the 2007 draft would require more realistic testing. Development and implementation of the VVSG. The development of standards can involve lengthy deliberations under the best of circumstances, and HAVA may have exacerbated that characteristic by creating a complex process for the development of the VVSG. HAVA does not specify an updating cycle for the guidelines, but international standards are often updated on a three- to five- year cycle. Some observers believe that a four-year development cycle is desirable, to permit systems to be used for two federal election cycles without requiring recertification. Others have http://wikileaks.org/wiki/CRS-RS22363 criticized the process for development of the VVSG as being too slow and cumbersome. There appears to be an inherent conflict in responsiveness of the guidelines to, on the one hand, evolving needs and technology and, on the other, time and cost constraints inherent in responding appropriately to such changes. Achieving the right balance is likely to be difficult. Funding has also been an issue. Although HAVA requires NIST to assist in the development of the VVSG and the certification process, it did not authorize any funding specifically for that purpose. Appropriations legislation has been addressing that gap by specifying EAC funds to be transferred to NIST for their support activities. However, funding for the EAC was authorized only through FY2005, and some observers have called for abolishing the EAC. Certification process. The development of plans for certification testing has also raised issues. Some observers believe that the public trust would best be served by open certification testing, whereas others believe that the release of proprietary vendor information that would accompany such open testing would be a strong disincentive for investment and innovation by vendors, and therefore counterproductive. The process for selecting testing laboratories has also been criticized, with some observers arguing that the process does not provide sufficient independence of testing laboratories from manufacturers and creates concerns about conflicts of interest. However, it is generally recognized that the HAVA process is likely to be superior to the one it replaced, which was criticized as slow and expensive. Nevertheless, no voting systems have been certified by the EAC for use in the 2008 federal election. Until such certifications are in place, election jurisdictions around the country must rely on certifications obtained before the EAC process went into effect. VVSG revisions. The 2005 version of the guidelines partially revised the VSS, and some observers believe that the revisions should have been more comprehensive to address perceived shortcomings of the VSS. Some also believe that the added provisions are inadequate to meet accessibility, alternative language, and security needs and that broader and more stringent requirements are required. Others believe that the limited changes in the 2005 VVSG are more likely to be implementable in the short term. Still others believe that the guidelines have more new requirements for certification than is prudent for an interim document, which was intended to be followed by the more complete revision embodied in the 2007 draft. It is not clear at this point ¢ ¢ what the appropriate balance is among those and other conflicting concerns, and the question of scope is liable to remain contentious at least until the next version of the guidelines is completed and implemented. The extensive revisions in the 2007 draft could cause some states to reconsider their use of the VVSG as a basis for state certification, arguing that they have become too restrictive and costly. The EAC may need to take this kind of concern into account as it deliberates how to revise the draft. The role of the VVSG in the 2006 and 2008 federal elections. Until the VVSG went into effect in late 2007, federal certification of voting systems continued to be based on the 2002 VSS, and the next version of the VVSG will also likely go into effect about two years after they are adopted probably some time in 2009. However, state or local jurisdictions may choose to require vendors to meet some or all of the VVSG requirements sooner. That may be especially important for those jurisdictions that require a voter-verifiable paper audit trail for use with DREs. Some observers have expressed concerns that if states do not follow the VVSG in meeting the requirements, they could be judged not to be in compliance with HAVA, despite the voluntary nature of the guidelines and the stipulation in HAVA that the methods of implementation are left to states. As a result, uncertainties remain about whether systems previously acquired to meet the http://wikileaks.org/wiki/CRS-RS22363 January 2006 deadline for HAVA requirements will be deemed inadequate at some point. Voter registration. HAVA requires NIST to provide technical support for development of guidelines for the computerized statewide voter registration lists that the act mandates. There are currently no widely accepted standards for those lists. That absence has raised concerns about adequate state implementation of the requirement. The 2005 VVSG do not address voter registration, but the 2007 draft does address some aspects of those systems, especially electronic pollbooks. Use of proprietary software. Most if not all voting systems use proprietary software for which the code is not publicly available. Some of that software consists of commercial off-the-shelf (COTS) products, and some is written or modified by the vendor. Some critics argue that all software, including COTS, should be inspected during certification to ensure that it functions properly and does not have any malicious code. They say that such an approach is essential to ensure public trust. Others disagree, arguing that such an approach would stifle innovation, increase costs by prohibiting the use of most COTS software, and would not result in improved software quality. Vote verification, including voter-verified paper audit trails (VVPAT). The possible need for improved vote verification features in voting systems has become a matter of public interest because of the controversy over the security of DREs. While most public attention has been paid to VVPAT for use with DREs, other methods arguably show more promise in terms of usability, accessibility, and verification power. Some observers believe that the VVSG should require VVPAT, but others believe that the verification provided by that method is of questionable value in practice and may create unforeseen problems of its own. The trend at the state level toward requiring the use of paper ballots has also raised questions about whether such restrictions can be reconciled with HAVA accessibility requirements under the constraints imposed by current technology. Several bills have been introduced in recent Congresses that would make the use of paper ballots a federal requirement. The 2007 draft VVSG addresses this issue by requiring voting systems to be "software independent"--that is, by prohibiting the voting system from permitting the software to erroneously change the election results in an undetectable manner. Currently, the only method that would conform to this proposed requirement is the use of voter-verifiable paper ¢ ¢ records of the ballot, such as optical-scan ballots and VVPAT. The proposal has generated controversy and it is unclear what changes to it will be made in the EAC's revisions to the draft. Eric A. Fischer Senior Specialist in Science and Technology efischer@crs.loc.gov, 7-7071 http://wikileaks.org/wiki/CRS-RS22363