US Election Assistance Commission - Voluntary Voting System Guidelines Vote

View Comments

Name :   James C. Johnson III
Organization :   N/A
Post Date :   9/9/2005

General Comments
Comment :  Simple measures such as: ensuring that after certification testing systems  
are closed and cannot be manipulated; disallowing the use of wireless  
(optical and RF) communications on Election Day; use of encryption and  
strong authentication between all communicating components was not  
required; and a written prohibition against allowing software on voting  
system equipment that it did not undergo certification testing with. These  
are examples of some of the precautions that were presented to IEEE and  
the TGDC and rejected by both without justification. I hope that the EAC  
will have the VVSG specification reviewed by security experts and the  
language within the specification strengthened in a manner that compliance  
can be easily determined and enforced.  

It is also a concern that this morning the EAC adopted certification  
procedures based on a model used by the FCC. The FCC procedures are  
inappropriate for certifying voting systems where the threat model is  
considerably different. A more appropriate starting point would have been  
standards used in the gaming and banking industries where there are  
similar threats of fraud by making changes to the data being collected  
and managed by the system. Mr. Berger’s colleague from TEM Consulting even  
pointed out that FCC does not conduct performance testing, only for RF  
emissions. It is interesting that the security measures required by these  
standards are much more stringent than the ones used for voting.  

Without access to the vendor’s source code, software escrow at NIST will  
be extremely limited in value. Counting votes is not rocket science and  
does not require complex proprietary procedures that require independent  
discovery by different vendors. Also, submitting source to NIST does not  
constitute public disclosure if this is a concern of manufacturers. By  
submitting binaries, the possibility of an outside check on the logic is  
all but eliminated.