[E-voting] NIST recommend decertifying paperless voting machines

Justin Mason jm at jmason.org
Fri Dec 1 14:46:17 GMT 2006

NIST is the main standards body for the US government.  This is a pretty
serious smackdown, I think.



  NIST Recommends Decertifying Paperless Voting Machines
  Friday December 1, 2006 by Ed Felten

  In an important development in e-voting policy, NIST has issued a report
  recommending that the next-generation federal voting-machine standards
  be written to prevent (re-)certification of today's paperless e-voting
  systems. (NIST is the National Institute of Standards and Technology,
  a government agency, previously called the National Bureau of Standards,
  that is a leading source of independent technology expertise in the
  U.S. government.) The report is a recommendation to another government
  body, the Technical Guidelines Development Committee (TGDC), which
  is drafting the 2007 federal voting-machine standards. The new report
  is notable for its direct tone and unequivocal recommendation against
  unverifiable paperless voting systems, and for being a recommendation
  of NIST itself and not just of the report's individual authors.

  The key concept in the report is software independence.

      A voting system is software-independent if a previously undetected
      change or error in its software cannot cause an undetectable
      change or error in an election outcome. In other words, it can
      be positively determined whether the voting system's (typically,
      electronic) CVRs [cast-vote records] are accurate as cast by the
      voter or in error.

  This gets to the heart of the problem with paperless voting: we can't
  be sure the software in the machines on election day will work as
  expected. It's difficult to tell for sure which software is present,
  and even if we do know which software is there we cannot be sure it
  will behave correctly. Today's paperless e-voting systems (known as
  DREs) are not software-independent.

      NIST does not know how to write testable requirements to make
      DREs secure, and NIST's recommendation to the STS [a subcommittee
      of the TGDC] is that the DRE in practical terms cannot be made
      secure. Consequently, NIST and the STS recommend that [the 2007
      federal voting standard] should require voting systems to be
      [software independent].

  In other words, NIST recommends that the 2007 standard should be
  written to exclude DREs.

  Though the software-independence requirement and condemnation of DREs as
  unsecureable will rightly get most of the attention, the report makes
  three other good recommendations. First, attention should be paid to
  improving the usability and accessibility of voting systems that use
  paper. Second, the 2007 standard should include high-level discussion
  of new approaches to software independence, such as fancy cryptographic
  methods. Third, more research is needed to develop new kinds of voting
  technologies, with special attention paid to improving usability.

  Years from now, when we look back on the recent DRE fad with
  what-were-we-thinking hindsight, we'll see this NIST report as a
  turning point.
