[E-voting] NIST recommend decertifying paperless voting machines
jm at jmason.org
Fri Dec 1 14:46:17 GMT 2006
NIST is the main standards body for the US government. This is a pretty
serious smackdown, I think.
NIST Recommends Decertifying Paperless Voting Machines
Friday December 1, 2006 by Ed Felten
In an important development in e-voting policy, NIST has issued a report
recommending that the next-generation federal voting-machine standards
be written to prevent (re-)certification of today's paperless e-voting
systems. (NIST is the National Institute of Standards and Technology,
a government agency, previously called the National Bureau of Standards,
that is a leading source of independent technology expertise in the
U.S. government.) The report is a recommendation to another government
body, the Technical Guidelines Development Committee (TGDC), which
is drafting the 2007 federal voting-machine standards. The new report
is notable for its direct tone and unequivocal recommendation against
unverifiable paperless voting systems, and for being a recommendation
of NIST itself and not just of the report's individual authors.
The key concept in the report is software independence.
A voting system is software-independent if a previously undetected
change or error in its software cannot cause an undetectable
change or error in an election outcome. In other words, it can
be positively determined whether the voting system's (typically,
electronic) CVRs [cast-vote records] are accurate as cast by the
voter or in error.
This gets to the heart of the problem with paperless voting: we can't
be sure the software in the machines on election day will work as
expected. It's difficult to tell for sure which software is present,
and even if we do know which software is there we cannot be sure it
will behave correctly. Today's paperless e-voting systems (known as
DREs) are not software-independent.
NIST does not known how to write testable requirements to make
DREs secure, and NIST's recommendation to the STS [a subcommittee
of the TGDC] is that the DRE in practical terms cannot be made
secure. Consequently, NIST and the STS recommend that [the 2007
federal voting standard] should require voting systems to be
In other words, NIST recommends that the 2007 standard should be
written to exclude DREs.
Though the software-independence requirement and condemnation of DREs as
unsecureable will rightly get most of the attention, the report makes
three other good recommendations. First, attention should be paid to
improving the usability and accessibility of voting systems that use
paper. Second, the 2007 standard should include high-level discussion
of new approaches to software independence, such as fancy cryptographic
methods. Third, more research is needed to develop new kinds of voting
technologies, with special attention paid to improving usability.
Years from now, when we look back on the recent DRE fad with
what-were-we-thinking hindsight, we'll see this NIST report as a
More information about the E-voting