ACCURATE Public Comment on the Voluntary Voting System Guidelines (VVSG), Version 1.1

PUBLIC COMMENT ON
THE VOLUNTARY VOTING SYSTEM GUIDELINES,
VERSION 1.1∗

Submitted to
The United States Election Assistance Commission
September 28, 2009

∗ This material is based upon work supported by the National Science Foundation under A Center for Correct, Usable,
Reliable, Auditable and Transparent Elections (ACCURATE), Grant Number CNS 0524745. Any opinions, findings, and
conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views
of the National Science Foundation. This public comment narrative was prepared by Aaron Burstein and Joseph Lorenzo Hall
in consultation with the ACCURATE Principal Investigators and Advisory Board Members Lillie Coney, David Jefferson, and
Whitney Quesenbery. These comments benefited from contributions by Andrew Appel, Matt Bishop, Paco Hope, Sean Peisert,
Eric Rescorla, Gregg Vanderheiden, and Ka-Ping Yee.

ACCURATE Principal Investigators

Aviel D. Rubin
ACCURATE Director
Department of Computer Science
Johns Hopkins University
rubin@cs.jhu.edu
http://www.cs.jhu.edu/~rubin/

Dan S. Wallach
ACCURATE Associate Director
Department of Computer Science
Rice University
dwallach@cs.rice.edu
http://www.cs.rice.edu/~dwallach/

Dan Boneh
Department of Computer Science
Stanford University
dabo@cs.stanford.edu
http://crypto.stanford.edu/~dabo/

Michael D. Byrne
Department of Psychology
Rice University
byrne@rice.edu
http://chil.rice.edu/byrne/

Drew Dean
Computer Science Laboratory
SRI International
ddean@csl.sri.com
http://www.csl.sri.com/users/ddean/

David L. Dill
Department of Computer Science
Stanford University
dill@cs.stanford.edu
http://verify.stanford.edu/dill/

Jeremy Epstein
Computer Science Laboratory
SRI International
jepstein@csl.sri.com
http://www.csl.sri.com/people/epstein/

Douglas W. Jones
Department of Computer Science
University of Iowa
jones@cs.uiowa.edu
http://www.cs.uiowa.edu/~jones/

Deirdre K. Mulligan
School of Information
University of California, Berkeley
dkm@ischool.berkeley.edu
http://www.ischool.berkeley.edu/people/faculty/deirdremulligan

Peter G. Neumann
Computer Science Laboratory
SRI International
neumann@csl.sri.com
http://www.csl.sri.com/users/neumann/

David A. Wagner
Department of Computer Science
University of California, Berkeley
daw@cs.berkeley.edu
http://www.cs.berkeley.edu/~daw/

Preface
A Center for Correct, Usable, Reliable, Auditable and Transparent Elections (ACCURATE),[1] a
multi-institution, interdisciplinary, academic research center funded by the National Science Foundation’s
(NSF) “CyberTrust Program,”[2] is pleased to provide these comments on the Voluntary Voting System
Guidelines Version 1.1 (VVSG v1.1) to the Election Assistance Commission (EAC).

ACCURATE was established in 2005 to conduct fundamental research into methods for improving
voting technology. ACCURATE’s Principal Investigators direct investigating software architecture,
tamper-resistant hardware, cryptographic protocols and verification systems as applied to
electronic voting systems. Additionally, ACCURATE evaluates voting system usability and how public
policy, in combination with technology, can better support elections.

Since receiving NSF funding in 2005, ACCURATE has made many important contributions to the
science and policy of electronic voting.[3] The ACCURATE Center has published groundbreaking
results in security, cryptography, usability, and verification of voting systems. ACCURATE has also
actively contributed to the policy discussion through regulatory filings, through testimony and advising
decisionmakers as well as conducting policy research.[4] ACCURATE researchers have participated in
running elections and assisting election officials in activities such as unprecedented technical evaluation
of voting systems and redesigning election procedures.[5] Finally, the education and outreach mission of
ACCURATE has flourished through the development of numerous undergraduate and graduate classes
and the creation of the premier venue for voting technology research.[6]

With experts in computer science, systems, security, usability, and technology policy, and knowledge
of election technology, procedure, law and practice, ACCURATE is uniquely positioned to provide
helpful guidance to the EAC as it attempts to strengthen the specifications and requirements that ensure
the functionality, accessibility, security, privacy and trustworthiness of our voting technology.

We welcome this opportunity to further assist the EAC and hope this process continues the
collaboration between the EAC and independent, academic experts in order to sustain improvements in election
systems and procedures.

[1] See: http://www.accurate-voting.org/.
[2] National Science Foundation Directorate for Computer & Information Science & Engineering, CyberTrust, see:
http://www.nsf.gov/funding/pgm_summ.jsp?pims_id=13451&org=CISE.
[3] A Center for Correct, Usable, Reliable, Auditable and Transparent Elections. 2006 Annual Report. Jan. 2007.
URL: http://accurate-voting.org/wp-content/uploads/2007/02/AR.2007.pdf; A Center for Correct, Usable,
Reliable, Auditable and Transparent Elections. 2007 Annual Report. Jan. 2008.
URL: http://accurate-voting.org/wp-content/uploads/2008/01/2007.annual.report.pdf; A Center for Correct, Usable,
Reliable, Auditable and Transparent Elections. 2008 Annual Report. Jan. 2009.
URL: http://accurate-voting.org/wp-content/uploads/2008/12/2008annualreport.pdf
[4] List of ACCURATE Testimony. ACCURATE Website. URL: http://accurate-voting.org/pubs/testimony/; A
Center for Correct, Usable, Reliable, Auditable and Transparent Elections. Public Comment on the 2005 Voluntary
Voting System Guidelines. Sept. 2005. URL: http://accurate-voting.org/accurate/docs/2005_vvsg_comment.pdf; A
Center for Correct, Usable, Reliable, Auditable and Transparent Elections. Public Comment on the Voluntary Voting System
Guidelines, Version II (First Round). May 2008.
URL: http://accurate-voting.org/wp-content/uploads/2008/05/accurate_vvsg2_comment_final.pdf.
[5] ACCURATE researchers have participated in voting system evaluations sponsored by the States of California, Florida,
Kentucky, Ohio and the District of Columbia.
[6] For more on our educational output, please see those sections of our Annual Reports (see note 3). The Electronic Voting
Technology workshop (EVT), collocated with the USENIX Security Symposium, was started in 2006 and continues to attract
the highest caliber voting technology research. See: http://www.usenix.org/event/evtwote09/.

Contents

Preface
1 Introduction and Background
2 Transitioning From VVSG 2005 to VVSG II via VVSG v1.1
  2.1 Effects of the Transition on the Market for Voting Systems
  2.2 Effective Date of VVSG v1.1
3 The Importance Of Auditability and Structured Data
  3.1 Progress in Supporting Auditability and Structured Data Formats
  3.2 The Importance of Standardized Structured Data
  3.3 Mandating Voting Systems Support EML
4 Significant But Limited Improvements in Cryptography
  4.1 FIPS 140-2: a Solid Foundation for Implementing Cryptography in Voting Systems
  4.2 Changes in Cryptography Specifications do not Address Systemic Issues
5 Changes to Software Security do not Obviate Software Independence
  5.1 Software Development and Workmanship Requirements
  5.2 Software Validation Requirements
6 New Requirements for Accuracy and Reliability Testing
7 The Need for Performance-based Usability Benchmarks and Testing
8 System Documentation and Technical Data Package Requirements
  8.1 Standardized Configuration Checklists for Assessing Auditing Functionality
  8.2 The Benefits of More Complete Security Specification Requirements
  8.3 Expanded Requirements for Technical Data Package Contents Are Warranted
  8.4 Requirements for Identifying Protected and Confidential Information
9 Conclusion

1 Introduction and Background

The EAC’s proposed revision of VVSG 2005 will require extensive changes to current voting systems,
yet yield modest benefits on key issues of accessibility, usability, reliability, accuracy, and security. The
Commission claims that its proposal aims to revise technical requirements that do not require changes
in current voting system hardware or “complex software changes,”[1] and to include VVSG II provisions
that clarify existing requirements or improve testing; the Commission notes that VVSG II commenters
were “near[ly] unanimous” in praising these provisions.[2] The EAC positions the proposed revision as a
set of relatively minor technical changes and non-controversial changes in testing requirements.[3]

While the inclination to proceed incrementally is understandable (although we believe ill-advised as
a policy and market matter), the changes proposed in the draft VVSG v1.1 in some instances will require
complex software changes and omit some crucial improvements in testing recommended in the draft
VVSG II. Most importantly, we believe the proposed revisions are not well targeted. In our last public
comment on the draft VVSG II we highlighted four essential improvements—software independence,
adversarial vulnerability testing (OEVT), usability benchmark testing and volume testing—necessary
to make substantial progress.[4] However, the EAC’s approach is not currently moored in a substantive
prioritization of risks that need be addressed. The impact of th
