Reply #11: NIST e-voting proposal is rejected.... [View All]

http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9005632

Government rejects e-voting paper trail proposal
Government, banking officials claim it's not necessary

December 04, 2006 (IDG News Service) -- A U.S. government board looking at ways to improve the security of electronic voting has rejected one proposal that would have required election officials to use paper-trail ballots or other audit technologies with the machines.

The Technical Guidelines Development Committee (TGDC), an advisory board to the U.S. Elections Assistance Commission (EAC), on Monday failed to pass a proposal to certify only those direct record electronic (DRE) machines that use independent audit technology. Before the 6-6 vote, TGDC members expressed concerns that a requirement would create a costly mandate to local governments.

TGDC members said they will continue debate on ways to improve e-voting security. The TGDC could bring the proposal or an amended one back up at any time, said Michael Newman, a spokesman at the National Institute of Standards and Technology (NIST), the agency that helps the TGDC develop voting standards.

The proposal, advanced by NIST staff and TGDC member Ronald Rivest, a computer science professor at the Massachusetts Institute of Technology, would have required "software independent" DREs with some kind of independent audit mechanism, such as the voter-verified paper trail printouts advocated by some e-voting critics.

One advocate of paper-trail audits for DRE said he was disappointed with the TGDC's vote. The recommendation was a "much-needed step toward making certain that voting systems are secure, useable, and reliable," said Eugene Spafford, chairman of the U.S. policy committee at the Association for Computing Machinery (ACM).

"Software independence avoids reliance on the accuracy and security of the voting machine software in order to verify an election outcome," Spafford said by e-mail. "The ... initial recommendation was well-grounded, carefully balanced, and addressed an issue that is critical to the integrity of our election process."

Rivest and NIST staff members argued that there's no way to recount elections in which DREs were used without an independent audit mechanism, repeating e-voting critiques in a draft e-voting security white paper circulated last month.

"Simply put, the DRE architecture's inability to provide for independent audits of its electronic records makes it a poor choice for an environment in which detecting errors and fraud is important," the NIST paper said.

But advocates of the software independence approach aren't accusing DREs of being insecure, Rivest said. "What we're saying is we can't tell if they're secure or not," he added. "We don't know how to create requirements to tell if they're secure."

Other committee members said the proposal created new problems, including new requirements for local governments that have already spent their funding from the U.S. government to update election equipment.

"I'm not sure that we've really proven that the processes that state election officials have used for a few decades now of testing and verifying that the systems work ... are failing," said Paul Miller, voting systems manager at the Washington state Secretary of State's Office. "Now we're adding another requirement."

Rivest argued that nearly all software contains bugs, and voting officials shouldn't rely on imperfect software. "When students write software, it's buggy," he said. "When I write software it's buggy."

But Brittain Williams, representing the National Association of State Election Directors, said the U.S. banking industry has largely figured out how to conduct large-scale electronic transactions with few mistakes. "You say all software is buggy," he said. "The question is, can you test it to an acceptable list of security? The banking industry ... moves billions of dollars around every day with this buggy software without ever producing a single piece of paper."