My comments to the CA SoS's request on AVVPAT regulations...
Our SoS has requested comments from the public on legislation surrounding requirements for AVVPAT in voting systems sold in California. Here is the text of what I submitted...
UPDATE [2005-06-24 16:12:49]: The EFF and CVF have co-authored a comment: "Re: Request for Public Comment on Voting System Audit Trail Standards".
As an academic researcher who works with voting systems heavily, I would like to make a few very brief comments about the AVVPAT regulations dated 21 January 2005. I'm also CC'ing Bruce McDannold as he may find these comments useful when the regulations are updated:
In all, I feel that it is imperative that the AVVPAT regulations be allowed to come into effect and that the AVVPAT records are used for all recounts (statutory or judicial). Further, the regulations should be revisited as technology changes to ensure that the independent auditability that is the goal of AVVPAT is not short-circuited and so that legitimate, innovative alternatives to AVVPAT are encouraged and allowed to thrive.
Here are 5 brief comments (in order of interest to you... you've likely heard the last two comments from others already):
Section 2.3.4.1 of the current regulations states, "The AVVPAT-W shall be capable of producing an image in all alternative languages for which the DRE is certified." However, as we noted in a paper of ours, this can lead to a compromise in ballot privacy and secrecy. For example, what if you are the only Chinese-language voter in a polling place? In this case, all one has to do is have access to the AVVPAT records for this polling place (as would be the case in the 1% manual recount or in a full recount), and the one Chinese-language AVVPAT record will expose how you voted.
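As an added example (not part of the original comment), here is a Python check a county could run over a batch of AVVPAT records before they are handled in a 1% manual recount: it flags any display language used by fewer than k records in the batch, since such a record can be linked to the voter who used that setting. The record fields, the sample batch and the threshold k are assumptions; the `attr` parameter generalizes the same check to any other setting printed on the record.

```python
from collections import Counter, defaultdict

# Constructed sample batch for one polling place: each AVVPAT record carries
# the ballot-display language printed on it plus the voter's choices.
SAMPLE_RECORDS = [
    {"lang": "en", "choices": {"Measure A": "yes"}},
    {"lang": "en", "choices": {"Measure A": "no"}},
    {"lang": "es", "choices": {"Measure A": "yes"}},
    {"lang": "es", "choices": {"Measure A": "yes"}},
    {"lang": "zh", "choices": {"Measure A": "no"}},  # the lone Chinese-language voter
]


def group_sizes(records, attr="lang"):
    """Count how many records in the batch share each value of a printed attribute."""
    return Counter(r[attr] for r in records)


def exposed_groups(records, attr="lang", k=2):
    """Attribute values shared by fewer than k records in this batch.

    A record in such a group can be linked to the voter who used that
    setting, so its choices are effectively no longer secret.
    """
    return {value: n for value, n in group_sizes(records, attr).items() if n < k}


def exposed_choices(records, attr="lang", k=2):
    """The choices that the batch would reveal, keyed by the exposing attribute value."""
    small = exposed_groups(records, attr, k)
    revealed = defaultdict(list)
    for r in records:
        if r[attr] in small:
            revealed[r[attr]].append(r["choices"])
    return dict(revealed)


def batch_is_private(records, attr="lang", k=2):
    """True when every attribute group meets the k threshold, i.e. no record
    in the batch is singled out by the printed attribute."""
    return not exposed_groups(records, attr, k)
```

A batch that fails this check would need to be pooled with records from other polling places, or the language marking removed from the paper record, before the paper trail is inspected.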
It might be wise to add a regulation specifying that the AVVPAT should scroll out of view before the next voter is allowed to approach the voting terminal. I have video of the Sequoia AVC Edge as implemented last November in Nevada which shows that the terminal displays the "ready to vote" screen during the 10-15 seconds that it takes the AVVPAT to scroll out of view.
Section 2.1.1.4 of the regulations says, "In the case of a difference between the electronic record and the paper record copy, the paper record copy shall govern[...]". While defining which record of the vote governs in the event of a discrepancy might seem wise from a pragmatic and administrative point of view, it is not wise from a systems security point of view. That is, if an attacker knows that all he has to do is to forge (or what have you) a certain record that will supersede all others in the event of a discrepancy, he can devote all his effort to that one attack. If he succeeds, this kind of regulatory provision will mandate that the forged records govern, even if there is evidence that the paper records have been compromised (but may still appear "accurate" as per the regulations).
In the case of real auditable systems, a "mesh" of audit trails (here we have two... the electronic and paper records) is formed so that discrepancies will be easily discovered. However, knowing that there is, in fact, a discrepancy is only half the battle. The rest is figuring out whether the anomalous audit event is in error or if all the other audit trails are in error and the anomalous one is the one check that our attacker forgot to forge.
There is no specification for the type of paper used in AVVPAT devices. The majority of voting systems on the market with AVVPAT capability use flimsy thermal paper which will not meet the 22-month records storage requirement unless we have sophisticated climate control.
Further, the specifications should provide for some randomization of AVVPAT records in the AVVPAT storage receptacle. It is troubling that AVVPATs are stored on a reel-to-reel mechanism as opposed to being separated from each other and at least randomized by chance (for example, if allowed to drop into a bin, as the Avante machine allows).
--
Joseph Lorenzo Hall
UC Berkeley, SIMS PhD Student
http://josephhall.org/