U.S. Election Assistance Commission

Comment by U.S. Public Policy Committee of the Association for Computing Machinery (USACM)

This is a comment on Part 1, Chapter 2.7, dated 2008/05/05 13:37:30.035 GMT-4

USACM Comment #3. Software Independence Demonstration [incomplete]

USACM recommends that the VVSG include a step-by-step demonstration of a software independence assessment. An example of such a demonstration is included as Appendix B to these comments.

DISCUSSION: The process for demonstrating Software Independence is not clearly delineated in the document, and it is unclear how such an assessment would proceed from the document as it is written. Without such precision, the guidelines are open for a wide variety of interpretation as to what would demonstrate software independence. This would allow for groups to argue the requirement is overly broad, or that it is already demonstrated by existing voting systems — which is currently only true for voting systems with IVVR.

Appendix B. SAMPLE Demonstration Procedure for Software Independence

This test is meant as a hypothetical example, is for illustrative purposes only, and is not an endorsement of a particular process or technology for use in voting systems.

The following example illustrates how IVVR may be determined. We are assuming a single-issue election and a unique Compact Disk (CD) for each voter. By "visible surface," we mean the outside of the CD where, for example, movie titles currently are written or where someone could write information about a CD he or she has recorded.

In this voting system, the vote-capture device is an electronic writing pad. A voter display screen lists the candidates and the voter writes his or her selection on the writing pad. The vote capture device captures each vote (recognizing the script) and translates it into an electronic ballot that is written to a CD. The system also prints the written vote in the voter’s handwriting on the visible surface of the CD in view of the voter. The vote is recorded from the signature pad and the CD is retained for audit purposes. The following details apply:

1. The voter is asked to verify and approve what is printed on the outside of the CD before casting the ballot.
2. The device marks the CD as "accepted", in view of the voter, when the voter approves it and the device marks the CD as "rejected", in view of the voter, if the voter rejects it.
3. If the handwriting is not legible, the system will reject the vote and prompt the voter to try again.
4. The printed vote record is durable enough to remain unchanged and legible for a period of 22 months.
5. The CD does not contain any information about the time at which the vote was cast or the ordering of this vote compared to all other votes cast on this voting machine.
6. Information printed on the CD also reveals the polling place, precinct, set of contests the voter was eligible to vote on, and the date of the election.
7. The format of the data stored on the CD is fully disclosed to the public.

We start with the IVVR requirements (cf. Section 4.4 of the VVSG). We list the example assessment of whether this system (with the clarifications above) meets that requirement, and some discussion explaining the conclusion. Here the IVVR is the printed copy of the vote, as printed on the outside of the CD.

4.4.1-A.1: Complies.
4.4.1-A.2: Complies. Here we assume that if the device can interpret the voter’s handwriting, then so can an auditor. Alternatively, if the device will accept records that will not be legible to election officials and auditors, then such a system would not comply with 4.4.1-A.2.
4.4.1-A.3: Complies.
4.4.1-A.4: Complies.
4.4.1-A.5: Complies. See durability assumption above.
4.4.1-A.6: Complies.
4.4.1-A.7: Complies. Same issues as VVPAT.
4.4.1-A.8: Complies. Handwriting is a publicly available format.
4.4.1-A.9: Complies, under the assumption that the device prints the additional information listed above. If the CD does not show that additional information in human-readable form, then the device may not comply.
4.4.1-A.10: Complies.
4.4.1-A.11: Complies. IVVRs do not span multiple media.
4.4.1-A.12: Complies.
4.4.1-A.13: Complies.
4.4.1-A.14: Complies.
4.4.1-A.15: Complies. Depending upon how we interpret this requirement, compliance may require the device to include an electronic bitmap image of the scanned handwriting as part of the data stored electronically on the CD, but that should be straightforward to arrange.
4.4.1-A.16: Complies.
4.4.1-A.17: Complies.

Based on this analysis, we can conclude that the example voting system satisfies requirement 4.4.1-A (the primary requirement that is specific to IVVR vote-capture devices). Note that there are some additional requirements that must also be met if the device is submitted for approval as an accessible voting system (Acc-VS), e.g., 4.2.4-A, 4.2.4-B.

Finally, we can ask whether this system meets the SI requirement. In this case, there is a shortcut: IVVR systems in general qualify as SI (Sections 2.7, 4.1), so as we have determined that the system is an IVVR system it meets the definition of SI.

If the system did not meet the requirements for IVVR, we would have to separately determine whether it meets the SI requirement. Here we look to requirement 2.7-A. To determine whether the system complies with 2.7-A, we would have to consider all possible changes or faults in the software to see whether there are any that could cause an undetectable change or error in the election outcome. In this case, all such errors can be detected, via observational testing, post-election statistical audits, recounts, pollbook reconciliation, and/or the official canvass.

Note also that the voting system vendor, as part of the submission of the system for certification, must declare which conformance classes the vendor wants to claim the system complies with. For instance, the vendor must decide whether to claim that the device is an "IVVR vote-capture device", whether to claim that it is an "Acc-VS", etc. The testing that is done is determined by what claims the vendor makes. (See Sections 2.3, 2.4 of the VVSG II.)