[Federal Register: April 12, 2006 (Volume 71, Number 70)]
[Notices]
[Page 18925-19052]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr12ap06-143]
-----------------------------------------------------------------------
Part III
Election Assistance Commission
-----------------------------------------------------------------------
Technical Guidelines Development Committee (TGDC); Initial Report:
Voluntary Voting System Guidelines Version I; Notice
-----------------------------------------------------------------------
ELECTION ASSISTANCE COMMISSION
Technical Guidelines Development Committee (TGDC); Initial
Report: Voluntary Voting System Guidelines Version I
AGENCY: United States Election Assistance Commission.
ACTION: Notice; publication of TGDC recommendations for voluntary
voting system guidelines.
-----------------------------------------------------------------------
SUMMARY: The Help America Vote Act of 2002 (HAVA) Section 221(f)
directs the Technical Guidelines Development Committee (TGDC) to
publish its recommendations to the Executive Director of the U.S.
Election Assistance Commission (EAC) at the time EAC adopts voluntary
voting system guidelines. In 2004, the EAC formed the TGDC to create an
initial set of recommendations for guidelines as directed by HAVA. The
Director of the National Institute of Standards and Technology (NIST)
chairs the TGDC and NIST staff provides technical support for the
TGDC's work. This committee of fifteen experts began their work in July
2004 and submitted their recommendations, which are published here.
These recommendations were used by the EAC in producing the EAC's
proposed 2005 Voluntary Voting System Guidelines which were published
for public comment in June 2005, 70 FR 37378 (June 29, 2005). Following
revision of its proposed guidelines to reflect the comments received,
the EAC adopted the final 2005 Voluntary Voting System Guidelines on
December 13, 2005. This final document is being concurrently published
as required by HAVA.
FOR FURTHER INFORMATION CONTACT: Brian Hancock (Election Research
Specialist) Washington, DC, (202) 566-3100, Fax: (202) 566-3127.
Thomas R. Wilkey,
Executive Director, U.S. Election Assistance Commission.
Voluntary Voting System Guidelines Version I
Initial Report
May 9, 2005
Product of the Technical Guidelines Development Committee With Technical
Assistance From the National Institute of Standards and Technology
------------------------------------------------------------------------
Overview:
Volume One, Performance Standards:
Section One: Introduction
Section Two: Functional Capabilities
Section Three: Hardware
Section Four: Software
Section Five: Telecommunications
Section Six: Security
Section Seven: Quality Assurance
Section Eight: Configuration Management
Section Nine: Overview of Qualification Testing
Appendix A: Glossary
Appendix B: Applicable Documents
Appendix C: Best Practices
Appendix D: Independent Dual Verification
Volume Two, Testing Standards:
Section 1: Introduction
Section 2: Technical Data Package
Section 3: Functionality Testing
Section 4: Hardware Testing
Section 5: Software Testing
Section 6: Systems Integration Testing
Section 7: Configuration Management and Quality Assurance
Appendix A: Qualification Test Plan
Appendix B: Qualification Test Report
Appendix C: Qualification Test Design Criteria
------------------------------------------------------------------------
Voluntary Voting System Guidelines--Overview
This section provides an overview of the Voluntary Voting System
Guidelines (VVSG), Version 1. The VVSG was created in response to the
Help America Vote Act (HAVA) of 2002 and is based on the initial set of
recommendations of the Technical Guidelines Development Committee
(TGDC) mandated by HAVA. The VVSG Version 1 augments the Voting Systems
Standard (VSS) of 2002 (VSS-2002), which was promulgated by the Federal
Election Commission (FEC). This overview serves as an explanation of
how the VVSG Version 1 differs from the VSS-2002 and provides a basis
for further improvements. In addition, it provides a high level
overview of the major sections of the two volumes that make up VVSG
Version 1.
Document Structure
This document presents the voluntary voting system guidelines as a
single document consisting of two volumes: Volume I, the performance
provisions of the guidelines and Volume II, the testing specification.
Sections of this document augment the VSS-2002, by either replacing
VSS-2002 sections or adding new sections. New material is indicated by
distinct header information on each page. The header information is in
a gray shaded box and includes the words ``NEW MATERIAL''. The footer
information also includes the words ``NEW MATERIAL''. Additionally,
line numbers have been added to these pages.
In the new sections that contain requirements or informative
characteristics, each requirement or characteristic is numbered
according to a hierarchical scheme in which higher-level requirements
(such as ``provide accessibility for blind voters'') are supported by
lower level requirements (``provide an audio-tactile interface'').
These sections are: Sections 2.2.7, 6.0.1, 6.0.2, 6.0.3, 6.0.4, and
Appendix D. Additionally, each requirement or characteristic indicates
to whom it applies (i.e., responsible entity) as well as which stage of
the voting process (i.e., pre-voting, voting, post-voting) is affected.
There are three responsible entities: voting system vendor (V), testing
authority (T), and repository (R). To aid the reader, a colored box
with the first letter of the responsible entity, i.e., V, T, or R
accompanies the name of the entity, as follows:
[GRAPHIC] [TIFF OMITTED] TN12AP06.000
The three stages of the voting process are indicated by
presenting a box with all three stages and using a strikeout font to
indicate the stages that are not applicable, as follows:
[GRAPHIC] [TIFF OMITTED] TN12AP06.001
Indicates the pre-voting stage is the only stage that applies.
[GRAPHIC] [TIFF OMITTED] TN12AP06.002
Indicates all three stages apply.
Background
The Help America Vote Act (HAVA) established the Technical
Guidelines Development Committee to assist the Election Assistance
Commission (EAC) with the development of voluntary voting system
guidelines. HAVA directs the National Institute of Standards and
Technology (NIST) to chair the TGDC and to provide technical support to
the TGDC in the development of these guidelines. The TGDC's initial set
of recommendations for these guidelines was presented to the Election
Assistance Commission in May 2005, in accordance with HAVA's nine-month
deadline.
VVSG Version 1 is intended to assist State election officials in
preparing for the 2006 election. This document augments the VSS-2002 to
address the critical areas of accessibility, usability and computer
security. In addition, the VVSG includes an improved glossary to
promote common understanding, a conformance clause, and an updated
Appendix on error rates.
It is important to note that the VVSG Version 1 is an interim set
of guidelines. The EAC is working with both the TGDC and NIST to create
a redesigned VVSG (called VVSG Version 2) that will address a large
range of issues including rewriting the requirements, if necessary, to
make them more precise and testable and address key human factors and
computer security issues. These new requirements will affect the basic
design of voting systems to such a degree that these types of changes
cannot reasonably be made and tested in time for the 2006 election
cycle.
Brief History of Voting Systems Standards and Guidelines
In 1975, the National Bureau of Standards (now the National
Institute of Standards and Technology) and the Office of the Federal
Elections (the Office of Election Administration's predecessor at the
General Accounting Office) produced a joint report, Effective Use of
Computing Technology in Vote Tallying. This report concluded that a
basic cause of computer-related election problems was the lack of
appropriate technical skills at the state and local level to develop or
implement sophisticated Standards against which voting system hardware
and software could be tested. A subsequent Congressionally-authorized
study produced by the FEC and the National Bureau of Standards detailed
the need for a federal agency to develop national performance Standards
that could be used as a tool by state and local election officials in
the testing, certification, and procurement of computer-based voting
systems.
In 1984, Congress appropriated funds for the FEC to develop
voluntary national Standards for computer-based voting systems. The FEC
formally approved the Performance and Test Standards for Punchcard,
Marksense and Direct Recording Electronic Voting Systems in January
1990. This document is generally referred to as the Voting Systems
Standards, or 1990 VSS.
The national testing effort was developed and overseen by the
National Association of State Election Directors' (NASED) Voting Systems
Board, which is composed of election officials and independent technical
advisors. NASED's testing program was initiated in 1994 and more than 30
voting systems or components of voting systems have gone through NASED's
testing and qualification process. In addition, many systems have
subsequently been certified at the state level using the Standards in
conjunction with functional and technical requirements developed by
state and local policymakers to address the specific needs of their
jurisdictions.
As the qualification process matured and qualified systems were
used in the field, the Voting Systems Board, in consultation with the
testing labs, was able to identify certain testing issues that needed
to be resolved. Moreover, rapid advancements in information and
personal computer technologies introduced new voting system development
and implementation scenarios not contemplated by the 1990 Standards.
In 1997, NASED briefed the FEC on the necessity for continued FEC
involvement, citing the importance of keeping the Standards current in
its reflection of modern and emerging technologies employed by voting
system vendors. Following a Requirements Analysis released in 1999, the
Commission authorized the Office of Election Administration to revise
the Standards to reflect contemporary needs of the elections community.
This resulted in the 2002 Voting Systems Standards.
In 2002, Congress passed HAVA, which created a new process for
improving voluntary voting system guidelines. A new federal entity was
created, the Election Assistance Commission, to oversee the process.
The EAC established the Technical Guidelines Development Committee in
accordance with the requirements of section 221 of HAVA pursuant to the
Federal Advisory Committee Act, 5 U.S.C. App. 2. The TGDC's objectives
and duties were to act in the public interest to assist the EAC in the
development of the voluntary voting system guidelines. The membership,
as defined by HAVA, includes:
The Director of the National Institute of Standards and
Technology (NIST) who shall serve as its chair,
Members of the Standards Board,
Members of the Board of Advisors,
Members of the Architectural and Transportation Barriers
Compliance Board (Access Board),
A representative of the American National Standards
Institute,
A representative of the IEEE,
Two representatives of the NASED selected by such
Association who are not members of the Standards Board or Board of
Advisors, and who are not of the same political party, and
Other individuals with technical and scientific expertise
relating to voting systems and voting equipment.
The TGDC first met in August, 2004 and delivered the Voluntary
Voting System Guidelines in May, 2005. This initial set of
recommendations augments the VSS-2002 by including security measures
for auditability, wireless communications and software distribution and
setup, and improvements to the accessibility and usability design
sections of the VSS-2002. The TGDC also recommended that the VSS-2002
be replaced with a far-reaching guideline that would address in-depth
security, performance-based guidelines for usability testing, and an
overhaul of the standards and test methods to meet today's more
rigorous needs for electronic voting systems.
Issues Addressed by the VVSG Version 1
The VVSG Version 1 adds or significantly changes eight technical
topics of the VSS-2002. In addition, there are three organizational
changes in the new sections. All other material remains the same.
Conformance Clause
The VSS-2002 did not include a conformance clause. One has been
written and inserted as Section 1.7. The previous material in Section
1.7, the Outline, has been moved to 1.8.
Conformance is defined as the fulfillment by a product, process, or
service of requirements as specified in a standard or specification.
Conformance testing is the determination of whether an implementation
(i.e., product, process, or service) faithfully satisfies the
requirements and thus, conforms.
The conformance clause of a standard specification is a high-level
description of what is required of implementers and developers. It, in
turn, refers to other parts of the standard. The conformance clause may
specify minimal requirements for certain functions and minimal
requirements for implementation-dependent values. It may also specify
the permissibility of extensions, options, and alternative approaches
and how they are to be handled.
Human Factors
In the VSS-2002 Volume 1 Section 2.2.7 addressed Accessibility and
Section 3.4.9 addressed Human Engineering--Controls and Displays. The
VSS-2002 also contained Appendix C on Usability. The VVSG Version 1
replaces all of these items with a new Section 2.2.7 that addresses
Human Factors including accessibility, usability, and limited English
proficiency. This new section incorporates the two NASED Technical
Guides (Guide 1 and Guide 2). Future versions of the
VVSG will contain performance-based requirements.
Security Overview and Appendix D
A new security section was added as Section 6.0. It contains four
parts: an Overview and three topic areas. The overview was added to
explain the VVSG approach to security. Future versions of the VVSG will
require independent dual verification. There are many ways known today
to achieve independent dual verification and more ways may be
developed. Current methods include dual process systems, witness
systems, cryptographic-based systems, optical scan systems, and paper
audit trails. A new Appendix D expands on this overview with an
in-depth discussion of independent dual verification systems. Independent
dual verification is a new area in voting systems and it is expected to
evolve significantly in VVSG Version 2. The Security Overview is an
informative (non-normative) section of the VVSG Version 1. Requirements
for voter verified paper audit trail systems, which are a type of
independent dual verification system, are specified in a separate
section. Version 2 of the VVSG will have complete requirements for at
least three additional methods.
Voter Verified Paper Audit Trails
The VSS-2002 contained no requirements for voter verified paper
audit trails. The VVSG Version 1 is providing requirements for voter
verified paper audit trails (VVPAT) so that States that choose to
implement VVPAT or States that are considering implementation can
utilize these requirements to help ensure the effective operation of
these systems. The EAC, TGDC, and NIST are taking no position with
respect to the implementation of VVPAT systems and are neither
requiring nor endorsing voter verified paper audit trails. Methods
other than VVPAT can provide ways to achieve independent dual
verification. These other methods are described in the Security
Overview.
Wireless Technology
The TGDC concluded that the use of wireless technology introduces
risk and should be approached with caution. Therefore, the VVSG Version 1
includes a new section on wireless that augments the general
telecommunications requirements in Volume 1, Section 5.
The VVSG Version 1 requires that wireless transmissions be encrypted to
protect against a variety of security problems.
Software Distribution and Setup Validation
The VSS-2002 contains many requirements to help voting officials
validate the software and the setup of voting system software and
hardware. Subsequent to the publication of the VSS-2002, the EAC
invited all voting software vendors to submit their software to a
national software repository maintained by NIST. This section of the
VVSG Version 1 builds on the VSS-2002 to include use of this repository
and other validation mechanisms.
Glossary
This glossary contains terms from the VSS-2002 as well as
additional terms needed to understand voting and related
areas such as security, human factors, and testing. Each term includes
a definition and its source as well as an indication of the domain
to which the term applies. Having a common set of terminology forms
the basis for understanding requirements and for discussing
improvements. The glossary is also available in a web-based on-line
version at http://www.nist.gov/votingglossary.
Error Rates
Volume II, Appendix C addresses error rates. This appendix contains
revised procedures to test that systems meet the indicated error rates.
These apply to errors introduced by the system, defined as a ballot
position error rate, and not by a voter's action. Further research on
human interface and usability issues is needed to enable the
development of Standards for error rates that account for human error.
There were concerns about the VSS-2002 Appendix regarding the
numbers listed in the probability ratio sequential test (PRST) of the
Mean Time Before Failure (MTBF) that (1) the numbers do not correspond
to the numbers for the same table in the 1990 VSS, even though the
stated assumptions do not change, and (2) the numbers from neither the
1990 nor the 2002 tables correspond to numbers that would result from
standard PRST formulas listed in standard references such as the
military handbook MIL-HDBK-781A. To address these concerns, the revised
Appendix has replaced the numbers in the table with those that would be
indicated by the truncated PRST design from MIL-HDBK-781A with the
corresponding parameters and made it more clear in the text that a
truncated design was chosen. Using standard theoretical formulas leads
to somewhat different numbers, but the revised Appendix C uses numbers
from the MIL-HDBK-781A because they may be considered more standard and
produce a less drastic change. Also, in the 1990 VSS, there was an
appendix devoted to the definition and use of ``partial failures.''
This appendix was eliminated from the VSS-2002. The new version
eliminated the paragraph and diagram in Appendix C that used partial
failures.
The new version also includes statements reminding users to be
cognizant of the assumptions involved in tests that use time-based
exponential failure times and constant failure rates. Given the
concerns that have been stated about appropriate testing times, note
that the given table is appropriate only for the stated parameters, and
that officials should assess the appropriateness of whatever parameters
are used in testing.
Best Practices for Voting Officials
The VSS-2002 contained requirements for voting systems and for
testing entities. However, requirements for human factors, wireless
communications, VVPAT, software distribution and setup validation
depend not only on voting systems providing specific capabilities but
on voting officials developing and carrying out appropriate procedures.
Consequently, the VVSG Version 1 contains Best Practices for voting
officials. The new sections in VVSG Version 1 define each requirement
as pertaining to voting systems, vendor repository, test
authorities, or voting officials. The requirements for voting officials
are collected in Appendix C of Volume 1. (Appendix C had previously
been Usability.)
Voting Process
The VSS-2002 defined three major stages of voting: pre-voting,
voting, and post-voting. The stage for each requirement is marked in
the new sections. The VVSG Version 2 will have a more detailed voting
process model and will allow for finer granularity.
Summary of Content of Volume I
Volume I contains performance standards for electronic components
of voting systems. In addition to containing a glossary (Appendix A),
applicable references (Appendix B), Best Practices (Appendix C) and
Security Overview (Appendix D), Volume I is divided into nine sections:
Section 1--Introduction: This section provides an introduction to
the Standards, addressing the following topics:
Objectives and usage of the Standards,
Development history for initial Standards,
Update of the Standards,
Accessibility for individuals with disabilities,
Definitions of key terms,
Application of the Standards and test specifications,
Conformance clause, and
Outline of contents.
Section 2--Functional Capabilities: This section contains Standards
detailing the functional capabilities required of a voting system. This
section sets out precisely what it is that a voting system is required
to do. This section also sets forth the minimum actions a voting system
must be able to perform to be eligible for qualification. For
organizational purposes, functional capabilities are categorized by the
phase of election activity in which they are required:
Overall Capabilities: These functional capabilities apply
throughout the election process. They include security, accuracy,
integrity, system auditability, election management system, vote
tabulation, ballot counters, telecommunications, and data retention.
Pre-voting Capabilities: These functional capabilities are
used to prepare the voting system for voting. They include ballot
preparation, the preparation of election-specific software (including
firmware), the production of ballots or ballot pages, the installation
of ballots and ballot counting software (including firmware), and
system and equipment tests.
Voting Capabilities: These functional capabilities include
all operations conducted at the polling place by voters and officials
including the generation of status messages.
Post-voting Capabilities: These functional capabilities
apply after all votes have been cast. They include closing the polling
place; obtaining reports by voting machine, polling place, and
precinct; obtaining consolidated reports; and obtaining reports of
audit trails.
Maintenance, Transportation and Storage Capabilities:
These capabilities are necessary to maintain, transport, and store
voting system equipment.
For each functional capability, common standards are specified. In
recognition of the diversity of voting systems, some of the standards
have additional requirements that apply only if the system incorporates
certain functions (for example, voting systems employing
telecommunications to transmit voting data) or configurations (for
example, a central count component). Where system-specific standards
are appropriate, common standards are followed by
standards applicable to specific technologies (i.e., paper-based or
DRE) or intended use (i.e., central or precinct count).
Section 3--Hardware Standards: This section describes the
performance requirements, physical characteristics, and design,
construction, and maintenance characteristics of the hardware and
related components of a voting system. This section focuses on a broad
range of devices used in the design and manufacture of voting systems,
such as:
For paper ballots: Printers, cards, boxes, transfer boxes,
and readers,
For electronic systems: Ballot displays, ballot recorders,
precinct vote control units,
For voting devices: Punching and marking devices and
electronic recording devices,
Voting booths and enclosures,
Equipment used to prepare ballots, program elections,
consolidate and report votes, and perform other elections management
activities,
Fixed servers and removable electronic data storage media,
and
Printers.
The Standards specify the minimum values for the relevant
attributes of hardware, such as:
Accuracy,
Reliability,
Stability under normal environmental operating conditions
and when equipment is in storage and transit,
Power requirements and ability to respond to interruptions
of power supply,
Susceptibility to interference from static electricity and
magnetic fields,
Product marking, and
Safety.
Section 4--Software Standards: This section describes the design
and performance characteristics of the software embodied in voting
systems, addressing both system level software and voting system
application software. The requirements of this section are intended to
ensure that the overall objectives of accuracy, logical correctness,
privacy, system integrity, and reliability are achieved. Although this
section emphasizes software, the software standards may influence
hardware design in some voting systems.
The requirements of this section apply to all software developed
for use in voting systems, including:
Software provided by the voting system vendor and its
component suppliers, and
Software furnished by an external provider where the
software is potentially used in any way during voting system operation.
The general standards in this section apply to software used to
support the broad range of voting system activities, including
pre-voting, voting and post-voting activities. System specific Standards
are defined for ballot counting, vote processing, the creation of an
unalterable audit trail, and the generation of output reports and
files. Voting system software is also subject to the security
requirements of Section 6.
Section 5--Telecommunications Standards: This section describes the
requirements for the telecommunications components of voting systems.
Additionally, it defines the acceptable levels of performance against
these characteristics. For the purpose of the Standards,
telecommunications is defined as the capability to transmit and receive
data electronically regardless of whether the transmission is localized
within the polling place or the data is transmitted to a geographically
distinct location. The requirements in this section represent
functional and performance requirements for the transmission of data
that are used to operate the system and report official election
results. Where applicable, this section specifies minimum values for
critical performance and functional attributes involving
telecommunications hardware and software components.
This section addresses telecommunications hardware and software
across a broad range of technologies such as dial-up communications
technologies, high-speed telecommunications lines (public and private),
cabling technologies, communications routers, modems, modem drivers,
channel service units (CSU)/data service units (DSU), and dial-up
networking applications software.
Additionally, this section applies to voting-related transmissions
over public networks, such as those provided by regional telephone
companies and long distance carriers. This section also applies to
private networks regardless of whether the network is owned and
operated by the election jurisdiction. For systems that transmit data
over public networks, this section applies to telecommunications
components installed and operated at settings supervised by election
officials, such as polling places or central offices.
Section 6--Security Standards: This section starts with an overview
that provides a description of a new approach to securing voting
systems called independent dual verification. The overview introduces
the concept of independent dual verification and explains several
approaches for achieving it. Appendix D further explores independent
dual verification. Independent dual verification is not required in
VVSG Version 1, but will be required in Version 2. Following the
overview are 3 new sections describing requirements for voter verified
paper audit trails, wireless technology and software distribution and
setup. The remainder of the section is unchanged from VSS-2002 and
describes the security capabilities for a voting system, encompassing
the system's hardware, software, communications, and documentation. The
requirements of this section recognize that no predefined set of
security Standards will address and defeat all conceivable or
theoretical threats. However, the Standards articulate requirements to
achieve acceptable levels of integrity, reliability, and inviolability.
Ultimately, the objectives of the security Standards for voting systems
are to:
Establish and maintain controls that can ensure that
accidents, inadvertent mistakes, and errors are minimized,
Protect the system from intentional manipulation and
fraud,
Protect the system from malicious mischief,
Identify fraudulent or erroneous changes to the system,
and
Protect secrecy in the voting process.
These Standards are intended to address a broad range of risks to
the integrity of a voting system. While it is not possible to identify
all potential risks, the Standards identify several types of risk that
must be addressed, including:
Unauthorized changes to system capabilities for defining
ballot formats, casting and recording votes, calculating vote totals
consistent with defined ballot formats, and reporting vote totals,
Alteration of voting system audit trails,
Altering a legitimately cast vote,
Preventing the recording of a legitimately cast vote,
Introducing data for a vote not cast by a registered
voter,
Changing calculated vote totals,
Preventing access to vote data, including individual votes
and vote totals, to unauthorized individuals, and
Preventing access to voter identification data and data
for votes cast by the voter such that an individual can determine the
content of specific votes cast by the voter.
Section 7--Quality Assurance: In the Standards, quality assurance
is a vendor function with associated practices that confirms throughout
the system development and maintenance life-cycle that a voting system
conforms with the Standards and other requirements of state and local
jurisdictions. Quality assurance focuses on building quality into a
system and reducing dependence on system tests at the end of the
life-cycle to detect deficiencies.
This section describes the responsibilities of the voting system
vendor for designing and implementing a quality assurance program to
ensure that the design, workmanship, and performance requirements of
the Standards are achieved in all delivered systems and components.
These responsibilities include:
Development of procedures for identifying and procuring
parts and raw materials of the requisite quality, and for their
inspection, acceptance, and control.
Documentation of hardware and software development
processes.
Identification and enforcement of all requirements for
in-process inspection and testing that the manufacturer deems necessary to
ensure proper fabrication and assembly of hardware, as well as
installation and operation of software or firmware.
Procedures for maintaining all data and records required
to document and verify the quality inspections and tests.
Section 8--Configuration Management: This section contains specific
requirements for configuration management of voting systems. For the
purposes of the Standards, configuration management is defined as a set
of activities and associated practices that assures full knowledge and
control of the components of a system, beginning with its initial
development, progressing throughout its development and construction,
and continuing with its ongoing maintenance and enhancement. This
section describes activities in terms of their purpose and outcomes. It
does not describe specific procedures or steps to be employed to
accomplish them--these are left to the vendor to select.
The requirements of this section address a broad set of record
keeping, audit, and reporting activities that include:
Identifying discrete system components,
Creating records of formal baselines of all components,
Creating records of later versions of components,
Controlling changes made to the system and its components,
Submitting new versions of the system to Independent Test
Authorities (ITAs),
Releasing new versions of the system to customers,
Auditing the system, including its documentation, against
configuration management records,
Controlling interfaces to other systems, and
Identifying tools used to build and maintain the system.
Vendors are required to submit documentation of these procedures to
the ITA as part of the Technical Data Package for system qualification
testing. Additionally, as articulated in state or local election laws,
regulations, or contractual agreements with vendors, authorized
election officials or their representatives reserve the right to
inspect vendor facilities and operations to determine conformance with
the vendor's reported configuration management procedures.
Section 9--Overview of Qualification Tests: This section provides
an overview for the qualification testing of voting systems.
Qualification testing is the process by which a voting system is shown
to comply with the requirements of the Standards and the requirements
of its own design and performance specifications. The testing also
evaluates the completeness of the vendor's developmental test program,
including the sufficiency of vendor tests conducted to demonstrate
compliance with stated system design and performance specifications,
and the vendor's documented quality assurance and configuration
management practices.
The qualification test process is intended to discover errors that,
should they occur in actual election use, could result in failure to
complete election operations in a satisfactory manner. This section
describes the scope of qualification testing, its applicability to
voting system components, documentation that must be submitted by
the vendor, and the flow of the test process. This section also
describes differences between the test process for initial
qualification testing of a system and the testing for modifications and
re-qualification after a qualified system has been modified.
Since 1994, the testing described in this section has been
performed by an ITA that is certified by NASED. For the future, HAVA
provides for EAC-accredited testing authorities. HAVA tasks the
Director of NIST to assist the EAC by recommending laboratories for EAC
accreditation. NIST's National Voluntary Laboratory Accreditation
Program (NVLAP) is developing a program to evaluate competent
laboratories. While laboratories are being evaluated for recommendation
by the Director, testing will continue to be done by the ITAs
previously certified by NASED. The testing may be conducted by one or
more ITAs for a given system, depending on the nature of tests to be
conducted and the expertise of the certified ITA. The testing process
involves the assessment of, but is not limited to:
Absolute correctness of all ballot processing software,
for which no margin for error exists,
Operational accuracy in the recording and processing of
voting data, as measured by the error rate articulated in Volume I,
Section 3,
Operational failure or the number of unrecoverable
failures under conditions simulating the intended storage, operation,
transportation, and maintenance environments for voting systems, using
an actual time-based period of processing test ballots,
System performance and function under normal and abnormal
conditions, and
Completeness and accuracy of the system documentation and
configuration management records to enable purchasing jurisdictions to
effectively install, test, and operate the system.
Summary of Volume II Content
Section 1--Introduction: This section provides an overview of
Volume II, addressing the following topics:
Objectives of Volume II,
General contents of Volume II,
Qualification testing focus,
Qualification testing sequence,
Evolution of testing, and
Outline of contents.
Section 2--Technical Data Package: This section contains a
description of vendor documentation relating to the voting system that
shall be submitted with the system as a precondition for qualification
testing. These items are necessary to define the product and its method
of operation; to provide the vendor's technical and test data
supporting its claims of the system's functional capabilities and
performance levels; and to document instructions and procedures
governing system operation and field maintenance. The content of the
Technical Data Package (TDP) shall contain a complete description of
the following information about the system:
[[Page 18933]]
Overall system design, including subsystems, modules, and
interfaces,
Specific functional capabilities,
Performance and design specifications,
Design constraints and compatibility requirements,
Personnel, equipment, and facilities necessary for system
operation, maintenance, and logistical support,
Vendor practices for assuring system quality during the
system's development and subsequent maintenance, and
Vendor practices for managing the configuration of the
system during development and for modifications to the system
throughout its life-cycle.
Section 3--Functionality Testing: This section contains a
description of the testing to be performed by the ITA to confirm the
functional capabilities of a voting system submitted for qualification
testing. It describes the scope and basis for functional testing and the
general sequence of tests within the overall test process, and provides
guidance on testing for accessibility. It also discusses testing of
functionality of systems that operate on personal computers.
Section 4--Hardware Testing: This section contains a description of
the testing to be performed by the ITAs to confirm the proper
functioning of the hardware components of a voting system submitted for
qualification testing. This section requires ITAs to design and perform
procedures that test the voting system hardware for both operating and
non-operating environmental tests. Hardware testing begins with non-
operating tests that require the use of an environmental test facility.
These are followed by operating tests that are performed partly in an
environmental facility and partly in a standard test laboratory or shop
environment. The non-operating tests are intended to evaluate the
ability of the system hardware to withstand exposure to various
environmental conditions incidental to voting system storage,
maintenance, and transportation. The procedures are based on test
methods contained in Military Standards (MIL-STD) 810D, modified where
appropriate, and include such tests as: Bench handling, vibration, low
and high temperature, and humidity.
The operating tests involve running the system for an extended
period of time under varying temperatures and voltages. This ensures
that the hardware meets or exceeds the minimum requirements for
reliability, data reading, and processing accuracy contained in Section
3 of Volume I. Although the procedure emphasizes equipment operability
and data accuracy, it is not an exhaustive evaluation of all system
functions. Moreover, the severity of the test conditions has in most
cases been reduced from that specified in the Military Standards to
reflect commercial, rather than military, practice.
Section 5--Software Testing: This section contains a description of
the testing to be performed by the ITAs to confirm the proper
functioning of the software components of a voting system submitted for
qualification testing. It describes the scope and basis for software
testing, the initial review of documentation to support software
testing, and the review of voting system source code.
The software qualification tests encompass a number of interrelated
examinations. The examinations include selective review of source code
for conformance with the vendor's stated standards, and other system
documentation provided by the vendor. The code inspection is
complemented by a series of functional tests to verify the proper
performance of all system functions controlled by the software.
Section 6--System Level Integration Testing: This section contains
a description of the testing conducted by the ITAs to confirm the
proper functioning of the fully integrated components of a voting
system submitted for qualification testing. It describes the scope and
basis for integration testing, testing of internal and external system
interfaces, testing of security capabilities, testing of accessibility
features, and the configuration audits, including the evaluation of
claims made in the system documentation.
System-level qualification tests address the integrated operation
of hardware, software and telecommunications capabilities (where
applicable) to assess the system's response to a range of both normal
and abnormal conditions in an attempt to compromise the system.
Section 7--Examination of Vendor Practices for Configuration
Management and Quality Assurance: This section contains a description
of examinations conducted by the ITAs to evaluate the extent to which
vendors meet the requirements for configuration management and quality
assurance. It describes the scope and basis for the examinations and
the general sequence of the examinations. It also provides guidance on
the substantive focus of the examinations.
In reviewing configuration management practices, the ITAs examine
the vendor's:
Configuration management policy,
Configuration identification policy,
Baseline, promotion and demotion procedures,
Configuration control procedures,
Release process and procedures, and
Configuration audit procedures.
In reviewing quality assurance practices, the ITAs examine the
vendor's:
Quality assurance policy,
Parts and materials tests and examinations,
Quality conformance plans, procedures and inspection
results, and
Voting system documentation.
Volume I, Section 1
Table of Contents
1 Introduction
1.1 Objectives and Usage of the Voting System Standards
1.2 Development History for Initial Standards
1.3 Update of the Standards
1.4 Accessibility for Individuals with Disabilities
1.5 Definitions
1.5.1 Voting System
1.5.2 Paper-Based Voting System
1.5.3 Direct Record Electronic (DRE) Voting System
1.5.4 Public Network Direct Record Electronic (DRE) Voting
System
1.5.5 Precinct Count Voting System
1.5.6 Central Count Voting System
1.6 Application of the Standards and Test Specifications
1.6.1 Qualification Tests
1.6.2 Certification Tests
1.6.3 Acceptance Tests
1.7 Conformance Clause
1.7.1 Scope and Applicability
1.7.2 Conformance Framework
1.7.2.1 Applicable entities
1.7.2.2 Relationship among entities
1.7.2.3 Conformance designations
1.7.3 Normative Language
1.7.4 Categorizing Requirements
1.7.5 Extensions
1.7.6 Implementation Statement
1.8 Outline of Contents
Introduction
1.1 Objectives and Usage of the Voting System Standards
State and local officials today are confronted with increasingly
complex voting system technology and an increased risk of voting system
failure. Responding to calls for assistance from the states, the United
States Congress authorized the Federal Election Commission (FEC) to
develop voluntary national voting systems standards for computer-based
systems. The resulting FEC Voting System Standards (``the
[[Page 18934]]
Standards'') seek to aid state and local election officials in ensuring
that new voting systems are designed to function accurately and
reliably, thus ensuring the system's integrity. States are free to
adopt the Standards in whole or in part. States may also choose to
enact stricter performance requirements for systems used in their
jurisdictions.
The Standards specify minimum functional requirements, performance
characteristics, documentation requirements, and test evaluation
criteria. For the most part, the Standards address what a voting system
should reliably do, not how system components should be configured to
meet these requirements. It is not the intent of the Standards to
impede the design and development of new, innovative equipment by
vendors. Furthermore, the Standards balance risk and cost by requiring
voting systems to have essential, but not excessive, capabilities.
The Standards are not intended to define appropriate election
administration practices. However, the total integrity of the election
process can only be ensured if implementation of the Standards is
coupled with effective election administration practices.
The Standards are intended for use by multiple audiences to support
their respective roles in the development, testing, and acquisition of
voting systems:
Authorities responsible for the analysis and testing of
such systems in support of qualification and/or certification of
systems for purchase within a designated jurisdiction;
State and local agencies evaluating voting systems to be
procured within their jurisdictions; and
Designers and manufacturers of voting systems.
1.2 Development History for Initial Standards
Much of the groundwork for the Standards' development was laid by a
national study conducted in 1975 by the National Bureau of Standards,
now known as the National Institute of Standards and Technology (NIST).
This study was requested by the FEC's Office of Election
Administration's predecessor, the Office of Federal Elections of the
General Accounting Office. The report, ``Effective Use of Computing
Technology in Vote-Tallying,'' made a number of recommendations bearing
directly on the Standards project. After analyzing computer-related
election problems encountered in the past, the report concluded that
one of the basic causes for these difficulties was the lack of
appropriate technical skill at the state and local level for developing
or implementing sophisticated and complex standards against which
voting system hardware and software could be tested.
Following the release of this report, Congress mandated that the
FEC, with the cooperation and assistance of the National Bureau of
Standards, study and report on the feasibility of developing
``voluntary engineering and procedural performance standards for voting
systems used in the United States.'' (2 U.S.C. 431 Note) The resulting
1983 study cited a substantial number of technical and managerial
problems that affected the integrity of the vote counting process. It
also asserted the need for a federal agency to develop national
performance standards that could be used as a tool by state and local
election officials in the testing, certification, and procurement of
computer-based voting systems. In 1984, Congress approved initial
funding for the Standards.
The FEC held a series of public hearings in developing the initial
Standards. State and local election officials, election system vendors,
technical consultants, and others reviewed drafts of the proposed
criteria. The FEC considered their many comments and made appropriate
revisions. Before final issuance, the FEC publicly announced the
availability of the latest draft of the Standards in the Federal
Register and requested that all interested parties submit final
comments. The FEC meticulously reviewed all responses to the notice and
incorporated corrections and suitable suggestions. Ultimately, the
final product was the result of considerable deliberation, close
consultation with election officials, and careful consideration of
comments from all interested parties.
In January 1990, the FEC issued the performance standards and
testing procedures for punchcard, marksense, and direct recording
electronic (DRE) voting systems. The Standards did not cover paper
ballot and mechanical lever systems because paper ballots are
sufficiently self-explanatory not to require technical standards and
mechanical lever systems are no longer manufactured or sold in the
United States. The FEC also did not incorporate requirements for
mainframe computer hardware because it was reasonable to assume that
sufficient engineering and performance criteria already governed the
operation of mainframe computers. However, vote tally software
installed on mainframes is covered by the Standards.
1.3 Update of the Standards
Today, over two-thirds of the States have adopted the Standards in
whole or in part. As a result, the voting systems marketed today are
dramatically improved. Election officials are better assured that the
voting systems they procure will work accurately and reliably. Voting
system failures are declining and now primarily involve pre-Standard
equipment, untested equipment configurations, or the mismanagement of
tested equipment. Overall, systems integrity and the election processes
have improved markedly.
However, advances in voting technology, legislative changes, and
the proliferation of electronic voting systems make an update of the
Standards necessary. The industry has been marked by widespread
integration of personal computer technology and non-mainframe servers
into DRE voting systems.
In addition, voting systems need to be responsive to the Americans
with Disabilities Act (ADA) of 1990 and guidelines developed to assist
in implementing the ADA.
1.4 Accessibility for Individuals With Disabilities
Voters and election officials who use voting systems represent a
broad spectrum of the population, and include individuals with
disabilities who may have difficulty using traditional voting systems.
In developing accessibility provisions for the Standards, the FEC
requested assistance from the Access Board, the federal agency in the
forefront of promulgating accessibility provisions. The Access Board
submitted technical standards designed to meet the diverse needs of
voters with a broad range of disabilities. The FEC has adopted the
entirety of the Access Board's recommendations and incorporated them
into the Standards. These recommendations comprise the bulk of the
accessibility provisions found in Section 2.2.7. Implementing these
provisions, however, will not entirely eliminate the need to
accommodate the needs of some disabled voters by human interface.
The FEC anticipates that during the lifetime of this version of the
Standards increased obligations will be placed upon election officials
at every jurisdictional level to provide voting equipment tailored to
meet the needs of voters with disabilities. To facilitate jurisdictions
in meeting accessibility needs, the Standards mandate that every voting
system incorporate some accessible voting capabilities. The
[[Page 18935]]
Standards also mandate that systems incorporating a DRE component meet
specific technological requirements. To do so, it is anticipated that a
vendor will have to either configure all of the system's voting
stations to meet the accessibility specifications or will have to
design a unique station that conforms to the accessibility requirements
and is part of the overall voting system configuration.
Under no circumstances should compliance with requirements for
accessibility be viewed as mutually exclusive from compliance with any
other provision of the Standards. If a voting system contains a machine
uniquely designed to meet the accessibility requirements, such a
machine will be tested for compliance with the accessibility
requirements, as well as for compliance with all of the DRE standards,
in order to ensure that an accessible machine does not unintentionally
abrogate the mandates of the Standards.
1.5 Definitions
The Standards contain terms describing function, design,
documentation, and testing attributes of equipment and computer
programs. Unless otherwise specified, the intended sense of technical
terms is that which is commonly used by the information technology
industry. In some cases terminology is specific to elections or voting
systems, and a glossary of those terms is contained in Appendix A.
Nontechnical terms not listed in Appendix A shall be interpreted
according to their standard dictionary definitions.
Additionally, the following terms are defined below:
Voting system;
Paper-based voting system;
Direct record electronic (DRE) voting system;
Public network direct record electronic (DRE) voting
system;
Precinct count voting system; and
Central count voting system.
1.5.1 Voting System
A voting system is a combination of mechanical, electromechanical,
or electronic equipment. It includes the software required to program,
control, and support the equipment that is used to define ballots; to
cast and count votes; to report and/or display election results; and to
maintain and produce all audit trail information. A voting system may
also include the transmission of results over telecommunication
networks.
Additionally, a voting system includes the associated documentation
used to operate the system, maintain the system, identify system
components and their versions, test the system during its development
and maintenance, maintain records of system errors and defects, and
determine specific changes made after system qualification. By
definition, this includes all documentation required in Section 9.4.
Traditionally, a voting system has been defined by the mechanism
the system uses to cast votes and further categorized by the location
where the system tabulates ballots. However, the Standards recognize
that as the industry develops unique solutions to various challenges
and as voting systems become more responsive to the needs of election
officials and voters, the rigid dichotomies between voting system types
may be blurred. Innovations that use a fluid understanding of system
types can greatly improve the voting system industry, but only if
controls are in place to monitor and control integrity through the
proper evaluation of the system brought for qualification.
As such, vendors that submit a system that integrates components
from more than one traditional system type or a system that includes
components not addressed in this Standard shall submit the results of
all beta tests of the new system. Vendors also shall submit a proposed
test plan to the appropriate independent test authority recognized by
the National Association of State Election Directors (NASED) to conduct
national qualification testing of voting systems. The Standards permit
vendors to produce or utilize interoperable components of a voting
system that are tested within the full voting system configuration.
1.5.2 Paper-Based Voting System
A Paper-Based Voting System (referred to in the initial Standards
as a Punchcard and Marksense [P&M] Voting System) records votes, counts
votes, and produces a tabulation of the vote count from votes cast on
paper cards or sheets. A punchcard voting system allows a voter to
record votes by means of holes punched in designated voting response
locations. A marksense voting system allows a voter to record votes by
means of marks made by the voter directly on the ballot, usually in
voting response locations. Additionally, a paper-based system may
record votes using other approaches whereby the voter's selections are
indicated by marks made on a paper ballot by an electronic input
device, as long as such an input device does not independently record,
store, or tabulate the voter's selections.
1.5.3 Direct Record Electronic (DRE) Voting System
A Direct Record Electronic (DRE) Voting System records votes by
means of a ballot display provided with mechanical or electro-optical
components that can be activated by the voter; that processes data by
means of a computer program; and that records voting data and ballot
images in memory components. It produces a tabulation of the voting
data stored in a removable memory component and as printed copy. The
system may also provide a means for transmitting individual ballots or
vote totals to a central location for consolidating and reporting
results from precincts at the central location.
1.5.4 Public Network Direct Record Electronic (DRE) Voting System
A Public Network Direct Record Electronic (DRE) Voting System is an
election system that uses electronic ballots and transmits vote data
from the polling place to another location over a public network as
defined in Section 5.1.2. Vote data may be transmitted as individual
ballots as they are cast, periodically as batches of ballots throughout
the Election Day, or as one batch at the close of voting. For purposes
of the Standards, Public Network DRE Voting Systems are considered a
form of DRE Voting System and are subject to the standards applicable
to DRE Voting Systems. However, because transmitting vote data over
public networks relies on equipment beyond the control of the election
authority, the system is subject to additional threats to system
integrity and availability. Therefore, additional requirements
discussed in Sections 5 and 6 apply.
The use of public networks for transmitting vote data must provide
the same level of integrity as other forms of voting systems, and must
be accomplished in a manner that precludes three risks to the election
process: Automated casting of fraudulent votes, automated manipulation
of vote counts, and disruption of the voting process such that the
system is unavailable to voters during the time period authorized for
system use.
1.5.5 Precinct Count Voting System
A Precinct Count Voting System is a voting system that tabulates
ballots at the polling place. These systems typically tabulate ballots
as they are cast and print the results after the close of polling. For
DREs, and for some paper-based systems, these systems provide
[[Page 18936]]
electronic storage of the vote count and may transmit results to a
central location over public telecommunication networks.
1.5.6 Central Count Voting System
A Central Count Voting System is a voting system that tabulates
ballots from multiple precincts at a central location. Voted ballots
are typically placed into secure storage at the polling place. Stored
ballots are transported or transmitted to a central counting place. The
systems produce a printed report of the vote count, and may produce a
report stored on electronic media.
1.6 Application of the Standards and Test Specifications
The Standards apply to all system hardware, software,
telecommunications, and documentation intended for use to:
Prepare the voting system for use in an election;
Produce the appropriate ballot formats;
Test that the voting system and ballot materials have been
properly prepared and are ready for use;
Record and count votes;
Consolidate and report results;
Display results on-site or remotely; and
Maintain and produce all audit trail information.
In general, the Standards define functional requirements and
performance characteristics that can be assessed by a series of defined
tests. Standards are mandatory requirements and are designated by use
of the term ``shall.''
Some voting systems use one or more readily available commercial
off-the-shelf (COTS) devices (such as card readers, printers, or
personal computers) or software products (such as operating systems,
programming language compilers, or database management systems). COTS
devices and software are exempted from certain portions of the
qualification testing process as defined herein, as long as such
products are not modified for use in a voting system.
Generally, voting systems are subject to the following three
testing phases prior to being purchased or leased:
Qualification tests;
State certification tests; and
State and/or local acceptance tests.
1.6.1 Qualification Tests
Qualification tests validate that a voting system meets the
requirements of the Standards and performs according to the vendor's
specifications for the system. Such tests encompass the examination of
software; the inspection and evaluation of system documentation; tests
of hardware under conditions simulating the intended storage,
operation, transportation, and maintenance environments; operational
tests to validate system performance and function under normal and
abnormal conditions; and examination of the vendor's system
development, testing, quality assurance, and configuration management
practices. Qualification tests address individual system components or
elements, as well as the integrated system as a whole.
Since 1994, qualification tests for voting systems have been
performed by Independent Test Authorities (ITAs) certified by the
National Association of State Election Directors (NASED). NASED has
certified an ITA for either the full scope of qualification testing or
a distinct subset of the total scope of testing. To date, ITAs have
been certified only for distinct subsets of testing. Upon the
successful completion of testing by an ITA, the ITA issues a
Qualification Test Report to the vendor and NASED. The qualification
test report remains valid for as long as the voting system remains
unchanged.
Upon receipt of test reports that address the full scope of
testing, NASED issues a Qualification Number that indicates the system
has been tested by certified ITAs for compliance with the Standards and
qualifies for the certification process of states that have adopted the
Standards. The Qualification Number applies to the system as a whole,
and does not apply to individual system components or untested
configurations.
After a system has completed qualification testing, further
examination of a system is required if modifications are made to
hardware, software, or telecommunications, including the installation
of software on different hardware. Vendors request review of
modifications by the appropriate ITA based on the nature and scope of
changes made and the scope of the ITA's role in NASED qualification.
The ITA will determine the extent to which the modified system should
be resubmitted for qualification testing and the extent of testing to
be conducted.
Generally, a voting system remains qualified under the standards
against which it was tested, as long as no modifications not approved
by an ITA are made to the system. However, if a new threat to a
particular voting system is discovered, it is the prerogative of NASED
to determine which qualified voting systems are vulnerable, whether
those systems need to be retested, and the specific tests to be
conducted. In addition, when new standards supersede the standards
under which the system was qualified, it is the prerogative of NASED to
determine when systems that were qualified under the earlier standards
will lose their qualification, unless they are tested to meet current
standards.
Among other things, qualification testing complements and evaluates
the vendor's developmental testing and beta testing. The ITA is
expected to evaluate the completeness of the vendor's developmental
test program, including the sufficiency of vendor tests conducted to
demonstrate compliance with the Standards as well as the system's
performance specifications. The ITA undertakes sample testing of the
vendor's test modules and also designs independent system-level tests
to supplement and check those designed by the vendor. Although some of
the qualification tests are based on those prescribed in the Military
Standards, in most cases the test conditions are less stringent,
reflecting commercial, rather than military, practice.
1.6.2 Certification Tests
Certification tests are performed by individual states, with or
without the assistance of outside consultants, to:
Confirm that the voting system presented is the same as
the one qualified through the Standards;
Test for the proper implementation of state-specific
requirements;
Establish a baseline for future evaluations or tests of
the system, such as acceptance testing or state review after
modifications have been made; and
Define acceptance tests.
Precise certification test scripts are not included in the
Standards, as they must be defined by the state, with its laws,
election practices, and needs in mind. However, it is recommended that
they not duplicate qualification tests, but instead focus on functional
tests and qualitative assessment to ensure that the system operates in
a manner that is acceptable under state law. If a voting system is
modified after state certification, it is recommended that States
reevaluate the system to determine if further certification testing is
warranted.
Certification tests performed by individual states typically rely
on information contained in documentation provided by the vendor for
system design, installation, operations, required facilities and
supplies, personnel support and other aspects of the voting system.
States and jurisdictions may define information and documentation
requirements additional to those defined in the
[[Page 18937]]
Standards. By design, the Standards, and qualification testing of
voting systems for compliance with the Standards, do not address these
additional requirements. However, qualification testing addresses all
capabilities of a voting system stated by the vendor in the system
documentation submitted to an ITA, including additional capabilities
that are not required by the Standards.
1.6.3 Acceptance Tests
Acceptance tests are performed at the state or local jurisdiction
level upon system delivery by the vendor to:
- Confirm that the system delivered is the specific system
  qualified by NASED and, when applicable, certified by the state;
- Evaluate the degree to which delivered units conform to
  both the system characteristics specified in the procurement
  documentation, and those demonstrated in the qualification and
  certification tests; and
- Establish a baseline for any future required audits of the
  system.
Some of the operational tests conducted during qualification may be
repeated during acceptance testing.
1.7 Conformance Clause
1.7.1 Scope and Applicability
The Voluntary Voting System Guidelines (VVSG) define requirements
for conformance of voting systems. Conformance is defined in terms of
requirements that voting system vendors claiming conformance to these
Guidelines shall meet. The VVSG also provides the framework,
procedures, and requirements that testing authorities responsible for
the qualification of voting systems shall follow in order to qualify a
voting system for EAC certification. The requirements and procedures in
the VVSG may also be used by States to certify voting systems. To
ensure that correct voting system software has been distributed without
modification, the VVSG includes requirements for a national software
repository. Finally, the VVSG provides guidance in the form of best
practices to voting officials. These best practices are not mandated
and are not subject to testing by testing authorities to qualify voting
systems. They are provided as adjuncts to the technical requirements
for voting systems in order to ensure the integrity of the voting
process and to assist States in properly setting up, deploying, and
operating voting systems.
The Voluntary Voting System Guidelines define the minimum
requirements for voting systems and the process of testing voting
systems. The guidelines are intended for use by:
1. Designers and manufacturers of voting systems,
2. Testing authorities responsible for the analysis and testing of
voting systems in support of qualification of systems for purchase
within a designated jurisdiction,
3. National software repositories, either maintained by the
National Institute of Standards and Technology (NIST) or other EAC
designated repository,
4. (Optionally) Voting officials, including election judges, poll
workers, ballot designers and officials responsible for the
installation, operation, and maintenance of voting machines, and
5. (Optionally) testing authorities responsible for the State
certification of voting systems.
Minimum requirements specified in these guidelines include:
- Functional requirements,
- Performance characteristics,
- Documentation requirements,
- Test evaluation criteria, and
- Procedural requirements.
1.7.2 Conformance Framework
This section provides the framework in which conformance is
defined. It identifies the entities to which these guidelines apply,
the relationship among the various entities and these guidelines, the
structure of requirements, and the terminology used to indicate
conformance.
1.7.2.1 Applicable Entities
The requirements, prohibitions, options, and guidance specified in
these guidelines apply to voting systems, voting system vendors,
testing authorities, and repositories.
In general, requirements for designers and manufacturers of voting
systems in these guidelines apply to all voting systems, unless
prefaced with explanatory narrative describing unique applicability.
Other terms in these guidelines shall be construed as synonymous with
``all voting systems.'' They are:
- ``all systems,''
- ``systems,''
- ``the system,''
- ``the voting system,'' and
- ``each voting system.''
The term ``voting system vendor'' imposes documentation or testing
requirements on voting systems, via the manufacturer or vendor. Other
terms in these guidelines shall be construed as synonymous with
``voting system vendor.'' They are:
- ``vendors,''
- ``the vendor,''
- ``manufacturer or vendor,''
- ``voting system designers,'' and
- ``implementer.''
The terms used to designate requirements and procedural guidelines
for testing authorities are indicated by referring to Independent
Testing Authority (ITA) and EAC accredited testing authority. Under
HAVA, ITAs have been replaced by EAC accredited testing authorities. In
these guidelines, EAC accredited testing authority and ITA shall be
considered equivalent. In addition, the National Association of State
Election Directors (NASED) activities specified in these guidelines
shall be performed by the Election Assistance Commission (EAC).
The term ``repository'' will be used to designate requirements
levied on the national software repository maintained at NIST or any
other EAC designated repository. The repository maintained at NIST is
called the National Software Reference Library (NSRL).
Guidance and best practices for voting officials are indicated by
the notation ``Best Practices for Voting Officials'' preceding the best
practice statement.
1.7.2.2 Relationship Among Entities
Although conformance is defined for voting systems, it is the
voting system vendor that needs to implement these requirements and
provide the necessary documentation with the system. In order to claim
conformance to the Voluntary Voting System Guidelines, the voting
system vendor shall satisfy the minimum requirements specified in the
VVSG, including implementation of functionality, prescribed software
coding and assurance practices, and preparation of the Technical Data
Package (TDP). In order to claim that a voting system is qualified, the
voting system vendor shall satisfy the requirements for qualification
testing and successfully complete the test campaign with an ITA/testing
authority.
An ITA/EAC accredited test authority shall satisfy the requirements
for conducting qualification testing. The ITA/EAC accredited test
authority may use an operational environment that is derived from the
VVSG best practice guidelines for voting officials as part of their
testing to ensure that the voting system can be configured and operated
in a secure and reliable manner according to the voting system vendor's
documentation and as specified by the VVSG. Additionally, the ITA/EAC
accredited test authority shall coordinate and deliver the requisite
documentation to the EAC and copies of voting system software to the
repository. Note that in the VVSG, these
[[Page 18938]]
requirements and the relationship between the ITA/EAC accredited test
authority and the certification authority is with NASED, not the EAC.
The EAC is assuming the responsibility for certification of voting
systems from NASED.
The VVSG provides guidance denoted as ``Best Practices for Voting
Officials.'' This guidance may be used to allow jurisdictions to
incorporate appropriate procedures to help ensure that their voting
systems are reliable, accessible, usable, and secure. Furthermore, this
guidance may be used in training and incorporated into written
procedures for properly conducting the election and operating voting
systems.
Figure 1 provides an illustration of these relationships.
[GRAPHIC] [TIFF OMITTED] TN12AP06.018
1.7.2.3 Structure of Requirements
Sections of this document that augment the VSS-2002, by either
replacing VSS-2002 sections or adding new sections, are indicated by
line numbers, footer information (i.e., New Material, date, etc.) at
the bottom of pages with new material, and hierarchically structured
requirements. Each requirement is numbered according to a hierarchical
scheme in which higher-level requirements (such as ``provide
accessibility for blind voters'') are supported by lower-level
requirements (``provide an audio-tactile interface''). Thus,
requirements are contained (i.e., nested) within other requirements. A
nested requirement or lower-level requirement is a `child' to its
`parent' or higher-level requirement.
Some of these requirements are directly testable and some are not.
The latter tend to be higher-level and are included because (1) they
are testable indirectly insofar as their lower-level, children
requirements are testable, and (2) they often provide the structure and
rationale for the lower-level requirements. Satisfying the lower-level
requirement will result in satisfying its higher-level `parent'
requirement.
1.7.2.4 Conformance Designations
A voting system conforms if all the mandatory requirements that
apply to the voting system are fulfilled. An implementation statement
(see Section 1.7.6) or similar mechanism is used to describe the
capabilities, features and optional functions that have been
implemented and are subject to conformance and qualification testing.
There is no concept of partial conformance; for example, a voting
system cannot be ``80% conforming.''
1.7.3 Normative Language
The following keywords are used to convey conformance requirements.
- Shall--to indicate a mandatory requirement to be followed
  (implemented) in order to conform. Synonymous with ``is required to.''
- Is prohibited--to indicate a mandatory requirement that
  indicates something that is not permitted (allowed), in order to
  conform. Synonymous with ``shall not.''
- Should, Is encouraged--to indicate an optional recommended
  action, one that is particularly suitable, without mentioning or
  excluding others. Synonymous with ``is permitted and recommended.''
- May--to indicate an optional, permissible action.
  Synonymous with ``is permitted.''
Normative text is directly applicable to achieving conformance to
this document. Informative parts of this document include examples,
extended explanations, and other matter that contains information
necessary for proper understanding of the VVSG and conformance to it.
Some sections in the VVSG have narrative text prefixed by the keywords:
Discussion or Best Practices for Voting Officials. This text is
informative and has no bearing on conformance.
[[Page 18939]]
1.7.4 Categorizing Requirements
In addition to defining a common set of requirements that apply to
all voting systems, the VVSG categorizes some requirements into related
groups of functionality to address equipment type, ballot tabulation
location, and voting system component (e.g., election management
system). Hence, not all requirements apply to all voting systems.
Specifically, if a category is not applicable to a voting system, then
the requirements in that category are not applicable. For example,
requirements categorized as ``DRE Systems'' (as in Volume I, Section
2.4.9) are not applicable to paper-based voting systems and thus are
ignored by paper-based systems.
Among the categories defined in the VVSG are two types of voting
systems with respect to mechanisms to cast votes--Paper-Based Voting
Systems and Direct Record Electronic (DRE) Voting Systems.
Additionally, voting systems are further categorized, in these
guidelines, by the locations where ballots are tabulated--Precinct
Count Voting Systems, which tabulate ballots at the polling place, and
Central Count Voting Systems, which tabulate ballots from multiple
precincts at a central location. The VVSG defines specific requirements
for systems that fall within these four categories as well as various
combinations of these categories.
Other categories for which requirements are defined include:
election management systems (EMS), methods of independent verification,
and telecommunication components.
1.7.5 Extensions
Extensions are additional functions, features, and/or capabilities
included in a voting system that are not required by the VVSG. To
accommodate the needs of States that may impose additional requirements
beyond those listed in these guidelines and to accommodate changes in
technology, these guidelines allow extensions. Thus, a voting system
may include extensions and still be conformant to the VVSG. The use of
extensions shall not contradict nor cause the nonconformance of
functionality defined in the VVSG.
1.7.6 Implementation Statement
An implementation statement provides information about a voting
system, by documenting the requirements that have been implemented by
the voting system. It can also be used to highlight optional features
and capabilities supported by the voting system, as well as to document
any extensions (i.e., additional functionality beyond what is required
in the standard). An implementation statement may take the form of a
checklist, to be completed for each voting system for which a claim of
conformance to the VVSG or subset of the VVSG is desired.
An implementation statement provides a concise summary and a quick
overview of requirements that have been implemented. The implementation
statement may also be used to identify the subset of a test suite that
would be applicable to the voting system being tested.
If an implementation statement is provided, it shall include
identifying information about the voting system, including at a minimum
versioning and date information. Additionally, a narrative description
of the voting system shall be included in the implementation statement.
1.8 Outline of Contents
The organization of the Standards has been simplified to facilitate
its use. Volume I, Voting System Performance Standards, is intended for
use by the broadest audience, including voting system developers,
equipment manufacturers and suppliers, independent test authorities,
local agencies that purchase and deploy voting systems, state
organizations that certify a system prior to procurement by a local
jurisdiction, and public interest organizations that have an interest
in voting systems and voting systems standards.
- Section 2 describes the functional capabilities required
  of voting systems.
- Sections 3 through 6 describe specific performance
  standards for election system hardware, software, telecommunications
  and security, respectively.
- Sections 7 and 8 describe practices for quality assurance
  and configuration management, respectively, to be used by vendors, and
  required information about vendor practices that will be reviewed in
  concert with system qualification and certification test processes and
  system purchase decisions.
- Section 9 provides an overview of the test and measurement
  process used by test authorities for qualification and re-qualification
  of voting systems.
- Appendix A provides a glossary of important terms used in
  Volume I.
- Appendix B lists the publications that were used for
  guidance in the preparation of the Standards. These publications
  contain information that is useful in interpreting and complying with
  the requirements of the Standards.
- Appendix C addresses issues of usability of voting
  systems, commonly referred to as ``human factors.'' This appendix does
  not represent mandates that voting systems will be tested against, but
  rather contains recommendations and best practices on usability issues
  designed to provide vendors and election officials with guidance on
  designing and procuring systems that are easy and intuitive to use by
  voters.
Volume II, Voting System Qualification Testing Standards, describes
the standards for the technical information submitted by the vendor to
support testing; the development of test plans by the ITA for initial
system testing and testing of system modifications; the conduct of
system qualification tests by the ITA; and the test reports generated
by the ITA. This volume complements the content of Volume I and is
intended primarily for use by ITAs, state organizations that certify a
system, and vendors.
Volume I, Section 2
Table of Contents
2 Functional Capabilities
2.1 Scope
2.2 Overall System Capabilities
2.2.1 Security
2.2.2 Accuracy
2.2.2.1 Common Standards
2.2.2.2 DRE System Standards
2.2.3 Error Recovery
2.2.4 Integrity
2.2.4.1 Common Standards
2.2.4.2 DRE Systems Standards
2.2.5 System Audit
2.2.5.1 System Audit Purpose and Context
2.2.5.2 Operational Requirements
2.2.5.3 COTS General Purpose Computer System Requirements
2.2.6 Election Management System
2.2.7 Human Factors
2.2.7.1 Accessibility
2.2.7.2 Limited English Proficiency
2.2.7.3 Usability
2.2.7.4 Privacy
2.2.8 Vote Tabulating Program
2.2.8.1 Functions
2.2.8.2 Voting Variations
2.2.9 Ballot Counter
2.2.10 Telecommunications
2.2.11 Data Retention
2.3 Pre-Voting Functions
2.3.1 Ballot Preparation
2.3.1.1 General Capabilities
2.3.1.2 Ballot Formatting
2.3.1.3 Ballot Production
2.3.2 Election Programming
2.3.3 Ballot and Program Installation and Control
2.3.4 Readiness Testing
2.3.4.1 Common Standards
2.3.4.2 Paper-Based Systems
2.3.5 Verification at the Polling Place
2.3.6 Verification at the Central Location
2.4 Voting Functions
2.4.1 Opening the Polls
2.4.1.1 Opening the Polling Place (Precinct Count Systems)
[[Page 18940]]
2.4.1.2 Paper-Based System Standards
2.4.1.3 DRE System Standards
2.4.2 Activating the Ballot (DRE Systems)
2.4.3 Casting a Ballot
2.4.3.1 Common Standards
2.4.3.2 Paper-Based Systems Standards
2.4.3.3 DRE Systems Standards
2.5 Post-Voting Functions
2.5.1 Closing the Polling Place (Precinct Count)
2.5.2 Consolidating Vote Data
2.5.3 Producing Reports
2.5.3.1 Common Standards
2.5.3.2 Precinct Count Systems
2.5.4 Broadcasting Results
2.6 Maintenance, Transportation, and Storage
Functional Capabilities
2.1 Scope
This section contains standards detailing the functional
capabilities required of a voting system. This section sets out
precisely what it is that a voting system is required to do. In
addition, this section sets forth the minimum actions a voting system
must be able to perform to be eligible for qualification.
For organizational purposes, functional capabilities are
categorized by the phase of election activity in which they are
required:
- Overall Capabilities: These functional capabilities apply
  throughout the election process. They include security, accuracy,
  integrity, system auditability, election management system, vote
  tabulation, ballot counters, telecommunications, and data retention.
- Pre-voting Capabilities: These functional capabilities are
  used to prepare the voting system for voting. They include ballot
  preparation, the preparation of election-specific software (including
  firmware), the production of ballots or ballot pages, the installation
  of ballots and ballot counting software (including firmware), and
  system and equipment tests.
- Voting Capabilities: These functional capabilities include
  all operations conducted at the polling place by voters and officials
  including the generation of status messages.
- Post-voting Capabilities: These functional capabilities
  apply after all votes have been cast. They include closing the polling
  place; obtaining reports by voting machine, polling place, and
  precinct; obtaining consolidated reports; and obtaining reports of
  audit trails.
- Maintenance, Transportation and Storage Capabilities: These
  capabilities are necessary to maintain, transport, and store voting
  system equipment.
In recognition of the diversity of voting systems, the Standards
apply specific requirements to specific technologies. Some of the
Standards apply only if the system incorporates certain optional
functions (for example, voting systems employing telecommunications to
transmit voting data). For each functional capability, common standards
are specified. Where necessary, common standards are followed by
standards applicable to specific technologies (i.e., paper-based or
DRE) or intended use (i.e., central or precinct count).
2.2 Overall System Capabilities
This section defines required functional capabilities that are
system-wide in nature and not unique to pre-voting, voting, and post-
voting operations. All voting systems shall provide the following
functional capabilities:
- Security;
- Accuracy;
- Error recovery;
- Integrity;
- System auditability;
- Election management system;
- Accessibility;
- Vote tabulating;
- Ballot counters; and
- Data Retention.
Voting systems may also include telecommunications components.
Technical standards for these capabilities are described in Sections 3
through 6 of the Standards.
2.2.1 Security
System security is achieved through a combination of technical
capabilities and sound administrative practices. To ensure security,
all systems shall:
a. Provide security access controls that limit or detect access to
critical system components to guard against loss of system integrity,
availability, confidentiality, and accountability.
b. Provide system functions that are executable only in the
intended manner and order, and only under the intended conditions.
c. Use the system's control logic to prevent a system function from
executing if any preconditions to the function have not been met.
d. Provide safeguards to protect against tampering during system
repair, or interventions in system operations, in response to system
failure.
e. Provide security provisions that are compatible with the
procedures and administrative tasks involved in equipment preparation,
testing, and operation.
f. If access to a system function is to be restricted or
controlled, the system shall incorporate a means of implementing this
capability.
g. Provide documentation of mandatory administrative procedures for
effective system security.
2.2.2 Accuracy
Memory hardware, such as semiconductor devices and magnetic storage
media, must be accurate. The design of equipment in all voting systems
shall provide for the highest possible levels of protection against
mechanical, thermal, and electromagnetic stresses that impact system
accuracy. Section 3 provides additional information on susceptibility
requirements.
2.2.2.1 Common Standards
To ensure vote accuracy, all systems shall:
a. Record the election contests, candidates, and issues exactly as
defined by election officials;
b. Record the appropriate options for casting and recording votes;
c. Record each vote precisely as indicated by the voter and be able
to produce an accurate report of all votes cast;
d. Include control logic and data processing methods incorporating
parity and check-sums (or equivalent error detection and correction
methods) to demonstrate that the system has been designed for accuracy;
and
e. Provide software that monitors the overall quality of data read-
write and transfer quality status, checking the number and types of
errors that occur in any of the relevant operations on data and how
they were corrected.
2.2.2.2 DRE System Standards
As an additional means of ensuring accuracy in DRE systems, voting
devices shall record and retain redundant copies of the original ballot
image. A ballot image is an electronic record of all votes cast by the
voter, including undervotes.
2.2.3 Error Recovery
To recover from a non-catastrophic failure of a device, or from any
error or malfunction that is within the operator's ability to correct,
the system shall provide the following capabilities:
a. Restoration of the device to the operating condition existing
immediately prior to the error or failure, without loss or corruption
of voting data previously stored in the device;
b. Resumption of normal operation following the correction of a
failure in a memory component, or in a data processing component,
including the central processing unit; and
c. Recovery from any other external condition that causes equipment
to become inoperable, provided that catastrophic electrical or
mechanical damage due to external phenomena has not occurred.
[[Page 18941]]
2.2.4 Integrity
Integrity measures ensure the physical stability and function of
the vote recording and counting processes.
2.2.4.1 Common Standards
To ensure system integrity, all systems shall:
a. Protect, by a means compatible with these Standards, against a
single point of failure that would prevent further voting at the
polling place;
b. Protect against the interruption of electronic power;
c. Protect against generated or induced electromagnetic radiation;
d. Protect against ambient temperature and humidity fluctuations;
e. Protect against the failure of any data input or storage device;
f. Protect against any attempt at improper data entry or retrieval;
g. Record and report the date and time of normal and abnormal
events;
h. Maintain a permanent record of all original audit data that
cannot be modified or overridden but may be augmented by designated
authorized officials in order to adjust for errors or omissions (e.g.,
during the canvassing process);
i. Detect and record every event, including the occurrence of an
error condition that the system cannot overcome, and time-dependent or
programmed events that occur without the intervention of the voter or a
polling place operator; and
j. Include built-in measurement, self-test, and diagnostic software
and hardware for detecting and reporting the system's status and degree
of operability.
2.2.4.2 DRE Systems Standards
In addition to the common standards, DRE systems shall:
a. Maintain a record of each ballot cast using a process and
storage location that differs from the main vote detection,
interpretation, processing, and reporting path; and
b. Provide a capability to retrieve ballot images in a form
readable by humans.
2.2.5 System Audit
This section describes the context and purpose of voting system
audits and sets forth specific functional requirements. Additional
technical audit requirements are set forth in Section 4.
2.2.5.1 System Audit Purpose and Context
Election audit trails provide the supporting documentation for
verifying the correctness of reported election results. They present a
concrete, indestructible archival record of all system activity related
to the vote tally, and are essential for public confidence in the
accuracy of the tally, for recounts, and for evidence in the event of
criminal or civil litigation.
The following audit trail requirements are based on the premise
that system-generated creation and maintenance of audit records reduces
the chance of error associated with manually generated audit records.
Because most audit capability is automatic, the system operator has
less information to track and record, and is less likely to make
mistakes or omissions.
The sections that follow present operational requirements critical
to acceptable performance and reconstruction of an election.
Requirements for the content of audit records are described in Section
4 of the Standards.
The requirements for all system types, both precinct and central
count, are described in generic language. Because the actual
implementation of specific characteristics may vary from system to
system, it is the responsibility of the vendor to describe each
system's characteristics in sufficient detail that ITAs and system
users can evaluate the adequacy of the system's audit trail. This
description shall be incorporated in the System Operating Manual, which
is part of the Technical Data Package (TDP).
Documentation of items such as paper ballots delivered and
collected, administrative procedures for system security, and
maintenance performed on voting equipment are also part of the election
audit trail, but are not covered in these technical standards. Future
volumes of the Standards will address these and other system operations
practices. In the interim, useful guidance is provided by the
Innovations in Election Administration #10, Ballot Security and
Accountability, available from the FEC's Office of Election
Administration.
2.2.5.2 Operational Requirements
Audit records shall be prepared for all phases of elections
operations performed using devices controlled by the jurisdiction or
its contractors. These records rely upon automated audit data
acquisition and machine-generated reports, with manual input of some
information. These records shall address the ballot preparation and
election definition phase, system readiness tests, and voting and
ballot-counting operations. The software shall activate the logging and
reporting of audit data as described in the following sections.
2.2.5.2.1 Time, Sequence, and Preservation of Audit Records
The timing and sequence of audit record entries is as important as
the data contained in the record. All voting systems shall meet the
following requirements for time, sequence and preservation of audit
records:
a. Except where noted, systems shall provide the capability to
create and maintain a real-time audit record. This capability records
and provides the operator or precinct official with continuous updates
on machine status. This information allows effective operator
identification of an error condition requiring intervention, and
contributes to the reconstruction of election-related events necessary
for recounts or litigation.
b. All systems shall include a real-time clock as part of the
system's hardware. The system shall maintain an absolute record of the
time and date or a record relative to some event whose time and date
are known and recorded.
c. All audit record entries shall include the time-and-date stamp.
d. The audit record shall be active whenever the system is in an
operating mode. This record shall be available at all times, though it
need not be continually visible.
e. The generation of audit record entries shall not be terminated
or altered by program control, or by the intervention of any person.
The physical security and integrity of the record shall be maintained
at all times.
f. Once the system has been activated for any function, the system
shall preserve the contents of the audit record during any interruption
of power to the system until processing and data reporting have been
completed.
g. The system shall be capable of printing a copy of the audit
record. A separate printer is not required for the audit record, and
the record may be produced on the standard system printer if all the
following conditions are met:
(1) The generation of audit trail records does not interfere with
the production of output reports;
(2) The entries can be identified so as to facilitate their
recognition, segregation, and retention; and
(3) The audit record entries are kept physically secure.
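The following Python sketch is an added example, not part of the Standards: it shows one way software could make items c. and e. above, and the augment-but-never-modify rule of Section 2.2.4.1 h., checkable after the fact. Hash chaining is an assumption chosen for illustration (the Standards prescribe no mechanism), and the field names, messages, and sample events are constructed.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # constructed anchor value that the first entry links to


def entry_digest(seq, stamp, event, prev_hash):
    """SHA-256 over one entry's fields plus the hash of the entry before it."""
    payload = json.dumps([seq, stamp, event, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditRecord:
    """Append-only record: the only write operation is append()."""

    def __init__(self, clock=None):
        # The clock stands in for the system's real-time clock (item b.).
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._entries = []

    def append(self, event):
        seq = len(self._entries) + 1
        stamp = self._clock().isoformat()
        prev_hash = self._entries[-1]["hash"] if self._entries else GENESIS
        entry = {"seq": seq, "time": stamp, "event": event, "prev": prev_hash,
                 "hash": entry_digest(seq, stamp, event, prev_hash)}
        self._entries.append(entry)
        return dict(entry)

    def export(self):
        """Copies of all entries, e.g. for printing or archiving."""
        return [dict(e) for e in self._entries]


def verify(entries):
    """Return a list of findings; an empty list means the record is intact."""
    findings = []
    prev_hash, prev_time = GENESIS, None
    for position, e in enumerate(entries, start=1):
        stamp = e.get("time")
        try:
            when = datetime.fromisoformat(stamp)
        except (TypeError, ValueError):
            when = None
            findings.append(
                f"entry {position}: missing or unreadable time-and-date stamp")
        if e.get("seq") != position:
            findings.append(
                f"entry {position}: sequence number {e.get('seq')} out of order")
        if e.get("prev") != prev_hash:
            findings.append(
                f"entry {position}: does not link to the preceding entry")
        recomputed = entry_digest(e.get("seq"), stamp, e.get("event"), e.get("prev"))
        if recomputed != e.get("hash"):
            findings.append(f"entry {position}: content does not match its hash")
        if when is not None and prev_time is not None and when < prev_time:
            findings.append(
                f"entry {position}: time stamp earlier than preceding entry")
        if when is not None:
            prev_time = when
        prev_hash = e.get("hash")
    return findings


def build_sample_record():
    """Constructed sample: four events one minute apart from a fixed start."""
    start = datetime(2006, 4, 12, 7, 0, tzinfo=timezone.utc)
    ticks = iter(start + timedelta(minutes=i) for i in range(4))
    record = AuditRecord(clock=lambda: next(ticks))
    # The last event augments the record; the error entry itself is untouched.
    for event in ("polls opened", "ballot cast", "paper jam error",
                  "correction: paper jam cleared by precinct official"):
        record.append(event)
    return record


if __name__ == "__main__":
    entries = build_sample_record().export()
    print("intact:", verify(entries))
    entries[1]["event"] = "ballot cancelled"  # simulated in-place alteration
    print("altered:", verify(entries))
```

A chain like this detects edits only if the most recent hash is also kept somewhere the writer of the log cannot rewrite, for example on a printed copy of the record.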
2.2.5.2.2 Error Messages
All voting systems shall meet the following requirements for error
messages:
a. The system shall generate, store, and report to the user all
error messages as they occur;
[[Page 18942]]
b. All error messages requiring intervention by an operator or
precinct official shall be displayed or printed unambiguously in easily
understood language text, or by means of other suitable visual
indicators;
c. When the system uses numerical error codes for trained
technician maintenance or repair, the text corresponding to the code
shall be self-contained, or affixed inside the unit device. This is
intended to reduce inappropriate reactions to error conditions, and to
allow for ready and effective problem correction;
d. All error messages for which correction impacts vote recording
or vote processing shall be written in a manner that is understandable
to an election official who possesses training on system use and
operation, but does not possess technical training on system servicing
and repair;
e. The message cue for all systems shall clearly state the action
to be performed in the event that voter or operator response is
required;
f. System design shall ensure that erroneous responses will not
lead to irreversible error; and
g. Nested error conditions shall be corrected in a controlled
sequence such that system status shall be restored to the initial state
existing before the first error occurred.
2.2.5.2.3 Status Messages
The Standards provide latitude in software design so that vendors
can consider various user processing and reporting needs. The
jurisdiction may require some status and information messages to be
displayed and reported in real-time. Messages that do not require
operator intervention may be stored in memory to be recovered after
ballot processing has been completed.
The system shall display and report critical status messages using
unambiguous indicators or English language text. The system need not
display non-critical status messages at the time of occurrence. Systems
may display non-critical status messages (i.e., those that do not
require operator intervention) by means of numerical codes for
subsequent interpretation and reporting as unambiguous text.
Systems shall provide a capability for the status messages to
become part of the real-time audit record. The system shall provide a
capability for a jurisdiction to designate critical status messages.
2.2.5.3 COTS General Purpose Computer System Requirements
Further requirements must be applied to COTS operating systems to
ensure completeness and integrity of audit data for election software.
These operating systems are capable of executing multiple application
programs simultaneously. These systems include both servers and
workstations (or ``PCs''), including the many varieties of UNIX and
Linux, and those offered by Microsoft and Apple. Election software
running on these COTS systems is vulnerable to unintended effects from
other user sessions, applications, and utilities, executing on the same
platform at the same time as the election software.
``Simultaneous processes'' of concern include unauthorized network
connections, unplanned user logins, and unintended execution or
termination of operating system processes. An unauthorized network
connection or unplanned user login can host unintended processes and
user actions, such as the termination of operating system audit, the
termination of election software processes, or the deletion of election
software audit and logging data. The execution of an operating system
process could be a full system scan at a time when that process would
adversely affect the election software processes. Operating system
processes improperly terminated could be system audit or malicious code
detection.
To counter these vulnerabilities, three operating system
protections are required on all such systems on which election software
is hosted. First, authentication shall be configured on the local
terminal (display screen and keyboard) and on all external connection
devices (``network cards'' and ``ports''). This ensures that only
authorized and identified users affect the system while election
software is running.
Second, operating system audit shall be enabled for all session
openings and closings, for all connection openings and closings, for
all process executions and terminations, and for the alteration or
deletion of any memory or file object. This ensures the accuracy and
completeness of election data stored on the system. It also ensures the
existence of an audit record of any person or process altering or
deleting system data or election data.
Third, the system shall be configured to execute only intended and
necessary processes during the execution of election software. The
system shall also be configured to halt election software processes
upon the termination of any critical system process (such as system
audit) during the execution of election software.
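The three protections above, applied as checks over an operating system audit trail, are illustrated in the following added example, which is not part of the Guidelines. The record format, user names, process names, and policy sets are constructed assumptions that a jurisdiction would replace with its own.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed site policy. Every name here is hypothetical.
AUTHORIZED_USERS = {"official1"}
INTENDED_PROCESSES = {"auditd", "election_app", "print_spooler"}
CRITICAL_PROCESSES = {"auditd"}      # loss of any of these forces a halt
ELECTION_PROCESS = "election_app"

# Constructed sample trail: "<timestamp> <EVENT> key=value ..."
SAMPLE_TRAIL = """\
2006-11-07T05:58:00 PROC_EXEC name=auditd pid=101 user=root
2006-11-07T06:00:00 SESSION_OPEN user=official1 src=console
2006-11-07T06:00:05 PROC_EXEC name=election_app pid=200 user=official1
2006-11-07T09:14:10 CONN_OPEN user=unknown src=10.0.0.9
2006-11-07T09:14:12 SESSION_OPEN user=tech7 src=10.0.0.9
2006-11-07T09:14:30 PROC_EXEC name=full_scan pid=310 user=tech7
2006-11-07T09:14:50 FILE_DELETE path=/var/log/election/audit.log user=tech7
2006-11-07T09:15:02 PROC_EXIT name=auditd pid=101 user=tech7
2006-11-07T09:15:30 PROC_EXEC name=editor pid=311 user=tech7
"""


@dataclass
class Result:
    findings: list = field(default_factory=list)   # (timestamp, rule, detail)
    halted_at: Optional[str] = None                # set when a halt is required


def parse_line(line):
    """Split one record into (timestamp, event, fields)."""
    ts, event, *pairs = line.split()
    return ts, event, dict(p.split("=", 1) for p in pairs)


def evaluate(trail):
    """Apply the three protections to a trail and report violations."""
    result = Result()
    election_running = False
    for line in trail.splitlines():
        if not line.strip():
            continue
        ts, event, f = parse_line(line)
        name, user = f.get("name"), f.get("user")

        # First protection: sessions and connections only for authorized,
        # identified users. Checked whether or not election software runs.
        if event in ("SESSION_OPEN", "CONN_OPEN") and user not in AUTHORIZED_USERS:
            result.findings.append((ts, "unauthorized-access", f"{event} user={user}"))

        # Track whether election software is executing.
        if event == "PROC_EXEC" and name == ELECTION_PROCESS:
            election_running = True
        elif event == "PROC_EXIT" and name == ELECTION_PROCESS:
            election_running = False
        if not election_running:
            continue

        # Second protection: the audit record identifies who altered or
        # deleted a file object; flag it when that user is not authorized.
        if event in ("FILE_DELETE", "FILE_MODIFY") and user not in AUTHORIZED_USERS:
            result.findings.append(
                (ts, "unauthorized-alteration", f"{event} {f.get('path')} user={user}"))

        # Third protection, part one: only intended and necessary processes.
        if event == "PROC_EXEC" and name not in INTENDED_PROCESSES:
            result.findings.append((ts, "unintended-process", f"{name} user={user}"))

        # Third protection, part two: a critical process ending while election
        # software runs requires a halt. Nothing after the halt is evaluated.
        if event == "PROC_EXIT" and name in CRITICAL_PROCESSES:
            result.findings.append((ts, "critical-process-lost", name))
            result.halted_at = ts
            break
    return result


if __name__ == "__main__":
    outcome = evaluate(SAMPLE_TRAIL)
    for finding in outcome.findings:
        print(*finding)
    print("halt election software at:", outcome.halted_at)
```

The check halts only when a critical process ends while election software is executing, which is the condition the third protection states. Starting election software without the audit process already running is a separate precondition that this sketch does not test.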
2.2.6 Election Management System
The Election Management System (EMS) is used to prepare ballots and
programs for use in casting and counting votes, and to consolidate,
report, and display election results. An EMS shall generate and
maintain a database, or one or more interactive databases, that enables
election officials or their designees to perform the following
functions:
a. Define political subdivision boundaries and multiple election
districts as indicated in the system documentation;
b. Identify contests, candidates, and issues;
c. Define ballot formats and appropriate voting options;
d. Generate ballots and election-specific programs for vote
recording and vote counting equipment;
e. Install ballots and election-specific programs;
f. Test that ballots and programs have been properly prepared and
installed;
g. Accumulate vote totals at multiple reporting levels as indicated
in the system documentation;
h. Generate the post-voting reports required by Section 2.5; and
i. Process and produce audit reports of the data indicated in
Section 4.5.
2.2.7 Human Factors
The importance of human factors in the design of voting systems has
become increasingly apparent. It is not sufficient that the internal
operation of these systems be correct; in addition, voters and poll
workers must be able to use them effectively. There are some special
difficulties in the design of usable and accessible voting systems:
The voting task itself can be fairly complex; the voter
may have to navigate an electronic ballot, choose multiple candidates
in a single race or decide on abstrusely worded referenda.
Voting is performed infrequently, so learning and
familiarity are lower than for more frequent tasks, such as use of an
ATM.
Jurisdictions may change voting equipment, thus obviating
whatever familiarity the voter might have acquired.
Once the voting session has been completed by the voter,
there is never a chance for later correction.
Voting must be accessible to all eligible citizens,
whatever their age, physical abilities, language skills, or experience
with technology.
The challenge, then, is to provide a voting system and voting
environment that all voters can use comfortably, efficiently, and with
justified
[[Page 18943]]
confidence that they have cast their votes correctly. The requirements
within this section are intended to serve that goal.
Although there are many detailed requirements, three broad
principles motivate this section on human factors:
1. All Eligible and Potentially Eligible Voters Shall Have Access
to the Voting Process Without Discrimination.
The voting process shall allow eligible voters of whatever age,
condition, or background to be able to go through the entire voting
process with the same degree of independence, privacy, and confidence,
insofar as technology will allow. Note that the voting process includes
access to the polling place, instructions on how to vote, initiating
the voting session, choosing candidates, getting help as needed, review
of the ballot, VVPAT, if applicable, and final submission of the
ballot.
2. Each Cast Ballot Shall Capture the Intent of the Voter Who Cast
That Ballot.
Voters have the right to have the ballot presented to them in a
manner that is clear and usable. Voters should encounter no difficulty
or confusion in recording their choices.
3. The Voting Process Shall Preserve the Secrecy of the Ballot.
The voting process shall preclude anyone else from determining the
content of a voter's ballot, with or without the voter's cooperation.
If such a determination is made against the wishes of the voter, then
his or her privacy has been violated. The process must also preclude
the voter from disclosing the content of the ballot to anyone else.
All the requirements within Section 2.2.7 have the purpose of
improving the quality of interaction between voters and voting systems.
Requirements that are likely to be relevant only to those
with some disability are listed under Section 2.2.7.1, although they
may also assist those not usually described as having a disability,
e.g. voters with poor eyesight or somewhat limited dexterity.
Requirements that are likely to be relevant only to those
with limited English proficiency are listed in Section 2.2.7.2.
Finally, requirements for general usability make up
Section 2.2.7.3 and those for privacy, Section 2.2.7.4.
Certain abbreviations and terms are used extensively throughout
Section 2.2.7:
CIF: Common Industry Format: Refers to the format
described in ANSI/INCITS 354-2001 ``Common Industry Format (CIF) for
Usability Test Reports.''
Acc-VS: Accessible Voting Station--the voting station
equipped for individuals with disabilities referred to in HAVA
301(a)(3)(B).
ATI: Audio-Tactile Interface--a voter interface designed
so as not to require visual reading of a ballot. Audio is used to
convey information to the voter and sensitive tactile controls allow
the voter to convey information to the voting system.
ALVS: Alternative Language Voting Station--a voting
station designed to be usable by voters who have limited English
proficiency.
This section also uses common terms as defined in the updated
Glossary. Note in particular, the distinctions among ``voting system,''
``voting station,'' and ``voting process.''
1. The Voting Process Shall Be Accessible to Voters With Disabilities.
As a Minimum, Every Polling Place Shall Have at Least One Voting
Station Equipped for Individuals With Disabilities, as Provided in HAVA
301 (a)(3)(B). A Station So Equipped Is Referred to Herein as an
Accessible Voting Station (Acc-VS)
HAVA Section 301(a)(3) reads in part:
ACCESSIBILITY FOR INDIVIDUALS WITH DISABILITIES.--The voting
system shall--
(A) be accessible for individuals with disabilities, including
nonvisual accessibility for the blind and visually impaired, in a
manner that provides the same opportunity for access and
participation (including privacy and independence) as for other
voters;
(B) satisfy the requirement of subparagraph (A) through the use
of at least one direct recording electronic voting system or other
voting system equipped for individuals with disabilities at each
polling place;
The requirements within Section 2.2.7.1 are intended to address
this mandate. Ideally every voter would be able to vote independently
and privately. As a practical matter, there may be a small number of
voters whose disabilities are so severe that they will need personal
assistance. Nonetheless, the requirements of this section are meant to
make the voting system directly accessible to as many voters as
possible.
Note that this section does not replace requirements of other
sections, but adds to them. In particular, the requirements of Section
2.2.7.3 on usability apply either to all voting stations or, in some
cases, to all DRE voting stations; many of these requirements support
accessibility as well as general usability.
Certain accessibility features that are likely to be useful to a
wide range of voters are required on all voting stations, not just the
Acc-VS. Finally, note that the Acc-VS is not necessarily a full-fledged
DRE; for instance, an implementation may provide an ATI that generates
an optiscan ballot.
The outline for Section 2.2.7.1 is:
2.2.7.1 Accessibility
2.2.7.1.1 Voters with Disabilities--General
2.2.7.1.2 Vision
2.2.7.1.2.1 Partial Vision
2.2.7.1.2.2 Blind
2.2.7.1.3 Dexterity
2.2.7.1.4 Mobility
2.2.7.1.5 Hearing
2.2.7.1.6 Speech
2.2.7.1.7 Cognitive
1. The Voting Process Shall Incorporate Features That Are Applicable to
Several Types of Disability
Discussion: These features span the disability categories within
requirement 2.2.7.1 (e.g. vision, dexterity).
1.1 When the Provision of Accessibility Involves an Alternative Format
for Ballot Presentation, Then All the Other Information Presented to
Voters in the Case of Non-Disabled English-Literate Voters (Including
Instructions, Warnings, Messages, and Ballot Choices) Shall Also Be
Presented in That Alternative Format
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: This is a general principle to be followed for any
alternative format presentation. Two particular cases, (a) audio
formats and (b) non-English formats, are the subject of specific
requirements in later sections.
[Best Practice for Voting Officials] When the provision of
accessibility involves an alternative format for ballot presentation,
then all the other information presented to voters in the case of non-
disabled English-literate voters (including instructions, warnings,
messages, and ballot choices) is also presented in that alternative
format.
1.2 An Acc-VS Shall Provide Direct Accessibility Such That Voters'
Personal Assistive Devices Are Not Required for Voting
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: Voters are not to be obliged to supply any special
equipment in order to vote. This requirement does not preclude the Acc-
VS from providing interfaces to assistive technology.
[[Page 18944]]
1.3 When the Primary Means of Voter Identification or Authentication
Uses Biometric Measures That Require a Voter To Possess Particular
Biological Characteristics, the Voting Process Shall Provide a
Secondary Means That Does Not Depend on Those Characteristics
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: For example, if fingerprints were used for
identification, there would have to be another mechanism for voters
without usable fingerprints.
[Best Practice for Voting Officials] When the primary means of
voter identification or authentication uses biometric measures that
require a voter to possess particular biological characteristics, the
voting process provides a secondary means that does not depend on those
characteristics.
[Best Practice for Voting Officials] Polling places are subject to
the appropriate guidelines of the Americans with Disabilities Act (ADA)
of 1990 and of the Architectural Barriers Act (ABA) of 1968. This
requirement does not stem from HAVA, but rather is a reminder of other
legal obligations. For more details, see http://www.access-board.gov/ada-aba.htm and http://www.usdoj.gov/crt/ada/votingck.htm.
2. The Voting Process Shall Be Accessible to Voters With Visual
Disabilities
Discussion: Note that all aspects of the voting process are to be
accessible, not just the voting station.
2.1 The Acc-VS Shall Be Accessible to Voters With Partial Vision
2.1.1 The Vendor Should Conduct Summative Usability Tests on the Acc-VS
Using Partially Sighted Subjects and Report the Test Results to the
Appropriate Testing Authority According to the Common Industry Format
(CIF)
[GRAPHIC] [TIFF OMITTED] TN12AP06.004
Discussion: This requirement is meant to encourage Acc-VS designers
to conduct some realistic usability tests on the final product. For
now, it is purely a documentation recommendation. Future versions of
the VVSG will include requirements for usability testing to be
conducted by the testing authority, with specific performance
benchmarks.
2.1.2 The Acc-VS and Any Voting Station With an Electronic Image
Display Shall Be Capable of Showing All Information in at Least Two
Font Sizes, (a) 3.0-4.0 mm and (b) 6.3-9.0 mm, Under Control of the
Voter or Poll Worker
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: While larger font sizes may assist most voters with
poor vision, certain disabilities such as tunnel vision are best
addressed by smaller font sizes. It is anticipated that future versions
of the VVSG will require font size to be under the independent control
of the voter.
2.1.3 All Voting Stations Using Paper Ballots Should Make Provisions
for Voters With Poor Reading Vision
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: Possible solutions include: (a) providing paper ballots
in at least two font sizes, 3.0-4.0 mm and 6.3-9.0 mm and (b) providing
a magnifying device.
2.1.4 An Acc-VS and Any Voting Station With a Black-and-White-Only
Electronic Image Display Shall Be Capable of Showing All Information in
High Contrast Either by Default or Under the Control of the Voter or
Poll Worker. High Contrast Is a Figure-to-Ground Ambient Contrast Ratio
for Text and Informational Graphics of at Least 6:1
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: It is anticipated that future versions of the VVSG will
require contrast to be under the independent control of the voter.
2.1.5 An Acc-VS With a Color Electronic Image Display Shall Allow the
Voter or Poll Worker To Adjust the Color or the Figure-to-Ground
Ambient Contrast Ratio
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: See NASED Technical Guide 1 for examples of
how a voting station may meet this requirement by offering a limited
number of discrete choices. In particular, it is not required that the
station offer a continuous range of color or contrast values.
2.1.6 On All Voting Stations, the Default Color Coding Shall Maximize
Correct Perception by Voters and Operators With Color Blindness
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
[Best Practice for Voting Officials] On all voting stations, the
default color coding maximizes correct perception by voters and
operators with color blindness.
2.1.7 On All Voting Stations, Color Coding Shall Not Be Used as the
Sole Means of Conveying Information, Indicating an Action, Prompting a
Response, or Distinguishing a Visual Element
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: This implies that although color can be used for
emphasis, some other non-color mode must also be used to convey the
information, such as a shape or text style. For example, red can be
enclosed in an octagon shape.
2.1.8 Buttons and Controls on All Voting Stations Should Be
Distinguishable by Both Shape and Color
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: The redundant cues have been found to be helpful to
those with partial vision.
2.1.9 Any Voting Station Using an Electronic Image Display Should Also
Provide Synchronized Audio Output To Convey the Same Information as
That on the Screen
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: Synchronized presentation of information in both visual
and aural modes is a recommendation in this version of the VVSG, but it
is anticipated that this will become a requirement in future versions.
[[Page 18945]]
2.2 The Acc-VS Shall Be Accessible to Voters Who Are Blind
Discussion: Of course, many of the features under this requirement
are also useful for voters with partial vision (see requirement
2.2.7.1.2.1) and for voters who cannot read English for other
reasons (see requirement 2.2.7.2).
2.2.1 The Vendor Should Conduct Summative Usability Tests on the Acc-VS
Using Subjects Who Are Blind and Report the Test Results to the
Appropriate Testing Authority According to the Common Industry Format
(CIF)
[GRAPHIC] [TIFF OMITTED] TN12AP06.004
Discussion: This requirement is meant to encourage Acc-VS designers
to conduct some realistic usability tests on the final product. For
now, it is purely a documentation recommendation. Future versions of
the VVSG will include requirements for usability testing to be
conducted by the testing authority, with specific performance
benchmarks.
2.2.2 The Acc-VS Shall Provide an Audio-Tactile Interface (ATI) That
Supports the Full Functionality of a Normal Ballot Interface, as
Specified in Section 2.4
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: Note the necessity of both audio output and tactilely
discernible controls for voter input. Full functionality includes at
least:
Instructions and feedback on initial activation of the
ballot (such as insertion of a smart card), if this is normally
performed by the voter on comparable voting stations,
Instructions and feedback to the voter on how to operate
the Acc-VS, including settings and options (e.g. volume control,
repetition),
Instructions and feedback for navigation of the ballot,
Instructions and feedback for voter selections in races
and referenda, including write-in candidates,
Instructions and feedback on confirming and changing
selections, and
Instructions and feedback on final submission of ballot.
2.2.2.1 The ATI of the Acc-VS Shall Provide the Same Capabilities To
Vote and Cast a Ballot as Are Provided by the Other Voting Stations or
by the Visual Interface of the Acc-VS. Therefore, Functional Features
That Exceed the Requirements of Section 2.4 Must Be Provided on a Non-
Discriminatory Basis
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: For example, if a ``normal'' ballot supports voting a
straight party ticket and then changing the choice in a single race, so
must the ATI. This requirement is a special case of the more general
requirement 2.2.7.1.1.1.
2.2.2.2 The ATI Shall Allow the Voter To Have Any Information Provided
by the System Repeated
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
2.2.2.3 The ATI Shall Allow the Voter To Pause and Resume the Audio
Presentation
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
2.2.2.4 The ATI Shall Allow the Voter To Skip to the Next Contest or
Return to Previous Contests
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: This is analogous to the ability of sighted voters to
move on to the next race once they have made a selection or to abstain
from voting on a contest.
2.2.2.5 The ATI Should Allow the Voter To Skip Over the Reading of a
Referendum so as To Be Able To Vote on It Immediately
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: This is analogous to the ability of sighted voters to
skip over the wording of a referendum on which they have already made a
decision prior to the voting session (e.g. ``Vote yes on proposition
123''). It is anticipated that this recommendation will become
a requirement in future versions of the VVSG.
2.2.3 All Voting Stations That Provide Audio Presentation of the Ballot
Shall Conform to the Following Sub-Requirements
Discussion: These requirements apply to all audio output, not just
to the ATI of an Acc-VS.
2.2.3.1 The ATI Shall Provide Its Audio Signal Through an Industry
Standard Connector for Private Listening Using a 3.5 mm Stereo Headphone
Jack To Allow Voters To Use Their Own Audio Assistive Devices
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
2.2.3.2 When a Voting Station Utilizes a Telephone Style Handset/
Headset To Provide Audio Information, It Shall Provide a Wireless T-
Coil Coupling for Assistive Hearing Devices so as To Provide Access to
That Information for Voters With Partial Hearing. That Coupling Shall
Achieve at Least a Category T4 Rating as Defined by American National
Standard for Methods of Measurement of Compatibility Between Wireless
Communications Devices and Hearing Aids, ANSI C63.19
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
2.2.3.3 No Voting Station Shall Cause Electromagnetic Interference With
Assistive Hearing Devices That Would Substantially Degrade the
Performance of Those Devices. The Station, Considered as a Wireless
Device (WD) Shall Achieve at Least a Category T4 Rating as Defined by
American National Standard for Methods of Measurement of Compatibility
Between Wireless Communications Devices and Hearing Aids, ANSI C63.19
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: ``Hearing devices'' includes hearing aids and cochlear
implants.
[[Page 18946]]
2.2.3.4 A Sanitized Headphone or Handset Should Be Made Available to
Each Voter
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: This requirement can be achieved in various ways,
including the use of ``throwaway'' headphones, or of sanitary
coverings.
[Best Practice for Voting Officials] A sanitized headphone or
handset is made available to each voter.
2.2.3.5 The Voting Station Shall Set the Initial Volume for Each Voter
Between 40 and 50 dB SPL
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: A voter does not ``inherit'' the volume as set by the
previous user of the voting station.
2.2.3.6 The Voting Station Shall Provide a Volume Control With an
Adjustable Amplification From a Minimum of 20 dB SPL Up to a Maximum of
105 dB SPL, in Increments No Greater Than 20 dB
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
2.2.3.7 The Audio System Shall Be Able To Reproduce Frequencies Over
the Audible Speech Range of 315 Hz to 10 kHz
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
2.2.3.8 The Audio System Should Provide Information Via Recorded Human
Speech, Rather Than Synthesized Speech
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: Most users prefer real speech over synthesized speech.
2.2.3.9 The Audio System Should Allow Voters To Control, Within
Reasonable Limits, the Rate of Speech
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: Many blind voters are accustomed to interacting with
accelerated speech.
2.2.4 If the Normal Procedure Is To Have Voters Initialize the
Activation of the Ballot, the Acc-VS Shall Provide Features That Enable
Voters Who Are Blind To Perform This Activation
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: For example, smart cards might provide tactile cues so
as to allow correct insertion.
2.2.5 If the Normal Procedure Is for Voters To Submit Their Own
Ballots, Then the Voting Process Should Provide Features That Enable
Voters Who Are Blind To Perform This Submission
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: For example, if voters normally feed their own optiscan
ballots into a reader, blind voters should also be able to do so.
[Best Practice for Voting Officials] If the normal procedure is for
voters to submit their own ballots, then the voting process provides
features that enable voters who are blind to perform this submission.
2.2.6 If the Normal Procedure Includes VVPAT, the Acc-VS Should Provide
Features That Enable Voters Who Are Blind To Perform This Verification
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: For example, the Acc-VS might provide an automated
reader for the paper record that converts the contents of the paper
into audio output. It is anticipated that this recommendation will
become a requirement in future versions of the VVSG.
2.2.7 All Mechanically Operated Controls or Keys on an Acc-VS Shall Be
Tactilely Discernible Without Activating Those Controls or Keys
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
2.2.8 On an Acc-VS, the Status of All Locking or Toggle Controls or
Keys (Such as the ``Shift'' Key) Shall Be Visually Discernible, and
Discernible Either Through Touch or Sound
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
3. The Voting Process Shall Be Accessible to Voters Who Lack Fine Motor
Control or the Use of Their Hands
3.1 The Vendor Should Conduct Summative Usability Tests on the Acc-VS
With Subjects Lacking Fine Motor Control and Report the Test Results to
the Appropriate Testing Authority According to the Common Industry
Format (CIF)
[GRAPHIC] [TIFF OMITTED] TN12AP06.004
Discussion: This requirement is meant to encourage Acc-VS designers
to conduct some realistic usability tests on the final product. For
now, it is purely a documentation recommendation. Future versions of
the VVSG will include requirements for usability testing to be
conducted by the testing authority with specific performance
benchmarks.
3.2 All Keys and Controls on the Acc-VS Shall Be Operable With One Hand
and Shall Not Require Tight Grasping, Pinching, or Twisting of the
Wrist. The Force Required To Activate Controls and Keys Shall Be No
Greater Than 5 lbs. (22.2 N)
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: Controls are to be operable without excessive force.
3.3 The Acc-VS Controls Shall Not Require Direct Bodily Contact or for
the Body To Be Part of Any Electrical Circuit
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: This requirement ensures that controls are operable by
individuals using prosthetic devices.
[[Page 18947]]
3.4 The Acc-VS Should Provide a Mechanism To Enable Non-Manual Input
That Is Functionally Equivalent to Tactile Input
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: This recommendation ensures that the Acc-VS is operable
by individuals who do not have the use of their hands. All the
functionality of the Acc-VS (e.g. straight party voting, write-in
candidates) that is available through the other forms of input, such as
tactile, must also be available through the input mechanism if it is
provided by the Acc-VS.
4. The Voting Process Shall Be Accessible to Voters Who Use Mobility
Aids, Including Wheelchairs
4.1 The Acc-VS Shall Provide a Clear Floor Space of 30 Inches (760 mm)
Minimum by 48 Inches (1220 mm) Minimum for a Stationary Mobility Aid.
The Clear Floor Space Shall Be Level With No Slope Exceeding 1:48 and
Positioned for a Forward Approach or a Parallel Approach
[GRAPHIC] [TIFF OMITTED] TN12AP06.005
[Best Practice for Voting Officials] The Acc-VS provides a clear
floor space of 30 inches (760 mm) minimum by 48 inches (1220 mm)
minimum for a stationary mobility aid. The clear floor space is level
with no slope exceeding 1:48 and positioned for a forward approach or a
parallel approach.
4.2 All Controls, Keys, Audio Jacks and Any Other Part of the Acc-VS
Necessary for the Voter To Operate the Voting System Shall Be Within
Reach as Specified Under the Following Sub-Requirements
[GRAPHIC] [TIFF OMITTED] TN12AP06.005
Discussion: All dimensions are given in inches. To convert to
millimeters, multiply by 25.4 and then round to the nearest multiple of
5. Note that these sub-requirements have meaningful application mainly
to controls in a fixed location. A hand-held tethered control panel is
another acceptable way of providing reachable controls. All the sub-
requirements inherit the ``responsible entity'' and ``process''
properties.
[Best Practice for Voting Officials] All controls, keys, audio
jacks and any other part of the Acc-VS necessary for the voter to
operate the voting system are within the reach regions as specified in
the VVSG Volume I, Section 2.2.7.1.4.3.
4.2.1 If the Acc-VS Has a Forward Approach With No Forward Reach
Obstruction Then the High Reach Shall Be 48 Inches Maximum and the Low
Reach Shall Be 15 Inches Minimum. See Figure 2.2.7.1-1
[GRAPHIC] [TIFF OMITTED] TN12AP06.005
4.2.2 If the Acc-VS Has a Forward Approach With a Forward Reach
Obstruction, the Following Sub-Requirements Apply. See Figure 2.2.7.1-2
4.2.2.1 The Forward Obstruction Shall Be No Greater Than 25 Inches in
Depth, Its Top No Higher Than 34 Inches and Its Bottom Surface No Lower
Than 27 Inches
[GRAPHIC] [TIFF OMITTED] TN12AP06.005
4.2.2.2 If the Obstruction Is No More Than 20 Inches in Depth, Then the
Maximum High Reach Shall Be 48 Inches, Otherwise It Shall Be 44 Inches
[GRAPHIC] [TIFF OMITTED] TN12AP06.005
4.2.2.3 Space Under the Obstruction Between the Finish Floor or Ground
and 9 Inches (230 mm) Above the Finish Floor or Ground Shall Be
Considered Toe Clearance and Shall Comply With the Following Sub-
Requirements
[GRAPHIC] [TIFF OMITTED] TN12AP06.005
A. Toe clearance shall extend 25 inches (635 mm) maximum under the
obstruction.
[GRAPHIC] [TIFF OMITTED] TN12AP06.005
B. The minimum toe clearance under the obstruction shall be either
17 inches (430 mm) or the depth required to reach over the obstruction
to operate the Acc-VS, whichever is greater.
[GRAPHIC] [TIFF OMITTED] TN12AP06.005
C. Toe clearance shall be 30 inches (760 mm) wide minimum.
Voting System Vendor
[GRAPHIC] [TIFF OMITTED] TN12AP06.005
4.2.2.4 Space Under the Obstruction Between 9 Inches (230 mm) and 27
Inches (685 mm) Above the Finish Floor or Ground Shall Be Considered
Knee Clearance and Shall Comply With the Following Sub-Requirements
A. Knee clearance shall extend 25 inches (635 mm) maximum under the
obstruction at 9 inches (230 mm) above the finish floor or ground.
[GRAPHIC] [TIFF OMITTED] TN12AP06.005
B. The minimum knee clearance at 9 inches (230 mm) above the finish
floor or ground shall be either 11 inches (280 mm) or 6 inches less
than the toe clearance, whichever is greater.
[GRAPHIC] [TIFF OMITTED] TN12AP06.005
C. Between 9 inches (230 mm) and 27 inches (685 mm) above the
finish floor or ground, the knee clearance shall be permitted to reduce
at a rate of 1 inch (25 mm) in depth for each 6 inches (150 mm) in
height.
[GRAPHIC] [TIFF OMITTED] TN12AP06.005
Discussion: It follows that the minimum knee clearance at 27 inches
above the finish floor or ground shall be 3 inches less than the
minimum knee clearance at 9 inches above the floor.
D. Knee clearance shall be 30 inches (760 mm) wide minimum.
[GRAPHIC] [TIFF OMITTED] TN12AP06.005
[[Page 18948]]
4.2.3 If the Acc-VS Has a Parallel Approach With No Side Reach
Obstruction Then the Maximum High Reach Shall be 48 Inches and the
Minimum Low Reach Shall be 15 Inches. See Figure 2.2.7.1-3
[GRAPHIC] [TIFF OMITTED] TN12AP06.005
4.2.4 If the Acc-VS Has a Parallel Approach With a Side Reach
Obstruction, the Following Sub-Requirements Apply. See Figure 2.2.7.1-4
4.2.4.1 The Side Obstruction Shall Be No Greater Than 24 Inches in
Depth and Its Top No Higher Than 34 Inches
[GRAPHIC] [TIFF OMITTED] TN12AP06.005
4.2.4.2 If the Obstruction Is No More Than 10 inches in Depth, Then the
Maximum High Reach Shall Be 48 Inches, Otherwise It Shall Be 46 Inches
[GRAPHIC] [TIFF OMITTED] TN12AP06.005
Discussion: Since this is a parallel approach, no clearance under
the obstruction is required.
4.2.5 All Labels, Displays, Controls, Keys, Audio Jacks, and Any Other
Part of the Acc-VS Necessary for the Voter To Operate the Voting System
Shall Be Easily Legible and Visible to a Voter in a Wheelchair With
Normal Eyesight (No Worse Than 20/40, Corrected) Who Is in an
Appropriate Position and Orientation with Respect to the Acc-VS
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: There are a number of factors that could make relevant
parts of the Acc-VS difficult to see: small lettering, controls and
labels tilted at an awkward angle from the voter's viewpoint, glare
from overhead lighting, etc.
5. The Voting Process Shall Be Accessible to Voters With Hearing
Disabilities
5.1 The Acc-VS Shall Incorporate the Features Listed Under Requirement
2.2.7.1.2.2.3 (Audio Presentation) To Provide Accessibility
to Voters With Hearing Disabilities
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: Note especially the requirements for volume
initialization and control.
[Best Practice for Voting Officials] The Acc-VS incorporates the
features listed in the VVSG Volume I, Section 2.2.7.1.2.2.3 (audio
presentation) to provide accessibility to voters with hearing
disabilities.
5.2 If a Voting Station Provides Sound Cues as a Method To Alert the
Voter, the Tone Shall Be Accompanied by a Visual Cue
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: For instance, the station might beep if the voter
attempts to overvote. If so, there would have to be an equivalent
visual cue, such as the appearance of an icon, or a blinking element.
6. The Voting Process Shall Be Accessible to Voters With Speech
Disabilities
6.1 No Voting Station Shall Require Voter Speech for its Operation
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: This does not preclude a voting station from offering
speech input as an option, but speech must not be the only means of
input.
7. The Voting Process Should Be Accessible to Voters With Cognitive
Disabilities
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: At present there are no design features specifically
aimed at helping those with cognitive disabilities. Section
2.2.7.1.2.1.9, the synchronization of audio with the screen in a DRE,
is helpful for some cognitive disabilities such as dyslexia. Section
2.2.7.3.3 also contains some relevant guidelines.
[Best Practice for Voting Officials] The voting process is made
accessible to voters with cognitive disabilities.
[[Page 18949]]
[GRAPHIC] [TIFF OMITTED] TN12AP06.012
2. The Voting Process Shall Be Accessible to Voters Who Are Not Fully
Literate in English. This Requirement May Be Satisfied by Providing
Voting Stations in a Polling Place That Accommodate Those Without a
Full Command of English. See HAVA 301 (a)(4) and 241 (b)(5). Such a
Facility is Referred to Herein as an Alternative Language Voting
Station (ALVS)
HAVA Section 301 (a)(4) reads:
ALTERNATIVE LANGUAGE ACCESSIBILITY.--The voting system shall
provide alternative language accessibility pursuant to the
requirements of section 203 of the Voting Rights Act of 1965 (42
U.S.C. 1973aa-1a).
The requirements within Section 2.2.7.2 are intended to address
this mandate. Ideally every voter would be able to vote independently
and privately, regardless of language. As a practical matter,
alternative language access is mandated under the Voting Rights Act of
1975, subject to certain thresholds, e.g. if the language group exceeds
5% of the voting age citizens.
Note that the provision of an audio interface for people with
visual disabilities as described in Section 2.2.7.1 may also assist
voters who speak English, but are unable to read it.
The outline for section 2.2.7.2 is:
2.2.7.2. Alternative Languages
2.2.7.2.1 Complete Information
[[Page 18950]]
2.2.7.2.2 Spelling of Names
2.2.7.2.3 Literate Voters
2.2.7.2.4 Illiterate Voters
1. All the Information Presented in the Normal Case of English-literate
Voters (Including Instructions, Warnings, Messages, and Ballot Choices)
Shall Also Be Presented by the ALVS, Whether the Language Is Written or
Spoken
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: This is in keeping with general requirement
2.2.7.1.1.1.
2. Regardless of the Language, Candidate Names Shall Be Displayed or
Pronounced in English on All Ballots. For Written Languages That Do Not
Use Roman Characters (e.g. Chinese, Japanese, Korean, Arabic), the
Ballot Shall Include Transliteration of Candidate Names Into the
Relevant Language
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
[Best Practice for Voting Officials] Regardless of the language,
candidate names are displayed or pronounced in English on all ballots.
For written languages that do not use Roman characters (e.g., Chinese,
Japanese, Korean, Arabic), the ballot includes transliteration of
candidate names into the relevant language.
3. For Literate Voters, the ALVS Shall Provide Printed or Displayed
Instructions, Messages, and Ballots in Their Preferred Language,
Consistent With State and Federal Law
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
3.1 The Vendor Should Conduct Summative Usability Tests on the ALVS
With Literate Subjects Who Neither Speak Nor Read English and Report
the Test Results According to the Common Industry Format (CIF)
[GRAPHIC] [TIFF OMITTED] TN12AP06.004
Discussion: This requirement is meant to encourage Acc-VS designers
to conduct some realistic usability tests on the final product. For
now, it is purely a documentation recommendation. Future versions of
the VVSG will include requirements for usability testing to be
conducted by the testing authority, with specific performance
benchmarks.
4. For Illiterate Voters, the ALVS Shall Provide Spoken Instructions
and Ballots in the Preferred Language of the Voter, Consistent With
State and Federal Law. The Requirements and Sub-Requirements of
2.2.7.1.2.2.2 (Acc-VS/ATI) Shall Apply to This Mode of
Interaction
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: Note that some languages have no widely accepted
written form.
3. The Voting Process Shall Provide a High Level of Usability to the
Voters. Accordingly, Voters Shall Be Able to Negotiate the Process
Effectively, Efficiently, and Comfortably
Discussion: The first Voting System Standards codified in HAVA
relate to the interaction between the voter and the voting system. HAVA
Section 301 begins:
``SEC. 301. VOTING SYSTEMS STANDARDS.
a. Requirements.--Each voting system used in an election for
Federal office shall meet the following requirements:
1. In general.--
A. Except as provided in subparagraph (B), the voting system
(including any lever voting system, optical scanning voting system, or
direct recording electronic system) shall--
i. Permit the voter to verify (in a private and independent manner)
the votes selected by the voter on the ballot before the ballot is cast
and counted;
ii. Provide the voter with the opportunity (in a private and
independent manner) to change the ballot or correct any error before
the ballot is cast and counted (including the opportunity to correct
the error through the issuance of a replacement ballot if the voter was
otherwise unable to change the ballot or correct any error); and
iii. If the voter selects votes for more than one candidate for a
single office--
I. Notify the voter that the voter has selected more than one
candidate for a single office on the ballot;
II. Notify the voter before the ballot is cast and counted of the
effect of casting multiple votes for the office; and
III. Provide the voter with the opportunity to correct the ballot
before the ballot is cast and counted.
B. A State or jurisdiction that uses a paper ballot voting system,
a punch card voting system, or a central count voting system (including
mail-in absentee ballots and mail-in ballots), may meet the
requirements of subparagraph (A)(iii) by--
i. Establishing a voter education program specific to that voting
system that notifies each voter of the effect of casting multiple votes
for an office; and
ii. Providing the voter with instructions on how to correct the
ballot before it is cast and counted (including instructions on how to
correct the error through the issuance of a replacement ballot if the
voter was otherwise unable to change the ballot or correct any error).
C. The voting system shall ensure that any notification required
under this paragraph preserves the privacy of the voter and the
confidentiality of the ballot.''
The requirements of this section supplement these basic HAVA
mandates and also HAVA's support for improved usability (see Section
243 and Section 221(e)(2)(D)).
Voting and Usability
Usability is defined generally as a measure of the effectiveness,
efficiency, and satisfaction achieved by a specified set of users with
a given product in the performance of specified tasks. In the context
of voting, the primary users are the voters (but also poll workers),
the product is the voting system, and the task is the correct
representation of one's choices in the election. Additional
requirements for task performance are independence and privacy: the
voter should normally be able to complete the voting task without
assistance from others (although the voting system itself may offer
help), and the voter's choices should be private (see Section 2.2.7.4).
Aside from its intrinsic undesirability, lack of independence or
privacy may adversely affect effectiveness (e.g. by possibly inhibiting
the voter's free choice) and efficiency (e.g. by slowing down the
process).
Among the ``bottom-line'' metrics for usability are:
* low error rate for marking the ballot (the voter's intention is
  correctly conveyed to and represented within the voting system),
* efficient operation (time required to vote is not excessive), and
* satisfaction (voter experience is safe, comfortable, free of stress,
  and instills confidence).
These criteria define the core of good voting system usability. The
purpose of the detailed requirements listed below is to help voting
systems meet the core criteria.
[[Page 18951]]
Methodology for Requirements
It is the intention of the TGDC that in forthcoming versions of the
VVSG, usability will be addressed by high-level performance-based
requirements. That is, the requirements will directly address metrics
for effectiveness (e.g. correct capture of voters' intentions),
efficiency (e.g. time taken to vote), and satisfaction. Until the
supporting research is completed, however, the contents of this
subsection are limited to a somewhat basic set of widely accepted
design requirements and lower-level performance requirements. The
reasons for this approach are:
* These are to serve as interim requirements, pending the issuance of
  high-level performance requirements.
* The actual benefit of numerous detailed design guidelines is
  difficult to prove or measure.
* The technical complexity and costs of a large set of detailed
  requirements may not be justified.
* Guidelines that are difficult to test because of insufficient
  specificity have been omitted.
This is not to say that an extensive set of design guidelines is
without value. But we wish to distinguish between good advice to be
considered by developers and strict requirements that will be enforced
by a regime of formal testing. For more detail on the issue of design
vs. performance standards, see Sections 2.3 and 6.1 et al. of NIST
Special Publication 500-256: Improving the Usability and Accessibility
of Voting Systems and Products
(http://vote.nist.gov/Final%20Human%20Factors%20Report%20%205-04.pdf).
General Issues for the Usability Requirements
As mentioned in Section 2.2.7.1, many of the guidelines in this
section enhance accessibility as well as general usability.
The scope of usability includes the entire voting process, although
the emphasis herein is on the interface between the voter and the
voting station.
The requirements in this sub-section generally assume a visual-
tactile interface, but also see requirements in Sections 2.2.7.1 and
Section 2.2.7.2 for alternative formats, including audio.
The outline for Section 2.2.7.3 is:
2.2.7.3 Usability
2.2.7.3.1 Usability Testing by Vendor
2.2.7.3.2 Functional Capabilities
2.2.7.3.3 Cognitive Issues
2.2.7.3.4 Perceptual Issues
2.2.7.3.5 Interaction Issues
1. The Vendor Should Conduct Summative Usability Tests on the Voting
System Using Subjects Representative of the General Population and
Report the Test Results to the Appropriate Testing Authority According
to the Common Industry Format (CIF)
[GRAPHIC] [TIFF OMITTED] TN12AP06.004
Discussion: This requirement is meant to encourage Acc-VS designers
to conduct some realistic usability tests on the final product. For
now, it is purely a documentation recommendation. Future versions of
the VVSG will include requirements for usability testing to be
conducted by the testing authority, with specific performance
benchmarks.
2. The Voting Process Shall Provide Certain Functional Capabilities To
Support Voter Usability
2.1 As Mandated by HAVA 301(a)(1)(A), the Voting System Shall Support a
Process That Allows the Voter To Review His or Her Completed Ballot
Before Final Submission in Order To Verify That it Correctly Represents
the Intended Vote and To Correct the Ballot if Mistakes Are Detected
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: Note that this review and correction may be achieved by
procedural means (e.g. in the case of paper ballots), as well as
technical (see HAVA 301(a)(1)(B)). This requirement is a brief
paraphrase of the HAVA language but of course the statutory language is
determinative.
2.2 As Mandated by HAVA 301(a)(1)(A), the Voting System Shall Support a
Process That Notifies the Voter if He or She Has Attempted To Vote for
More Candidates Than the Maximum Permitted in a Given Race and That
Provides the Voter With the Opportunity To Correct the Ballot Before
Final Submission
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: Note that this notification and correction may be
achieved by procedural means (e.g. in the case of paper ballots), as
well as technical (see HAVA 301(a)(1)(B)). This requirement is a brief
paraphrase of the HAVA language but of course the statutory language is
determinative.
2.3 DRE Voting Stations Shall Allow the Voter To Change a Vote Within a
Race Before Advancing to the Next Race
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: The point here is that voters using a DRE should not
have to wait for the final ballot review in order to change a vote.
2.4 The Voting System Shall Support a Process That Notifies the Voter
if He or She Has Attempted To Vote for Fewer Candidates Than the
Maximum Permitted in a Given Race and That Provides the Voter With the
Opportunity To Change the Ballot Before Final Submission. The Process
Shall Also Notify the Voter That Such an ``Undervote'' Is Permitted and
Shall Accept a Ballot if the Voter so Chooses
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: Note that this notification and correction may be
achieved by procedural means (e.g. in the case of paper ballots), as
well as technical (see HAVA 301(a)(1)(B)).
2.5 DRE Voting Stations Should Provide Navigation Controls That Allow
the Voter To Advance to the Next Race or Go Back to the Previous Race
Before Completing a Vote on the Race or Races Currently Being Presented
(Whether Visually or Aurally)
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: For example, the voter should not be forced to proceed
sequentially through all the races and/or candidates before going back
to check the status of a previous race.
[[Page 18952]]
3. The Voting Process Shall Be Designed To Minimize Cognitive
Difficulties for the Voter
3.1 Consistent With Election Law, the Voting System Should Support a
Process That Does Not Introduce Any Bias for or Against Any of the
Choices To Be Made by the Voter. In Both Visual and Aural Formats,
Candidates and Choices Shall Be Presented in an Equivalent Manner
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: Certain differences in presentation are unavoidable,
such as the order in which candidates are listed, and write-in
candidates are inherently more difficult to vote for. But comparable
characteristics such as font size or voice volume and speed must be the
same for all choices.
3.2 The Voting System or Related Materials Shall Provide Clear
Instructions and Assistance so as To Allow Voters To Successfully
Execute and Cast Their Ballots Independently
Discussion: Voters should not routinely need to ask for human
assistance.
3.2.1 Voting Stations or Related Materials Shall Provide a Means for
the Voter To Get Help at Any Time During the Voting Session
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: The voter should always be able to get help at the
station if confused. DRE voting stations may provide this with a
distinctive ``help'' button. Any type of voting station may provide
written instructions that are available and separate from the ballot.
Note special requirements for the Acc-VS in requirement
2.2.7.1.2.2.2 (Acc-VS/ATI).
3.2.2 The Voting Station Shall Provide Instructions for All Its Valid
Operations
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: If an operation is available to the voter, it must be
documented. Examples include how to change a vote, how to navigate
among races, how to cast a party-line vote, and how to cast a write-in
vote.
3.3 The Voting System Shall Provide the Capability To Design a Ballot
for Maximum Clarity and Comprehension
3.3.1 The Voting Station Should Not Visually Present a Single Race
Spread Over Two Pages or Two Columns
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: Such a visual separation poses the risk that the voter
will perceive the race as two races. Of course, if a race has a very
large number of candidates, it may be infeasible to observe this
guideline.
[Best Practice for Voting Officials] The voting station does not
visually present a single race spread over two pages or two columns.
3.3.2 The Ballot Shall Clearly Indicate the Maximum Number of
Candidates for Which One Can Vote Within a Single Race
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
[Best Practice for Voting Officials] The ballot clearly indicates
the maximum number of candidates for which one can vote within a single
race.
3.3.3 There Shall Be a Consistent Relationship Between the Name of a
Candidate and the Mechanism Used to Vote for That Candidate
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: For example, if the response field where voters
indicate their selections is located to the left of a candidate's name,
then each response field shall be located to the left of the associated
candidate's name.
[Best Practice for Voting Officials] The ballot presents the
relationship between the name of a candidate and the mechanism used to
vote for that candidate in a consistent manner.
3.4 Warnings and Alerts Issued by the Voting Station Should Clearly
State the Nature of the Problem and the Set of Responses Available to
the Voter. The Warning Should Clearly State Whether the Voter Has
Performed or Attempted an Invalid Operation or Whether the Voting
Equipment Itself Has Failed in Some Way
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: In case of an equipment failure, the only action
available to the voter might be to get assistance from a poll worker.
3.5 The Use of Color by the Voting Station Should Agree With Common
Conventions: (a) Green, Blue or White Is Used for General Information
or as a Normal Status Indicator; (b) Amber or Yellow Is Used to
Indicate Warnings or a Marginal Status; (c) Red Is Used to Indicate
Error Conditions or a Problem Requiring Immediate Attention
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
4. The Voting Process Shall Be Designed to Minimize Perceptual
Difficulties for the Voter
4.1 No Display Screen of a Voting Station Shall Flicker With a
Frequency Between 2 Hz and 55 Hz
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: Aside from usability concerns, this requirement
protects voters with epilepsy.
4.2 Any Aspect of the Voting Station That is Adjustable by the Voter or
Poll Worker, Including Font Size, Color, Contrast, and Audio Volume,
Shall Automatically Reset to a Standard Default Value Upon Completion
of That Voter's Session
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: This implies that the voting station presents the same
initial appearance to every voter (excluding, of course, substantive
differences in the ballot content due to residence or party of the
voter).
[[Page 18953]]
4.3 If Any Aspect of a Voting Station is Adjustable by the Voter, There
Should Be a Mechanism to Reset All Such Aspects to Their Default Values
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: The purpose is to allow a voter who has adjusted the
station into an undesirable state to reset all the aspects so as to get
a fresh start.
4.4 The Minimum Font Size for All Text Intended for the Voter During
the Voting Session Shall Be 3.0 mm (Measured as the Height of a Capital
Letter)
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
4.5 All Text Intended for the Voter During the Voting Session Should Be
Presented in a Sans Serif Font
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: Experimentation has shown that users prefer such a font
and the legibility of serif and sans serif fonts is equivalent.
4.6 The Minimum Figure-to-Ground Ambient Contrast Ratio for All Text
and Informational Graphics (Including Icons) Intended for the Voter
Shall Be 3:1
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
5. The Voting Process Shall Be Designed to Minimize Interaction
Difficulties for the Voter
5.1 Voting Stations With Electronic Image Displays Shall Not Require
Page Scrolling by the Voter
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: This is not an intuitive operation for those unfamiliar
with the use of computers. Even those experienced with computers often
do not notice a scroll bar and miss information below the page. DREs
may require voters to move to the next or previous ``page.''
5.2 The Voting Station Shall Provide Unambiguous Feedback Regarding the
Voter's Selection, Such as Displaying a Checkmark Beside the Selected
Option or Conspicuously Changing Its Appearance
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
5.3 If the Voting Station Requires a Response by a Voter Within a
Specific Period of Time, It Shall Issue an Alert at Least 20 Seconds
Before This Time Period Has Expired and Provide a Means by Which the
Voter May Receive Additional Time
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
5.4 Input Mechanisms Shall Be Designed so as to Minimize Accidental
Activation (Also, See Requirement 2.2.7.1.2.2.7 on Tactile
Discernability)
5.4.1 On Touch Screens, the Sensitive Touch Areas Shall Have a Minimum
Height of 0.5 Inches and Minimum Width of 0.7 Inches. The Vertical
Distance Between the Centers of Adjacent Areas Shall Be at Least 0.6
Inches, and the Horizontal Distance at Least 0.8 Inches
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
5.4.2 No Key or Control on a Voting Station Shall Have a Repeat Feature
Enabled
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: This is to preclude accidental activation.
4. The Voting Process Shall Preclude Anyone Else From Determining the
Content of a Voter's Ballot, With or Without the Voter's Cooperation
Discussion: Voter privacy is strongly supported by HAVA--see
Sections 221(e)(2)(C) and 301(a)(1). In this subsection, we address
only privacy concerns in relation to human factors issues, but not with
respect to the processing of cast ballots.
Although elections in American history have sometimes been public
(and certain ``town-hall'' questions are still voted openly), the use
of the secret ballot for political office is now universal.
Privacy in this context, including the property of the voter being
unable to disclose his or her vote, ensures that the voter can make
choices based solely on his or her own preferences without intimidation
or inhibition. Among other practices, this forbids the issuance of a
receipt to the voter that would provide proof to another how he or she
voted.
The outline for Section 2.2.7.4 is:
2.2.7.4 Privacy
2.2.7.4.1 Privacy at the polling place
2.2.7.4.2 No preservation of alternative formats
2.2.7.4.3 Absentee Balloting
1. The Voting Station and Polling Place Shall Be Configured so as to
Prevent Others From Learning the Contents of a Voter's Ballot
1.1 The Ballot and Any Input Controls Shall Be Visible Only to the
Voter During the Voting Session and Ballot Submission
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
[Best Practice for Voting Officials] The ballot and any input
controls are visible only to the voter during the voting session and
ballot submission. Poll workers need to take into account such factors
as visual barriers, windows, permitted waiting areas for other voters,
and procedures for ballot submission when not performed at the voting
station, e.g. submission of optiscan ballots to a central reader.
1.2 The Audio Interface Shall Be Audible Only to the Voter
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: Voters who are hard of hearing but need to use an audio
interface may also need to increase the volume of the audio. Such
situations require headphones with low sound leakage.
[Best Practice for Voting Officials] The audio interface is audible
only to the voter.
[[Page 18954]]
1.3 As Mandated By HAVA 301(a)(1)(C), the Voting System Shall Notify
the Voter of an Attempted Overvote in a Way That Preserves the Privacy
of the Voter and the Confidentiality of the Ballot
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: This requirement is a brief paraphrase of the HAVA
language but of course the statutory language is determinative.
[Best Practice for Voting Officials] As mandated by HAVA
301(a)(1)(C), the voting system notifies the voter of an attempted
overvote in a way that preserves the privacy of the voter and the
confidentiality of the ballot.
2. Voter Anonymity Shall Be Maintained for Alternative Format Ballot
Presentation
2.1 No Information Shall Be Kept Within a Non-Paper-Based Cast Vote
Record That Identifies Any Accessibility Feature(s) Used by a Voter
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: Large-print paper ballots unavoidably preserve such
information.
2.1.1 No Information Shall Be Kept Within a Non-Paper-Based Cast Vote
Record That Identifies Any Alternative Language Feature(s) Used by a
Voter
[GRAPHIC] [TIFF OMITTED] TN12AP06.003
Discussion: Non-English paper ballots unavoidably preserve such
information.
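The following sketch is an added illustration, not part of the Guidelines or of any vendor's software. It models a DRE voting session in which presentation settings (the accessibility and alternative language features of requirements 2.1 and 2.1.1) never reach the cast vote record and are reset to defaults when the ballot is cast, and it includes the kind of check a test lab could run over a stored record. All class, field, and function names, the default values, and the choice to refuse an overvote selection are assumptions.

```python
from dataclasses import dataclass, field

# Assumed defaults; the Guidelines require a "standard default value"
# but do not name one.
DEFAULTS = {"language": "en", "font_mm": 3.0, "contrast": "normal",
            "audio": False, "volume": 5}

# Keys that would reveal an accessibility or alternative-language
# feature if they were stored alongside the votes.
PRESENTATION_KEYS = frozenset(DEFAULTS)


@dataclass
class VotingSession:
    """Hypothetical model of one voter's session on a DRE station."""
    contests: dict  # contest id -> maximum number of selections
    settings: dict = field(default_factory=lambda: dict(DEFAULTS))
    selections: dict = field(default_factory=dict)

    def adjust(self, key, value):
        """Change a presentation setting for this session only."""
        if key not in DEFAULTS:
            raise KeyError(f"unknown setting: {key}")
        self.settings[key] = value

    def select(self, contest, candidate):
        """Add a selection; return 'overvote' instead of recording one."""
        limit = self.contests[contest]
        chosen = self.selections.setdefault(contest, [])
        if candidate in chosen:
            return "ok"
        if len(chosen) >= limit:
            return "overvote"  # station notifies the voter privately
        chosen.append(candidate)
        return "ok"

    def deselect(self, contest, candidate):
        """Let the voter change a vote before leaving the race."""
        if candidate in self.selections.get(contest, []):
            self.selections[contest].remove(candidate)

    def undervoted(self):
        """Contests to mention in the (permitted) undervote notice."""
        return sorted(c for c, limit in self.contests.items()
                      if len(self.selections.get(c, [])) < limit)

    def cast(self):
        """Build the cast vote record, then reset the station."""
        # Only the selections are copied; settings are never read here.
        # Every contest appears, so the record's shape is the same for
        # every voter.
        cvr = {"selections": {c: sorted(self.selections.get(c, []))
                              for c in sorted(self.contests)}}
        self.settings = dict(DEFAULTS)  # same start for the next voter
        self.selections = {}
        return cvr


def leaked_presentation_fields(record, path=""):
    """Return the paths of any presentation settings found in a record."""
    found = []
    if isinstance(record, dict):
        for key, value in record.items():
            here = f"{path}.{key}" if path else str(key)
            if key in PRESENTATION_KEYS:
                found.append(here)
            found.extend(leaked_presentation_fields(value, here))
    elif isinstance(record, list):
        for index, item in enumerate(record):
            found.extend(leaked_presentation_fields(item, f"{path}[{index}]"))
    return sorted(found)
```
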
[Best Practice for Voting Officials] Appropriate procedures are
needed to ensure that absentee balloting enables the voter to preserve
privacy. There is no practical means to prevent a voter from revealing
an absentee paper ballot to others. But the procedures should ensure
that if a voter chooses to maintain privacy, it is not violated at a
later stage, in particular when the ballot is received by voting
officials.
2.2.8 Vote Tabulating Program
Each voting system shall have a vote tabulation program that will
meet specific functional requirements.
2.2.8.1 Functions
The vote tabulating program software resident in each voting
device, vote count server, or other devices shall include all software
modules required to:
a. Monitor system status and generate machine-level audit reports;
b. Accommodate device control functions performed by polling place
officials and maintenance personnel;
c. Register and accumulate votes; and
d. Accommodate variations in ballot counting logic.
2.2.8.2 Voting Variations
There are significant variations among the election laws of the 50
states with respect to permissible ballot contents, voting options, and
the associated ballot counting logic. The TDP accompanying the system
shall specifically identify which of the following items can and cannot
be supported by the system, as well as how the system can implement the
items supported:
a. Closed primaries;
b. Open primaries;
c. Partisan offices;
d. Non-partisan offices;
e. Write-in voting;
f. Primary presidential delegation nominations;
g. Ballot rotation;
h. Straight party voting;
i. Cross-party endorsement;
j. Split precincts;
k. Vote for N of M;
l. Recall issues, with options;
m. Cumulative voting;
n. Ranked order voting; and
o. Provisional or challenged ballots.
2.2.9 Ballot Counter
For all voting systems, each device that tabulates ballots shall
provide a counter that:
a. Can be set to zero before any ballots are submitted for tally;
b. Records the number of ballots cast during a particular test
cycle or election;
c. Increases the count only by the input of a ballot;
d. Prevents or disables the resetting of the counter by any person
other than authorized persons at authorized points; and
e. Is visible to designated election officials.
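The following sketch is an added illustration of counter rules a through e, not code from the Standards or from any voting system. The class and method names, the representation of "authorized persons" as a set of identifiers, and the reading of "authorized points" as any time outside an open test cycle or election are assumptions.

```python
class CounterError(Exception):
    """Raised when an operation would violate a counter rule."""


class BallotCounter:
    """Hypothetical ballot counter for one tabulating device."""

    def __init__(self, authorized_officials):
        self._authorized = frozenset(authorized_officials)
        self._count = 0
        self._cycle_open = False
        # (actor, action, outcome, count) tuples for machine-level audit.
        self.audit_log = []

    @property
    def count(self):
        """(e) Readable by officials; there is no setter."""
        return self._count

    def _log(self, actor, action, allowed):
        outcome = "allowed" if allowed else "refused"
        self.audit_log.append((actor, action, outcome, self._count))

    def _refuse(self, actor, action, reason):
        self._log(actor, action, False)
        raise CounterError(reason)

    def _require_official(self, actor, action):
        if actor not in self._authorized:
            self._refuse(actor, action, f"{actor} may not {action}")

    def reset(self, actor):
        """(a), (d) Zero the counter: authorized person, authorized point."""
        self._require_official(actor, "reset")
        if self._cycle_open:
            self._refuse(actor, "reset", "no reset while a cycle is open")
        self._count = 0
        self._log(actor, "reset", True)

    def start_cycle(self, actor):
        """Begin a test cycle or election; the counter must read zero."""
        self._require_official(actor, "start_cycle")
        if self._count != 0:
            self._refuse(actor, "start_cycle", "counter is not zero")
        self._cycle_open = True
        self._log(actor, "start_cycle", True)

    def end_cycle(self, actor):
        """Close the cycle; the final count stays readable."""
        self._require_official(actor, "end_cycle")
        self._cycle_open = False
        self._log(actor, "end_cycle", True)

    def accept_ballot(self):
        """(b), (c) The only path that raises the count, one per ballot."""
        if not self._cycle_open:
            self._refuse("ballot-input", "accept_ballot", "no cycle is open")
        self._count += 1
        self._log("ballot-input", "accept_ballot", True)
        return self._count
```
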
2.2.10 Telecommunications
For all voting systems that use telecommunications for the
transmission of data during pre-voting, voting or post-voting
activities, capabilities shall be provided that ensure data are
transmitted with no alteration or unauthorized disclosure during
transmission. Such transmissions shall not violate the privacy,
secrecy, and integrity demands of the Standards. Section 5 of the
Standards describes telecommunications standards that apply to, at a
minimum, the following types of data transmissions:
* Voter Authentication: Coded information that confirms the identity
  of a voter for security purposes for a system that transmits votes
  individually over a public network;
* Ballot Definition: Information that describes to a voting machine
  the content and appearance of the ballots to be used in an election;
* Vote Transmission to Central Site: For systems that transmit votes
  individually over a public network, the transmission of a single vote
  to the county (or contractor) for consolidation with other county
  vote data;
* Vote Count: Information representing the tabulation of votes at any
  one of several levels: polling place, precinct, or central count; and
* List of Voters: A listing of the individual voters who have cast
  ballots in a specific election.
2.2.9 Data Retention
United States Code Title 42, Sections 1974 through 1974e, states
that election administrators shall preserve for 22 months ``all records
and paper that came into (their) possession relating to an application,
registration, payment of poll tax, or other act requisite to voting.''
This retention requirement applies to systems that will be used at
any time for voting of candidates for Federal offices (e.g., Member of
Congress, United States Senator, and/or Presidential Elector).
Therefore, all systems shall provide for maintaining the integrity of
voting and audit data during an election and for a period of at least
22 months thereafter.
Because the purpose of this law is to assist the Federal government
in discharging its law enforcement responsibilities in connection with
civil rights and elections crimes, its scope must be interpreted in
keeping with that objective. The appropriate state or local authority
must preserve all records that may be relevant to the detection and
prosecution of federal civil rights or election crimes for the 22-month
federal retention period, if the records were generated in connection
with an election that was held in whole or in part to select federal
candidates. It is important to note that Section 1974 does not require
that election officials generate any specific type or classification of
election record. However, if a record is generated, Section 1974 comes
into force and the appropriate authority must retain the records for 22
months.
For 22-month document retention, the general rule is that all
printed copy
[[Page 18955]]
records produced by the election database and ballot processing systems
shall be so labeled and archived. Regardless of system type, all audit
trail information spelled out in subsection 4.5 of the Standards shall
be retained in its original format, whether that be real-time logs
generated by the system, or manual logs maintained by election
personnel. The election audit trail includes not only in-process logs
of election-night (and subsequent processing of absentee or provisional
ballots), but also time logs of baseline ballot definition formats, and
system readiness and testing results.
In many voting systems, the source of election-specific data (and
ballot formats) is a database or file. In precinct count systems, this
data is used to program each machine, establish ballot layout, and
generate tallying files. It is not necessary to retain this information
on electronic media if there is an official, authenticatable printed
copy of all final database information. However, it is recommended that
the state or local jurisdiction also retain electronic records of the
aggregate data for each device so that reconstruction of an election is
possible without data re-entry. The same requirement and recommendation
apply to vote results generated by each precinct device or system.
2.3 Pre-Voting Functions
This section defines capabilities required to support functions
performed prior to the opening of polls. All voting systems shall
provide capabilities to support:
Ballot preparation;
Election programming;
Ballot and program installation and control;
Readiness testing;
Verification at the polling place; and
Verification at the central counting place.
The standards also include requirements to ensure compatible
interfaces with the ballot definition process and the reporting of
election results.
2.3.1 Ballot Preparation
Ballot preparation is the process of using election databases to
define the specific contests, questions, and related instructions to be
contained in ballots and to produce all permissible ballot layouts.
Ballot preparation requirements include:
General capabilities for ballot preparation;
Ballot formatting; and
Ballot production.
2.3.1.1 General Capabilities
All systems shall provide the general capabilities for ballot
preparation.
2.3.1.1.1 Common Standards
All systems shall be capable of:
a. Enabling the automatic formatting of ballots in accordance with
the requirements for offices, candidates, and measures qualified to be
placed on the ballot for each political subdivision and election
district;
b. Collecting and maintaining the following data:
(1) Offices and their associated labels and instructions;
(2) Candidate names and their associated labels; and
(3) Issues or measures and their associated text;
c. Supporting the maximum number of potentially active voting
positions as indicated in the system documentation;
d. For a primary election, generating ballots that segregate the
choices in partisan races by party affiliation;
e. Generating ballots that contain identifying codes or marks
uniquely associated with each format; and
f. Ensuring that vote response fields, selection buttons, or
switches properly align with the specific candidate names and/or issues
printed on the ballot display, ballot card or sheet, or separate ballot
pages.
2.3.1.1.2 Paper-Based System Standards
In addition to the common standards, paper-based systems shall meet
the following standards applicable to the technology used:
a. Enable voters to make selections by punching a hole or by making
a mark in areas designated for this purpose upon each ballot card or
sheet;
b. For punchcard systems, ensure that the vote response fields can
be properly aligned with punching devices used to record votes; and
c. For marksense systems, ensure that the timing marks align
properly with the vote response fields.
2.3.1.2 Ballot Formatting
Ballot formatting is the process by which election officials or
their designees use election databases and vendor system software to
define the specific contests and related instructions contained on the
ballot and present them in a layout permitted by state law. All systems
shall provide a capability for:
a. Creation of newly defined elections;
b. Rapid and error-free definition of elections and their
associated ballot layouts;
c. Uniform allocation of space and fonts used for each office,
candidate, and contest such that the voter perceives no active voting
position to be preferred to any other;
d. Simultaneous display of the maximum number of choices for a
single contest as indicated by the vendor in the system documentation;
e. Retention of previously defined formats for an election;
f. Prevention of unauthorized modification of any ballot formats;
and
g. Modification by authorized persons of a previously defined
ballot format for use in a subsequent election.
2.3.1.3 Ballot Production
Ballot production is the process of converting ballot formats to a
medium ready for use in the physical ballot production or electronic
presentation.
2.3.1.3.1 Common Standards
The voting system shall provide a means of printing or otherwise
generating a ballot display that can be installed in all system voting
devices for which it is intended. All systems shall provide a
capability to ensure:
a. The electronic display or printed document on which the user
views the ballot is capable of rendering an image of the ballot in any
of the languages required by The Voting Rights Act of 1965, as amended;
b. The electronic display or printed document on which the user
views the ballot does not show any advertising or commercial logos of
any kind, whether public service, commercial, or political, unless
specifically provided for in State law. Electronic displays shall not
provide connection to such material through hyperlink; and
c. The ballot conforms to vendor specifications for type of paper
stock, weight, size, shape, size and location of punch or mark field
used to record votes, folding, bleed through, and ink for printing if
paper ballot documents or paper displays are part of the system.
2.3.1.3.2 Paper-Based System Standards
In addition to the common standards, vendor documentation for
marksense systems shall include specifications for ballot materials to
ensure that vote selections are read from only a single ballot at a
time, without detection of marks from multiple ballots concurrently
(e.g., reading of bleed-through from other ballots).
2.3.2 Election Programming
Election programming is the process by which election officials or
their designees use election databases and vendor system software to
logically define the voter choices associated with
[[Page 18956]]
the contents of the ballots. All systems shall provide for the:
a. Logical definition of the ballot, including the definition of
the number of allowable choices for each office and contest;
b. Logical definition of political and administrative subdivisions,
where the list of candidates or contests varies between polling places;
c. Exclusion of any contest on the ballot in which the voter is
prohibited from casting a ballot because of place of residence, or
other such administrative or geographical criteria;
d. Ability to select from a range of voting options to conform to
the laws of the jurisdiction in which the system will be used; and
e. Generation of all required master and distributed copies of the
voting program, in conformance with the definition of the ballots for
each voting device and polling place, and for each tabulating device.
2.3.3 Ballot and Program Installation and Control
All systems shall provide a means of installing ballots and
programs on each piece of polling place or central count equipment in
accordance with the ballot requirements of the election and the
requirements of the jurisdiction in which the equipment will be used.
All systems shall include the following at the time of ballot and
program installation:
a. A detailed work plan or other documentation providing a schedule
and steps for the software and ballot installation, which includes a
table outlining the key dates, events and deliverables;
b. A capability for automatically verifying that the software has
been properly selected and installed in the equipment or in a
programmable memory device and for indicating errors; and
c. A capability for automatically validating that software
correctly matches the ballot formats that it is intended to process,
for detecting errors, and for immediately notifying an election
official of detected errors.
2.3.4 Readiness Testing
Election personnel conduct equipment and system readiness tests
prior to the start of an election to ensure that the voting system
functions properly, to confirm that system equipment has been properly
integrated, and to obtain equipment status reports.
2.3.4.1 Common Standards
All systems shall provide the capabilities to:
a. Verify that voting machines or vote recording and data
processing equipment, precinct count equipment, and central count
equipment are properly prepared for an election, and collect data that
verifies equipment readiness;
b. Obtain status and data reports from each set of equipment;
c. Verify the correct installation and interface of all system
equipment;
d. Verify that hardware and software function correctly;
e. Generate consolidated data reports at the polling place and
higher jurisdictional levels; and
f. Segregate test data from actual voting data, either
procedurally or by hardware/software features.
Resident test software, external devices, and special purpose test
software connected to or installed in voting devices to simulate
operator and voter functions may be used for these tests provided that
the following standards are met:
a. These elements shall be capable of being tested separately, and
shall be proven to be reliable verification tools prior to their use;
and
b. These elements shall be incapable of altering or introducing any
residual effect on the intended operation of the voting device during
any succeeding test and operational phase.
2.3.4.2 Paper-Based Systems
Paper-based systems shall:
a. Support conversion testing that uses all potential ballot
positions as active positions; and
b. Support conversion testing of ballots with active position
density for systems without pre-designated ballot positions.
2.3.5 Verification at the Polling Place
Election officials perform verification at the polling place to
ensure that all voting systems and equipment function properly before
and during an election. All systems shall provide a formal record of
the following, in any media, upon verification of the authenticity of
the command source:
a. The election's identification data;
b. The identification of all equipment units;
c. The identification of the polling place;
d. The identification of all ballot formats;
e. The contents of each active candidate register by office and of
each active measure register at all storage locations (showing that
they contain only zeros);
f. A list of all ballot fields that can be used to invoke special
voting options; and
g. Other information needed to confirm the readiness of the
equipment, and to accommodate administrative reporting requirements.
To prepare voting devices to accept voted ballots, all voting
systems shall provide the capability to test each device prior to
opening to verify that each is operating correctly. At a minimum, the
tests shall include:
a. Confirmation that there are no hardware or software failures;
and
b. Confirmation that the device is ready to be activated for
accepting votes.
If a precinct count system includes equipment for the consolidation
of polling place data at one or more central counting places, it shall
have means to verify the correct extraction of voting data from
transportable memory devices, or to verify the transmission of secure
data over secure communication links.
2.3.6 Verification at the Central Location
Election officials perform verification at the central location to
ensure that vote counting and vote consolidation equipment and software
function properly before and after an election. Upon verification of
the authenticity of the command source, any system used in a central
count environment shall provide a printed record of the following:
a. The election's identification data;
b. The contents of each active candidate register by office and of
each active measure register at all storage locations (showing that
they contain all zeros); and
c. Other information needed to ensure the readiness of the
equipment and to accommodate administrative reporting requirements.
2.4 Voting Functions
All systems shall support:
Opening the polls; and
Casting a ballot.
Additionally, all DRE systems shall support:
Activating the ballot;
Augmenting the election counter; and
Augmenting the life-cycle counter.
2.4.1 Opening the Polls
The capabilities required for opening the polls are specific to
individual voting system technologies. At a minimum, the systems shall
provide the functional capabilities indicated below.
2.4.1.1 Opening the Polling Place (Precinct Count Systems)
To allow voting devices to be activated for voting, the system
shall provide:
[[Page 18957]]
a. An internal test or diagnostic capability to verify that all of
the polling place tests specified in Section 2.3.5 have been
successfully completed; and
b. Automatic disabling of any device that has not been tested until
it has been tested.
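The gate described in 2.4.1.1, shown as an added illustration that is not part of the Guidelines or of any vendor's code: a device stays disabled until the Section 2.3.5 tests have been run and recorded as passed, including the all-zero register check. The class names, field names, and sample values are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class ReadinessRecord:
    """Formal record of the Section 2.3.5 items a-e for one device."""
    election_id: str
    equipment_id: str
    polling_place: str
    ballot_formats: tuple
    registers: dict                      # register name -> count at test time
    failures: list = field(default_factory=list)

    @property
    def passed(self):
        return not self.failures


class DeviceDisabled(Exception):
    """Raised when poll opening is refused (Section 2.4.1.1 b)."""


class VotingDevice:
    # Hypothetical device model. Authenticating the command source, which
    # Section 2.3.5 requires before the record is produced, is out of scope.
    def __init__(self, election_id, equipment_id, polling_place,
                 ballot_formats, registers):
        self.election_id = election_id
        self.equipment_id = equipment_id
        self.polling_place = polling_place
        self.ballot_formats = tuple(ballot_formats)
        self.registers = dict(registers)
        self.polls_open = False
        self._record = None              # None means "never tested"

    def run_polling_place_tests(self, hardware_ok, software_ok):
        """Run the pre-opening tests and return the readiness record."""
        failures = []
        if not hardware_ok:
            failures.append("hardware failure")
        if not software_ok:
            failures.append("software failure")
        if not self.ballot_formats:
            failures.append("no ballot format installed")
        for name in sorted(self.registers):
            if self.registers[name] != 0:
                failures.append(
                    f"register not zero: {name}={self.registers[name]}")
        self._record = ReadinessRecord(
            self.election_id, self.equipment_id, self.polling_place,
            self.ballot_formats, dict(self.registers), failures)
        return self._record

    def open_polls(self):
        """Enable voting only if a passing test record exists and still holds."""
        if self._record is None:
            raise DeviceDisabled("not tested")
        if not self._record.passed:
            raise DeviceDisabled("; ".join(self._record.failures))
        if self._record.registers != self.registers:
            # State changed after the test, so the record no longer describes
            # the device; require a new test rather than trusting the old one.
            raise DeviceDisabled("registers changed since test")
        self.polls_open = True
        return self._record
```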
2.4.1.2 Paper-Based System Standards
The standards for opening the polling place for paper-based systems
consist of common standards and additional standards that apply to
precinct count paper-based systems.
2.4.1.2.1 All Paper-Based Systems
To facilitate opening the polls, all paper-based systems shall
include:
a. A means of verifying that ballot punching or marking devices are
properly prepared and ready to use;
b. A voting booth or similar facility, in which the voter may punch
or mark the ballot in privacy; and
c. Secure receptacles for holding voted ballots.
2.4.1.2.2 Precinct Count Paper-Based Systems
In addition to the above requirements, all paper-based precinct
count equipment shall include a means of:
a. Activating the ballot counting device;
b. Verifying that the device has been correctly activated and is
functioning properly; and
c. Identifying device failure and corrective action needed.
2.4.1.3 DRE System Standards
To facilitate opening the polls, all DRE systems shall include:
a. A security seal, a password, or a data code recognition
capability to prevent the inadvertent or unauthorized actuation of the
poll-opening function;
b. A means of enforcing the execution of steps in the proper
sequence if more than one step is required;
c. A means of verifying the system has been activated correctly;
and
d. A means of identifying system failure and any corrective action
needed.
2.4.2 Activating the Ballot (DRE Systems)
To activate the ballot, all DRE systems shall:
a. Enable election officials to control the content of the ballot
presented to the voter, whether presented in printed form or electronic
display, such that each voter is permitted to record votes only in
contests in which that voter is authorized to vote;
b. Allow each eligible voter to cast a ballot;
c. Prevent a voter from voting on a ballot to which he or she is
not entitled;
d. Prevent a voter from casting more than one ballot in the same
election;
e. Activate the casting of a ballot in a general election;
f. Enable the selection of the ballot that is appropriate to the
party affiliation declared by the voter in a primary election;
g. Activate all portions of the ballot upon which the voter is
entitled to vote; and
h. Disable all portions of the ballot upon which the voter is not
entitled to vote.
2.4.3 Casting a Ballot
Some required capabilities for casting a ballot are common to all
systems. Others are specific to individual voting technologies or
intended use. Systems must provide additional functional capabilities
that enable accessibility to disabled voters as defined in Section
2.2.7 of the Standards.
2.4.3.1 Common Standards
To facilitate casting a ballot, all systems shall:
a. Provide text that is at least 3 millimeters high and provide the
capability to adjust or magnify the text to an apparent size of 6.3
millimeters;
b. Protect the secrecy of the vote such that the system cannot
reveal any information about how a particular voter voted, except as
otherwise required by individual State law;
c. Record the selection and non-selection of individual vote
choices for each contest and ballot measure;
d. Record the voter's selection of candidates whose names do not
appear on the ballot, if permitted under State law, and record as many
write-in votes as the number of candidates the voter is allowed to
select;
e. In the event of a failure of the main power supply external to
the voting system, provide the capability for any voter who is voting
at the time to complete casting a ballot, allow for the graceful
shutdown of the voting system without loss or degradation of the voting
and audit data, and allow voters to resume voting once the voting
system has reverted to back-up power; and
f. Provide the capability for voters to continue casting ballots in
the event of a failure of a telecommunications connection within the
polling place or between the polling place and any other location.
2.4.3.2 Paper-Based Systems Standards
The standards for casting a ballot for paper-based systems consist
of common standards and additional standards that apply to precinct
count paper-based systems.
2.4.3.2.1 All Paper-Based Systems
All paper-based systems shall:
a. Allow the voter to easily identify the voting field that is
associated with each candidate or ballot measure response;
b. Allow the voter to punch or mark the ballot to register a vote;
c. Allow either the voter or the appropriate election official to
place the voted ballot into the ballot counting device (for precinct
count systems) or into a secure receptacle (for central count systems);
and
d. Protect the secrecy of the vote throughout the process.
2.4.3.2.2 Precinct Count Paper-Based Systems
In addition to the above requirements, all paper-based precinct
count systems shall:
a. Provide feedback to the voter that identifies specific contests
or ballot issues for which an overvote or undervote is detected;
b. Allow the voter, at the voter's choice, to vote a new ballot or
submit the ballot `as is' without correction; and
c. Allow an authorized election official to turn off the
capabilities defined in `a' and `b' above.
2.4.3.3 DRE Systems Standards
In addition to the above common requirements, DRE systems shall:
a. Prohibit the voter from accessing or viewing any information on
the display screen that has not been authorized by election officials
and preprogrammed into the voting system (i.e., no potential for
display of external information or linking to other information
sources);
b. Enable the voter to easily identify the selection button or
switch, or the active area of the ballot display that is associated
with each candidate or ballot measure response;
c. Allow the voter to select his or her preferences on the ballot
in any legal number and combination;
d. Indicate that a selection has been made or canceled;
e. Indicate to the voter when no selection, or an insufficient
number of selections, has been made in a contest;
f. Prevent the voter from overvoting;
g. Notify the voter when the selection of candidates and measures
is completed;
h. Allow the voter, before the ballot is cast, to review his or her
choices and, if the voter desires, to delete or change his or her
choices before the ballot is cast;
[[Page 18958]]
i. For electronic image displays, prompt the voter to confirm the
voter's choices before casting his or her ballot, signifying to the
voter that casting the ballot is irrevocable and directing the voter to
confirm the voter's intention to cast the ballot;
j. Notify the voter after the vote has been stored successfully
that the ballot has been cast;
k. Notify the voter that the ballot has not been cast successfully
if it is not stored successfully, including storage of the ballot
image, and provide clear instruction as to the steps the voter should
take to cast his or her ballot should this event occur;
l. Provide sufficient computational performance to provide
responses back to each voter entry in no more than three seconds;
m. Ensure that the votes stored accurately represent the actual
votes cast;
n. Prevent modification of the voter's vote after the ballot is
cast;
o. Provide a capability to retrieve ballot images in a form
readable by humans (in accordance with the requirements of Sections
2.2.2.2 and 2.2.4.2);
p. Increment the proper ballot position registers or counters;
q. Protect the secrecy of the vote throughout the voting process;
r. Prohibit access to voted ballots until after the close of polls;
s. Provide the ability for election officials to submit test
ballots for use in verifying the end-to-end integrity of the system;
and
t. Isolate test ballots such that they are accounted for accurately
in vote counts and are not reflected in official vote counts for
specific candidates or measures.
2.5 Post-Voting Functions
All systems shall provide capabilities to accumulate and report
results for the jurisdiction and to generate audit trails. In addition,
precinct count systems must provide a means to close the polling place
including generating appropriate reports. If the system provides the
capability to broadcast results, additional standards apply.
2.5.1 Closing the Polling Place (Precinct Count)
These standards for closing the polling place are specific to
precinct count systems. The system shall provide the means for:
a. Preventing the further casting of ballots once the polling place
has closed;
b. Providing an internal test that verifies that the prescribed
closing procedure has been followed, and that the device status is
normal;
c. Incorporating a visible indication of system status;
d. Producing a diagnostic test record that verifies the sequence of
events, and indicates that the extraction of voting data has been
activated; and
e. Precluding the unauthorized reopening of the polls once the poll
closing has been completed for that election.
2.5.2 Consolidating Vote Data
All systems shall provide a means to consolidate vote data from all
polling places, and optionally from other sources such as absentee
ballots, provisional ballots, and voted ballots requiring human review
(e.g., write-in votes).
2.5.3 Producing Reports
All systems shall be able to create reports summarizing the data on
multiple levels.
2.5.3.1 Common Standards
All systems shall provide capabilities to:
a. Support geographic reporting, which requires the reporting of
all results for each contest at the precinct level and additional
jurisdictional levels;
b. Produce a printed report of the number of ballots counted by
each tabulator;
c. Produce a printed report for each tabulator of the results of
each contest that includes the votes cast for each selection, the count
of undervotes, and the count of overvotes;
d. Produce a consolidated printed report of the results for each
contest of all votes cast (including the count of ballots from other
sources supported by the system as specified by the vendor) that
includes the votes cast for each selection, the count of undervotes,
and the count of overvotes;
e. Be capable of producing a consolidated printed report of the
combination of overvotes for any contest that is selected by an
authorized official (e.g., the number of overvotes in a given contest
combining candidate A and candidate B, combining candidate A and
candidate C, etc.);
f. Produce all system audit information required in Section 4.5 in
the form of printed reports, or in electronic memory for printing
centrally; and
g. Prevent data from being altered or destroyed by report
generation, or by the transmission of results over telecommunications
lines.
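An added illustration, not part of the Guidelines or of any vendor's code, of the per-tabulator report in items b, c and e above, with test ballots kept out of the official counts as 2.3.4.1 f and 2.4.3.3 t require. The data layout, the counting conventions (one overvote per overvoted ballot, one undervote per unused selection) and the `reconciles` audit check are assumptions made for the example.

```python
from collections import Counter

# Constructed sample definition: contest id -> (choices, allowable selections).
CONTESTS = {"mayor": (("A", "B", "C"), 1), "council": (("D", "E", "F"), 2)}

# Constructed sample ballots as read by one paper-ballot tabulator.
BALLOTS = [
    {"marks": {"mayor": ["A"], "council": ["D", "E"]}},
    {"marks": {"mayor": ["A", "B"], "council": ["D"]}},
    {"marks": {"mayor": [], "council": ["D", "E", "F"]}},
    {"marks": {"mayor": ["B", "A"], "council": ["E", "F"]}},
    {"marks": {"mayor": ["C"], "council": ["D", "E"]}, "test": True},
    {"marks": {"mayor": ["B"], "council": []}},
]


def _empty_tally(contests):
    return {
        cid: {"votes": {c: 0 for c in choices}, "undervotes": 0,
              "overvotes": 0, "overvote_combinations": Counter()}
        for cid, (choices, _allowed) in contests.items()
    }


def tabulate(ballots, contests):
    """Build the official and test tallies for one tabulator.

    An overvoted contest credits no choice; the combination of marked
    choices is recorded so it can be reported per item e.
    """
    report = {"official": _empty_tally(contests),
              "test": _empty_tally(contests),
              "ballots_counted": {"official": 0, "test": 0}}
    for ballot in ballots:
        kind = "test" if ballot.get("test", False) else "official"
        report["ballots_counted"][kind] += 1
        for cid, (choices, allowed) in contests.items():
            # A contest with no marks counts as fully undervoted.
            selected = sorted(set(ballot["marks"].get(cid, [])))
            unknown = [c for c in selected if c not in choices]
            if unknown:
                raise ValueError(f"{cid}: unknown choice(s) {unknown}")
            entry = report[kind][cid]
            if len(selected) > allowed:
                entry["overvotes"] += 1
                entry["overvote_combinations"][tuple(selected)] += 1
            else:
                for choice in selected:
                    entry["votes"][choice] += 1
                entry["undervotes"] += allowed - len(selected)
    return report


def reconciles(report, contests, kind="official"):
    """Audit check: every allowable selection on every counted ballot is
    accounted for as a vote, an undervote, or part of an overvote."""
    n = report["ballots_counted"][kind]
    for cid, (_choices, allowed) in contests.items():
        e = report[kind][cid]
        accounted = (sum(e["votes"].values()) + e["undervotes"]
                     + allowed * e["overvotes"])
        if accounted != allowed * n:
            return False
    return True
```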
2.5.3.2 Precinct Count Systems
In addition to the common reporting requirements, all precinct
count voting systems shall:
a. Prevent the printing of reports and the unauthorized extraction
of data prior to the official close of the polling place;
b. Provide a means to extract information from a transportable
programmable memory device or data storage medium for vote
consolidation;
c. Consolidate the data contained in each unit into a single report
for the polling place when more than one voting machine or precinct
tabulator is used; and
d. Prevent data in transportable memory from being altered or
destroyed by report generation, or by the transmission of results over
telecommunications lines.
2.5.4 Broadcasting Results
Some voting systems offer the capability to make unofficial results
available to external organizations such as the news media, political
party officials, and others. Although this capability is not required,
systems that make unofficial results available shall:
a. Provide only aggregated results, and not data from individual
ballots;
b. Provide no access path from unofficial electronic reports or
files to the storage devices for official data; and
c. Clearly indicate on each report or file that the results it
contains are unofficial.
2.6 Maintenance, Transportation, and Storage
All systems shall be designed and manufactured to facilitate
preventive and corrective maintenance, conforming to the hardware
standards described in Section 3.
All vote casting and tally equipment designated for storage between
elections shall:
a. Function without degradation in capabilities after transit to
and from the place of use, as demonstrated by meeting the performance
standards described in Section 3; and
b. Function without degradation in capabilities after storage
between elections, as demonstrated by meeting the performance standards
described in Section 3.
Volume I, Section 3
Table of Contents
3 Hardware Standards
3.1 Scope
3.1.1 Hardware Sources
3.1.2 Organization of this Section
3.2 Performance Requirements
3.2.1 Accuracy Requirements
[[Page 18959]]
3.2.2 Environmental Requirements
3.2.2.1 Shelter Requirements
3.2.2.2 Space Requirements
3.2.2.3 Furnishings and Fixtures
3.2.2.4 Electrical Supply
3.2.2.5 Electrical Power Disturbance
3.2.2.6 Electrical Fast Transient
3.2.2.7 Lightning Surge
3.2.2.8 Electrostatic Disruption
3.2.2.9 Electromagnetic Radiation
3.2.2.10 Electromagnetic Susceptibility
3.2.2.11 Conducted RF Immunity
3.2.2.12 Magnetic Fields Immunity
3.2.2.13 Environmental Control--Operating Environment
3.2.2.14 Environmental Control--Transit and Storage
3.2.2.15 Data Network Requirements
3.2.3 Election Management System (EMS) Requirements
3.2.3.1 Recording Requirements
3.2.3.2 Memory Stability
3.2.4 Vote Recording Requirements
3.2.4.1 Common Standards
3.2.4.2 Paper-Based Recording Standards
3.2.4.2.1 Paper Ballot Standards
3.2.4.2.2 Punching Devices
3.2.4.2.3 Marking Devices
3.2.4.2.4 Frames or Fixtures for Punchcard Ballots
3.2.4.2.5 Frames or Fixtures for Printed Ballots
3.2.4.2.6 Ballot Boxes and Ballot Transfer Boxes
3.2.4.3 DRE Systems Recording Requirements
3.2.4.3.1 Activity Indicator
3.2.4.3.2 DRE System Vote Recording
3.2.4.3.3 Recording Accuracy
3.2.4.3.4 Recording Reliability
3.2.5 Paper-based Conversion Requirements
3.2.5.1 Ballot Handling
3.2.5.1.1 Capacity (Central Count)
3.2.5.1.2 Exception Handling (Central Count)
3.2.5.1.3 Exception Handling (Precinct Count)
3.2.5.1.4 Multiple Feed Prevention
3.2.5.2 Ballot Reading Accuracy
3.2.6 Processing Requirements
3.2.6.1 Paper-Based System Processing Requirements
3.2.6.1.1 Processing Accuracy
3.2.6.1.2 Memory Stability
3.2.6.2 DRE System Processing Requirements
3.2.6.2.1 Processing Speed
3.2.6.2.2 Processing Accuracy
3.2.6.2.3 Memory Stability
3.2.7 Reporting Requirements
3.2.7.1 Removable Storage Media
3.2.7.2 Printers
3.2.8 Vote Data Management Requirements
3.2.8.1 Data File Management
3.2.8.2 Data Report Generation
3.3 Physical Characteristics
3.3.1 Size
3.3.2 Weight
3.3.3 Transport and Storage of Precinct Systems
3.4 Design, Construction, and Maintenance Characteristics
3.4.1 Materials, Processes, and Parts
3.4.2 Durability
3.4.3 Reliability
3.4.4 Maintainability
3.4.4.1 Physical Attributes
3.4.4.2 Additional Attributes
3.4.5 Availability
3.4.6 Product Marking
3.4.7 Workmanship
3.4.8 Safety
3 Hardware Standards
3.1 Scope
This section contains the requirements for the machines and
manufactured devices that are part of a voting system. It specifies
minimum values for certain performance characteristics; physical
characteristics; and design, construction, and maintenance
characteristics for the hardware and selected related components of all
voting systems, such as:
Ballot printers;
Ballot cards and sheets;
Ballot displays;
Voting devices, including punching and marking devices and
DRE recording devices;
Voting booths and enclosures;
Ballot boxes and ballot transfer boxes;
Ballot readers;
Computers used to prepare ballots, program elections,
consolidate and report votes, and perform other elections management
activities;
Electronic ballot recorders;
Electronic precinct vote control units;
Removable electronic data storage media;
Servers; and
Printers.
This section applies to the combination of software and hardware to
accomplish specific performance and system control requirements.
Standards that are specific to software alone are provided in Section 4
of the Standards.
3.1.1 Hardware Sources
The requirements of this section apply generally to all hardware
used in voting systems, including:
a. Hardware provided by the voting system vendor and its suppliers;
b. Hardware furnished by an external provider (for example,
providers of commercial off-the-shelf (COTS) machines and devices)
where the hardware may be used in any way during voting system
operation; and
c. Hardware provided by the voting jurisdiction.
3.1.2 Organization of this Section
The standards presented in this section are organized as follows:
Performance Requirements: These requirements address the
combined operational capabilities of the voting system's hardware and
software across a broad range of parameters;
Physical Requirements: These requirements address the
size, weight and transportability of the voting system; and
Design, Construction, and Maintenance Requirements: These
requirements address the reliability and durability of materials,
product marking, quality of system workmanship, safety, and other
attributes to ensure smooth system operation in the voting environment.
3.2 Performance Requirements
The performance requirements address a broad range of parameters,
encompassing:
a. Accuracy requirements, where requirements are specified for
distinct processing functions of paper-based and DRE systems;
b. Environmental requirements, where no distinction is made between
requirements for paper-based and DRE systems, but requirements for
precinct and central count are described;
c. Vote data management requirements, where no differentiation is
made between requirements for paper-based and DRE systems;
d. Vote recording requirements, where separate and distinct
requirements are delineated for paper-based and DRE systems;
e. Conversion requirements, which apply only to paper-based
systems;
f. Processing requirements, where separate and distinct
requirements are delineated for paper-based and DRE systems; and
g. Reporting requirements, where no distinction is made between
requirements for paper-based and DRE systems, but where differences
between precinct and central count systems are readily apparent based
on differences of their reporting.
The performance requirements include such attributes as ballot
reading and handling requirements; system accuracy; memory stability;
and the ability to withstand specified environmental conditions. These
characteristics also encompass system-wide requirements for shelter,
electrical supply, and compatibility with data networks.
Performance requirements for voting systems represent the combined
operational capability of both system hardware and software. Accuracy,
as measured by data error rate, and operational failure are treated as
distinct attributes in performance testing. All systems shall meet the
performance requirements under operating
conditions and after storage under non-operating conditions.
3.2.1 Accuracy Requirements
Voting system accuracy addresses the accuracy of data for each of
the individual ballot positions that could be selected by a voter,
including the positions that are not selected. For a voting system,
accuracy is defined as the ability of the system to capture, record,
store, consolidate and report the specific selections and absence of
selections, made by the voter for each ballot position without error.
Required accuracy is defined in terms of an error rate that for testing
purposes represents the maximum number of errors allowed while
processing a specified volume of data. This rate is set at a
sufficiently stringent level such that the likelihood of voting system
errors affecting the outcome of an election is exceptionally remote
even in the closest of elections.
The error rate is defined using a convention that recognizes
differences in how vote data is processed by different types of voting
systems. Paper-based and DRE systems have different processing steps.
Some differences also exist between precinct count and central count
systems. Therefore, the acceptable error rate applies separately and
distinctly to each of the following functions:
a. For all paper-based systems:
(1) Scanning ballot positions on paper ballots to detect selections
for individual candidates and contests;
(2) Conversion of selections detected on paper ballots into digital
data;
b. For all DRE systems:
(1) Recording the voter selections of candidates and contests into
voting data storage; and
(2) Independently from voting data storage, recording voter
selections of candidates and contests into ballot image storage.
c. For precinct-count systems (paper-based and DRE):
Consolidation of vote selection data from multiple precinct-based
systems to generate jurisdiction-wide vote counts, including storage
and reporting of the consolidated vote data; and
d. For central-count systems (paper-based and DRE):
Consolidation of vote selection data from multiple counting devices
to generate jurisdiction-wide vote counts, including storage and
reporting of the consolidated vote data.
For testing purposes, the acceptable error rate is defined using
two parameters: The desired error rate to be achieved, and the maximum
error rate that should be accepted by the test process.
For each processing function indicated above, the system shall
achieve a target error rate of no more than one in 10,000,000 ballot
positions, with a maximum acceptable error rate in the test process of
one in 500,000 ballot positions.
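An added example, not part of the Guidelines text: one standard way to turn a target rate and a maximum acceptable rate into a pass/fail test is Wald's sequential probability ratio test, sketched here with the two rates stated above. The 5% risk levels, the class and method names, and the batch figures in the usage are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

P0 = 1 / 10_000_000  # target error rate from Section 3.2.1
P1 = 1 / 500_000     # maximum acceptable error rate in the test process


@dataclass(frozen=True)
class AccuracySprt:
    """Sequential test of H0: rate = p0 against H1: rate = p1 (hypothetical helper)."""
    p0: float = P0
    p1: float = P1
    alpha: float = 0.05  # assumed risk of rejecting a system that meets p0
    beta: float = 0.05   # assumed risk of accepting a system no better than p1

    def __post_init__(self):
        if not 0 < self.p0 < self.p1 < 1:
            raise ValueError("need 0 < p0 < p1 < 1")
        if not (0 < self.alpha < 0.5 and 0 < self.beta < 0.5):
            raise ValueError("risks must lie in (0, 0.5)")

    @property
    def reject_at(self):
        return math.log((1 - self.beta) / self.alpha)   # upper Wald boundary

    @property
    def accept_at(self):
        return math.log(self.beta / (1 - self.alpha))   # lower Wald boundary

    @property
    def per_error(self):
        return math.log(self.p1 / self.p0)              # evidence added by one error

    @property
    def per_correct(self):
        # Evidence removed by one correctly processed ballot position (positive).
        return math.log1p(-self.p0) - math.log1p(-self.p1)

    def llr(self, positions, errors):
        """Log-likelihood ratio after `positions` ballot positions with `errors` errors."""
        if not 0 <= errors <= positions:
            raise ValueError("need 0 <= errors <= positions")
        return errors * self.per_error - (positions - errors) * self.per_correct

    def decide(self, positions, errors):
        score = self.llr(positions, errors)
        if score >= self.reject_at:
            return "reject"
        if score <= self.accept_at:
            return "accept"
        return "continue"

    def accept_after(self, errors):
        """Smallest total volume at which the test accepts with `errors` errors."""
        need = (errors * self.per_error - self.accept_at) / self.per_correct
        return errors + math.ceil(need)

    def reject_up_to(self, errors):
        """Largest total volume at which `errors` errors still reject, or None."""
        room = (errors * self.per_error - self.reject_at) / self.per_correct
        return None if room < 0 else errors + math.floor(room)

    def run(self, batches):
        """Feed (positions, errors) batches; stop at the first decision.

        Boundaries are checked at batch ends only, so small batches give
        the closest approximation to a position-by-position test.
        """
        positions = errors = 0
        for n, e in batches:
            positions += n
            errors += e
            verdict = self.decide(positions, errors)
            if verdict != "continue":
                return verdict, positions, errors
        return "continue", positions, errors


if __name__ == "__main__":
    test = AccuracySprt()
    print("error-free volume needed to accept:", test.accept_after(0))
    print("one error rejects if seen within:", test.reject_up_to(1))
    print("volume needed to accept after one error:", test.accept_after(1))
    # Constructed run: one error in the first 100,000 positions, then clean batches.
    print(test.run([(100_000, 1)] + [(100_000, 0)] * 40))
```

Under these assumed risks a single early error does not fail the system outright unless it occurs very early in the run, but it roughly doubles the error-free volume needed before the test can accept.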
3.2.2 Environmental Requirements
The environmental requirements for voting systems include shelter,
space, furnishings and fixtures, supplied energy, environmental control,
and external telecommunications services. Environmental conditions
applicable to the design and operation of voting systems consist of the
following categories:
Natural environment, including temperature, humidity, and
atmospheric pressure;
Induced environment, including proper and improper
operation and handling of the system and its components during the
election processes;
Transportation and storage; and
Electromagnetic signal environment, including exposure to
and generation of radio frequency energy.
All voting systems shall be designed to withstand the environmental
conditions contained in the appropriate test procedures of the
Standards. These procedures will be applied to all devices for casting,
scanning and counting ballots, except those that constitute COTS
devices that have not been modified in any manner to support their use
as part of a voting system and that have a documented record of
performance under conditions defined in the Standards.
The TDP supplied by the vendor shall include a statement of all
requirements and restrictions regarding environmental protection,
electrical service, recommended auxiliary power, telecommunications
service, and any other facility or resource required for the proper
installation and operation of the system.
3.2.2.1 Shelter Requirements
All precinct count systems shall be designed for storage and
operation in any enclosed facility ordinarily used as a warehouse or
polling place, with prominent instructions as to any special storage
requirements.
3.2.2.2 Space Requirements
There is no restriction on space allowed for the installation of
voting systems, except that the arrangement of these systems shall not
impede performance of their duties by polling place officials, the
orderly flow of voters through the polling place, or the ability for
the voter to vote in private.
3.2.2.3 Furnishings and Fixtures
Any furnishings or fixtures provided as a part of voting systems,
and any components provided by the vendor that are not a part of the
system but that are used to support its storage, transportation, or
operation, shall comply with the design and safety requirements of
Subsection 3.4.8.
3.2.2.4 Electrical Supply
Components of voting systems that require an electrical supply
shall meet the following standards:
a. Precinct count systems shall operate with the electrical supply
ordinarily found in polling places (120vac/60hz/1);
b. Central count systems shall operate with the electrical supply
ordinarily found in central tabulation facilities or computer room
facilities (120vac/60hz/1, 208vac/60hz/3, or 240vac/60hz/2); and
c. All systems shall also be capable of operating for a period of
at least 2 hours on backup power, such that no voting data is lost or
corrupted, nor normal operations interrupted. When backup power is
exhausted the system shall retain the contents of all memories intact.
The backup power capability is not required to provide lighting of
the voting area.
3.2.2.5 Electrical Power Disturbance
Vote scanning and counting equipment for paper-based systems, and
all DRE equipment, shall be able to withstand, without disruption of
normal operation or loss of data:
d. Surges of 15% line variations of nominal line
voltage; and
e. Electric power increases of 7.5% and reductions of 12.5% of
nominal specified power supply for a period of up to four hours at each
power level.
3.2.2.6 Electrical Fast Transient
Vote scanning and counting equipment for paper-based systems, and
all DRE equipment, shall be able to withstand, without disruption of
normal operation or loss of data, electrical fast transients of:
a. 2 kV AC & DC external power lines;
b. 1 kV all external wires >3m no control; and
c. 2 kV all external wires control.
3.2.2.7 Lightning Surge
Vote scanning and counting equipment for paper-based systems, and
all DRE equipment, shall be able to withstand, without disruption of
normal operation or loss of data, surges of:
a. 2 kV AC line to line;
b. 2 kV AC line to earth;
c. .5 kV DC line to line >10m;
d. .5 kV DC line to earth >10m; and
e. 1 kV I/O sig/control >30m.
3.2.2.8 Electrostatic Disruption
Vote scanning and counting equipment for paper-based systems, and
all DRE equipment, shall be able to withstand 15 kV air
discharge and 8 kV contact discharge without damage or loss
of data. The equipment may reset or have momentary interruption so long
as normal operation is resumed without human intervention or loss of
data. Loss of data means votes that have been completed and confirmed
to the voter.
3.2.2.9 Electromagnetic Radiation
Vote scanning and counting equipment for paper-based systems, and
all DRE equipment, shall comply with the Rules and Regulations of the
Federal Communications Commission, Part 15, Class B requirements for
both radiated and conducted emissions.
3.2.2.10 Electromagnetic Susceptibility
Vote scanning and counting equipment for paper-based systems, and
all DRE equipment, shall be able to withstand an electromagnetic field
of 10 V/m modulated by a 1 kHz 80% AM modulation over the frequency
range of 80 MHz to 1000 MHz, without disruption of normal operation or
loss of data.
3.2.2.11 Conducted RF Immunity
Vote scanning and counting equipment for paper-based systems, and
all DRE equipment, shall be able to withstand, without disruption of
normal operation or loss of data, conducted RF energy of:
a. 10V AC & DC power; and
b. 10V, 20 sig/control >3m.
3.2.2.12 Magnetic Fields Immunity
Vote scanning and counting equipment for paper-based systems, and
all DRE equipment, shall be able to withstand, without disruption of
normal operation or loss of data, AC magnetic fields of 30 A/m at 60
Hz.
3.2.2.13 Environmental Control--Operating Environment
Equipment used for election management activities or vote counting
(including both precinct and central count systems) shall be capable of
operation in temperatures ranging from 50 to 95 degrees Fahrenheit.
3.2.2.14 Environmental Control--Transit and Storage
Equipment used for vote casting, or for counting votes in a
precinct count system, shall meet specific minimum performance
standards that simulate exposure to physical shock and vibration
associated with handling and transportation by surface and air common
carriers, and to temperature conditions associated with delivery and
storage in an uncontrolled warehouse environment.
a. High and low storage temperatures ranging from -4 to +140
degrees Fahrenheit, equivalent to MIL-STD-810D, Methods 501.2 and
502.2, Procedure I-Storage;
b. Bench handling equivalent to the procedure of MIL-STD-810D,
Method 516.3, Procedure VI;
c. Vibration equivalent to the procedure of MIL-STD-810D, Method
514.3, Category 1--Basic Transportation, Common Carrier; and
d. Uncontrolled humidity equivalent to the procedure of
MIL-STD-810D, Method 507.2, Procedure I--Natural Hot--Humid.
3.2.2.15 Data Network Requirements
Voting systems may use a local or remote data network. If such a
network is used, then all components of the network shall comply with
the telecommunications requirements described in Section 5 of the
Standards and the Security requirements described in Section 6.
3.2.3 Election Management System (EMS) Requirements
The EMS requirements address electronic hardware and software used
to conduct the pre-voting functions defined in Section 2 with regard to
ballot preparation, election programming, ballot and program
installation, readiness testing, verification at the polling place, and
verification at the central location.
3.2.3.1 Recording Requirements
Voting systems shall accurately record all election management data
entered by the user, including election officials or their designees.
For recording accuracy, all systems shall:
a. Record every entry made by the user;
b. Add permissible voter selections correctly to the memory
components of the device;
c. Verify the correctness of detection of the user selections and
the addition of the selections correctly to memory;
d. Add various forms of data entered directly by the election
official or designee, such as text, line art, logos, and images;
e. Verify the correctness of detection of data entered directly by
the user and the addition of the selections correctly to memory;
f. Preserve the integrity of election management data stored in
memory against corruption by stray electromagnetic emissions, and
internally generated spurious electrical signals; and
g. Log corrected data errors by the system.
3.2.3.2 Memory Stability
Electronic system memory devices, used to retain election
management data, shall have demonstrated error-free data retention for
a period of 22 months.
3.2.4 Vote Recording Requirements
The vote recording requirements address the enclosure, equipment,
and supplies used by voters to vote.
3.2.4.1 Common Standards
All systems shall provide voting booths or enclosures for poll site
use. Such booths or enclosures may be integral to the voting system or
supplied as components of the voting system, and shall:
a. Be integral to, or make provision for the installation of, the
voting device;
b. Ensure by its structure stability against movement or
overturning during entry, occupancy, and exit by the voter;
c. Provide privacy for the voter, and be designed in such a way as
to prevent observation of the ballot by any person other than the
voter; and
d. Be capable of meeting the accessibility requirements of Section
2.2.7.1.
3.2.4.2 Paper-Based Recording Standards
The paper-based recording requirements govern:
Ballot cards or sheets, and pages or assemblies of pages
containing ballot field identification data;
Punching devices;
Marking devices;
Frames or fixtures to hold the ballot while it is being
punched;
Compartments or booths where voters record selections; and
Secure containers for the collection of voted ballots.
3.2.4.2.1 Paper Ballot Standards
Paper ballots used by paper-based voting systems shall meet the
following standards:
a. Punches or marks that identify the unique ballot format, in
accordance with Section 2.3.1.1.1.c., shall be
outside the area in which votes are recorded, so as to minimize the
likelihood that these punches or marks will be mistaken for vote
responses and the likelihood that recorded votes will obliterate these
punches or marks;
b. If printed or punched alignment marks are used to locate the
vote response fields on the ballot, these marks shall be outside the
area in which votes are recorded, so as to minimize the likelihood that
these marks will be mistaken for vote responses and the likelihood that
recorded votes will obliterate these marks; and
c. The TDP shall specify the required paper stock, size, shape,
opacity, color, watermarks, field layout, orientation, size and style
of printing, size and location of punch or mark fields used for vote
response fields and to identify unique ballot formats, placement of
alignment marks, ink for printing, and folding and bleed-through
limitations for preparation of ballots that are compatible with the
system.
3.2.4.2.2 Punching Devices
Punching devices used by voting systems shall:
a. Be suitable for the type of ballot card specified;
b. Facilitate the clear and accurate recording of each vote
intended by the voter;
c. Be designed to avoid excessive damage to vote recorder
components; and
d. Incorporate features to ensure that the chad (debris) is
completely removed, without damage to other parts of the ballot card.
3.2.4.2.3 Marking Devices
The TDP shall specify marking devices (such as pens or pencils)
that, if used to make the prescribed form of mark, produce readable
marked ballots such that the system meets the performance requirements
for accuracy specified previously. These specifications shall identify:
a. Specific characteristics of marking devices that affect
readability of marked ballots;
b. Performance capabilities with regard to each characteristic; and
c. For marking devices manufactured by multiple external sources, a
listing of sources and model numbers that are compatible with the
system.
3.2.4.2.4 Frames or Fixtures for Punchcard Ballots
The frame or fixture for punchcards shall:
a. Hold the ballot card securely in its proper location and
orientation for voting;
b. When contests are not printed directly on the ballot card or
sheet, incorporate an assembly of ballot label pages that identify the
offices and issues corresponding to the proper ballot format for the
polling place where it is used and that are aligned with the voting
fields assigned to them; and
c. Incorporate a template to preclude perforation of the card
except in the specified voting fields; a mask to allow punches only in
fields designated by the format of the ballot; and a backing plate for
the capture and removal of chad. This requirement may be satisfied by
equipment of a different design as long as it achieves the same result as
the Standards with regard to:
(1) Positioning the card;
(2) Association of ballot label information with corresponding
punch fields;
(3) Enabling of only those voting fields that correspond to the
format of the ballot; and
(4) Punching the fields and the positive removal of chad.
3.2.4.2.5 Frames or Fixtures for Printed Ballots
A frame or fixture for printed ballot cards is optional. However,
if such a device is provided, it shall:
a. Be of any size and shape consistent with its intended use;
b. Position the card properly;
c. Hold the ballot card securely in its proper location and
orientation for voting; and
d. Comply with the requirements for design and construction
contained in Section 3.4.
3.2.4.2.6 Ballot Boxes and Ballot Transfer Boxes
Ballot boxes and ballot transfer boxes, which serve as secure
containers for the storage and transportation of voted ballots, shall:
a. Be of any size, shape, and weight commensurate with their
intended use;
b. Incorporate locks or seals, the specifications of which are
described in the system documentation;
c. Provide specific points where ballots are inserted, with all
other points on the box constructed in a manner that prevents ballot
insertion; and
d. For precinct count systems, contain separate compartments for
the segregation of unread ballots, ballots containing write-in votes,
or any irregularities that may require special handling or processing.
In lieu of compartments, the conversion processing may mark such
ballots with an identifying spot or stripe to facilitate manual
segregation.
3.2.4.3 DRE Systems Recording Requirements
The DRE systems recording requirements address the detection and
recording of votes, including the logic and data processing functions
required to determine the validity of voter selections, to accept and
record valid selections, and to reject invalid selections. The
requirements also address the physical environment in which ballots are
cast.
3.2.4.3.1 Activity Indicator
DRE systems shall include an audible or visible activity indicator
providing the status of each voting device. This indicator shall:
a. Indicate whether the device has been activated for voting; and
b. Indicate whether the device is in use.
3.2.4.3.2 DRE System Vote Recording
To ensure vote recording accuracy and integrity while protecting
the anonymity of the voter, all DRE systems shall:
a. Contain all mechanical, electromechanical, and electronic
components; software; and controls required to detect and record the
activation of selections made by the voter in the process of voting and
casting a ballot;
b. Incorporate redundant memories to detect and allow correction of
errors caused by the failure of any of the individual memories;
c. Provide at least two processes that record the voter's
selections that:
(1) To the extent possible, are isolated from each other;
(2) Designate one process and associated storage location as the
main vote detection, interpretation, processing and reporting path; and
(3) Use a different process to store ballot images, for which the
method of recording may include any appropriate encoding or data
compression procedure consistent with the regeneration of an
unequivocal record of the ballot as cast by the voter.
d. Provide a capability to retrieve ballot images in a form
readable by humans; and
e. Ensure that all processing and storage protects the anonymity of
the voter.
3.2.4.3.3 Recording Accuracy
DRE systems shall meet the following requirements for recording
accurately each vote and ballot cast:
a. Detect every selection made by the voter;
b. Correctly add permissible selections to the memory components of
the device;
c. Verify the correctness of the detection of the voter selections
and the addition of the selections to memory;
d. Achieve an error rate not to exceed the requirement indicated in
Section 3.2.1;
e. Preserve the integrity of voting data and ballot images (for DRE
machines) stored in memory for the official vote count and audit trail
purposes against corruption by stray electromagnetic emissions, and
internally generated spurious electrical signals; and
f. Maintain a log of corrected data.
3.2.4.3.4 Recording Reliability
Recording reliability refers to the ability of the DRE system to
record votes accurately at its maximum rated processing volume for a
specified period of time. The DRE system shall record votes reliably in
accordance with the requirements of Section 3.4.3.
3.2.5 Paper-Based Conversion Requirements
The paper-based conversion requirements address the ability of the
system to read the ballot card and to translate its pattern of punches
or marks into electronic signals for later processing. These
capabilities may be built into the voting system in an integrated
fashion, or may be provided by one or more components that are not
unique to the system, such as a general-purpose data processing card
reader or read head suitably interfaced to the system. These
requirements address two major functions: ballot handling and ballot
reading.
3.2.5.1 Ballot Handling
Ballot handling consists of a ballot card's acceptance, movement
through the read station, and transfer into a collection station or
receptacle.
3.2.5.1.1 Capacity (Central Count)
The capacity to convert the punches or marks on individual ballots
into signals is uniquely important to central count systems. The
capacity for a central count system shall be documented by the vendor.
This documentation shall include the capacity for individual components
that impact the overall capacity.
3.2.5.1.2 Exception Handling (Central Count)
This requirement refers to the handling of ballots for a central
count system when they are unreadable or when some condition is
detected requiring that the cards be segregated from normally processed
ballots for human review. In response to an unreadable ballot or a
write-in vote all central count paper-based systems shall:
a. Outstack the ballot, or
b. Stop the ballot reader and display a message prompting the
election official or designee to remove the ballot, or
c. Mark the ballot with an identifying mark to facilitate its later
identification.
Additionally, the system shall provide a capability that can be
activated by an authorized election official to identify ballots
containing overvotes, blank ballots, and ballots containing undervotes
in a designated race. If enabled, these capabilities shall perform one
of the above actions in response to the indicated condition.
3.2.5.1.3 Exception Handling (Precinct Count)
This requirement refers to the handling of ballots for a precinct
count system when they are unreadable or when some condition is
detected requiring that the cards be segregated from normally processed
ballots for human review. All paper-based precinct count systems shall:
a. In response to an unreadable or blank ballot, return the ballot
and provide a message prompting the voter to examine the ballot;
b. In response to a ballot with a write-in vote, segregate the
ballot or mark the ballot with an identifying mark to facilitate its
later identification;
c. In response to a ballot with an overvote the system shall:
(1) Provide a capability to identify an overvoted ballot;
(2) Return the ballot;
(3) Provide an indication prompting the voter to examine the
ballot;
(4) Allow the voter to submit the ballot with the overvote; and
(5) Provide a means for an authorized election official to
deactivate this capability entirely and by contest; and
d. In response to a ballot with an undervote the system shall:
(1) Provide a capability to identify an undervoted ballot;
(2) Return the ballot;
(3) Provide an indication prompting the voter to examine the
ballot;
(4) Allow the voter to submit the ballot with the undervote; and
(5) Provide a means for an authorized election official to
deactivate this capability.
3.2.5.1.4 Multiple Feed Prevention
Multiple feed refers to the situation arising when a ballot reader
attempts to read more than one ballot at a time. The requirements
govern the ability of a ballot reader to prevent multiple feed or to
detect and provide an alarm indicating multiple feed.
a. If multiple feed is detected, the card reader shall halt in a
manner that permits the operator to remove the unread cards causing the
error, and reinsert them in the card input hopper.
b. The frequency of multiple feeds with ballots intended for use
with the system shall not exceed 1 in 10,000.
3.2.5.2 Ballot Reading Accuracy
This paper-based system requirement governs the conversion of the
physical ballot into electronic data. Reading accuracy for ballot
conversion refers to the ability to:
Recognize vote punches or marks, or the absence thereof,
for each possible selection on the ballot;
Discriminate between valid punches or marks and extraneous
perforations, smudges, and folds; and
Convert the vote punches or marks, or the absence thereof,
for each possible selection on the ballot into digital signals.
To ensure accuracy, paper-based systems shall:
a. Detect punches or marks that conform to vendor specifications
with an error rate not exceeding the requirement indicated in Section
3.2.1;
b. Ignore, and not record, extraneous perforations, smudges, and
folds; and
c. Reject ballots that meet all vendor specifications at a rate not
to exceed 2 percent.
3.2.6 Processing Requirements
Processing requirements apply to the hardware and software required
to accumulate voting data for all candidates and measures within voting
machines and polling places, and to consolidate the voting data at a
central level or multiple levels. These requirements also address the
generation and maintenance of audit records, the detection and
disabling of improper use or operation of the system, and the
monitoring of overall system status. Separate and distinct requirements
for paper-based and DRE voting systems are presented below.
3.2.6.1 Paper-Based System Processing Requirements
The paper-based processing requirements address all mechanical
devices, electromechanical devices, electronic devices, and software
required to perform the logical and numerical functions of interpreting
the electronic image of the voted ballot, and assigning votes to the
proper memory registers.
3.2.6.1.1 Processing Accuracy
Processing accuracy refers to the ability of the system to receive
electronic signals produced by punches for punchcard systems and vote
marks and timing information for marksense systems; perform logical and
numerical operations upon these data; and reproduce the contents of
memory when required, without error. Specific requirements are detailed
below:
a. Processing accuracy shall be measured by vote selection error
rate, the ratio of uncorrected vote selection errors to the total
number of ballot positions that could be recorded across all ballots
when the system is operated at its nominal or design rate of
processing;
b. The vote selection error rate shall include data that denotes
ballot style or precinct as well as data denoting a vote in a specific
contest or ballot proposition;
c. The vote selection error rate shall include all errors from any
source; and
d. The vote selection error rate shall not exceed the requirement
indicated in Section 3.2.1.
3.2.6.1.2 Memory Stability
Paper-based system memory devices, used to retain control programs
and data, shall have demonstrated error-free data retention for a
period of 22 months, under the environmental conditions for operation
and non-operation (i.e., storage).
3.2.6.2 DRE System Processing Requirements
The DRE system processing requirements address all mechanical
devices, electromechanical devices, electronic devices, and software
required to process voting data after the polling places are closed.
3.2.6.2.1 Processing Speed
DRE voting systems shall meet the following requirements for
processing speed:
a. Operate at a speed sufficient to respond to any operator and
voter input without perceptible delay (no more than three seconds); and
b. If the consolidation of polling place data is done locally,
perform this consolidation in a time not to exceed five minutes for
each device in the polling place.
3.2.6.2.2 Processing Accuracy
Processing accuracy is defined as the ability of the system to
process voting data stored in DRE voting devices, or in removable
memory modules installed in such devices. Processing includes all
operations to consolidate voting data after the polling places have
been closed. DRE voting systems shall:
a. Produce reports that are completely consistent, with no
discrepancy among reports of voting device data produced at any level;
and
b. Produce consolidated reports containing absentee, provisional,
or other voting data that are similarly error-free. Any discrepancy,
regardless of source, is resolvable to a procedural error, to the
failure of a non-memory device, or to an external cause.
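An added example, not part of the Guidelines text: a reconciliation check that uses the two recording paths required by Section 3.2.4.3.2 (main vote storage and independent ballot image storage) together with the report-consistency requirement above. The data layout, device names, contest names, function names and the corrupted counter are all constructed for illustration.

```python
from collections import Counter

UNDERVOTE = "<undervote>"  # an unselected contest is still a recorded position

# Constructed ballot images per device: contest -> tuple of selections.
# Images carry no voter identity, only what was cast.
DEVICE_IMAGES = {
    "dre-1": [
        {"mayor": ("Adams",), "measure-1": ("yes",)},
        {"mayor": ("Baker",), "measure-1": ()},
        {"mayor": ("Adams",), "measure-1": ("no",)},
    ],
    "dre-2": [
        {"mayor": ("Baker",), "measure-1": ("yes",)},
        {"mayor": ("Adams",), "measure-1": ("yes",)},
    ],
}

# Constructed main-path counters as reported by each device.
# dre-2 carries one deliberately corrupted counter (mayor/Baker).
DEVICE_COUNTERS = {
    "dre-1": {("mayor", "Adams"): 2, ("mayor", "Baker"): 1,
              ("measure-1", "yes"): 1, ("measure-1", "no"): 1,
              ("measure-1", UNDERVOTE): 1},
    "dre-2": {("mayor", "Adams"): 1, ("mayor", "Baker"): 2,
              ("measure-1", "yes"): 2},
}

# Constructed polling-place report, built by summing the device counters.
POLLING_PLACE_REPORT = {
    ("mayor", "Adams"): 3, ("mayor", "Baker"): 3,
    ("measure-1", "yes"): 3, ("measure-1", "no"): 1,
    ("measure-1", UNDERVOTE): 1,
}


def tally_images(images):
    """Recount a device from its ballot images, including undervotes."""
    tally = Counter()
    for image in images:
        for contest, selections in image.items():
            for choice in selections or (UNDERVOTE,):
                tally[(contest, choice)] += 1
    return tally


def differences(expected, reported):
    """Return (key, expected, reported) for every position where counts differ."""
    keys = sorted(set(expected) | set(reported))
    return [(k, expected.get(k, 0), reported.get(k, 0))
            for k in keys if expected.get(k, 0) != reported.get(k, 0)]


def reconcile(device_images, device_counters, place_report):
    """Check each device's two paths against each other, then the roll-up."""
    findings = []
    consolidated = Counter()
    for device in sorted(set(device_images) | set(device_counters)):
        counters = device_counters.get(device, {})
        from_images = tally_images(device_images.get(device, []))
        for key, img, ctr in differences(from_images, counters):
            findings.append(("device", device, key, img, ctr))
        consolidated.update(counters)
    # The consolidated report must equal the sum of the device-level reports.
    for key, exp, rep in differences(consolidated, place_report):
        findings.append(("consolidation", "polling-place", key, exp, rep))
    return findings


if __name__ == "__main__":
    for finding in reconcile(DEVICE_IMAGES, DEVICE_COUNTERS, POLLING_PLACE_REPORT):
        print(finding)
```

In the constructed data the polling-place report is internally consistent with the device counters, so only the ballot image path reveals the corrupted counter on dre-2.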
3.2.6.2.3 Memory Stability
DRE system memory devices used to retain control programs and data
shall have demonstrated error-free data retention for a period of 22
months. Error-free retention may be achieved by the use of redundant
memory elements, provided that the capability for conflict resolution
or correction among elements is included.
3.2.7 Reporting Requirements
The reporting requirements govern all mechanical,
electromechanical, and electronic devices required for voting systems
to print audit record entries and results of the tabulation. These
requirements also address data storage media for transportation of data
to other sites.
3.2.7.1 Removable Storage Media
In voting systems that use storage media that can be removed from
the system and transported to another location for readout and report
generation, these media shall use devices with demonstrated error-free
retention for a period of 22 months under the environmental conditions
for operation and non-operation contained in Section 3.2.2. Examples of
removable storage media include: programmable read-only memory (PROM),
random access memory (RAM) with battery backup, magnetic media, or
optical media.
3.2.7.2 Printers
All printers used to produce reports of the vote count shall be
capable of producing:
a. Alphanumeric headers;
b. Election, office and issue labels; and
c. Alphanumeric entries generated as part of the audit record.
3.2.8 Vote Data Management Requirements
The vote data management requirements for all systems address
capabilities that manage, process, and report voting data after the
data has been consolidated at the polling place or other intermediate
levels. These capabilities allow the system to:
a. Consolidate voting data from polling place data memory or
transfer devices;
b. Report polling place summaries; and
c. Process absentee ballots, data entered manually, and
administrative ballot definition data.
The requirements address all hardware and software required to
generate output reports in the various formats required by the using
jurisdiction.
3.2.8.1 Data File Management
All voting systems shall provide the capability to:
a. Integrate voting data files with ballot definition files;
b. Verify file compatibility; and
c. Edit and update files as required.
3.2.8.2 Data Report Generation
All voting systems shall include report generators for producing
output reports at the device, polling place, and summary level, with
provisions for administrative and judicial subdivisions as required by
the using jurisdiction.
3.3 Physical Characteristics
This section covers physical characteristics of all voting systems
and components that affect their general utility and suitability for
election operations.
3.3.1 Size
There is no numerical limitation on the size of any voting system
equipment, but the size of each device should be compatible with its
intended use and the location at which the equipment is to be used.
3.3.2 Weight
There is no numerical limitation on the weight of any voting system
equipment, but the weight of each device should be compatible with its
intended use and the location at which the equipment is to be used.
3.3.3 Transport and Storage of Precinct Systems
All precinct systems shall:
a. Provide a means to safely and easily handle, transport, and
install polling place equipment, such as wheels or a handle or handles;
and
b. Be capable of using, or be provided with, a protective enclosure
rendering the equipment capable of withstanding:
(1) Impact, shock and vibration loads accompanying surface and air
transportation; and
(2) Stacking loads accompanying storage.
[[Page 18965]]
3.4 Design, Construction, and Maintenance Characteristics
This section covers voting system materials, construction
workmanship, and specific design characteristics important to the
successful operation and efficient maintenance of the system.
3.4.1 Materials, Processes, and Parts
The approach to system design is unrestricted, and may incorporate
any form or variant of technology capable of meeting the voting systems
requirements and standards.
Precinct count systems shall be designed in accordance with best
commercial practice for microcomputers, process controllers, and their
peripheral components. Central count voting systems and equipment used
in a central tabulating environment shall be designed in accordance
with best commercial and industrial practice.
All voting systems shall:
a. Be designed and constructed so that the frequency of equipment
malfunctions and maintenance requirements are reduced to the lowest
level consistent with cost constraints;
b. Include, as part of the accompanying TDP, an approved parts
list; and
c. Exclude parts or components not included in the approved parts
list.
3.4.2 Durability
All voting systems shall be designed to withstand normal use
without deterioration and without excessive maintenance cost for a
period of ten years.
3.4.3 Reliability
The reliability of voting system devices shall be measured as Mean
Time Between Failure (MTBF) for the system submitted for testing. MTBF
is defined as the value of the ratio of operating time to the number of
failures which have occurred in the specified time interval. A typical
system operations scenario consists of approximately 45 hours of
equipment operation, consisting of 30 hours of equipment set-up and
readiness testing and 15 hours of elections operations. For the purpose
of demonstrating compliance with this requirement, a failure is defined
as any event which results in either the:
a. Loss of one or more functions; or
b. Degradation of performance such that the device is unable to
perform its intended function for longer than 10 seconds.
The MTBF demonstrated during qualification testing shall be at
least 163 hours.
3.4.4 Maintainability
Maintainability represents the ease with which maintenance actions
can be performed based on the design characteristics of equipment and
software and the processes the vendor and election officials have in
place for preventing failures and for reacting to failures.
Maintainability includes the ability of equipment and software to self-
diagnose problems and make non-technical election workers aware of a
problem. Maintainability addresses all scheduled and unscheduled
events, which are performed to:
Determine the operational status of the system or a
component;
Adjust, align, tune, or service components;
Repair or replace a component having a specified operating
life or replacement interval;
Repair or replace a component that exhibits an undesirable
predetermined physical condition or performance degradation;
Repair or replace a component that has failed; and
Verify the restoration of a component, or the system, to
operational status.
Maintainability shall be determined based on the presence of
specific physical attributes that aid system maintenance activities,
and the ease with which system maintenance tasks can be performed by
the ITA. Although a more quantitative basis for assessing
maintainability, such as the mean time to repair the system, is desirable,
the qualification of a system is conducted before it is approved for
sale and thus before a broader base of maintenance experience can be
obtained.
3.4.4.1 Physical Attributes
The following physical attributes will be examined to assess
reliability:
a. Presence of labels and the identification of test points;
b. Provision of built-in test and diagnostic circuitry or physical
indicators of condition;
c. Presence of labels and alarms related to failures; and
d. Presence of features that allow non-technicians to perform
routine maintenance tasks (such as update of the system database).
3.4.4.2 Additional Attributes
The following additional attributes will be considered to assess
system maintainability.
a. Ease of detecting that equipment has failed by a non-technician;
b. Ease of diagnosing problems by a trained technician;
c. Low false alarm rates (i.e., indications of problems that do not
exist);
d. Ease of access to components for replacement;
e. Ease with which adjustment and alignment can be performed;
f. Ease with which database updates can be performed by a non-
technician; and
g. Adjust, align, tune, or service components.
3.4.5 Availability
The availability of a voting system is defined as the probability
that the equipment (and supporting software) needed to perform
designated voting functions will respond to operational commands and
accomplish the function. The voting system shall meet the availability
standard for each of the following voting functions:
a. For all paper-based systems:
(1) Recording voter selections (such as by ballot marking or
punch); and
(2) Scanning the punches or marks on paper ballots and converting
them into digital data;
b. For all DRE systems, recording and storing the voter's ballot
selections.
c. For precinct-count systems (paper-based and DRE), consolidation
of vote selection data from multiple precinct-based systems to generate
jurisdiction-wide vote counts, including storage and reporting of the
consolidated vote data; and
d. For central-count systems (paper-based and DRE), consolidation
of vote selection data from multiple counting devices to generate
jurisdiction-wide vote counts, including storage and reporting of the
consolidated vote data.
System availability is measured as the ratio of the time during
which the system is operational (up time) to the total time period of
operation (up time plus down time). Inherent availability (Ai) is the
fraction of time a system is functional, based upon Mean Time Between
Failure (MTBF) and Mean Time to Repair (MTTR), that is:
Ai = (MTBF)/(MTBF + MTTR)
Mean Time to Repair (MTTR) is the average time required to perform
a corrective maintenance task during periods of system operation.
Corrective maintenance task time is active repair time, plus the time
attributable to other factors that could lead to logistic or
administrative delays, such as travel notification of qualified
maintenance personnel and travel time for such personnel to arrive at
the appropriate site.
Corrective maintenance may consist of substitution of the complete
device or one of its components, as in the case of precinct count and
some central count systems, or it may consist of on-site repair.
[[Page 18966]]
The voting system shall achieve at least ninety-nine percent
availability during normal operation for the functions indicated above.
This standard encompasses for each function the combination of all
devices and components that support the function, including their MTTR
and MTBF attributes.
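The following added example (not part of the Guidelines) applies the failure definition and 163-hour MTBF floor of Section 3.4.3 and the Ai formula and ninety-nine percent floor of Section 3.4.5 to one function's test log. The event log, the 500-hour operating time, and all names (Event, assess, max_mttr_h) are constructed for illustration.

```python
from dataclasses import dataclass

MIN_MTBF_H = 163.0          # Section 3.4.3: minimum MTBF in qualification testing
MIN_AVAILABILITY = 0.99     # Section 3.4.5: minimum availability per function
DEGRADATION_LIMIT_S = 10.0  # degradation longer than this counts as a failure

@dataclass
class Event:                # hypothetical record layout, not defined by the Guidelines
    kind: str               # "loss" = loss of a function, "degraded" = degraded performance
    outage_s: float         # seconds the device could not perform its intended function
    repair_h: float         # corrective maintenance time, logistic/administrative delay included

def is_failure(e: Event) -> bool:
    """Failure test from Section 3.4.3."""
    return e.kind == "loss" or (e.kind == "degraded" and e.outage_s > DEGRADATION_LIMIT_S)

def assess(operating_h: float, events: list[Event]) -> dict:
    """Return failure count, MTBF, MTTR, Ai and pass/fail flags for one function."""
    failures = [e for e in events if is_failure(e)]
    n = len(failures)
    if n == 0:  # no failure observed: nothing to divide by, treat as fully available
        mtbf, mttr, ai = float("inf"), 0.0, 1.0
    else:
        mtbf = operating_h / n                        # operating time / number of failures
        mttr = sum(e.repair_h for e in failures) / n  # average corrective maintenance time
        ai = mtbf / (mtbf + mttr)                     # Ai = MTBF / (MTBF + MTTR)
    return {"failures": n, "mtbf_h": mtbf, "mttr_h": mttr, "ai": ai,
            "mtbf_ok": mtbf >= MIN_MTBF_H, "ai_ok": ai >= MIN_AVAILABILITY}

def max_mttr_h(mtbf_h: float, ai: float = MIN_AVAILABILITY) -> float:
    """Largest MTTR that still meets the availability floor: MTBF * (1 - Ai) / Ai."""
    return mtbf_h * (1.0 - ai) / ai

# Constructed test log: 500 operating hours, four recorded events.
SAMPLE_EVENTS = [
    Event("loss", 0.0, 1.5),
    Event("degraded", 4.0, 0.0),   # under 10 seconds: not a failure
    Event("degraded", 25.0, 0.5),  # over 10 seconds: counts as a failure
    Event("loss", 0.0, 2.0),
]

if __name__ == "__main__":
    print(assess(500.0, SAMPLE_EVENTS))
    print(round(max_mttr_h(MIN_MTBF_H), 2), "h max MTTR at the 163 h MTBF floor")
```

A device that only just meets the 163-hour MTBF floor stays at ninety-nine percent availability only while its MTTR, travel and notification delays included, is under roughly 1.65 hours, which is why the spare-device and personnel assumptions matter to the result.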
Vendors shall specify the typical system configuration that is to
be used to assess availability, and any assumptions made with regard to
any parameters that impact the MTTR. These factors shall include at a
minimum:
a. Recommended number and locations of spare devices or components
to be kept on hand for repair purposes during periods of system
operation;
b. Recommended number and locations of qualified maintenance
personnel who need to be available to support repair calls during
system operation; and
c. Organizational affiliation (i.e., jurisdiction, vendor) of
qualified maintenance personnel.
3.4.6 Product Marking
All voting systems shall:
a. Identify all devices by means of a permanently affixed nameplate
or label containing the name of the manufacturer or vendor, the name of
the device, its part or model number, its revision letter, its serial
number, and if applicable, its power requirements;
b. Display on each device a separate data plate containing a
schedule for and list of operations required to service or to perform
preventive maintenance; and
c. Display advisory caution and warning instructions to ensure safe
operation of the equipment and to avoid exposure to hazardous
electrical voltages and moving parts at all locations where operation
or exposure may occur.
3.4.7 Workmanship
To help ensure proper workmanship, all manufacturers of voting
systems shall:
a. Adopt and adhere to practices and procedures to ensure that
their products are free from damage or defect that could make them
unsatisfactory for their intended purpose; and
b. Ensure that components provided by external suppliers are free
from damage or defect that could make them unsatisfactory for their
intended purpose.
3.4.8 Safety
All voting systems shall meet the following requirements for
safety:
a. All voting systems and their components shall be designed so as
to eliminate hazards to personnel, or to the equipment itself;
b. Defects in design and construction that can result in personal
injury or equipment damage must be detected and corrected before voting
systems and components are placed into service; and
c. Equipment design for personnel safety shall be equal to or
better than the appropriate requirements of the Occupational Safety and
Health Act (OSHA), as identified in Title 29, part 1910, of the Code of
Federal Regulations.
Volume I, Section 4
Table of Contents
4 Software Standards
4.1 Scope
4.1.1 Software Sources
4.1.2 Location and Control of Software and Hardware on Which it
Operates
4.1.3 Exclusions
4.2 Software Design and Coding Standards
4.2.1 Selection of Programming Languages
4.2.2 Software Integrity
4.2.3 Software Modularity and Programming
4.2.4 Control Constructs
4.2.5 Naming Conventions
4.2.6 Coding Conventions
4.2.7 Comment Conventions
4.3 Data and Document Retention
4.4 Audit Record Data
4.4.1 Pre-election Audit Records
4.4.2 System Readiness Audit Records
4.4.3 In-Process Audit Records
4.4.4 Vote Tally Data
4.5 Vote Secrecy (DRE Systems)
4 Software Standards
4.1 Scope
This section describes essential design and performance
characteristics of the software used in voting systems, addressing both
system-level software, such as operating systems, and voting system
application software, including firmware. The requirements of this
section are intended to ensure that voting system software is reliable,
robust, testable, and maintainable. The standards in this section also
support system accuracy, logical correctness, privacy, security and
integrity.
The general requirements of this section apply to software used to
support the entire range of voting system activities described in
Section 2. More specific requirements are defined for ballot counting,
vote processing, creating an audit trail, and generating output reports
and files. Although this section emphasizes software, the standards
described also influence hardware design considerations.
This section recognizes that there is no best way to design
software. Many programming languages are available for which modern
programming practices are applicable, such as the use of rigorous
program and data structures, data typing, and naming conventions. Other
programming languages exist for which such practices are not easily
applied.
The Standards are intended to guide the design of software written
in any of the programming languages commonly used for mainframe, mini-
computer, and microprocessor systems. They are not intended to preclude
the use of other languages or environments, such as those that exhibit
``declarative'' structure, ``object-oriented'' languages,
``functional'' programming languages, or any other combination of
language and implementation that provides appropriate levels of
performance, testability, reliability, and security. The vendor makes
specific software selections. However, the use of widely recognized and
proven software design methods will facilitate the analysis and testing
of voting system software in the qualification process.
4.1.1 Software Sources
The requirements of this section apply generally to all software
used in voting systems, including:
Software provided by the voting system vendor and its
component suppliers;
Software furnished by an external provider (for example,
providers of COTS operating systems and web browsers) where the
software may be used in any way during voting system operation; and