Chapter 7: Requirements by Voting Activity
7.1 Election Programming
Election programming is the process by which central election officials use election databases and manufacturer system software to logically define the voter choices associated with the contents of the ballots.
There are significant variations among the election laws of the 50 states with respect to permissible ballot contents, voting options, and the associated ballot counting logic.
The EMS SHALL provide for the logical definition of the ballot, including the definition of the number of allowable votes for each contest.
The EMS SHALL be capable of collecting and maintaining
- Offices and their associated labels and instructions;
- Candidate names and their associated labels; and
- Ballot questions and their associated text.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.3.1.1.1.b
The EMS SHALL provide for the logical definition of political and administrative subdivisions, where the list of contest choices or contests varies between precincts.
Applies To: EMS
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.2.6.a and I.2.3.2.b
The EMS SHALL enable central election officials to define multiple election districts.
The EMS SHALL enable central election officials to define and identify contests, contest choices, candidates, and ballot questions using all voting variations indicated in the implementation statement.
Applies To: EMS
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.2.6.b, I.2.2.8.2, I.2.3.2.d
In all systems, the EMS SHALL allow the definition of contests where the voter is allowed to choose at most one contest choice from a list of contest choices.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Implicit in [VSS2002]
In all systems, the EMS SHALL allow the definition of contests where the voter is allowed to vote yes or no on a question.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: New requirement / clarification of [VSS2002] intent
In all systems, the EMS SHALL allow the definition of political parties and the indication of the affiliation and/or endorsements of each contest choice.
Test Reference:Part 3: 5.2 “Functional Testing”
Source: Implicit in [VSS2002]
EMSs of the primary elections device class SHALL support the definition of both party-specific and non-party-specific contests.
Applies To: EMS Λ Primary elections device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.2 and glossary
EMSs of the Write-ins device class SHALL support the definition of contests that include ballot positions for write-in opportunities.
Applies To: EMS Λ Write-ins device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4.3.1.d
EMSs of the Straight party voting device class SHALL be capable of defining the necessary straight party contest and associated metadata to support the gathering and recording of votes for the slate of contest choices endorsed by a given political party.
Applies To: EMS Λ Straight party voting device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.2 and glossary
EMSs of the Cross-party endorsement device class SHALL be capable of defining the necessary straight party contest and associated metadata to support the gathering and recording of votes for the slate of contest choices endorsed by a given political party when a given contest choice is endorsed by two or more different political parties.
Applies To: EMS Λ Cross-party endorsement device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Clarification or extension of existing requirements
EMSs of the Split precincts device class SHALL support the definition of election districts and precincts in such a way that a given polling place may serve two or more election districts.
Applies To: EMS Λ Split precincts device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.2 and glossary
EMSs of the N-of-M voting device class SHALL be capable of defining contests where the voter is allowed to choose up to a specified number of contest choices (N(r) > 1, per Part 1: 8.3 “Logic Model (normative)”) from a list of contest choices.
Applies To: EMS Λ N-of-M voting device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.2, I.2.3.2.a and glossary
EMSs of the Cumulative voting device class SHALL be capable of defining contests where the voter is allowed to allocate up to a specified number of votes (N(r) > 1, per Part 1:8.3 “Logic Model (normative)”) over a list of contest choices, possibly giving more than one vote to a given contest choice.
Applies To: EMS Λ Cumulative voting device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.2, I.2.3.2.a and glossary
EMSs of the Ranked order voting device class SHALL be capable of defining contests where the voter is allowed to rank contest choices in a contest in order of preference, as first choice, second choice, etc.
Applies To: EMS Λ Ranked order voting device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.2 and glossary
The EMS SHALL record the election contests, contest choices, issues, and political and administrative subdivisions exactly as defined by central election officials.
Applies To: EMS
Test Reference: Part 3: 5.2 “Functional Testing”
The EMS SHALL record the options for casting and recording votes exactly as defined by central election officials.
Applies To: EMS
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Reworded from [VSS2002] I.2.2.2.1.b / [VVSG2005] I.2.1.2.b
The EMS SHALL verify (i.e., actively check and confirm) the correct recording of election definition data to the persistent storage of the device.
Applies To: EMS
Test Reference: Part 3: 4.3 “Verification of Design Requirements”
DISCUSSION
"Persistent storage" includes nonvolatile memory, hard disks, optical disks, etc.
Source: [VSS2002] I.3.2.3.1.c and e ([VVSG2005] I.4.1.3.1.c and e), expanded to include persistent storage
The EMS SHALL provide for the generation of master and distributed copies of election definitions as needed to configure each voting device in the system.
Applies To: EMS
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Reworded from [VSS2002] I.2.3.2.e
7.2 Ballot Preparation, Formatting, and Production
The EMS SHALL enable central election officials to define ballot styles.
The EMS SHALL be capable of automatically formatting ballots in accordance with the requirements for offices and contest choices qualified to be placed on the ballot for each political subdivision and election district.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.3.1.1.1.a
The EMS SHALL provide for the inclusion in a given ballot style of any contest in which the voter would be entitled to vote.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Extrapolated from relevant requirements in [VSS2002]
The EMS SHALL provide for the exclusion from a given ballot style of any contest in which the voter would be prohibited from voting because of place of residence or other such administrative or geographical criteria.
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
In systems supporting primary elections, this would include the exclusion of party-specific contests that are not votable by the selected political party.
Source: [VSS2002] I.2.3.2.c
The EMS SHALL uniformly allocate space and fonts used for each office, contest choice, and contest such that the voter perceives no contest choice to be preferred to any other.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.3.1.2.c
The EMS SHALL enable central election officials to add jurisdiction-dependent text, line art, logos and images to ballot styles.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Reworded from [VSS2002] I.3.2.3.1.d
EMSs of the primary elections device class SHALL support the association of different ballot configurations with different political parties.
Applies To: EMS Λ Primary elections device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
In paper-based systems, open primaries have sometimes been handled by printing a single ballot style that merges the contests from all parties, instructing the voter to vote only in the contests applicable to a single party, and rejecting or discarding votes that violate this instruction. To satisfy the requirements for primary elections device, the EMS must be capable of associating different ballot configurations with different political parties.
Source: Reworded from [VSS2002] I.2.3.1.1.1.d
EMSs of the Ballot rotation device class SHALL support the production of rotated ballots and/or the activation of ballot rotation functions in vote-capture devices through the inclusion of relevant metadata in distributed election definitions and ballot styles.
Applies To: EMS Λ Ballot rotation device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.2 and glossary
EMSs of the Split precincts device class SHALL support the definition of distinct ballot configurations for voters from two or more election districts that are served by a given polling place.
Applies To: EMS Λ Split precincts device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.2 and glossary
The EMS SHALL provide for the generation of master and distributed copies of ballot styles as needed to configure each voting device in the system.
Applies To: EMS
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Reworded from [VSS2002] I.2.2.6.d
The EMS SHALL generate codes or marks as needed to uniquely identify the ballot style associated with any ballot.
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
In paper-based systems, identifying marks would appear on the actual ballots. DREs would make internal use of unique identifiers for ballot styles but would not necessarily present these where the voter would see them.
When different precincts share a common ballot style in a paper-based system, typically it is assumed that the ballots from the two precincts will be kept physically separate, tabulated separately, and attributed to the correct precinct at the time of reporting—even in combined precincts where this imposes procedural overhead.
Source: [VSS2002] I.2.3.1.1.1.e
The EMS SHALL support retention, modification, and reuse of ballot styles within the same election and from one election to the next.
Applies To: EMS
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.3.1.2.e and g
The EMS SHALL prevent unauthorized modification of any ballot styles.
Applies To: EMS
Test Reference: Part 3: 4.5.2 “Security”, 5.4 “Open-Ended Vulnerability Testing”
Source: [VSS2002] I.2.3.1.2.f
7.2.1 Procedures required for correct system functioning
The requirements for voting systems are written assuming that these procedures will be followed.
Paper ballot production: central election officials must verify that paper ballots are produced in accordance with manufacturer specifications.
Paper ballot production quality: central election officials must ensure that paper ballots conform to manufacturer specifications for type of paper stock, weight, size, shape, size and location of field used to record votes, folding, bleed through, and ink for printing. ([VSS2002] I.2.3.1.3.1.c)
Paper ballot field alignment: Central election officials must ensure that the vote response fields can be properly aligned with respect to any ballot marking devices used. ([VSS2002] I.2.3.1.1.2.b)
Paper ballot timing mark alignment: central election officials must ensure that timing marks align properly with the vote response fields. ([VSS2002] I.2.3.1.1.2.c)
7.3 Equipment Setup for Security and Integrity
7.3.1 Logic and accuracy testing
The purpose of logic and accuracy testing is to detect malfunctioning and misconfigured devices before polls are opened. It is not a defense against fraud.[9]
Election personnel conduct equipment and system readiness tests prior to the start of an election to ensure that the voting system functions properly, to confirm that system equipment has been properly integrated, and to obtain equipment status and readiness reports. The content of those reports is defined in Part 1: 7.8 “Reporting”.
All systems SHALL provide the capabilities to:
- Verify that all voting devices are properly prepared for an election and collect data that verify equipment readiness;
- Verify the correct installation and interface of all system equipment;
- Verify that hardware and software function correctly; and
- Segregate test data from actual voting data, either procedurally or by hardware/software features.
Applies To: Voting system
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.3.4.1, I.2.3.5.a2 and b2 (the second a and b, respectively), I.4.4.2.a
All programmed devices SHALL include built-in measurement, self-test, and diagnostic software and hardware for monitoring and reporting the system's status and degree of operability.
Applies To: Programmed device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.2.4.1.j, I.2.2.8.1.a
The EMS SHALL enable central election officials to test that ballot styles and programs have been properly prepared and installed.
Applies To: EMS
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.2.6.f, I.4.4.2.c
Programmed devices SHALL include a capability to automatically verify that the software and ballot styles have been properly selected and installed in the equipment and immediately notify an election official of any errors.
Applies To: Programmed device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
Examples of detectable errors include use of software or data intended for a different type of device and operational failures in transferring the software or data.
Source: [VSS2002] I.2.3.3.b, I.4.4.2.c
Programmed devices SHALL include a capability to automatically verify that software correctly matches the ballot styles that it is intended to process and immediately notify an election official of any errors.
Applies To: Programmed device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.3.3.c, I.4.4.2.c
Programmed tabulators SHALL provide the capability for central election officials or election judges to submit test ballots for use in verifying the integrity of the system.
Applies To: Programmed device Λ Tabulator
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4.3.3.s, generalized from DREs; I.4.4.2.d and f
Paper-based tabulators SHALL support testing that uses all potential ballot positions as active positions.
Applies To: Paper-based device Λ Tabulator
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.3.4.2.a, I.4.4.2.f
Paper-based tabulators SHALL support the use of test ballots to test the calibration of the paper-to-digital conversion (i.e., the calibration of optical sensors, the density threshold, and/or the logical reduction of scanned images to binary values, as applicable).
Applies To: Paper-based device Λ Tabulator
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Interpretation of [VSS2002] I.2.3.4.2.b
Paper-based vote-capture devices SHALL include a means of verifying that the ballot marking mechanism is properly prepared and ready to use.
Applies To: Vote-capture device Λ Paper-based device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
In the case of manually-marked paper ballots this requirement is mostly moot. (Sharpen the pencils.)
Source: [VSS2002] I.2.4.1.2.1.a
Logic and accuracy testing functions SHALL introduce no residual side-effects other than audit log entries and status changes to note that the tests have been run with a successful or failed result.
Applies To: Voting device
Test Reference: Part 3: 4.3 “Verification of Design Requirements”, 5.2 “Functional Testing”
DISCUSSION
Status changes required to satisfy Requirement Part 1: 7.4-A and Requirement Part 1: 7.4-B.
Source: [VSS2002] I.2.3.4.1.b2 (the second b), significantly revised
Programmed tabulators SHALL ensure that all test data have been expunged before the logic and accuracy test is logged as successful. If the test data have not been expunged the logic and accuracy test SHALL log as failed.
Applies To: Programmed device Λ Tabulator
Test Reference: Part 3: 4.3 “Verification of Design Requirements”, 5.2 “Functional Testing”
DISCUSSION
Test data must never be reflected in official vote counts for specific contest choices.
Source: [VSS2002] I.2.4.3.3.t / [VVSG2005] I.2.3.3.3.v, generalized from DREs; I.4.4.2.e / [VVSG2005] I.5.4.2.e
7.4 Opening Polls
Programmed devices SHALL provide an internal test or diagnostic capability to verify that all of the tests specified in Part 1: 7.3 ”Equipment Setup for Security and Integrity” have been successfully completed.
Applies To: Programmed device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4.1.1.a
Programmed devices SHALL provide for automatic disabling of an untested device until it has been tested.
Applies To: Programmed device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4.1.1.b
Paper-based tabulators SHALL include a means of activating the ballot counting device.
Applies To: Paper-based device Λ Tabulator
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4.1.2.2.a
Paper-based tabulators SHALL include a means of verifying that the ballot counting device has been correctly activated and is functioning properly.
Applies To: Paper-based device Λ Tabulator
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4.1.2.2.b
Programmed vote-capture devices SHALL provide designated functions for opening the poll.
Applies To: Vote-capture device Λ Programmed device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4.1.3, generalized
Programmed vote-capture devices SHALL include a security seal, a password, or a data code recognition capability to prevent the inadvertent or unauthorized actuation of the poll-opening function.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4.1.3.a
Programmed vote-capture devices SHALL include a means of enforcing the execution of poll-opening steps in the proper sequence if more than one step is required.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4.1.3.b
Programmed vote-capture devices SHALL include a means of verifying that the system has been correctly activated.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4.1.3.c
7.5 Casting
These functional capabilities include all operations conducted at the polling place by voters and officials while polls are open.
7.5.1 Issuance of voting credentials and ballot activation
The term “ballot activation” is sometimes used in a broad sense to cover the general activities of (1) determining what type of ballot must be presented to the voter, and (2) activating the voting system to present the ballot style that is appropriate for that voter. In this section, "issuance of voting credentials" is used for the first activity, and “ballot activation” is used exclusively for the second activity.
Voting credentials are those data items sufficient for the voting system to activate the appropriate ballot for the voter. The credentials consist of an indication of the ballot style and ballot configuration as well as any additional ballot options that the voting system may be capable of presenting if selected by the voter, such as a magnified ballot for a voter with low vision. If the voting system is used for provisional voting, the credentials may also include an identifier that effectively would link the voter's identity with the voter’s cast ballot. The credentials must also indicate the election for which the credentials are valid. Lastly, there is usually a code calculated on the credentials so that the voting system can verify their integrity and verify that an authorized activation device issued the credentials.
An activation device (e.g., an epollbook) stores the credentials on a token (e.g., a memory card) so that the voter can carry them to the vote-capture device – a DRE or EBP. Thus, there is typically an “air gap” required between the activation device and the vote-capture device. The requirements in this section do not prohibit, however, the activation device from being connected to a network of DREs or EBPs. In this case, the credentials and token would be represented by whatever signaling and data is exchanged across the network between the activation device and the DREs/EBPs. Credential issuance also may be performed pre-election by a DRE or EBP in a ballot activation mode (for example, a series of memory cards could be activated for certain ballot styles and ballot configurations in advance of opening the polls).
Preserving privacy of the ballot is a paramount consideration in issuance of voter credentials and ballot activation because knowledge of the voter’s identity is involved. The requirements in this section mandate that privacy of the ballot be protected throughout the entire process of Credential issuance and ballot activation, and that no information be maintained in reports or logs that could assist in identifying a voter’s cast ballot (except for provisional voting on a DRE).
Provisional voting using a DRE must, however, “violate” voter privacy because it is necessary to link the DRE’s CVR with the voter’s identity. If an epollbook or other programmable activation device is used also for provisional voting, then it is possible that the epollbook could keep a record of provisional voters and include, with the voting credentials, an identifier associated with each provisional voter’s identification. The DRE might then associate that identifier with that voter’s CVR. This should only happen if the activation device and the vote-capture device are in a “provisional voting” mode; no linkage of voter identity to voter CVRs should be possible otherwise. While this may be an acceptable method for associating a voter’s identity with the voter’s CVR for provisional voting, at the same time this privacy violation is cause for special concern when implemented in software, and the source code associated with these activities on the activation device and the vote-capture device should receive extra scrutiny. As well, this general process should be considered fair game for OEVT.
This section also contains requirements that permit a ballot activation device to connect to an external voter registration database via a network. Network connectivity is inherently difficult to secure and make reliable, therefore the requirements in this section mandate that the external connectivity must be enabled/disabled by an authorized election official, and that a backup mechanism be in place if the connectivity fails. A ballot activation device or DRE/EBP used as an activation device cannot be connected simultaneously to both an internal (to the voting site) network of DREs or EBPs, and an external network. (The ballot activation device cannot include more than one network interface.) Any external network connectivity should be considered fair game for OEVT and, in particular, network vulnerability and penetration testing.
For provisional voting, if the linkage between the voter’s identity and the voter’s CVR is recorded in the external voter registration database, this may also be considered as fair game for OEVT.
7.5.1.1 Credential issuance and ballot activation
Applies To: DRE, EBP
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
All DREs and EBPs, in addition to ballot activators, must support ballot activation, as defined in the following subrequirements.
Source: [VSS2002] I.2.4
DREs or EBPs MAY function exclusively as an activation device and issue ballot activation credentials.
Applies To: DRE, EBP
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
A DRE or EBP could be configured, pre-election, to function exclusively as an activation device. During elections, a DRE or EBP cannot be used as both an activation device and a vote-capture device.
Source: New requirement but existing practice
Activation devices, DREs, and EBPs SHALL enable poll workers either to initiate, or to provide the voter with the credentials sufficient to initiate, a voting session in which the voter may cast or print at most one ballot.
Applies To: Activation device, DRE, EBP
Test Reference: Part 3: 4.5 “Source Code Review”, 5.2 “Functional Testing”
DISCUSSION
A voting session on an EBP may culminate with the printing of the ballot. Activation devices, DREs, and EBPs must prevent re-use of the credentials, e.g., by erasing a memory token used to carry ballot activation information.
Source: [VSS2002] I.2.4.2.d, rewritten to respect the limits of what the system can do
Activation devices MAY create contemporaneous records of credential issuance to a voter. The record, once made, SHALL NOT be able to be modified by the voting system.
Applies To: Activation device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
The voting system must create a record at the time when credentials are issued to voters so that the collection of records can be compared to the number of ballots voted. This may be done if the activation device prints a record, or by using a paper pollbook.
Source: New requirement
Activation devices, DREs, and EBPs SHALL enable poll workers to control the ballot configuration(s) made available to the voter, whether presented in printed form or electronic display, such that each voter is permitted to record votes only in contests in which that voter is authorized to vote.
Applies To: Activation device, DRE, EBP
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
For an electronic display, poll workers control the ballot configuration using an activation device and issuing credentials. See also Requirement Part 1: 7.2-A.2, Requirement Part 1: 7.2-A.3.
Source: [VSS2002] I.2.4.2.a
DREs and EBPs SHALL activate all portions of the ballot upon which the voter is entitled to vote and SHALL disable all portions of the ballot upon which the voter is not entitled to vote.
Applies To: DRE, EBP
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
In paper-based systems, open primaries have sometimes been handled by printing a single ballot style that merges the contests from all parties, instructing the voter to vote only in the contests applicable to a single party, and rejecting or discarding votes that violate this instruction. To use that approach on a DRE or EBP would violate this requirement.
DREs and EBPs SHALL enable the selection of the ballot configuration that is appropriate to a party affiliation declared by the voter in a primary election.
Applies To: DRE Λ Primary elections device, EBP Λ Primary elections device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4.2.f
7.5.1.2 Secrecy of the ballot
Activation devices, DREs, EBPs SHALL preserve secrecy of the ballot throughout the process of issuing credentials and activating the ballot and the keeping of records associated with ballot activation.
Applies To: Activation device, DRE, EBP
Test Reference: Part 3: 4.5 “Source Code Review”, 5.2 “Functional Testing”, 5.4 “Open-Ended Vulnerability Testing”
DISCUSSION
Secrecy of the ballot must be preserved during all operations associated with activation of the ballot, including during the creation of the ballot activation credential and information, during the process of activating the ballot, and in all keeping of associated records, reports, and logs. It must not be possible to identify a voter’s ballot or in some way violate secrecy of the ballot by aggregating records from different devices.
For example, an epollbook cannot retain and associate any information written to a ballot activation token with the voter’s identification information, and a vote-capture device cannot retain information from the token and associate it with the CVR – or else it would be possible to link the sets of records and identify the voter.
Note that Requirement Part 1: 7.5.1.2-A.3 modifies this requirement if the activation device is used with provisional voting on a DRE.
Source: New requirement
In an open primary on a DRE or EBP, the voter SHOULD be allowed to choose a party affiliation in private at the start of the voting session and vote the appropriate ballot configuration (i.e., the choice of affiliation SHOULD be private as well as the selection of votes on the ballot).
Applies To: DRE Λ Open primaries device, EBP Λ Open primaries device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
In an open primary, the voter may be able to choose a party affiliation at the start of the voting session, therefore more than one ballot configuration may be available to the voter. The voter should be able to select the ballot configuration corresponding to the voter's chosen party affiliation in privacy.
Source: New requirement
Activation devices SHALL NoT create or retain information that can be used to identify a voter’s ballot, including the order and time at which a voter uses the voting system.
Applies To: Activation device, DRE, EBP
Test Reference: Part 3: 5.2 “Functional Testing”, 5.4 “Open-Ended Vulnerability Testing”
DISCUSSION
The activation device must not create or retain any information that could be used for the purposes of identifying a voter’s ballot, or the time at which the voter arrived at the polls, or the specific vote-capture device used by the voter.
Source: New requirement
Credential issuance, only when used during provisional voting, MAY permit the voter’s name to be associated with the voter’s ballot for the purposes of deciding whether to count the ballot. The mechanism used for this association SHALL itself not identify the voter.
Applies To: Activation device, DRE, EBP
Test Reference: Part 3: 5.2 “Functional Testing”, 5.4 “Open-Ended Vulnerability Testing”
DISCUSSION
For provisional voting, the voter’s identity is associated with the voter’s ballot so as to permit a subsequent decision whether to count the ballot. As an example, the activation device may create an identifier and associate it with the provisional voter’s identity, and then include this identifier with other information necessary to activate the ballot. The vote-capture device may store this identifier with the ballot so as to trace the ballot back to the voter’s identity for the purposes of deciding whether the count the ballot. The identifier must not itself identify the voter. For example, it must not include the voter’s identity or other information associated with the voter such as an SSN or other identifying information.
Source: New requirement
7.5.1.3 Credentials and tokens
The sole purpose and use of the ballot activation credentials and token SHALL be for the purpose of activating the ballot.
Applies To: Voting device
Test Reference: Part 3: 5.2 “Functional Testing”, 5.4 “Open-Ended Vulnerability Testing”
DISCUSSION
The credentials and associated token are to be used only for ballot activation and not for other purposes. For example, the token or credentials cannot be used to convey additional information to the vote-capture device or other devices, or to convey information from the vote-capture device to other devices in the case of re-usable tokens.
Source: New requirement
The token SHOULD have the capacity to contain only the information sufficient to activate the ballot.
Applies To: Activation device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
The token should be limited to containing only the necessary information and nothing more – on memory card, possibly several bytes or less. This requirement addresses the threat of the token being used to pass other information to and from the vote-capture device, which should be considered especially if the activation device is connected to an external network (to connect to a registration database).
Source: New requirement
DREs and EBPs SHALL de-activate ballot activation credentials on the token after the voter has successfully cast the ballot.
Applies To: DRE, EBP
Test Reference: Part 3: 4.5 “Source Code Review”, 5.2 “Functional Testing”
DISCUSSION
The token and credentials are considered as authorization to cast a ballot and therefore must be de-activated after that ballot has been cast (and not before). It may be useful for the token to carry state information, such as:
- Inactive - ready to be used in an activation device;
- Active - loaded with credentials and able to activate the ballot;
- In use - has been used to activate the ballot but the ballot has not yet been cast;
- Closed successfully - has been used to activate the ballot and the ballot has been cast successfully; and
- Closed unsuccessfully - has been used to activate the ballot but the ballot was not successfully cast for some reason.
Source: New requirement
The ballot activation token SHOULD be non-reusable by activation devices.
Applies To: Activation device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
The token should be one-way in that it is used only once to activate the ballot and cannot be recycled and used again by an activation device to activate a subsequent ballot. This eliminates the threat of passing other information from the vote-capture device back to the activation device, which should be considered especially if the activation device is connected to an external network (to connect to a registration database).
Source: New requirement
Ballot activation credentials SHALL be created in such a manner that the vote-capture device can verify their integrity and authenticity for the current election and for that vote-capture device.
Applies To: Activation device, DRE, EBP
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
The vote-capture device must verify the integrity of the credentials and their validity for the election, but also must verify whether they were created from a trusted activation device and for use on the vote-capture device. This means essentially that some trust relationship must exist between the vote-capture device and the ballot activator. One approach for implementing this cryptographically is for each ballot activator to calculate, for each credential issued, a keyed-hash message authentication code, or HMAC, on the credentials, and for the vote-capture device to verify the HMAC. If cryptography is used, key sizes are determined by cryptography requirements in Part 1: 5.1 “Cryptography”.
Source: New requirement
7.5.1.4 Activation devices connected to remote registration databases
The activation device MAY connect to an external network for the purposes of accessing and updating information from a remote voter registration database.
Applies To: Activation device ^ Electronic device
Test Reference: Part 3: 5.2 “Functional Testing”, 5.4 “Open-Ended Vulnerability Testing”
DISCUSSION
External is used here to mean ”a public or private network extending beyond the voting site.” An activation device may include the capability to access an external network for the purposes of accessing voter identification information in a remote voter registration database. Note that this is the only remote access permitted; network access cannot be used for other purposes such as for accessing web sites, email, etc. See also related requirements in Part 1: 5.5 “System Integrity Management” and 5.6 “Communication Security” pertaining to secure system and network configurations for the ballot activation device.
Source: New requirement
The activation device SHALL connect to at most one network; either a network connection to vote-capture devices or an external network for the purposes of accessing information in a remote voter registration database, but not both.
Applies To: Activation device ^ Electronic device
Test Reference: Part 3: 5.2 “Functional Testing”, 5.4 “Open-Ended Vulnerability Testing”
Source: New requirement
The activation device SHALL have the capability to access an external network only if so authorized by an administrator.
Applies To: Activation device ^ Electronic device
Test Reference: Part 3: 5.2 “Functional Testing”, 5.4 “Open-Ended Vulnerability Testing”
DISCUSSION
An election official must have the ability to enable or disable the remote access capability, i.e., its network interface and associated logic.
Source: New requirement
The activation device SHALL display a continuous indication to the poll worker during the period it is enabled to access an external network.
Applies To: Activation device ^ Electronic device
Test Reference: Part 3: 5.2 “Functional Testing”, 5.4 “Open-Ended Vulnerability Testing”
DISCUSSION
The notification must be continuous and obvious to the poll worker.
Source: New requirement
The voting system SHALL include a backup capability to activate ballots if access to a remote registration database fails.
Applies To: Voting system
Test Reference: Part 3: 5.2 “Functional Testing”, 5.4 “Open-Ended Vulnerability Testing”
DISCUSSION
If the remote database is unavailable, the voting system must include some backup capability so that it may continue to activate ballots, e.g., a cached local copy of the voter registration database or a paper pollbook.
Source: New requirement
If externally networked, the activation device SHALL connect to a router with network firewall capabilities using a wired connection and the TCP/IP communications protocol.
Applies To: Activation device ^ Electronic device
Test Reference: Part 3: 5.2 “Functional Testing”, 5.4 “Open-Ended Vulnerability Testing”
DISCUSSION
This requirement prohibits the activation device from connecting directly to the external network and possibly using a wireless connection. The device must connect to a router over a wire (e.g., Ethernet). The router must have firewall capability and be configured to block or filter unneeded services and protocols. See [NIST02] for suggested firewall configuration information.
Source: New requirement
Activation devices SHALL be free of vulnerabilities that may be exploited by remote attackers over the network.
Applies To: Activation device ^ Electronic device
Test Reference: Part 3: 4.5 “Source Code Review” and 5.2 “Functional Testing”, 5.4 “Open-Ended Vulnerability Testing”
DISCUSSION
The source code review must consider that the activation device may be accessed via an external network. Certain aspects of the software may be significantly more vulnerable to attack than if there were no external network connectivity. The test lab must review the source code of activation device software and inspect COTS configuration data to search for vulnerabilities that might be exploitable through the external network.
Source: New requirement
7.5.2 General voting functionality
The ballot presented to the voter SHALL NOT display or link to any advertising or commercial logos of any kind, whether public service, commercial, or political, unless added by central election officials using the functionality described in Requirement part1: 7.2-A.5.
Applies To: Vote-capture device
Test Reference: Part 3: 4.3 “Verification of Design Requirements”, 5.2 “Functional Testing”
Source: Clarification of [VSS2002] I.2.3.1.3.1.b
All vote-capture devices SHALL record the selection and non-selection of individual contest choices for each contest.
Applies To: Vote-capture device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4.3.1.c
7.5.3 Voting variations
All vote-capture devices SHALL support the gathering of votes using all voting variations indicated for them in the implementation statement.
Applies To: Vote-capture device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Extrapolated from [VSS2002] I.2.2.8.2 and I.2.4
All vote-capture devices SHALL be capable of gathering and recording votes in contests where the voter is allowed to choose at most one contest choice from a list of contest choices.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4. Extended [VSS2002] I.2.4.2.e to all systems
All vote-capture devices SHALL be capable of gathering and recording votes in contests where the voter is allowed to vote yes or no on a question.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: New requirement / clarification of [VSS2002] intent
All vote-capture devices SHALL be capable of indicating the affiliation and/or endorsements of each contest choice.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision
Vote-capture devices of the closed primaries device class SHALL be capable of gathering and recording votes within a voting process that assigns different ballot styles depending on the registered political party affiliation of the voter and supports both party-specific and non-party-specific contests.
Applies To: Vote-capture device Λ Closed primaries device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.2 and glossary
Vote-capture devices of the open primaries device class SHALL be capable of gathering and recording votes within a voting process that assigns different ballot styles depending on the political party chosen by the voter at the time of voting and supports both party-specific and non-party-specific contests.
Applies To: Vote-capture device Λ Open primaries device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
In paper-based systems, open primaries have sometimes been handled by printing a single ballot style that merges the contests from all parties, instructing the voter to vote only in the contests applicable to a single party, and rejecting or discarding votes that violate this instruction. To satisfy the requirements for open primaries device, the vote-capture device must be capable of handling the case where different ballot configurations are associated with different political parties.
Source: Added precision, based on [VSS2002] I.2.2.8.2 and glossary
Vote-capture devices of the write-ins device class SHALL record the voter's selection of candidates whose names do not appear on the ballot and record as many write-in votes as the voter is allowed, per the definition of N(r) in Part 1: 8.3 “Logic Model (normative)”.
Applies To: Vote-capture device Λ Write-ins device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4.3.1.d
Vote-capture devices of the write-ins device class SHALL be capable of gathering and recording votes within a voting process that allows for reconciliation of aliases and double votes.
Applies To: Vote-capture device Λ Write-ins device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
Reconciliation of aliases means allowing central election officials to declare two different spellings of a candidate's name to be equivalent (or not). Reconciliation of double votes means handling the case where, in an N-of-M contest, a voter has attempted to cast multiple votes for the same candidate using the write-in mechanism. See Part 1: 7.7.2.4 “Logic for reconciling write-in double votes” for details.
Source: Added precision based on clarification of write-in reconciliation process
Vote-capture devices of the ballot rotation device class SHALL be capable of gathering and recording votes when the ordering of contest choices in ballot positions within each contest is variable.
Applies To: Vote-capture device Λ Ballot rotation device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.2 and glossary
Programmed vote-capture devices that enable ballot rotation in a given contest SHALL alter the ordering of contest choices in such a manner that no contest choice SHALL ever have appeared in any particular ballot position two or more times more often than any other.
Applies To: Vote-capture device Λ Programmed device Λ Ballot rotation device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
This is less restrictive than requiring sequential rotation. For a contest of M contest choices, the order may be shuffled randomly after each batch of M ballots and rotated sequentially within each batch.
Source: Clarification or extension of existing requirements
Vote-capture devices of the straight party voting device class SHALL be capable of gathering and recording votes for a special contest in which the selection of a political party implies votes for the contest choices endorsed by that party in all straight-party-votable contests on the ballot.
Applies To: Vote-capture device Λ Straight party voting device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.2 and glossary
Vote-capture devices of the cross-party endorsement device class SHALL be capable of gathering and recording straight-party votes when a given contest choice is endorsed by two or more different political parties.
Applies To: Vote-capture device Λ Cross-party endorsement device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Clarification or extension of existing requirements
Vote-capture devices of the split precincts device class SHALL be capable of gathering and recording votes in a precinct where there are distinct ballot styles for voters from two or more election districts.
Applies To: Vote-capture device Λ Split precincts device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.2 and glossary
Vote-capture devices of the N-of-M voting device class SHALL be capable of gathering and recording votes in contests where the voter is allowed to choose up to a specified number of contest choices (N(r) > 1, per Part 1 8.3 “Logic Model (normative)”) from a list of contest choices.
Applies To: Vote-capture device Λ N-of-M voting device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.2 and glossary
Vote-capture devices of the cumulative voting device class SHALL be capable of gathering and recording votes in contests where the voter is allowed to allocate up to a specified number of votes (N(r) > 1, per Part 1 per Part 1: 8.3 “Logic Model (normative)”) over a list of contest choices, possibly giving more than one vote to a given contest choice.
Applies To: Vote-capture device Λ Cumulative voting device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.2 and glossary
Vote-capture devices of the ranked order voting device class SHALL be capable of gathering and recording votes in contests where the voter is allowed to rank contest choices in a contest in order of preference, as first choice, second choice, etc.
Applies To: Vote-capture device Λ Ranked order voting device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.2 and glossary
Vote-capture devices of the provisional-challenged ballots device class SHALL be capable of gathering and recording votes within a voting process that allows the decision whether to count a particular ballot to be deferred until after election day.
Applies To: Vote-capture device Λ Provisional-challenged ballots device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
Unique identification of each provisional/challenged ballot is required. See Requirement Part 1: 7.7.2-A.5.
Source: Added precision, based on [VSS2002] I.2.2.8.2 and glossary
DREs of the provisional-challenged ballots device class SHALL provide the capability to categorize each provisional/challenged ballot.
Applies To: DRE Λ Provisional-challenged ballots device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
Categories (e.g., "regular provisional," "extended hours provisional," "regular extended hours") would be jurisdiction-dependent.
Vote-capture devices of the review-required ballots device class SHALL be capable of gathering and recording votes within a voting process that requires certain ballots to be flagged or separated for review.
Applies To: Vote-capture device Λ Review-required ballots device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
In some systems and jurisdictions, all ballots containing write-in votes require flagging or separation for review. Support for the class indicates that the system can flag or separate ballots in this manner and include the results of the review in the reported totals (see Part 1: 2.5.3.1 “Supported voting variations (system-level)”). Other reasons for which ballots are flagged or separated are jurisdiction-dependent. It is assumed that ballot presentation is unchanged for Review-required ballots.
Source: Extrapolated from [VSS2002] I.2.5.2
7.5.4 Recording votes
Vote-capture devices SHALL record each vote precisely as indicated by the voter.
Applies To: Vote-capture device
Test Reference: Part 3: 5.2 “Functional Testing”
All CVRs and logs SHALL be consistent with the feedback given to the voter.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision
DREs SHALL verify (i.e., actively check and confirm) the correct addition of votes to the persistent storage of the device.
Applies To: DRE
Test Reference: Part 3: 4.3 “Verification of Design Requirements”, 4.5 “Source Code Review”
DISCUSSION
"Persistent storage" includes nonvolatile memory, hard disks, optical disks, etc.
Source: [VSS2002] I.3.2.4.3.3.c, expanded to include persistent storage
All systems SHALL support the casting of a ballot.
Applies To: Voting system
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
This does not entail retaining a ballot image. DREs are required to retain ballot images (see Part 1: 4.3 “Electronic Records”) but other devices might not.
Source: [VSS2002] I.2.4. Extended [VSS2002] I.2.4.2.e to all systems
All systems SHALL make it possible for each eligible voter to cast a ballot, provided that the limits declared in the implementation statement for each device are not exceeded.
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
See also Requirement Part 1:7.5.7.
Source: [VSS2002] I.2.4.2.b, generalized to all systems
Systems that include paper-based vote-capture devices SHALL include secure receptacles for holding voted ballots.
Applies To: Paper-based device Λ Vote-capture device
Test Reference: Part 3: 4.2 “Physical Configuration Audit”
Source: [VSS2002] I.2.4.1.2.1.c
DREs SHALL prevent modification of the voter's vote after the ballot is cast.
Applies To: DRE
Test Reference: Part 3: 4.5.2 “Security”, 5.4 “Open-Ended Vulnerability Testing”
DISCUSSION
See also Part 1: Section 7.5.7, cast ballot.
Source: [VSS2002] I.2.4.3.3.n
7.5.5 Redundant records
This section contains design requirements to enhance the recoverability of DRE devices. This is a separate concern from auditability, which is addressed in Part 1: Chapter 4: “Security and Audit Architecture”. However, in some systems, the same records might satisfy both these requirements and auditability requirements.
Applies To: DRE
Test Reference: Part 3: 4.3 “Verification of Design Requirements”
DISCUSSION
Besides data stored in electronic memory, a paper record with barcodes or EBM-style markings or a paper record printed in a machine-readable font would qualify as machine-countable.
Source: [VSS2002] I.2.2.2.2, I.2.2.4.2 and I.3.2.4.3.2.c
These redundant records SHALL be written to media that are physically separate from one another (e.g., two separate memory cards or one electronic record and one paper record).
Test Reference: Part 3: 4.3 “Verification of Design Requirements”
DISCUSSION
For improved auditability, it is preferable for the processes and paths used to record separate records to themselves to be as separate as possible, so that the opportunities for a single error to corrupt multiple records in the same way are minimized.
Source: [VSS2002] I.2.2.4.2 and I.3.2.4.3.2.c
7.5.6 Respecting limits
When a tabulator can no longer accept another ballot without the potential of overflowing a vote counter or otherwise compromising the integrity of the counts, it SHALL notify the user or operator and cease to accept new ballots.
Applies To: Tabulator
Test Reference: Part 3: 4.5 “Source Code Review”, 5.2 “Functional Testing”
DISCUSSION
Assuming that the counter size is large enough such that the value will never be reached is not adequate. Systems are required to detect and prevent an impending overflow condition.
Source: Clarification of [VSS2002] II.5.4.2.g
When a DRE can no longer accept another ballot without the potential of overflowing a vote counter or otherwise compromising the integrity of the counts, it SHALL emit appropriate warnings and audit events and cease to activate new ballots.
Applies To: DRE
Test Reference: Part 3: 4.3 “Verification of Design Requirements”, 4.5 “Source Code Review”, 5.2 “Functional Testing”, Requirement Part 3: 4.6-B
DISCUSSION
A DRE must not initiate a voting session if there is the possibility that the next ballot could not be properly cast and recorded. If there exists a way of voting the ballot that would exceed one of the limits, then the ballot must not be activated.
Source: Clarification of [VSS2002] II.5.4.2.g
7.5.7 Procedures required for correct system functioning
The requirements for voting systems are written assuming that these procedures will be followed.
Process allows each eligible voter to vote: The voting process must allow each eligible voter to cast a ballot. ([VSS2002] I.2.4.2.b, generalized from DRE systems to the voting process.) See also Requirement Part 1: 7.5.4-C.1.
At most one cast ballot per voter: The voting process must prevent a voter from casting more than one ballot in the same election. ([VSS2002] I.2.4.2.d, generalized from DRE systems to the voting process.) See also Requirement Part 1: 7.5.1.1-A.2.
Process ensures correct ballot style: The voting process must prevent a voter from voting a ballot style to which he or she is not entitled. ([VSS2002] I.2.4.2.c, generalized from DRE systems to the voting process.) See also Requirement Part 1: 7.2-A.2, Requirement Part 1: 7.2-A.3 and Requirement Part 1: 7.5.1.1-C.
Process prevents vote tampering: The voting process must prevent modification of the voter's vote after the ballot is cast. ([VSS2002] I.2.4.3.3.n, generalized.) See also Requirement Part 1: 7.5.4-D, cast ballot.
Early voting, ballot accounting: In the presence of a witness, election judges must record the value of the ballot counter from each tabulator at the end of each active period. (Issue #1366, Issue #2143) See Part 1: 8.2 “Vote-Capture Device State Model (informative)”. This procedure might be facilitated by designated functions of the voting equipment (i.e., printing of special early-voting end-of-day reports that include the timestamp, the value of the ballot counter, and little else).
Early voting, resumption practices: election judges returning equipment to the ready state after it has been placed in the suspended state must perform this operation in the presence of a witness, confirm that the equipment recorded no activity, and confirm that the ballot counter is unchanged from the value that was recorded when voting was suspended. See Part 1: 8.2 “Vote-Capture Device State Model (informative)”. This procedure might be facilitated by designated functions of the voting equipment (i.e., printing of special early-voting resumption reports that include the timestamp, the value of the ballot counter, confirmation that nothing happened overnight, and little else).
7.6 Closing Polls
Applies To: DRE
Test Reference: Part 3: 4.5.2 “Security”, 5.4 “Open-Ended Vulnerability Testing”
DISCUSSION
This does not apply to paper-based devices because the ballot is subject to handling beyond their control; however, a locked ballot box (per Requirement Part 1: 7.5.4-C.2 and Requirement Part 1: 6.1-F) serves the same purpose. See also Requirement Part 1: 7.7.1-A.
Source: [VSS2002] I.2.4.3.3.r
Programmed vote-capture devices SHALL provide designated functions for closing the polls.
Applies To: Vote-capture device Λ Programmed device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Reworded from [VSS2002] I.2.5
Programmed vote-capture devices SHALL prevent the further enabling, activation or marking of ballots by those devices once the polls have closed.
Test Reference: Part 3: 4.5.2 “Security”, 5.4 “Open-Ended Vulnerability Testing”
DISCUSSION
An EBM cannot prevent a voter from marking a paper ballot with a writing utensil after polls have closed. This must be prevented through procedures.
Source: Reworded from [VSS2002] I.2.5.1.a
DREs SHALL prevent the further casting of ballots once the polls have closed.
Applies To: DRE
Test Reference: Part 3: 4.5.2 “Security”, 5.4 “Open-Ended Vulnerability Testing”
Source: Reworded from [VSS2002] I.2.5.1.a
Programmed vote-capture devices SHALL provide an internal test that verifies that the prescribed closing procedure has been followed and that the device status is normal.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Reworded from [VSS2002] I.2.5.1.b
Programmed vote-capture devices SHALL provide a means to produce a diagnostic test record that verifies the sequence of events and indicates that the poll closing process has been activated.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Reworded from [VSS2002] I.2.5.1.d
Programmed vote-capture devices SHALL prevent reopening of the polls once the poll closing has been completed for that election.
Test Reference: Part 3: 4.5.2 “Security”, 5.4 “Open-Ended Vulnerability Testing”
Source: Revised from [VSS2002] I.2.5.1.e; made consistent with [GPO90] 2.2.3.1
Precinct EMSs SHALL provide designated functions for generating precinct post-election reports.
Applies To: Precinct tabulator Λ EMS
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Reworded from [VSS2002] I.2.5
7.6.1 Procedures required for correct system functioning
The requirements for voting systems are written assuming that these procedures will be followed.
Process, no early reporting: The voting process must prevent access to voted ballots until after the close of polls. ([VSS2002] I.2.4.3.3.r, generalized.) See also Requirement Part 1: 7.6-A.
7.7 Counting
7.7.1 Integrity
All voting systems SHALL detect ballot style mismatches and prevent votes from being tabulated or reported incorrectly due to such a mismatch.
Applies To: Voting system
Test Reference: Requirement Part 3: 5.2.3-F.1
DISCUSSION
For example, if the ballot styles loaded on a tabulator disagree with the ballot styles that were used by vote-capture devices, the system must raise an alarm and prevent the incorrect ballot styles from being used during tabulation. Otherwise, votes could be ascribed to the wrong contest choices.
Such a mismatch should have been detected and prevented in L&A testing (see Requirement Part 1: 7.3.1-C, Requirement Part 1: 7.3.1-D and Requirement Part 1: 7.3.1-E), but if it was not, it must be detected and prevented before tabulation commences.
Source: Amplification of existing requirements
Paper-based tabulators SHALL either:
- Correctly count ballots regardless of whether they are fed upside down, right side up, forward, or reversed; or
- Detect and reject ballots that are oriented incorrectly.
Applies To: Paper-based device Λ Tabulator
Test Reference: Requirement Part 3: 5.2.3-F.1
Source: New requirement
7.7.2 Voting variations
All tabulators SHALL support all voting variations indicated in the implementation statement.
Applies To: Tabulator
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.2.8.1 plus I.2.2.8.2
All tabulators SHALL be capable of tabulating votes, overvotes, and undervotes in contests where the voter is allowed to choose at most one contest choice from a list of contest choices.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Implicit in [VSS2002]
All tabulators SHALL be capable of tabulating votes, overvotes, and undervotes in contests where the voter is allowed to vote yes or no on a question.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: New requirement / clarification of [VSS2002] intent
Tabulators of the absentee voting device class SHALL be capable of tabulating votes, overvotes, and undervotes from absentee ballots.
Applies To: Tabulator Λ Absentee voting device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.1, I.2.2.8.2 and glossary
Tabulators of the provisional-challenged ballots device class SHALL be capable of tabulating votes, overvotes, and undervotes in contests where the decision whether to count a particular ballot is deferred until after election day.
Applies To: Tabulator Λ Provisional-challenged ballots device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.1, I.2.2.8.2 and glossary
Tabulators of the provisional-challenged ballots device class SHALL support the independent acceptance and rejection of individual provisional/challenged ballots.
Applies To: Tabulator Λ Provisional-challenged ballots device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
This is meant to rule out the mode of failure in which the IDs assigned to provisional ballots fail to be unique, rendering the system incapable of accepting one without also accepting the others with the same ID.
Source: Added precision, based on [VSS2002] I.2.2.8.1, I.2.2.8.2 and glossary
Tabulators of the provisional-challenged ballots device class SHALL support the acceptance and rejection of provisional/challenged ballots by category.
Applies To: Tabulator Λ Provisional-challenged ballots device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
For "category," see Requirement Part 1: 7.5.3-A.17. The behavior when an individual acceptance/rejection conflicts with a categorical acceptance/rejection is system-dependent and should be documented by the manufacturer.
Tabulators of the primary elections device class SHALL be capable of keeping separate totals for each political party for the number of ballots read and counted.
Applies To: Tabulator Λ Primary elections device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
In paper-based systems, open primaries have sometimes been handled by printing a single ballot style that merges the contests from all parties and instructing the voter to vote only in the contests applicable to a single party. This approach requires additional logic in the tabulator to support the rejection or discarding of votes that violate these special instructions, while the approach of assigning different ballot configurations to different parties does not. Support for the merged ballot approach is not required for a tabulator to satisfy the requirements for primary elections device. See Part 1: 7.7.2.1 “Merged ballot approach to open primaries”.
This requirement to separate by party applies only to the number of read ballots and counted ballots. It does not apply to contest choice vote totals.
Source: Added precision, based on [VSS2002] reporting requirements
Tabulators of the write-ins device class SHALL be capable of tabulating votes for write-in candidates, with separate totals for each candidate.
Applies To: Tabulator Λ Write-ins device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.1, I.2.2.8.2 and glossary
Tabulators of the write-ins device class SHALL be capable of gathering and recording votes within a voting process that allows for reconciliation of aliases and double votes.
Applies To: Tabulator Λ Write-ins device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
Reconciliation of aliases means allowing central election officials to declare two different spellings of a candidate's name to be equivalent (or not). Reconciliation of double votes means handling the case where, in an N-of-M contest, a voter has attempted to cast multiple votes for the same candidate using the write-in mechanism. See Part 1: 7.7.2.4 “Logic for reconciling write-in double votes” for details.
Source: Added precision based on clarification of write-in reconciliation process
Tabulators of the ballot rotation device class SHALL be capable of tabulating votes when the ordering of contest choices in ballot positions within each contest is variable.
Applies To: Tabulator Λ Ballot rotation device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
This simply means that ballot rotation must not impact the correctness of the count. A mode of failure would be getting confused about the mapping from ballot positions to contest choices.
Source: Added precision, based on [VSS2002] I.2.2.8.1, I.2.2.8.2 and glossary
Tabulators of the straight party voting device class SHALL be capable of tabulating straight party votes.
Applies To: Tabulator Λ Straight party voting device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.1, I.2.2.8.2 and glossary
A straight party vote SHALL be counted as a vote in favor of all contest choices endorsed by the chosen party in each straight-party-votable contest in which the voter does not cast an explicit vote.
Applies To: Tabulator Λ Straight party voting device
Test Reference: Part 3: 4.6 “Logic Verification”, 5.2 “Functional Testing”
DISCUSSION
This requirement intentionally says nothing about what happens when there is both a straight party endorsed contest choice and an explicit vote in a given contest (a straight party override). See Part 1: 7.7.2.3 “Logic for counting straight party overrides”.
Source: Added precision, based on [VSS2002] I.2.2.8.1, I.2.2.8.2 and glossary
Tabulators of the cross-party endorsement device class SHALL be capable of tabulating straight-party votes when a given contest choice is endorsed by two or more different political parties.
Applies To: Tabulator Λ Cross-party endorsement device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.1, I.2.2.8.2 and glossary
Tabulators of the split precincts device class SHALL be capable of tabulating votes for two or more election districts within the same precinct.
Applies To: Tabulator Λ Split precincts device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.1, I.2.2.8.2 and glossary
Tabulators of the N-of-M voting device class SHALL be capable of tabulating votes, overvotes, and undervotes in contests where the voter is allowed to choose up to a specified number of contest choices (N(r) > 1, per Part 1: 8.3 “Logic Model (normative)”) from a list of contest choices.
Applies To: Tabulator Λ N-of-M voting device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.1, I.2.2.8.2 and glossary
Tabulators of the cumulative voting device class SHALL be capable of tabulating votes, overvotes, and undervotes in contests where the voter is allowed to allocate up to a specified number of votes (N(r) > 1, per Part 1: 8.3 “Logic Model (normative)”) over a list of contest choices however he or she chooses, possibly giving more than one vote to a given contest choice.
Applies To: Tabulator Λ Cumulative voting device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.1, I.2.2.8.2 and glossary
Tabulators of the ranked order voting device class SHALL be capable of determining the results of a ranked order contest for each round of voting.
Applies To: Tabulator Λ Ranked order voting device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
This requirement is minimal. Since ranked order voting is not currently in wide use, it is not clear what, other than the final result, must be computed. See Part 1: 7.7.2.5 “Logic for ranked order voting”.
Source: [VSS2002] I.2.2.8.1 plus I.2.2.8.2
The following subsections discuss cases for which tabulation logic is not specified in the VVSG.
7.7.2.1 Merged ballot approach to open primaries
In paper-based systems, open primaries have sometimes been handled by printing a single ballot style that merges the contests from all parties and instructing the voter to vote only in the contests applicable to a single party. This approach requires additional logic in the tabulator to support the rejection or discarding of votes that violate these special instructions, while the approach of assigning different ballot configurations to different parties does not.
Support for the merged ballot approach is not required for a tabulator to satisfy the requirements in these Guidelines for support of open primaries. Voting systems may provide this option as an extension to the Guidelines without breaking conformance.
7.7.2.2 Recall candidacy linked to recall question
In some jurisdictions, a vote for a candidate to replace a recalled official is counted only if the recall question on the same ballot was voted, and sometimes only if it was voted in the affirmative. Voting systems may provide this option as an extension to the Guidelines without breaking conformance.
7.7.2.3 Logic for counting straight party overrides
Although initially it seems obvious that a straight party override in a 1-of-M race should take precedence over a straight party vote, it is less obvious after considering the generalized case of an N-of-M race in which the number of candidates endorsed by the selected party might be less than N. Approaches supported by commercially available technology include (1) all straight party votes are cancelled when an explicit vote exists; (2) both straight party and explicit votes are counted; (3) both straight party and explicit votes are counted unless this exceeds N, in which case only the explicit votes are counted; (4) both straight party and explicit votes are counted unless this exceeds N, in which case straight party votes from the bottom of the list are dropped until the number of votes is reduced to N.
These Guidelines do not specify any particular approach to resolving straight party overrides, but the approach(es) supported are required to be described in the Voting Equipment User Documentation. See Requirement Part 2: 4.4.4-B.
7.7.2.4 Logic for reconciling write-in double votes
Reconciliation of double votes means handling the case where, in an N-of-M contest, a voter has attempted to cast multiple votes for the same candidate using the write-in mechanism. If the voter has selected a ballot position for a given candidate but also written in that candidate's name, or if the voter has written in the same candidate twice using the same spelling or different legal spellings, some corrective action is required—possibly counting only one of the votes, possibly considering the contest to be overvoted. Which action should be specified by jurisdiction election law.
Given a sufficiently robust mechanism for reconciliation of aliases, the reconciliation of double votes can be automated. Once it is known that the name written in identifies the same candidate as the previous ballot position, the tabulator can take whatever action is specified by election law.
These Guidelines do not specify any particular approach to reconciling double votes, but the approach(es) supported are required to be described in the Voting Equipment User Documentation. See Requirement Part 2: 4.4.4-C.
7.7.2.5 Logic for ranked order voting
The 1-of-M case of ranked order voting, known by various names including instant runoff voting, requires the definition of criteria for breaking ties. Whereas in plurality voting the voting system need only report the vote totals, a voting system supporting ranked order voting must implement tie-breaking logic in order to be certain of reaching a reportable result.
It is also necessary to decide whether voters may assign equal rankings to two contest choices, whether voters are required to rank every choice, and how to compute a result in the case where they do not.
The N-of-M generalization, called single transferable vote, has two additional adjustable parameters: the vote quota (the number of votes required to declare a candidate elected) and the weighting or distribution of votes transferred from contest choices that exceed the quota.
Finally, to the extent that a particular ranked order variant defines certain voter responses to be partly or wholly invalid, the manner in which the votes from the affected ballots are to be accounted for and reported (analogous to the reporting of overvotes in plurality contents) must be decided.
Ranked order voting has had insufficient use in the United States to establish clear precedent on how these questions are to be answered; consequently, it would be premature to standardize any particular algorithm or set of algorithms, or attempt to accommodate every possible interpretation.
7.7.3 Ballot separation
See also Part 1: 3.2.2.2 “Non-Editable interfaces” and Requirement Part 1: 6.3.3-A.
In response to designated conditions, paper-based central tabulators SHALL (a) outstack the ballot (i.e., divert to a stack separate from the ballots that were normally processed), (b) stop the ballot reader and display a message prompting the election official or designee to remove the ballot, or (c) mark the ballot with an identifying mark to facilitate its later identification.
Applies To: Central tabulator Λ Paper-based device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.3.2.5.1.2
All paper-based central tabulators SHALL perform this action in response to an unreadable ballot.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.3.2.5.1.2
Paper-based central tabulators of the review-required ballots device class SHALL be able to perform this action in response to a ballot containing write-in votes.
Applies To: Central tabulator Λ Paper-based device Λ Review-required ballots device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
The requirement to separate ballots containing write-in votes is not applicable in systems in which an EBM encodes write-in votes in machine-readable form and an optical scanner generates individual tallies for all written-in candidates automatically. Separation of ballots containing write-in votes is only necessary in systems that require the allocation of write-in votes to specific candidates to be performed manually. Such systems do not conform to the write-ins class. See Part 1: 2.5.3.1 “Supported voting variations (system-level)”.
Source: [VSS2002] I.3.2.5.1.2
All paper-based central tabulators SHALL provide a capability that can be activated by central election officials to perform this action in response to ballots containing overvotes, blank ballots, and ballots containing undervotes in a designated race.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.3.2.5.1.2
Paper-based precinct tabulators of the review-required ballots device class SHALL have the capability, when presented with a ballot containing a write-in vote, to segregate the ballot or mark the ballot with an identifying mark to facilitate its later identification.
Applies To: Precinct tabulator Λ Paper-based device Λ Review-required ballots device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
The requirement to separate ballots containing write-in votes is not applicable in systems in which an EBM encodes write-in votes in machine-readable form and an optical scanner generates individual tallies for all written-in candidates automatically. Separation of ballots containing write-in votes is only necessary in systems that require the allocation of write-in votes to specific candidates to be performed manually. Such systems do not conform to the write-ins class. See Part 1: 2.5.3.1 “Supported voting variations (system-level)”.
Source: [VSS2002] I.3.2.5.1.3.b
ECOS SHOULD provide a capability to alert an election official when a ballot that is scanned appears to contain marginal marks or overvotes.
Applies To: ECOS
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
If an EMPB appears to contain marginal marks or overvotes, either the EBM is broken or the scanner is broken. Either way, an election official should be notified immediately. (It is possible that the voter simply disregarded instructions and marked the ballot manually.)
Source: New requirement
7.7.4 Misfed ballots
If multiple feed or misfeed (jamming) occurs, a paper-based tabulator SHALL halt in a manner that permits the operator to remove the ballot(s) causing the error and reinsert them in the input hopper (if unread) or insert them in the ballot box (if read).
Applies To: Paper-based device Λ Tabulator
Test Reference: Part 3: 4.3 “Verification of Design Requirements”, 5.2 “Functional Testing”
DISCUSSION
See also Requirement Part 1: 7.7.4-B and Part 1 Section 7.7.7.
Source: [VSS2002] I.3.2.5.1.4.a, expanded to include jamming and ballots that were read
If multiple feed or misfeed (jamming) occurs, a paper-based tabulator SHALL clearly indicate whether or not the ballot(s) causing the error have been read.
Applies To: Paper-based device Λ Tabulator
Test Reference: Part 3: 4.3 “Verification of Design Requirements”, 5.2 “Functional Testing”
DISCUSSION
A similar issue arises with DREs that hang just as the voter presses the "cast ballot" button. See Requirement Part 1: 3.2.2.1-F. See also Requirement Part 1: 7.7.4-A and Part 1: 7.7.7 “Procedures required for correct system functioning”.
Source: [MS05] 14.2.5.3 (page 46)
7.7.5 Accuracy
Requirement Part 1: 6.3.2-B applies to all voting systems and need not be repeated here. The following requirements elaborate the general requirement with respect to issues that are unique to paper-based systems.
Optical scanners SHALL ignore (i.e., not record as votes) unmarked voting targets to the satisfaction of Requirement Part 1: 6.3.2-B.
Applies To: Optical scanner
Test Reference: Part 3: 5.3.3 “Reliability”
DISCUSSION
"Unmarked" in this requirement means containing no marks of any kind other than those designed to be present as part of the ballot style. This includes extraneous perforations, smudges, folds, and blemishes in the ballot stock. See Requirement Part 1: 7.7.5-E, Requirement Part 1: 7.7.5-F and Requirement Part 1: 7.7.5-G.
Source: [VSS2002] I.3.2.5.2, "Recognize vote punches or marks, or the absence thereof"
ECOS SHALL detect EBM-generated vote indications to the satisfaction of Requirement Part 1: 6.3.2-B.
Applies To: ECOS
Test Reference: Part 3: 5.3.3 “Reliability”
DISCUSSION
Reading of marginal marks should be a non-issue if EBMs are used.
Source: Narrowed from [VSS2002] I.3.2.5.2.a and I.3.2.6.1.1
MCOS SHALL detect marks that conform to manufacturer specifications to the satisfaction of Requirement Part 1: 6.3.2-B.
Applies To: MCOS
Test Reference: Part 3: 5.3.3 “Reliability”
Source: [VSS2002] I.3.2.5.2.a and I.3.2.6.1.1
MCOS SHALL detect a 1 mm thick line that is made with a #2 pencil that crosses the entirety of the voting target on its long axis, that is centered on the voting target, and that is as dark as can practically be made with a #2 pencil, to the satisfaction of Requirement Part 1: 6.3.2-B.
Applies To: MCOS
Test Reference: Part 3: 5.3.3 “Reliability”
DISCUSSION
Different optical scanning technologies will register imperfect marks in different ways. Variables include the size, shape, orientation, and darkness of the mark; the location of the mark within the voting target; the wavelength of light used by the scanner; the size and shape of the scanner's aperture; the color of the ink; the sensed background-white and maximum-dark levels; and of course the calibration of the scanner. The mark specified in this requirement is intended to be less than 100 % perfect, but reliably detectable, i.e., not so marginal as to bring the uncontrolled variables to the forefront. In plain language: scanning technologies may vary, but as a minimum requirement, all of them should be capable of reliably reading this mark.
Source: Many issues and public comments. Specification of mark originated with recommendation in Issue #1322, changed to reduce ambiguity.
Paper-based tabulators SHALL NOT record as votes any marks, perforations, smudges, or folds appearing outside the boundaries of voting targets.
Applies To: Paper-based device Λ Tabulator
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
In previous iterations of these VVSG it was unclear whether "extraneous perforations, smudges, and folds" included perforations, smudges and folds appearing within voting targets. Those appearing within voting targets are now discussed in Requirement Part 1: 7.7.5-F and Requirement Part 1: 7.7.5-G. Those other requirements are "should" not "shall"—technology in wide use as of 2006 cannot reliably distinguish extraneous marks within voting targets from deliberate marks.
Marks that conflict with timing marks may cause a tabulator to reject a ballot. This is conforming behavior, as it does not result in the recording of bogus votes.
Source: Clarified from [VSS2002] I.3.2.5.2.b
Optical scanners SHOULD NOT record as votes imperfections in the ballot stock and similar insignificant marks appearing inside voting targets.
Applies To: Optical scanner
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
With technology that is in wide use as of 2006, insignificant marks appearing inside voting targets can be detected as votes. This problem should be minimized.
Source: Clarified from [VSS2002] I.3.2.5.2.b
MCOS SHOULD NOT record as votes hesitation marks and similar insignificant marks.
Applies To: MCOS
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
With technology that is in wide use as of 2006, it may be possible to reliably detect reasonable marks and reliably ignore hesitation marks if the scanner is calibrated to a specific marking utensil. Unfortunately, in practice, optical scanners are required to tolerate the variations caused by the use of unapproved marking utensils. Thus, lighter marks of a significant size are detected at the cost of possibly detecting especially dark hesitation marks. Emerging technologies for context-sensitive ballot scanning may solve this problem. It is also solvable through procedures that ensure that all voters use only the approved marking utensil.
Source: Clarified from [VSS2002] I.3.2.5.2.b
7.7.5.1 Marginal marks
A marginal mark is a mark within a voting target that does not conform to manufacturer specifications for a reliably detectable vote. The word "marginal" refers to the limit of what is detectable by an optical scanner, not the margin of the page. Marks that are outside of voting targets are called extraneous marks.
A marginal mark is neither clearly countable as a vote nor clearly countable as a non-vote. It is an ambiguous vote, analogous to dimpled chad on a punchcard.
The voter should always be instructed to make an ideal mark, which in a typical optical scan system means completely filling the oval with a #2 pencil. To allow for variations in the marks that diligent voters actually make when trying to follow this instruction, the accidental use of non-approved marking utensils, et cetera, optical scanners are configured to accept a relatively wide range of marks as votes (Requirement Part 1: 7.7.5-D). Marginal marks are below this range. They happen when voters do not follow instructions or the instructions are inadequate.
Although the criteria are not necessarily simple, manufacturers are required to specify what constitutes a reliably detectable mark versus a marginal mark (Requirement Part 2: 4.1.2-A.2). If this cannot be accomplished, then the voting system is counting votes using a mystery algorithm. Such a system cannot be found compliant.
A ballot that was marked with an EBM should never contain marginal marks. If it does, an equipment malfunction has occurred, and it should be handled as such (Requirement Part 1: 7.7.3-C).
In the case of precinct counting of manually-marked paper ballots, the precinct count scanner should be configured to reject ballots containing marginal marks (Requirement Part 1: 3.2.2.2-E). For example, a hypothetical optical scanner that detected marks based only on overall darkness could be configured so that a mark that was more than (30 ± 2) % dark would count as a vote, a mark that was less than (10 ± 2) % dark would count as a non-vote, and anything in between would be rejected as marginal. (These numbers are just examples to clarify the general intent, and are not necessarily fit for use in an any given election.)
The uncertainty at both ends of the marginal zone is of no consequence. A mark that was exactly 30 % dark would either be accepted as a vote or rejected as marginal and returned to the voter for clarification. Either way, it would not be mistaken for a non-vote. Similarly, a mark that was exactly 10 % dark would either be accepted as a non-vote or rejected as marginal and returned to the voter for clarification. Either way, it would not be mistaken for a vote. (Detectable marks in the lower range are typically hesitation marks, accidental smudges, or damage to the paper.)
In the central count case, rejection of marginal marks is only helpful if someone is going to examine each affected ballot and judge the intent of the voter. If this is not going to occur, then it is preferable to disable the detection of marginal marks so that every mark is counted either as a vote or as a non-vote. Unfortunately, it is not technically possible to do this without creating the potential for irreproducible tabulation results. For example, if a hypothetical optical scanner that detected marks based only on overall darkness were calibrated to distinguish votes from non-votes using a threshold of (25 ± 2) % darkness, the detection of marks that were between 23 % and 27 % dark would not reproduce on a different scanner of the same kind. Moreover, the detection of marks that happened to fall very close to the actual detection threshold of the scanner as calibrated would not repeat on the same scanner. As the darkness of a mark (or whatever the scanner is measuring) approaches the detection threshold, the signal-to-noise ratio approaches zero. At some point, the noise determines the result that is tabulated.
Short of banning the use of manually-marked paper ballots, which would create a crisis for absentee voting, the best that can be done for this central count case is to prohibit bias in the detection of marginal marks (Requirement Part 1: 7.7.5.1-A) and advise that the detection of marginal marks be made as repeatable as possible (Requirement Part 1: 7.7.5.1-B).
The detection of marginal marks from manually-marked paper ballots SHALL show a bias.
Applies To: MCOS
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
Bias errors are not permissible in any system ([GPO90] 7.3.3.3). An example of bias would be if marginal marks in the first ballot position were detected differently than marginal marks in the second ballot position.
Source: New requirement
The detection of marginal marks from manually-marked paper ballots SHOULD be repeatable.
Applies To: MCOS
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
It is difficult to have confidence in the equipment if consecutive readings of the same ballots on the same equipment yield dramatically different results. However, it is technically impossible to achieve repeatable reading of ballots containing marks that fall precisely on the sensing threshold. See Part 1: 7.7.5.1 “Marginal marks”.
Source: New requirement
7.7.6 Consolidation
Precinct EMSs SHALL consolidate the data contained in each unit into a single report for the polling place when more than one vote-capture device or precinct tabulator is used.
Applies To: Precinct tabulator Λ EMS
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
For requirements on report content see Part 1: 7.8 “Reporting”.
Source: Reworded from [VSS2002] I.2.5.3.2
DREs SHALL, if the consolidation of polling place data is done locally, perform this consolidation in a time not to exceed 5 minutes per DRE.
Applies To: Precinct tabulator Λ EMS Λ DRE
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
This requirement assumes that the precinct is operating using DREs exclusively and that one of those DREs fills the role of EMS.
Source: Reworded from [VSS2002] I.3.2.6.2.1
7.7.7 Procedures required for correct system functioning
The requirements for voting systems are written assuming that these procedures will be followed.
Paper-based tabulator, clearing misfeeds when ballot was read: If it is necessary to clear a misfed ballot that was read by a paper-based tabulator but became stuck on its way to the ballot box, election judges or central election officials must perform this task in the presence of a witness. If an audit found that the contents of the ballot box and the records from the tabulator did not match, one would want to be able to rule out the possibility that something made its way into the ballot box while the tabulator was disconnected.
7.8 Reporting
Although reporting is typically an EMS function, most of the requirements in this section are scoped to the entire system because any given EMS might not generate all of the specified information. For example, the precinct- and system extent-level reports might be generated by different EMSs located in the precinct and central location, respectively. The precinct EMSs need not have the capability to generate system extent-level reports and vice-versa.
7.8.1 General reporting functionality
All reports SHALL include the date and time of the report's generation, including hours, minutes, and seconds.
Applies To: Voting system
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
Even if the clock's accuracy leaves something to be desired, second precision is useful to have if two reports are generated in quick succession.
Source: New requirement
Timestamps in reports SHOULD comply with ISO 8601 [ISO04], provide all four digits of the year and include the time zone.
All programmed devices SHALL prevent data, including data in transportable memory, from being altered or destroyed by report generation.
Applies To: Programmed device
Test Reference: Part 3: 4.3 “Verification of Design Requirements”
DISCUSSION
The appending of an audit record reflecting the fact that a report has been generated is not considered an alteration.
Source: From [VSS2002] I.2.2.6.h, I.2.5.3.1.g, and I.2.5.3.2.d
7.8.2 Audit, status, and readiness reports
All systems SHALL be capable of producing reports of the event logs defined in Part 1: 5.7 “System Event Logging”.
Applies To: Voting system
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.2.6.i and I.2.5.3.1.f
The EMS SHALL provide the capability to obtain a report that includes:
- The allowable number of votes in each contest;
- The combinations of voting patterns permitted or required by the jurisdiction;
- The inclusion or exclusion of contests as the result of multiple districting within a polling place;
- Any other characteristics that may be peculiar to the jurisdiction, the election or the precincts;
- Manual data maintained by election personnel;
- Samples of all final ballot styles; and
- Ballot preparation edit listings.
Applies To: EMS
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
For the logging of auditable events during election programming see Part 1: 5.7 “System Event Logging”.
All programmed devices SHALL provide the capabilities to obtain status and equipment readiness reports.
Applies To: Programmed device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
These reports typically are generated during pre-voting logic and accuracy testing; see Part 1: 7.3.1 “Logic and accuracy testing”.
Source: Reworded from [VSS2002] I.2.3.4.1.b
Readiness reports SHALL include at least the following information for each polling place:
- The election's identification data;
- The identification of the precinct and polling place;
- The identification of all voting devices deployed in the precinct;
- The identification of all ballot styles used in that precinct;
- Confirmation that no hardware or software failures were detected during setup and testing, or a record of those that occurred; and
- Confirmation that all vote-capture devices are ready for the opening of polls, or identification of those that are not.
Applies To: In-person voting
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
In jurisdictions where there are no programmed devices in the precincts, confirmation of equipment readiness could occur through a manual check and signoff by election judges. These readiness reports could take the form of checklists, fill-in forms and signature sheets supplied to the precincts by a central authority.
Source: [VSS2002] I.2.3.5, separated generic precinct vs. precinct tabulator reqs, modified to deal with failures
Readiness reports SHALL include the following information for each precinct tabulator:
- The election's identification data;
- The identification of the precinct and polling place;
- The identification of the tabulator;
- The contents of each active contest choice register at all storage locations;
- Confirmation that no hardware or software failures were detected during setup and testing, or a record of those that occurred; and
- Any other information needed to confirm the readiness of the equipment and to accommodate administrative reporting requirements.
Applies To: Precinct tabulator
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.3.5, separated generic precinct vs. precinct tabulator reqs, harmonized with Requirement Part 1: 7.8.2-F, modified to deal with failures, deleted "special voting options"
Readiness reports SHALL include the following information for each central tabulator:
- The election's identification data;
- The identification of the tabulator;
- The identification of all ballot styles used in the system extent;
- The contents of each active contest choice register at all storage locations;
- Confirmation that no hardware or software failures were detected during setup and testing, or a record of those that occurred; and
- Any other information needed to confirm the readiness of the equipment and to accommodate administrative reporting requirements.
Applies To: Central tabulator
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.3.6, harmonized with Requirement Part 1: 7.8.2-E, modified to deal with failures, deleted "special voting options"
Systems that send ballots over a public network SHALL provide a report of test ballots that includes:
- The number of test ballots sent;
- When each test ballot was sent;
- The identity of the machine from which each test ballot was sent; and
- The specific votes contained in the test ballots.
Applies To: Voting system
Test Reference: Part 3: 5.2 “Functional Testing”
7.8.3 Vote data reports
The requirements in this section specify a minimum set of information that a voting system must report. They do not prohibit any voting system from reporting additional information that may be required by jurisdictions or merely found to be useful.
Similarly, the identification of four "standard" reporting contexts (tabulator, precinct, election district, and system extent) requires voting systems to support these at a minimum, but does not prohibit any voting system from supporting additional reporting contexts or from offering a generalized facility through which central election officials may define arbitrary reporting contexts.
7.8.3.1 General functionality
All devices used to produce reports of the vote count SHALL be capable of producing:
- Alphanumeric headers;
- Election, office and issue labels; and
- Alphanumeric entries generated as part of the audit record.
Applies To: Voting system
Test Reference: Part 3: 5.2 “Functional Testing”
All systems SHALL be able to produce an accurate, human-readable report of all votes cast.
Applies To: Voting system
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
Binary document formats and text containing markup tags are not considered human-readable. The system may generate such documents, but it must also provide the functionality to render those documents in human-readable form (e.g., by including the necessary reader application).
Source: [VSS2002] I.2.2.2.1.c as expanded by [P1583] 5.2.1.1.c[5]
All systems SHALL produce vote data reports that account for all cast ballots and all valid votes.
Applies To: Voting system
Test Reference: Part 3: 4.6 “Logic Verification”, 5.2 “Functional Testing”
Vote data reports SHALL be completely consistent, with no discrepancy among reports of voting device data at any level.
Applies To: Voting system
Test Reference: Part 3: 4.6 “Logic Verification”, 5.2 “Functional Testing”
Source: Reworded from [VSS2002] I.3.2.6.2.2, extended to all systems
Any discrepancy that is detectable by the system SHALL be flagged by the system by an annotation or error message in the affected report(s) and/or a separate discrepancy report.
Test Reference: Part 3: 4.6 “Logic Verification”, 5.2 “Functional Testing”
DISCUSSION
If this requirement is applicable, then the system has failed to satisfy Requirement Part 1: 7.8.3.1-D and is therefore non-conforming. Nevertheless, in practice it is essential that discrepancies be flagged by the system as much as possible so that they are not overlooked by election judges. The system cannot detect discrepancies if no single voting device is ever in possession of a sufficient set of data.
Source: New requirement in response to Issue #1366
Any discrepancy in reports, regardless of source, SHALL be resolvable to a specific cause.
Test Reference: Part 3: 4.6 “Logic Verification”, 5.2 “Functional Testing”
DISCUSSION
If this requirement is applicable, then the system has failed to satisfy Requirement Part 1 :7.8.3.1-D and is therefore non-conforming. Nevertheless, in practice it is essential that a specific cause be determinable.
Source: Reworded and generalized from [VSS2002] I.3.2.6.2.2
All systems SHOULD be capable of generating reports that consolidate vote data from selected precincts.
Applies To: Voting system
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
Jurisdictions in which more than one precinct may vote at the same location on either the same ballot style or a different ballot style may desire reports that consolidate the voting location.
Source: Derived from [ND06] 5.04.05.g, [UT04] Requirement 23 and [MS05] 14.3.2.3
Precinct tabulators SHALL prevent the printing of vote data reports and the extraction of vote tally data prior to the official close of polls.
Applies To: Precinct tabulator
Test Reference: Part 3:4.5.2 “Security”, 5.4 “Open-Ended Vulnerability Testing”
DISCUSSION
Providing ballot counts does not violate this requirement. The prohibition is against providing vote totals. Ballot counts are required for ballot accounting, but early extraction of vote totals is an enabler of election fraud.
Source: Revised from [VSS2002] I.2.5.3.2
7.8.3.2 Ballot counts
Source for Requirement Part 1: 7.8.3.3-A through Requirement Part 1: 7.8.3.3-I: These requirements were distilled, refactored, and clarified from overlapping, subtly differing requirements appearing several places in Chapters 2 and 4 of [VSS2002], including: I.2.2.2.1.c (produce an accurate report of all votes cast), I.2.2.6.h (printed report of everything in I.2.5), I.2.2.9 (ballot counter), I.2.5.2 (means to consolidate vote data), I.2.5.3.1.a (geographic reporting), I.2.5.3.1.b (printed report of number of ballots counted by each tabulator), I.2.5.3.1.c (contest results, overvotes, and undervotes for each tabulator), I.2.5.3.1.d (consolidated reports including other data sources), I.4.4.4.a (number of ballots cast, using each ballot configuration, by tabulator, precinct, and political subdivision), I.4.4.4.b (candidate and measure totals for each contest, by tabulator), I.4.4.4.c (number of ballots read within each precinct and for additional jurisdictional levels, by configuration, including separate totals for each party in primary elections), I.4.4.4.d (separate accumulation of overvotes and undervotes for each contest, by tabulator, precinct, and additional jurisdictional levels), and I.4.4.4.e (for paper-based systems, the total number of ballots both processed and unprocessable, and the total number of cards read).
All voting systems SHALL report the number of cast ballots in the precinct, election district, and system extent reporting contexts, both in total and broken down by ballot configuration.
Applies To: Voting system
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
In the case of 100 % DRE systems, it would suffice to provide a single total that is noted to represent both the number of cast ballots and the number of read ballots, since these are necessarily equal. Only when there is a tangible (i.e., paper) ballot is it possible to cast a ballot that is never read. There is no subrequirement for separate reporting of provisional cast ballots because the system is unlikely to know whether a ballot is provisional until it is successfully read.
All systems SHALL report the number of read ballots in each reporting context (tabulator, precinct, election district, and system extent), both in total and broken down by ballot configuration.
Applies To: Voting system
Test Reference: Part 3: 4.6 “Logic Verification”, 5.2 “Functional Testing”
Systems that include paper-based devices SHALL, if there are multiple card/page ballots, report the number of cards/pages read in each reporting context (tabulator, precinct, election district, and system extent), both in total and broken down by ballot configuration.
Test Reference: Part 3: 5.2 “Functional Testing”
Systems conforming to the primary elections class SHALL report separate totals for each party in primary elections.
Applies To: Primary elections
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
This requirement to report by party applies only to the number of read ballots. It does not apply to contest choice vote totals.
Systems conforming to the provisional-challenged ballots class SHALL report the number of provisional-challenged read ballots in each reporting context (tabulator, precinct, election district, and system extent), both in total and broken down by ballot configuration.
Applies To: Provisional-challenged ballots
Test Reference: Part 3: 5.2 “Functional Testing”
All systems SHALL report the number of counted ballots in each reporting context (tabulator, precinct, election district, and system extent), both in total and broken down by ballot configuration.
Applies To: Voting system
Test Reference: Part 3: 4.6 “Logic Verification”, 5.2 “Functional Testing”
DISCUSSION
See also Requirement Part 1: 7.8.3.2-D, which breaks down counted ballots by contest.
Systems conforming to the primary elections class SHALL report separate ballot counts for each party in primary elections.
Applies To: Primary elections
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
This requirement to report by party applies only to the number of counted ballots. It does not apply to contest choice vote totals.
Systems conforming to the provisional-challenged ballots class SHALL report the number of provisional-challenged counted ballots in each reporting context (tabulator, precinct, election district, and system extent), both in total and broken down by ballot configuration.
Applies To: Provisional-challenged ballots
Test Reference: Part 3: 5.2 “Functional Testing”
All systems SHOULD report the number of blank ballots (ballots containing no votes) that were counted in each reporting context (tabulator, precinct, election district, and system extent), both in total and broken down by ballot configuration.
Applies To: Part 3: 5.2 “Functional Testing”
DISCUSSION
Some jurisdictions find this information to be useful. Blank ballots sometimes represent a protest vote.
All systems SHALL report the number of counted ballots for each relevant N-of-M or cumulative voting contest, in each reporting context (tabulator, precinct, election district, and system extent), per the definition of K(j,r,tE) in Part 1: Table 8-2.
Applies To: Voting system
Test Reference: Part 3: 4.6 “Logic Verification”, 5.2 “Functional Testing”
DISCUSSION
See definition of relevant contest in Appendix A.
This is by contest, while Requirement Part 1: 7.8.3.2-C is the overall count. The count by contest could be inferred from the other counts that are broken down by ballot configuration, but providing this figure explicitly will make it easier to account for every vote per Part 1: 8.3.3 “Cumulative voting”.
N-of-M in this requirement includes the most common type of contest, 1-of-M.
7.8.3.3 Vote totals
For the source of these requirements, please see the note in Part 1: 7.8.3.2 "Ballot counts".
All systems SHALL report the vote totals for each contest choice in each relevant N-of-M or cumulative voting contest, in each reporting context (tabulator, precinct, election district, and system extent), per the definition of T(c,j,r,tE) in Part 1: Table 8-2 and Part 1: 8.3.3 “Cumulative voting”.
Applies To: Voting system
Test Reference: Part 3: 4.6 “Logic Verification”, 5.2 “Functional Testing”
DISCUSSION
See definition of relevant contest in Appendix A.
N-of-M in this requirement includes the most common type of contest, 1-of-M.
All systems SHALL report the number of overvotes for each relevant N-of-M or cumulative voting contest, in each reporting context (tabulator, precinct, election district, and system extent), per the definition of O(j,r,tE) in Part 1: Table 8-2 and Part 1: 8.3.3 “Cumulative voting”.
Applies To: Voting system
Test Reference: Part 3: 4.6 “Logic Verification”, 5.2 “Functional Testing”
DISCUSSION
See definition of relevant contest in Appendix A.
N-of-M in this requirement includes the most common type of contest, 1-of-M.
[VSS2002] required the reporting of overvotes even on 100 % DRE systems where overvoting is prevented (Requirement Part 1: 3.2.2.1-A); that requirement is retained here, though it may be redundant.
Overvotes are defined in Part 1: 8.3 “Logic Model (normative)”. Consistent with the definition of undervotes (see Requirement Part 1: 7.8.3.3-C), the count is of votes lost to overvoting, not of ballots containing overvotes. This means that a ballot that overvotes an N-of-M contest would contribute N to the count of overvotes for that contest.
All systems SHALL be capable of producing a consolidated report of the combination of overvotes for any contest that is selected by an authorized official (e.g., the number of overvotes in a given contest combining candidate A and candidate B, combining candidate A and candidate C, etc.).
Test Reference: Part 3: 5.2 “Functional Testing”
Source: From [VSS2002] I.2.2.6.h and I.2.5.3.1.e
All systems SHALL report the number of undervotes for each relevant N-of-M or cumulative voting contest, in each reporting context (tabulator, precinct, election district, and system extent), per the definition of U(j,r,tE) in Part 1: Table 8-2 and Part 1: 8.3.3 “Cumulative voting”.
Applies To: Voting system
Test Reference: Part 3: 4.6 “Logic Verification”, 5.2 “Functional Testing”
DISCUSSION
See definition of relevant contest in Appendix A.
N-of-M in this requirement includes the most common type of contest, 1-of-M.
Undervotes are defined in Part 1: 8.3 “Logic Model (normative)” as needed to enable accounting for every vote. Counting ballots containing undervotes instead of votes lost to undervoting is insufficient.
Systems conforming to the ranked order voting class SHALL report the contest choice vote totals for each ranked order contest for each round of voting/counting at the system extent level.
Applies To: Ranked order voting
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
This requirement is minimal. Since ranked order voting is not currently in wide use, it is not clear what must be reported, how bogus orderings are reported, or how it would be done in multiple reporting contexts. See Part 1: 7.7.2.5 “Logic for ranked order voting”.
Systems conforming to the in-person voting class SHALL include all votes collected from In-person voting in the consolidated reports.
Applies To: In-person voting
Test Reference: Part 3: 4.6 “Logic Verification”, 5.2 “Functional Testing”
DISCUSSION
"Include" simply means that the final totals must reflect them. It does not entail separate totals for the different kinds of votes.
Systems conforming to the absentee voting class SHALL include all votes from absentee ballots in the consolidated reports.
Applies To: Absentee voting
Test Reference: Part 3: 4.6 “Logic Verification”, 5.2 “Functional Testing”
DISCUSSION
"Include" simply means that the final totals must reflect them. It does not entail separate totals for the different kinds of votes.
Systems conforming to the write-ins class SHALL include all write-in votes in the consolidated reports.
Applies To: Write-ins
Test Reference: Part 3: 4.6 “Logic Verification”, 5.2 “Functional Testing”
DISCUSSION
"Include" simply means that the final totals must reflect them. It does not entail separate totals for the different kinds of votes.
Systems conforming to the provisional-challenged ballots class SHALL include all votes from accepted provisional/challenged ballots in the consolidated reports.
Applies To: Provisional-challenged ballots
Test Reference: Part 3: 4.6 “Logic Verification”, 5.2 “Functional Testing”
DISCUSSION
"Include" simply means that the final totals must reflect them. It does not entail separate totals for the different kinds of votes. See also Requirement Part 1: 7.7.2-A.4, Requirement Part 1: 7.8.3.2-B.3 and Requirement Part 1: 7.8.3.2-C.2.
Systems conforming to the review-required ballots class SHALL include all votes from accepted reviewed ballots in the consolidated reports.
Applies To: Review-required ballots
Test Reference: Part 3: 4.6 “Logic Verification”, 5.2 “Functional Testing”
DISCUSSION
"Include" simply means that the final totals must reflect them. It does not entail separate totals for the different kinds of votes.
7.8.4 Procedures required for correct system functioning
The requirements for voting systems are written assuming that these procedures will be followed.
Ballot accounting: All precincts must account for all ballots pursuant to the current best practices for ballot accounting.
Label unofficial reports: Any unofficial reports must be clearly labeled as unofficial. ([VSS2002] I.2.5.4.c, converted to procedural requirement.)