http://www.wheresthepaper.org/VSSpassed060420comments.htm

Comments by Teresa Hommel

May 25, 2006

 

Overall:

 

1. There is no arm’s length relationship between buyer and seller. These regulations describe a process that is dependent on vendor honesty as well as a degree of competence that no computer scientist has ever claimed to have – the ability to guarantee that a major software product contains no malware.

 

2.  It is improper to fail to examine the entire system to confirm that no unnecessary components are present, and to ensure that all components are examined, have a known purpose, and have no insecure relationships or interactions with other components. The State Board makes clear that they will not examine the entire system, but only those parts that the vendor identifies as related to functionality. This opens the possibility that other components will be present in certified systems, such as components to enable wireless communication, which is banned by New York state law. The presence of additional components would be both improper and unnecessary, since these are single-purpose systems.

 

3. The regulations are vague enough to enable a thorough and careful process, as well as a shoddy and superficial process.

 

4. The underlying premise of these regulations is that by examining a computer system today, you can ensure that it will function properly and securely tomorrow. This is false for computers as well as for cars and any other complex modern product.

 

 

Subtitle V of Title 9 of the Official Compilation of Codes, Rules and Regulations of the State of New York is hereby amended by repealing Part 6209, and by adding thereto a new Part, to be Part 6209, to read as follows:

 

SUBTITLE V

Part 6209

Voting Systems Standards

 

Section 6209.1 Definitions.  The terms used in this part shall have the significance herein defined unless another meaning is clearly apparent in language or content.

 

1.  Acceptance Test means a test conducted by the county board and the State Board, to demonstrate that each voting system delivered, when installed in the user's environment, meets all functional requirements and contains exactly the same components as the voting system of that type, which received certification from New York State, including but not limited to all hardware, programming (whether in the form of software, firmware, or any other kind), all files, all file system hierarchies, all operating system parts, all off-the-shelf hardware and programming parts and any other components.

 

Comment 1

Excellent definition of Acceptance Test. The procedures for accomplishing such tests should be set forth in the regulations.  
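
One way to carry out the comparison that definition 1 calls for, covering only the "all files, all file system hierarchies" part (hardware and firmware need other means). This is an added example, not part of the regulations or of the original comments; the directory trees, file names and helper functions are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Inventory every entry under root: relative path -> (kind, fingerprint).

    Directories are recorded as well, so that an extra empty directory (a
    change in the file system hierarchy) is reported. Symlinks are recorded
    by their target and are never followed.
    """
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            if full.is_symlink():
                manifest[rel] = ("symlink", os.readlink(full))
            elif full.is_dir():
                manifest[rel] = ("dir", "")
            elif full.is_file():
                manifest[rel] = ("file", sha256_file(full))
            else:
                manifest[rel] = ("special", "")
    return manifest


def compare(certified, delivered):
    """Report every difference between the certified and delivered manifests."""
    cert_paths, deliv_paths = set(certified), set(delivered)
    return {
        "missing": sorted(cert_paths - deliv_paths),
        "unexpected": sorted(deliv_paths - cert_paths),
        "modified": sorted(
            p for p in cert_paths & deliv_paths if certified[p] != delivered[p]
        ),
    }


def passes(report):
    """'Exactly the same components' means zero differences of any kind."""
    return not any(report.values())


def _write(root, rel, data):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        certified = Path(tmp) / "certified"
        delivered = Path(tmp) / "delivered"
        for root in (certified, delivered):
            _write(root, "bin/tabulator", b"tabulator build A")
            _write(root, "etc/ballot.cfg", b"style=1\n")
        # Present in the certified system only.
        _write(certified, "lib/printer.drv", b"printer driver")
        # Same path, different contents in the delivered unit.
        _write(delivered, "bin/tabulator", b"tabulator build B")
        # Components the certified system never had.
        _write(delivered, "lib/wireless.drv", b"extra driver")
        (delivered / "spool").mkdir()
        return compare(build_manifest(certified), build_manifest(delivered))


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        print(kind, paths)
    print("acceptance:", "PASS" if passes(report) else "FAIL")
```

The certified manifest has to be produced and held independently of the vendor for the comparison to mean anything.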

 

2.   Audio Voting Feature means a device that allows blind or visually-impaired persons, or persons with limited reach and/or hand dexterity, the ability to cast their vote.

 

Comment 2

2. Audio Voting Feature means a device that provides an audible presentation of voting instructions, ballot contents, and the voter’s choices, so that voters may choose to hear rather than visually read such information. 

 

3.   Auxiliary Components means any device, materials or equipment which is used to give assistance or aid to the actual voting device but is not a permanent or enclosed part of the voting device.

 

4.  Ballot Configuration (Layout) means the positioning on and/or linkage within the ballot (whether on a DRE or other display screen, or on paper), of all political party names and emblems, and names and emblems of all independent bodies, office titles, ballot proposals, and candidate names, and spaces for write-in candidates, in accordance with the requirements of the Election Law as to order and rotation.

 

Comment 3

“Linkage” is discussed below in definition 11.

 

5.  Calibration Test means a test prepared and conducted to determine and/or verify that the correct Sensitive Areas of a voting system, and their level of sensitivity function on an ongoing basis in the same manner as the certified system.   

 

6.  Canvass means a compilation of election returns and validation of the outcome that forms the basis of the official results by political subdivision. 

 

Comment 4

If a canvass includes validation of outcomes, then the canvass procedure must be revised to describe how the 3% spot check of DREs will be done, and how to deal with challenges by candidates, etc.

 


7.  Central Count Paper-Based System means a voting system that uses an optical scan technology to record and tabulate votes from multiple election districts at a county board office, including all absentee, emergency, affidavit and other such paper ballots.

 

Comment 5

This term is not used in these regulations. Presumably such a system would use paper ballots for all voters. Rather than use an optical scanner in the poll site to check the ballots for overvotes, all ballots would be brought to the county board office for counting via a central count scanner.

 

8.  County Board means a county’s Board of Elections, including the Board of Elections in the City of New York.

 

9.  DRE means a direct recording electronic voting system in which, through a touch-screen, push-button, or other electronic mechanism, a vote is immediately recorded onto electronic media, by means of a ballot display provided with mechanical or electro-optical components, or an ultrasonic, capacitative or other touch screen, which is activated by the voter.  Styles include bubble switch ballot overlay and touch-screen-style machines.

 

10.  Election Assistance Commission (EAC) is the commission established by the Help America Vote Act of 2002, which serves as a national clearinghouse for information and the review of procedures with respect to the administration of federal elections.

 

11.   Election Configuration means the file or files created by the election management software including but not limited to the following data used to program polling place and central count voting systems: definition of jurisdictional information (e.g., counties, local legislative, congressional or election districts),  both electronic and paper ballot content and artwork (e.g., ballot text, voting positions), definition of races (e.g., elected offices, candidates, number to vote for, propositions, or other types that control voting in other races on the ballot, definition of voter groups (e.g., by party, absentee, non-absentee), ballot styles, linkage of candidates to their respective parties and races, linkage of races to their respective jurisdictions, linkage of ballot text to database labels to produce results reports, and allocation of trans-district vote tallies to their constituent districts for reporting purposes.

 

Comment 6

“linkage of ballot text to database labels to produce results reports” is one place where errors can change the outcome of an election.

 

12.  Election Management Software (EMS) means the software used by the voting system to describe ballot layout, collect and report election results, and maintain audit trails.

 

Comment 7

a. Errors in the EMS programming to collect and report election results can affect the outcome of elections.

b. What does it mean to “maintain audit trails”?

 

13.  Environmental Conditions means the effect of natural environmental conditions such as: temperature, humidity, dust and induced environmental conditions such as handling, storage or transportation which may affect the operation of the system and/or equipment.

 

14.   Escrow Account means an account and/or a secure facility held by a third party, which shall be approved by the State Board, for the purpose of taking custody of all materials required to be put in escrow by statute or by these voting system standards.   

 

15. Firmware means a computer program stored in read-only memory (either programmable or non-programmable), that becomes a permanent part of the computing device that is not subject to change or modification without review by the State Board.  

 

Comment 8

a. Firmware means a computer program stored in read-only memory (either programmable or non-programmable).

b. The definition should not say that firmware is a “permanent part” or that it is “not subject to change or modification without review by the State Board” because permanence, change and modification, and review by the State Board are not inherent characteristics of firmware. These things depend on how the computer system is handled. Any person with modest knowledge of a computer system can replace, change, or modify firmware.

 

16.   Hardware means the actual voting or ballot counting device.

 


 


17.  Header Card (or Header Sheet) means a marksense card or sheet upon which appears printed information used to identify a particular batch of ballots, usually those for a single election district.  It is placed at the beginning of the batch for vote tabulation to ensure that the votes cast on those ballots are correctly attributed.  Cards placed at the end of a particular batch of ballots are called End Cards.

 

18.  Maintenance Log means a written and/or electronic record which contains all information relating to performance of scheduled and non-scheduled maintenance on a voting system, all service visits performed by the vendor or manufacturer, and other maintenance or service performed by any other provider of service, including county and state board employees.

 

19.   Marksense means a system by which votes are recorded by means of marks made in voting response fields designated on one or both faces of a ballot or ballot cards.  Marksense systems may use an optical scanner or similar sensor to read the ballots.  Also known as Optical Scan.

 

20.  Modification means any change in the software, firmware or hardware, data storage location of files, or any other component of the voting system, and shall require re-examination of certified system or equipment by the State Board.

 

Comment 9

This definition may be in conflict with Section 6209.6 (2), page 18, where the phrase “shall be subject to re-examination” may not mean “shall be re-examined.”

 

21.  Optical Scan Voting System means a voting system in which a voter records his or her vote by placing a mark in a designated voting response field on a paper ballot or card, which is read and tabulated using optical-scan technology or a mark-sense system that reads the paper ballot or card by scanning the ballot and interpreting the contents.  Styles include precinct-based and central-count paper-based systems.

 

Comment 10

“interpreting the contents” may allow use of bar-codes to represent the votes, which are then handled via the bar codes rather than the voter’s marks. If bar codes are used, then the voter no longer can know whether their votes are correctly recorded or counted, because the voter cannot easily read the bar codes and verify that they indicate the same votes as the voter’s marks.

 

22.  Operational Manual means a manual of all procedures involved in every phase of the operation and use of the voting system by board of elections personnel, including but not limited to unpacking and acceptance testing, storing, installing all programming, operations testing, preparing for an election, servicing and maintaining, trouble-shooting and repairing, packing and shipping to poll sites, and returning to the county board’s facilities, and including all operational procedures for the set-up of the ballot, opening of the polls, use for voting, closing the polls, and canvassing the count. 

 

Comment 11

This definition seems to say that there will be one manual with all this information. Such a manual would be very large. It is more likely that there will be many manuals, which together will have all this information. Section 6209.6 (2) (b) (iv), page 18, lists “operator manual, user manual and software maintenance manual.” Section 6209.6 F. (2) lists the users of documentation as “voter, the operator, maintenance technicians, and other appropriate county board personnel.”

 

23.   Paper-based Voting Systems means any electronic or computerized ballot counting system or equipment which tabulates and reports votes cast on paper ballots.

 

Comment 12

a. The definition of paper-based voting systems should not be written in a way that prevents the use of hand-counts.

b. If computers are used, there will be more parts than those that tabulate and report.

 

24.  Pneumatic Switch means a device which allows persons with certain disabilities the ability to cast their vote.

 

Comment 13

Pneumatic Switch means a device which allows persons with certain disabilities the ability to interact with a voting or ballot-marking device through the use of breath.

 


25.  Pre-qualification test means a predetermined set of tests of the total voting system throughout the election process including votes and vote totals prepared by the State Board.  Such votes shall be entered into the voting system in the same manner as they will be entered by voters during an election.  If a voting system offers several methods for votes to be entered, such as touch-screen, push-button, or other electronic mechanism, a key pad and/or pneumatic switch for voters with disabilities, or alternate language displays, then the pre-determined set of votes shall be entered separately using each method and language display.  The results of the casting of said votes and all voting system logs shall be extracted from the system as though during normal use in an election, and the results and logs shall be compared to the predetermined results of the test votes and vote totals prepared by the State Board.

 

Comment 14

a. It is unclear whether predetermined contents of logs can be prepared, but the definition is good to indicate that the logs must be examined.

b. Accuracy criteria for passing the test must be specified. Otherwise the test becomes merely a ritual ceremony, and regardless of how many errors are detected the system can pass.

 

26.   Printout means the printed copy of zero totals, candidate names and offices and other information produced by the voting equipment prior to the official opening of the polls and the tabulation of votes cast for each candidate and question, the names of candidates and the offices for each candidate and other information provided after the official closing of the polls.

 

27.   Resident vote tabulation means the manufacturer's internal firmware which shall permanently reside on the voting system’s central processing unit, registering, accumulating, and storing votes and ballot images.

 

Comment 15

a. Resident vote tabulation programming means a DRE’s internal programming which  registers, accumulates, and stores votes and ballot images.

b. Will such programming always be in firmware? In the CPU? Does it matter?

 

28.   Resident memory means the internal memory of the voting system that stores election results and ballot images but is prohibited from storing executable code on removable media. 

 

Comment 16

Resident memory means the internal memory of the voting system. These regulations require election results and ballot images to be stored in resident memory and prohibit storing executable code on removable media.

 

29.  Software means any programming instructions used by the vote counting system, including but not limited to system programs and application programs.  System programs include but are not limited to the operating system, control programs, communication programs, database managers, and device drivers.  Application programs include but are not limited to, any program that processes the data.   

 

Comment 17

a. Software means any programming instructions used by a computer system….

b. It is regrettable that NY State law and these regulations do not ban all communications capability in electronic voting and vote tabulating equipment.

 

30.  Source Code means the computer program in its original form, as written by the programmer.  Source Code is not executed by the computer directly, but is converted into machine language by compilers, assemblers and interpreters. 

 

31.   State Board means the New York State Board of Elections.

 

32.   Tactile Discernible Controls means a voting feature which allows persons with limited reach and/or hand dexterity, the ability to cast their vote, for example: raised buttons of different shapes and colors, large or raised numbers or letters, and light pressure switches.


 

33.   Test Deck means a pre-audited group of ballots prepared for each election.  The ballots are voted with a pre-determined number of valid votes for each candidate, each write-in position, and each voting option on every proposal that appears on the ballot as certified by the county board.  The deck includes one or more ballots that have been improperly voted, or which are voted in excess of the number allowed by law, and one or more ballots on which no votes are cast, in order to test the ability of the system to recognize and/or notify of an under or overvote.  It also includes one or more ballots on which two or more votes are cast for a candidate whose name appears on the ballot more than once for the same office in order to test the ability of the system to count only the first of such votes for the candidate.  If there is more than one ballot style for an election, a separate test deck is created for each ballot style.

 

Comment 18

a. The federal Help America Vote Act requires voter notification of overvotes, but not undervotes.

b. When one candidate’s name appears on the ballot more than once, the first of such votes is counted. This bears on the party which receives credit for the vote.

 

34.   Testing laboratory means a certified private or public laboratory used to perform tests on the voting systems and related equipment.

 

Comment 19

Certified by whom?

 

35.   Vendor shall include any manufacturer, company or individual who seeks to sell voting systems and/or services for such systems in New York State.

 

36.   Voting Position means the specific voting response area on the face of the displayed ballot where a selection is made for a candidate or proposal.

a.  Ballot Position means the area on the ballot or ballot display occupied by one candidate or position on an issue, including the area devoted to the candidate name or position on the issue and the sensitive area, as defined immediately below.

b.  Sensitive Area means the area on the ballot or ballot display which may be pressed, touched, or marked in order to cast a vote which, in some cases, may be the entire position, while in other cases it may be limited to the voting target (as defined immediately below) on a paper ballot or push button on a full-face DRE machine.

c.   Voting Target means the area of a paper ballot which the voter is asked to mark in order to cast a vote; typically an oval, square or a fragmented arrow.  

 

Comment 20

What is the difference between a “voting position” and a “ballot position”?

 

37.  Voting System means the total combination of mechanical, electro-mechanical, or electronic equipment, and any ancillary equipment and all software, firmware, and documentation required to program, control, and support the equipment, all of which is used to define ballots, cast and count votes, report and/or display election results, and maintain and produce any audit trail information.

 

Comment 21

a.  This definition omits “entering votes.” In a paper ballot system, the marking of the paper ballot by the voter is part of the “voting system.”

b. This definition conflicts with HAVA section 301 by omission of various “practices”:

 

    (b) Voting System Defined.--In this section, the term "voting system" means--

            (1) the total combination of mechanical, electromechanical, or electronic equipment (including the software, firmware, and documentation required to program, control, and support the equipment) that is used--

                    (A) to define ballots;

                    (B) to cast and count votes;

                    (C) to report or display election results; and

                    (D) to maintain and produce any audit trail information; and

            (2) the practices and associated documentation used--

                    (A) to identify system components and versions of such components;

                    (B) to test the system during its development and maintenance;

                    (C) to maintain records of system errors and defects;

                    (D) to determine specific system changes to be made to a system after the initial qualification of the system; and

                    (E) to make available any materials to the voter (such as notices, instructions, forms, or paper ballots).

 

38.  Voting System Supporting Software means the vendor-supplied software used to configure and control the election day tabulation and accumulation of election results. 

 

39.   VVPAT means a voter verifiable paper audit trail.

 

Comment 22

Since state law uses the term “voter verifiable paper audit record” these regulations should consistently use that term also.

 

 

Section 6209.2 Polling Place Voting System Requirements

 

A.  In order for a polling place voting system to be considered by the State Board for certification, it must comply with the mandates of New York State Election Law, and  meet the Election Assistance Commission’s 2005 Voluntary Voting System Guidelines to the extent that they are consistent with state law and these regulations.  Such polling place voting systems shall meet the following requirements:

 


(1) Provide a full ballot display on a single surface, except that proposals may appear on the reverse side of any paper ballot, and that such ballot display is easily visible under typical lighting found in a poll site.

 

(2)  For jurisdictions within the State of New York that have been identified by the U.S. Department of Justice, as requiring that ballots be provided in alternate languages, pursuant to Section 203 of the Voting Rights Act, 42 USC 1973aa-1a.  Voting systems must be able to recognize and interpret alternate language ballots. 

 

(3) Provide a device that produces and retains a voter-verifiable permanent paper record, pursuant to statute, which the voter can review and/or correct prior to the casting of their vote.  In the case of a paper-based voting system, the ballot marked by the voter shall constitute the paper record referred to in Section F. The paper record shall allow a manual audit and allow for preservation in accordance with the provisions of Election Law, Section 3-222.

 

(4) Provide a device or means by which the record of the votes cast on the machine can be printed and visually reviewed after the polls are closed.

 

Comment 23

Does “the record of the votes” mean the tallies?

 

(5) Provide a battery power source in the event that the electric supply used to make the voting system equipment function, is disrupted.  The battery power source shall  operate the system and allow for the casting of votes for a period not less than 2 hours, to ensure that the system can shut down and preserve the integrity of votes cast prior to the power failure, and can resume functionality when power is provided or restored without significant or intrusive power-up procedures.  Such batteries must be rechargeable and have minimum five-year life when used under normal conditions.  In the event of a power failure, the equipment shall perform a normal shut-down not less than one hour before battery power is depleted, and shall notify the election inspector that the system will do so.

 

Comment 24

a. Will these battery-related requirements be tested (two hour function, preserve the votes cast prior to power failure and shut-down, resume functionality without significant or intrusive power-up procedure, notification of election inspector)?

b. Will election inspectors be required and instructed to print a tally report prior to shut-down, or will systems be required to automatically print such a tally report  prior to shut-down?

c. If power is restored prior to “one hour before battery power is depleted” will systems keep working and automatically recharge their batteries?

 

(6) The system shall contain software and hardware required to perform a diagnostic test of system status, and a means of simulating the random selection of candidates and casting of ballots in quantities sufficient to demonstrate that the system is fully operational and that all voting positions are operable.

 

Comment 25

It is impossible for software and hardware to perform a test to demonstrate that it is fully operational and that all voting positions are operable. See

http://www.wheresthepaper.org/NoAutomatedTests.htm      

 

(7) The system shall incorporate multiple memories, including resident vote tabulation, storage of results and ballot images in resident memory, serving as a redundant means of verifying or auditing election results and ballot images, and further, the system shall be required to alert the election day worker that memory capacity is about to be reached. 

 

Comment 26

a. A contemporary rule of good design says that there should be only one copy of any data because when multiple copies are maintained it is so common that, due to mistakes in programming, the copies become different.

b. Usually computers have one memory regardless of how many copies of anything are stored there.

c. Verifying and auditing election results and ballot images must be done by use of the voter-verified printout, because a meaningful audit cannot be done by inspecting multiple copies of information from computer memory.

 

(8) In a DRE voting system, the system must prevent voters from overvoting and indicate to the voter specific contests or ballot issues for which no selection or an insufficient number of selections has been made.  In a paper-based voting system, the system must indicate to the voter specific contests or ballot issues for which an overvote or undervote is detected. 

 


(9)  The voting system shall provide a method for write-in voting and shall report the number of votes cast in each contest in write-in voting positions.

 

(10) The voting system shall be capable of accumulating and reporting a count of the number of ballots tallied for an election district and votes cast for each candidate, and the total vote for or against each ballot proposal, and shall be capable of separating and tabulating those election district totals to produce a report of the total of ballots tallied by groups of election districts such as legislative districts or wards.

 

Comment 27

For poll-site-based optical scan systems, tallies by election district (ED) would require the ED to be recorded in scanner-readable form on each paper ballot.

 

B.  In addition to the requirements of subdivision (A) of this section, fully-accessible voting equipment certified by the State Board shall meet the following requirements for usability by voters who are disabled:

 

(1) The voting system or equipment shall be equipped with a voting device with tactile discernible controls, pursuant to Election Law Section 7-202.  Such controls shall allow persons with limited reach and/or hand dexterity, the ability to cast their vote, and shall include, for example: raised buttons of different shapes and colors, large or raised numbers or letters, and light pressure switches.

 

(2) The voting system or equipment shall be equipped with an audio voting feature, pursuant to Election Law Section 7-202.  The audio feature shall be able to be used either independently or simultaneously with the on-screen display.

 

(3) The voting system or equipment shall be capable of being equipped with a pneumatic switch, pursuant to Election Law Section 7-202.  

 

C.  Standards for noise level

 

(1) Voting systems or equipment to be certified by the State Board shall be constructed in a manner so that noise levels of the system or equipment during operation will not interfere with the duties of the election inspectors or the voting public.

 

(2) The noise level of write-in components of the system or equipment shall be so minimal that it will be virtually impossible under normal conditions for someone at the table used by the inspectors of elections to determine that a write-in vote is being cast or has been cast.

 

D.  Standards for voter privacy

 

(1) Voting systems or equipment shall be constructed so that no one within the polling site will be able to see how a voter is casting a vote. 

 

(2) Curtains, screens, shields or other privacy devices shall be designed so as to allow any voter, either electronically or manually, to open, close or otherwise use the device with ease when entering and exiting the system or equipment.

 


 


E.  Environmental Standards

 

The voting system shall be designed to protect against dust and moisture during storage and transportation.  Testing shall be similar to the procedure of MIL-STD-810F, Method 510.4,  for dust, and MIL-STD-810F, Method 506.4 for moisture.  These tests are intended to evaluate exposure to these elements when the system or equipment  is in a non-operating configuration and the equipment or system’s required protective cover is in place.

 

F.  Voter Verified Paper Audit Trails (VVPAT)

 

(1) The voting system shall print and display a paper record of the voter’s ballot choices prior to the voter making the ballot choices final.  In the case of a paper-based voting system, the ballot marked by the voter shall constitute the paper record referred to in this Section F.

 

(a) The paper record shall constitute a complete record of ballot choices that can be used in audits of the accuracy of the voting systems electronic records, in audits of the election results, and in full recounts.

 

(b) In the case of a DRE voting system, the paper record shall contain all information stored in the electronic record.

 

Comment 28

a. What information is envisioned by this requirement? Will DREs record the ED? A random number generated for each voter?

b. This provision should also require all information to be printed in an easily human-readable form so that bar-codes are not used to circumvent the requirement for VVPAT (the voter verifies a human-readable record of his/her votes, but a bar code is also printed, and then the 3% state-mandated spot-check is done by a bar-code reader that counts the votes recorded in the bar code, which was not verified by the voter).  

 

(c) The voting system shall be capable of showing the information on both the display screen and the paper in a font size of 3.0mm, and should be capable of showing the information in at least two font ranges, a) 3.0-4.0 mm and b) 6.3-9.0 mm, under control of the voter.

 

Comment 29

One inch is 25.40 millimeters. 3.0-4.0 millimeters is approximately 1/8 to 1/6 inch. Few  people can read such small print. 6.3 millimeters is almost 1/4 inch. Will poll workers know how to set the size? Will voters be instructed how to enlarge the size prior to printing their VVPAT? Or will voters be embarrassed and discouraged from verifying their printout by the small print size?

 

(d) In the case of a DRE voting system, the paper and electronic display of the voter’s selections shall be presented and positioned so as to allow the voter to easily read and compare the two.

 

Comment 30

Does this requirement prohibit hip-level printouts? Does it prohibit use of 3.0-4.0 mm fonts?

 

(e) If the paper record cannot be displayed in its entirety, a means for moving the paper to show all paper record contents shall be provided.

 

Comment 31

The paper must be able to be moved both forward and backward.

 

(2) There shall be instructions for performing the verification process made available to the voter in a location on the voting system.

 

Comment 32

Conveniently visible location? Visible during voting or only on the outside of the booth? Will poll workers be trained to remind voters to verify and show them where the printer is? The best way to encourage verification is to have the DRE screen display a statement such as "I have verified that the paper printout matches my selections" with a big “YES” button that voters have to press to be able to go on and cast their vote.

 

(3) The voting system shall display, print, and store a paper record in any of the alternative languages chosen for making ballot selections.  Candidate names and other markings not related to the ballot selection on the paper record shall appear in English.

 

(4)  The voting system shall allow the voter to approve or reject the paper record, in the case of DRE systems, marking the ballot as such in the presence of the voter.

 

page 8

page 9

 

 (a) Any DRE voting system shall provide a means to reconcile the number of rejected paper records with the number of occurrences of rejected electronic selections, and procedures shall be in place to address any discrepancies.

 

Comment 33

a. Addressing discrepancies between the number of rejected paper and electronic ballots in a meaningful way would require someone to know quite a lot about the computer system. Perhaps this provision means merely that someone with authority will say, “Well, they were different. But with either number the outcome of the election would not be affected.”

b. When a computer malfunctions, everything should be checked. The regulations should make such a discrepancy a reason for decertification.

 

(b) Prior to reaching the maximum number of ballots allowed pursuant to statute, any DRE voting system shall display a warning message to the voter indicating the voter may reject only one more ballot, and that the third ballot shall become the ballot of record.

 

Comment 34

a. In other states, voters have reported having to enter their votes as many as 8 or 9 times before the DRE accepted the vote as entered (rather than switching the vote to another candidate).

b. The law and these regulations should not make the assumption that the DRE is correct and that the voter is making errors. Paragraph (5) below should say “prevent voter review or approval”.

c. Paragraph (6) below should explicitly enable voters to request an emergency ballot, and should require the DRE to be taken out of service. Voters and poll workers must be trained in procedures for such a possibility, and this must be in the instructions to the voter mentioned in paragraph (2) above.

 

(5)  In case of conditions that prevent voter review of the paper record, there shall be a means for the voter to notify an election official, and in the case of a DRE voting system, shall cause an error message to be displayed and shall prevent the recording of the electronic record.

 

(6) In the case of a DRE voting system, procedures by which an election official can be notified and prescribed actions can be taken to address discrepancies if a voter indicates that the electronic and paper records do not match, shall be documented.

 

Comment 35

Such procedures should not only be documented; they must be posted in the polling place and made part of the training for poll workers and voters.

 

(7)  The voting system shall not record the electronic record as being approved by the voter until the paper record has been stored.

 

Comment 36

DRE systems must display notification to the voter when the ballot has been cast electronically and voting is finished for that voter. If voters are not instructed how to determine that they have finished voting, then after a voter leaves the electronic voting booth, others can enter the booth, change votes, and then cast the ballot. There are allegations that this has happened in other states.

 

(8)  Vendor documentation shall include procedures for returning a voting system to correct operation after a voter has used it incompletely or incorrectly; this procedure shall not cause discrepancies between the tallies of the electronic and paper records.

 

(9) The voter’s privacy and anonymity shall be preserved during the process of recording, verifying, and auditing ballot choices.

 

(a) The privacy and anonymity of the voter’s verification of ballot choices and the creation and storage of these choices, both electronically and on paper record,  shall be maintained. 

 

(b) The privacy and anonymity of voters whose paper records contain any of the alternative languages chosen for making ballots selections shall be maintained.

 

(c) Information for the purposes of auditing the electronic or paper records that may permit a voter to reveal his or her ballot choices shall be displayed so as not to be memorable to the voter.

 

Comment 37

See also comment 28. This provision may be an invitation to the use of bar codes and circumvention of the legal requirement for 3% spot-check manual audits. All information on the VVPAT should be easily human-readable and understandable to the voter.

 

(10)  The voting system’s ballot records shall be structured and contain information so as to support highly precise audits of their accuracy.

 

Comment 38

Paragraph (11) below requires a unique random number to be associated with each DRE ballot, and subparagraph (b) below requires information to identify the ED, etc. The purpose of paragraph (10) is unclear.

 

(a) All cryptographic software in the voting system shall have been approved by the U.S. Government’s Crypto Module Validation Program (CMVP) as applicable.

 

page 9

page 10

 

 (b) This information shall contain, but not be limited to, the voting site/election district, type of election, ballot style, and whether the system is operating in a “test” mode.

 

Comment 39

a. Machine ID should be required to be included, since multiple DREs will be needed in most EDs.

b. It is not clear why there is a need to know whether a system is operating in “test” mode. Processes should be the same regardless of whether the system is being tested or used in a real election.

 

(11) In the case of a DRE voting system, the electronic and paper records shall be linked by including a unique identifier within each record that can be used to identify each record uniquely and correspond the two accordingly. 

 

(12)  The voting system shall generate and store a digital signature for each electronic record.  

 

Comment 40

Digital signature is not defined. Perhaps what is meant is “hash-code.”

The use of the digital signature should be set forth.

 

(13)  The electronic records shall be able to be exported for auditing or analysis on standards-based and/or information technology computing platforms.

 

Comment 41

“standards-based computing platform” should be defined.

 

(a) The exported electronic records shall be in an open, non-proprietary format.

 

(b) The voting system shall export the records accompanied by a digital signature of the collection of records, which shall be calculated on the entire set of electronic records and their associated digital signatures.

 

(c)  The voting system vendor shall provide documentation as to the structure of the exported records and how they shall be read and processed by software. 

 

(d) The vendor shall provide a software program that will display the exported records and such software may include other capabilities, such as providing vote tallies and indications of undervotes.

 

Comment 42

Perhaps paragraphs (10) through (13) and their subparagraphs are meant to describe how to secure and print electronic ballot records so they can be compared ballot by ballot to the VVPAT. If so, this should be explicitly stated. It is unclear what analysis is intended.
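One possible reading of paragraphs (11), (12) and (13)(b), as an added example that is not part of the regulations or of these comments: each record carries its own signature, the export carries a signature over all records and their signatures, and an auditor holding only the public key checks both. Ed25519, the record layout, the length-prefixed encoding, and all names and sample ballots are assumptions; the regulations name no algorithm or format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Record is a constructed stand-in for one exported electronic ballot record.
type Record struct {
	ID      string // unique identifier shared with the paper record, as in (11)
	Choices string // ballot content (constructed sample data)
	Sig     []byte // per-record signature, as in (12)
}

// Export is the exported collection plus one signature over the whole set, as in (13)(b).
type Export struct {
	Records []Record
	SetSig  []byte
}

// field appends a length-prefixed value so adjacent fields cannot be confused.
func field(buf, v []byte) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(v)))
	return append(append(buf, n[:]...), v...)
}

// recordMessage is the byte string that the per-record signature covers.
func recordMessage(r Record) []byte { return field(field(nil, []byte(r.ID)), []byte(r.Choices)) }

// setDigest hashes the record count, then every record with its signature, in order.
func setDigest(records []Record) []byte {
	h := sha256.New()
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(records)))
	h.Write(n[:])
	for _, r := range records {
		h.Write(field(recordMessage(r), r.Sig))
	}
	return h.Sum(nil)
}

// SignExport signs each record, then signs the digest of the complete set.
func SignExport(priv ed25519.PrivateKey, records []Record) Export {
	out := append([]Record(nil), records...)
	for i := range out {
		out[i].Sig = ed25519.Sign(priv, recordMessage(out[i]))
	}
	return Export{Records: out, SetSig: ed25519.Sign(priv, setDigest(out))}
}

var (
	ErrSet       = errors.New("collection signature invalid: records added, removed, reordered or altered")
	ErrRecord    = errors.New("record signature invalid")
	ErrDuplicate = errors.New("duplicate record identifier")
)

// VerifyExport is the auditor's check; it returns the offending record ID, if any.
func VerifyExport(pub ed25519.PublicKey, e Export) (string, error) {
	seen := map[string]bool{}
	for _, r := range e.Records {
		if seen[r.ID] {
			return r.ID, ErrDuplicate
		}
		seen[r.ID] = true
		if !ed25519.Verify(pub, recordMessage(r), r.Sig) {
			return r.ID, ErrRecord
		}
	}
	if !ed25519.Verify(pub, setDigest(e.Records), e.SetSig) {
		return "", ErrSet
	}
	return "", nil
}

// SampleExport builds a constructed three-record export from a fixed demo seed.
func SampleExport() (ed25519.PublicKey, Export) {
	seed := sha256.Sum256([]byte("constructed demo seed, not a real key"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	recs := []Record{
		{ID: "R-0001", Choices: "Contest A: Candidate 1"},
		{ID: "R-0002", Choices: "Contest A: Candidate 2"},
		{ID: "R-0003", Choices: "Contest A: undervote"},
	}
	return priv.Public().(ed25519.PublicKey), SignExport(priv, recs)
}

func main() {
	pub, e := SampleExport()
	_, err := VerifyExport(pub, e)
	fmt.Println("intact export:", err)
	_, err = VerifyExport(pub, Export{Records: e.Records[:2], SetSig: e.SetSig})
	fmt.Println("last record removed:", err)
}
```

Removing or reordering records leaves every per-record signature valid, so in this example only the collection signature reveals it.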

 

(14)  The voting system printers shall be physically secure from tampering.

 

(a)  The voting system shall communicate with its printers over a standard, publicly documented printer port using a standard communication protocol.

 

Comment 43

The word “communication” here is misleading and should be omitted.

 

(b)  The paper path between the printing, viewing and storage of the paper record shall be protected and sealed from access except by authorized election officials.

 

(c)  The printer shall not be permitted to communicate with any other system or machine other than the single voting system to which it is connected.

 

Comment 44

For systems that make use of telephone lines to connect their different parts, compliance with this requirement would probably be difficult to ascertain and impossible to enforce.

 

(d)  The printer shall only be able to function as a printer: it cannot store information or contain or provide any services that are not essential to system function, (e.g., provide copier or fax functions) or have network capability.

 

Comment 45

It is unclear how this would apply to the Avante system which uses a fax machine as a printer. It is unclear how it would apply to systems that use telephone lines to connect the different parts of the system.

 

(e) Printer access to replace consumables such as ink or paper shall only be granted if it does not compromise the sealed printer paper path.

 

Comment 46

If poll workers cannot load more paper in the printer, this may limit the number of voters per DRE to a very small number.

 


(f) Prior to the opening of polls on election day, poll workers shall

 

page 10

page 11

 

demonstrate that the ballot storage devices are empty.  The storage devices shall then be sealed and no further access shall be provided to polling place workers.

 

(g)  Tamper-evident seals or physical security measures shall protect the connection between the printer and the voting machine, so that the connection cannot be broken or interfered with without leaving extensive and obvious evidence.

 

(15)  The voting system’s printers shall be highly reliable and easily maintained.

 

(a)  The voting system should include a printer port to which a commercial off-the-shelf printer which complies with sub-section F(14) above, could be attached for  the purposes of printing paper records and any additional records.

 

(b)  The voting system shall detect errors and malfunctions such as paper jams or low supplies of consumables such as paper and ink that may prevent paper records from being correctly displayed, printed and stored.

 

(c)  If an error or malfunction occurs, the voting equipment attached to the defective printer shall suspend voting operations and shall present a clear indication to the voter and election workers of the error or malfunction.

 

(d)  There shall be adequate supplies of consumable items such as paper and printer ink on hand to operate from opening to closing of polls.

 

(i)  Printing devices should contain paper and ink of sufficient capacity so as not to require reloading or opening equipment covers or enclosures and circumvention of security features, or reloading shall be able to be accomplished with minimal disruption to voting and without circumvention of security features such as seals.

 

(ii)  Printer consumables shall be stored within the temperature and humidity ranges specified by the manufacturer and shall be stored in State Board-approved containers to protect them from sustaining any damage.

 

(e) The vendor shall make recommendations as to appropriate numbers of printers to be used in conjunction with the number of voting systems being utilized.  A sufficient number of replacement printers shall be available.

 

(16)  Vendor documentation shall include procedures for investigating and resolving malfunctions including but not limited to misreporting of votes, unreadable paper records, paper jams, low ink, mis-feeds and power failures.

 

Comment 47

Misreporting of votes would indicate programming errors in DRE software. What kind of procedures will vendors be able to suggest for this possibility? It would be appropriate to rescind certification of systems where printers misreport votes.

 

(17)  Vendor documentation shall include procedures for ensuring, in the case of malfunctions, that electronic and paper records are correctly recorded and stored.

 

Comment 48

Will poll workers be able to implement such procedures? Will technicians be stationed in each poll site? In case of some computer malfunctions, no procedure can ensure that electronic records are correctly recorded and stored. Writing a requirement into the regulations doesn’t make it feasible.

 

page 11

page 12

 


(18)  Protective coverings intended to be transparent on voting system devices shall be maintainable via a predefined cleaning process.  If the coverings become damaged such that they obscure the paper record, they shall be replaced.

 

(19)  The paper record shall be sturdy, clean, and of sufficient durability to be used for manual auditing and recounts conducted manually.  The paper record shall be able to be stored and remain fully readable without degradation for 22 months within the temperature and humidity ranges specified by the manufacturer, but at a minimum temperature range of at least from -20 degrees to 140 degrees Fahrenheit, and at a humidity as high as 98%. 

 

G.  Any submitted voting system’s software shall not contain any code, procedures or other material which may disable, disarm or otherwise affect in any manner, the proper operation of the voting system, or which may damage the voting system, any hardware, or any computer system or other property of the State Board or county board, including but not limited to ‘viruses’, ‘worms’, ‘time bombs’, and ‘drop dead’ devices that may cause the voting system to cease functioning properly at a future time.

 

Comment 49

The whole point of malware is that it is difficult or impossible to detect. Writing a requirement into the regulations doesn’t make it do-able.

 

H.  Any submitted voting system shall provide methods through security seals or device locks to physically secure against attempts to interfere with correct system operations.  Such physical security shall guard access to machine panels, doors, switches, slots, ports, peripheral devices, firmware, and software. 

 

I.  The system shall provide a means by which the ballot definition code may be positively verified to ensure that it corresponds to the format of the ballot face and the election configuration.

 

Comment 50

Isn’t this what logic and accuracy tests are for?

 

 

Section 6209.3    Additional Requirements for Voting Systems

 

A.  In addition to voting system requirements provided for elsewhere in these rules and regulations, paper-based systems shall:

 

(1) Allow the voter, at their choice, to vote a new ballot or submit the ballot ‘as is’.

 

(2) An over-vote in one or more office or ballot proposals shall not prevent the counting of all other offices or ballot proposals contained on the ballot.

 

(3) In the case of candidates who appear on one or more party lines, the system shall be capable of correctly counting the vote according to provisions of Election Law §9-112.

 

B.  Ballot specifications:

 

(1) As to the printing and arrangement of ballots, all ballots shall meet the requirements as to form and content provided in section 7-121 of the Election Law, and:

 

page 12

page 13

 


(2) ballots shall be printed in black print on a white background or on backgrounds of different colors to identify different types of ballots (i.e., emergency, affidavit, etc) or in the case of a primary, to identify ballots for each political party according to the color assigned to such party pursuant to law, and

 

(3) coding which is both machine readable and manually readable shall be used to identify different ballot styles, and

 

Comment 51

In order to provide tallies by AD/ED, there needs to be a way to encode AD/ED on the paper ballots also, since the same ballot style is used in multiple AD/EDs.

 

(4) ballots used in the paper-based voting system shall be able to be counted by hand as well as be counted by machine, and 

 

(5) The types of ballots used and their form, type size and arrangement must be approved by the State Board of Elections.

 

C.  For all paper-based voting systems, the system shall count a mark on a ballot that is in a:

 

(1) Sensitive Area for a candidate whose name is on the ballot;

 

(2) Sensitive Area designated for write-in voting for a write-in candidate; or

 

(3) Sensitive Area for a ballot proposal.

 

D.  With regard to the central counting of absentee, affidavit, emergency and special ballots, the requirements of 6209.2 (F)(1)(c-e), and (F)(2) not consistent with this section shall not apply.

 

Comment 52

a.  What is a special ballot?

b. These regulations should specify exactly which requirements shall not apply.

 

 

Section 6209.4  Application Process

 

A.  The Election Operations Unit shall forward an application form within one week from the date of receipt of a request from a vendor, together with a copy of applicable rules and regulations and a pre-qualification test format for both a general and primary election ballot program.

 

B.  Said vendor shall return completed ballot layouts based upon the pre-qualification test format to the Election Operations Unit.  Upon approval of the layouts, the vendor shall program such system or equipment and complete the pre-qualification tests for both ballot programs provided, and enter the simulated votes upon said system or equipment for each election program.

 

C.  The completed application shall be returned by the vendor applicant, with a printout of tabulated votes from the primary and general election pre-qualification tests as cast on the voting system equipment which the applicant requests to have certified.  The pre-qualification test programs shall be retained by the applicant for use in the certification process.


 

page 13

page 14

 


D.  The application and printouts shall be reviewed to determine if the voting system shall be considered for certification and the applicant shall be notified of such determination. 

 

Comment 53

Response time requirements are appropriate for each response to a vendor by the State Board.

 

E.  No application shall be deemed to be filed until all documentation required by these rules has been submitted to the State Board or its designee.

 

F.  A certified or bank check in the amount of $5,000 shall accompany such application, and be applied towards the actual cost of the examination. 

 

G.  Fees for the examination of a voting system shall be assessed against the vendor by the State Board based upon the cost to the State Board for examination of such voting system by an outside contractor, laboratory or other authorized examiner. 

 

Comment 54

“Outside contractor, laboratory or other authorized examiner”: The State Board should consult with New Yorkers for Verified Voting, VoteTrustUSA.org, or VerifiedVoting.org for suggestions for examiners.

 

H.  A vendor submitting an application shall affirm that;

 

(1)  the submitted voting system complies with all applicable rules adopted by the State Board, and with all applicable 2005 Federal Voting System Guidelines not inconsistent with state law or these regulations, and is suitable for use by voters;

 

Comment 55

It is the responsibility of the State Board to determine if a voting system complies with New York’s legal and regulatory requirements. This requirement erases the arm’s length relationship needed between buyer and seller, asks vendors to act as lawyers for the State Board, and is improper for that reason.

 

(2)  the vendor will quote and provide a statewide, uniform price for each unit of the voting system’s equipment, and;

 

(3)  the submitted voting system’s software does not contain any code, procedures or other material (including but not limited to ‘viruses’, ‘worms’, ‘time bombs’, and ‘drop dead’ devices that may cause the voting system to cease functioning at a future time), which may disable, damage, disarm or otherwise affect the proper operation of the voting system, any hardware, or any computer system or other property of the State Board or county board;

 

Comment 56

As comment 48 said, the whole point of malware is that it is difficult or impossible to detect. Making vendor executives submit sworn affidavits can put vendors on notice about legal consequences to malware in their products, but does not provide election integrity.

a. What is the enforcement and penalty if the affirmation is false?

b. What if the vendor uses the defense of “impossibility” because it is impossible to determine if software of such large size contains malware?

c. If vendors phrase their affirmations in terms of “to the best of my knowledge” then they can evade these requirements.

 

(4)  any submitted voting system provides methods through security seals or device locks to physically secure against attempts to interfere with correct system operations.  Such physical security shall guard access to machine panels, doors, switches, slots, ports, peripheral devices, firmware, and software. 

 

I.  All vendors shall submit with their application forms, sworn affidavits from the president, chief executive officer or chief operating officer of the vendor, disclosing any contributions made within the United States by any of those officers, by the vendor itself, or by any controlling shareholder to any political party or candidate for any office, within two years prior to the date the application is submitted.  After the submission of any application forms, or after the submission of any such affidavit, a vendor must submit to the Election Operations Unit, an affidavit at the end of each calendar quarter (March 31, June 30, September 30 and December 31), disclosing whether or not any new contribution has been made.   The submission of such affidavits shall be required throughout the period during which the system is certified in New York.   

 

Comment 57

This requirement should require such information from at least the year 2000 to the present date. HAVA became law on October 29, 2002. Vendors, lobbyists, etc. were active long before then to sell the idea of electronic voting to Congress. Let’s know who was in bed with whom. See

http://www.wheresthepaper.org/Newsday12_2000ElectionDebacle.htm

 

page 14

page 15

 


J.  All vendors shall submit with their application forms, information regarding past or pending court cases involving their voting systems or its major components, any evidence of fraud, faulty systems, or failure to correct past problems.

 

Comment 58

a. Rather than “evidence” this requirement should be for “allegations.” Evidence is a matter of opinion, but whether allegations have been made or not is simple fact.

b. A time period needs to be associated with this requirement.

c. This requirement needs to be associated with the voting systems whether or not owned by the vendor at the time allegations were made. Several vendors now are selling equipment that was owned by other companies when flaws were first identified. Such vendors can evade the intent of this requirement by asserting that the systems were not “theirs” at the time of the allegations.

 

 

Section 6209.5 Submission of Voting Systems Equipment.

 

A.  Voting systems considered for certification by the State Board shall be delivered to the State Board or its designee.  Such equipment shall include documentation, operation manual(s), auxiliary components and equipment used to program ballot layout, and any other additional equipment used in the operation of said voting system.

 

B.  Vendors submitting systems or equipment for certification must also provide additional systems to be used by the State Board for the purposes of the Voter Demonstration Test.  See Section 6209.6(G)(8).

 

Comment 59

The Voter Demonstration Test is in Section 6209.6 F (9) on page 27.

 

C.  If the voting systems equipment is certified by the State Board, the specific system or equipment and components examined by the State Board shall become the property of  the State Board for as long as the system or equipment is in use in the State or for such shorter period as the State Board shall so determine.  Voting systems or equipment not certified shall be disposed of pursuant to the vendor’s direction.

 

Comment 60

The State Board needs to retain each examined system that is certified if any such systems are in use in the state so that counties can compare the systems delivered to the examined certified system, as well as determine whether systems after maintenance or service are still the same as the examined certified system. This provision should give specific reasons why the State Board would not keep the examined certified systems that are in use in the state.

 

D.  The applicant shall provide service and normal maintenance of said system or equipment after certification and shall supply to the State Board, at no cost, any modification to the system or equipment for upgrading of any feature during the period that said system or equipment is offered for sale and use in the State.

 

Comment 61

This provision should say “offered for sale or is in use in the State.”

 

E.  The vendor shall provide, either at the time of submission or no later than the completion of certification testing by the State Board, a list of system proprietary and non-proprietary consumables, extended warranties, services, and other such items as may be considered by county boards for purchase, with the exception of programming, as county boards are prohibited from contracting with a vendor for programming services.  Such list shall become a component of the contract.

 

Comment 62

a. Where are County Boards prohibited from contracting with a vendor for programming services? Is it page 31, Section 6209.9 A (4) (e)?

b. Any services with regard to computer equipment that are not performed by, or closely observed by, bipartisan elections staff compromise the system. These are not mechanical lever machines which are difficult to compromise; these are computers where all future elections using all similar equipment can be compromised by one person with a few minutes’ access to one system. See Hursti Hack II. It is a failure of the federal certification process and federally certified “ITAs” that such weaknesses in computerized voting systems have not caused ITAs to refuse to certify such systems.

 

G.  The vendor shall disclose, in the application for certification, any pecuniary interest in or any direct or indirect control over any testing laboratory as defined herein or which may be used in connection with the certification or acquisition of any voting system.

 

Comment 63

This provision should require a report of all funds paid by the vendor to each ITA for any services at any time, and a description of the service and the product that was examined.

 


H.   Vendors shall make available to the State Board, in a quantity to be determined by the State Board, voting systems for the purpose of conducting a usability test, which will establish the minimum number of voting machines required in each polling place and the maximum number of voters that can vote on one voting machine during the course of an ordinary 15-hour election day.  The ballots to be used for this test shall include both primary and general election ballots, with ample candidate selection options and ballot proposal selections.  For the purposes of the usability test, voting shall occur by utilizing

 

page 15

page 16

 

all the devices which a voter may use to make their selections.  If a vendor has previously performed a usability test on the same or similar voting system which meets the requirements of this section, the State Board may consider the findings of same.  Whenever the State Board is satisfied that a voting machine or system’s usability analysis has provided adequate and accurate information relative to the requirements of Election Law Section 7-203.2, then the State Board may, in its discretion, accept such documentation as satisfaction of the usability test required by these regulations.

 

Comment 64

This provision gives discretion to the State Board to determine which voting machines or systems are “similar.” Since New York State has a unique set of requirements for full-face ballot display, voter verifiable printout, and accessible devices, presumably there are no systems similar to the ones created for New York. 

 

I.  For voting systems which are not PC-based, vendors shall submit recommendations for acceptance and maintenance testing to ensure that the firmware in systems purchased and used by county boards is identical to certified firmware.

 

Comment 65

a. Provisions like this may seem helpful to the State Board but they prevent an arm’s length buyer-seller relationship.

b. If the State Board is not expert enough to know how to test a particular system, it is unlikely that the system will be properly tested by following vendor recommendations.

c. The term “maintenance testing” should be defined.

 

 

Section 6209.6 Examination Criteria

 

A.  State Board testing and examination shall be performed in an open and public venue.  Testing shall be performed in conformity with written procedures adopted by the State Board.  Such procedures and the test reports of the State Board and its ITA, shall be available for public inspection at the office of the State Board, and at its website. Each tested system shall, at a minimum, conform to the EAC’s 2005 Voluntary Voting System Guidelines, to the extent that they are consistent with State Law and these Regulations.

 

Comment 66

a. The requirement for “an open and public venue” may apply only to tests and examinations conducted by the State Board, and may not apply to tests and examinations conducted by their ITA.

b. Persons with appropriate experience should be hired to write the procedures.

c. The requirement for conformity to the EAC’s 2005 VVSG may be meaningless. See "Gaping Hole in HAVA Voting System Standards Widened in 2005" by Howard Stanislevic, VoteTrustUSA E-Voting Education Project, May 21, 2006.

 

B.  The State Board or its designee, as part of its examination, may at its discretion, submit the voting system for analysis by a testing laboratory.

 

Comment 67

Will testing by the designee or testing laboratory be performed in an open and public venue? In New York State? According to written procedures?

 

C.  Whenever the State Board is satisfied that a voting machine or system has been proven to meet the Environmental Standards of subdivision (E) of Section 6209.2 of these regulations; and the vendor is able to provide documentation for the State Board’s testing authority to establish that those standards have been met; then the State Board may, in its discretion, accept such documentation as satisfaction of the tests required by these regulations.

 

Comment 68

The last phrase should be “accept such documentation as proof that the voting machine or system meets those standards.”

 

D.  All laboratory testing shall be conducted or verified by independent testing authorities appropriately certified by the National Association of State Election Directors, the EAC or approved by the commissioners of the State Board.

 

Comment 69

All testing should be performed by local “ITAs” so that the money and work stays in New York State and so that the citizens of New York State who wish to observe can do so without having to travel out-of-state. Heretofore, federal ITAs have never allowed citizen observation.

 

(1)  Software and Hardware Qualification Tests

 

    Qualification of voting system software and hardware shall consist of a series of tests, code analyses, and inspection tests performed at the federal and state levels, to verify that the software and hardware meet design requirements and that characteristics are correctly described in the documentation items.  Qualification shall also include a Functional Configuration Audit and a Physical Configuration Audit.

 

Comment 70

a. What is the difference between “tests” and “inspection tests”? The term “inspection tests” should be defined.

b. There is no federal inspection or testing. There is testing performed by NASED-approved ITAs, which is paid for by vendors, and if the equipment “passes” it gets a NASED number.

c. The approval of ITAs was supposed to be taken over by the EAC but that process has been in progress for a year and at this time no one seems to be in charge of it.

d. The term “design requirements” should be defined. Where are “design requirements” set forth?

e. The emphasis on documentation is not a replacement for independent evaluation of systems.

 

(2)  Functional Configuration Audit

 

page 16

page 17

 

      A functional configuration audit shall be performed to verify that the software complies with the Software Specification (as defined in subparagraph (B)(2)(B)(1) below) and applicable laws and regulations.  Federal qualification test data may be used in partial fulfillment of this requirement; however, the State Board or its designee shall perform or supervise the performance of additional tests, or order additional laboratory testing, to verify system performance in all operating modes, including but not limited to disability access and alternate language modes and to validate the vendor's test data reports.  The Functional Configuration Audit shall be performed in a facility selected by the State Board.

 

Comment 71

a. The only Software Specification below is in F (3) on page 20. There is no (B)(2)(B)(1).

b. The Software Specification pertains to documentation.

c. It appears that the Functional Configuration Audit means merely that those parts of the software that the vendor chooses to document are correctly documented and comply with applicable laws and regulations.

d. “operating modes” should be defined if it includes more than the ability to receive voter interaction via accessible attachments and to provide information in non-English languages.

e. The facility selected by the State Board for the Functional Configuration Audit should be open to the public and located within New York State.

 

(a) Vendor Responsibility

 

        The vendor shall provide a list of all documentation and data required to be included as part of the independent review, and vendor technical personnel shall be available to the State Board during the performance of the Functional Configuration Audit.

 

(b) Technical Data

 

        The vendor shall provide the following technical data:

 

(i) copies of all procedures used for module or unit testing, integration testing and system testing;

 

(ii) copies of all test cases generated for each module and integration test and sample ballot formats or other test cases used for system;

 

(iii) records of all tests performed by the procedures listed above, including error correction and retest.

 

Comment 72

“Technical Data” consists of procedures, test data, and documentation of tests performed by the vendor on their own equipment, for testing of individual modules, integration of individual modules, and the overall system.

 

(c) Audit Procedure

 

        The State Board, with the assistance of an independent testing authority, shall subject each voting system to a complete functional test, including but not limited to actual use testing of all components used by voters to enter or review votes.  Additionally, the State Board and its independent testing authority shall review the vendor's test procedures and test results.

 

        This review shall include an assessment of the adequacy of test cases and input data to exercise all system functions and to detect program logic and data processing errors if such be present.

        The review shall also include an examination of all test data which is to be used as a basis for qualification.

 

Comment 73

What will the State Board and their assisting ITA actually do?

a. Use-test all components used by voters to enter or review votes.

b. Review the procedures/test data/results that the vendor said they used/got internally when they tested their own system.

c. What’s missing from the explicit list above (what should we hope is meant by the phrase  “not limited to”)? Machine tallies, system tallies, communication of voting machines with central tallying machines, audit logs, setup and shutdown procedures, all procedures that poll workers are supposed to be able to perform when systems fail during election day, procedures to discover why there are discrepancies between paper and electronic tallies, and procedures that service and maintenance may involve, etc.

 

(3)  Physical Configuration Audit

 


The Physical Configuration Audit is an examination of the software configuration

 

page 17

page 18

 

against its technical documentation to establish a configuration baseline for approval.  The Physical Configuration Audit shall include an audit of all drawings, specifications, technical data and test data associated with the system hardware and this audit shall establish the system hardware baseline associated with the software baseline.  All subsequent changes to the software or hardware shall be subject to re-examination.

 

Comment 74

a. The Physical Configuration Audit creates the software baseline, which has to do with consistency of the software and its documentation, and ALSO creates the hardware baseline, which is the hardware that the software runs on. 

b. The phrase “shall be subject to re-examination” means that all subsequent changes will not necessarily cause the system to be re-examined. Criteria for when re-examination will occur are ----

 

(a) Vendor Responsibility

 

                The vendor shall provide a list of all documentation and data required to be audited by the State Board.  Vendor’s technical personnel shall be available to the State Board during the performance of the Physical Configuration Audit.

 

(b) Technical Data

 

        The vendor shall provide the following technical data:

 

(i) identification of all items which are to be a part of the software release;

 

(ii) identification of all hardware which interfaces with the software;

 

(iii) configuration baseline data for all hardware included within the system;

 

(iv) copies of all software documentation which is intended for distribution to users, including program listings, specifications, operator manual, user manual and software maintenance manual;

 

Comment 75

a. What program listings does the State Board envision will be intended for distribution to users?

b. There will be many types of users of these systems, including voters, poll workers, maintenance, repair and service technicians, ballot programmers, etc. The term “users” should be more specific.

 

(v) proposed user acceptance test procedure and acceptance criteria;

 

Comment 76

Which users? Acceptance by whom for what purpose? Acceptance by the State Board for certification?

 

(vi) an identification and explanation of any changes between the Physical Configuration Audit and the configuration submitted for the Functional Configuration Audit.

 

Comment 77

What changes are envisioned by these regulations?

 

(c) Audit Procedure

 


        Required data items include draft and formal documentation of the vendor's software development program which are relevant to the design and conduct of Qualification Tests.  The vendor shall identify all documents, or portions of documents, which the vendor asserts contain proprietary information not approved for public release.  The State Board or its designee shall agree to use any proprietary information contained therein solely for the purpose of analyzing and testing the software and shall refrain from disclosing proprietary information to any other person or agency without the prior written consent of the vendor or a Court order.  The State Board or its designee shall review the vendor's source code and documentation to verify that the software conforms to the

 

page 18

page 19

 

documentation, and that the documentation is sufficient to enable the user to install, validate, operate and maintain the voting system.  The review shall also include an inspection of all records of the baseline version against the vendor's release control system to establish that the configuration, being qualified, conforms to the engineering and test data.

 

Comment 78

a. The State Board again will shortcut its evaluation of systems by relying on vendor documentation for guidance.

b. The State Board will not evaluate the vendor’s claims of proprietary control of information.

c. The State Board will merely evaluate whether the software that the vendor chooses to designate is correctly and adequately documented.

d. There is no arm’s length relationship or evaluation required here. 
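The baseline comparison implied by the Physical Configuration Audit, with the concerns of Comments 74 and 78 made checkable, as an added example that is not part of the regulations or of these comments. The examiner hashes the whole image rather than only the items the vendor lists, so components the vendor did not identify surface alongside later changes; all file names, contents and function names are constructed for illustration.

```python
"""Added example: compare a voting unit against its configuration baseline."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map every regular file under root to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def audit(declared, baseline, unit):
    """Compare three views of the same system.

    declared: paths the vendor identified as part of the software release
    baseline: {path: digest} the examiner recorded over the WHOLE image
    unit:     {path: digest} taken later from the unit being examined
    """
    declared = set(declared)
    base_paths, unit_paths = set(baseline), set(unit)
    return {
        # Present at baseline but never identified by the vendor.
        "undeclared": sorted(base_paths - declared),
        # Identified by the vendor but not found in the image.
        "declared_absent": sorted(declared - base_paths),
        # Changes after the baseline was approved.
        "modified": sorted(
            p for p in base_paths & unit_paths if baseline[p] != unit[p]
        ),
        "missing": sorted(base_paths - unit_paths),
        "added": sorted(unit_paths - base_paths),
    }


def needs_reexamination(findings):
    """Any change after the baseline triggers re-examination."""
    return any(findings[k] for k in ("modified", "missing", "added"))


def _write_tree(root, files):
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)


def demo():
    """Run the audit on two small constructed directory trees."""
    # Constructed vendor list: it omits drivers/wlan.sys and names a
    # file (app/report.bin) that is not in the image at all.
    declared = [
        "app/tally.bin",
        "app/ballot_ui.bin",
        "app/report.bin",
        "drivers/printer.sys",
    ]
    baseline_files = {
        "app/tally.bin": b"tally v1",
        "app/ballot_ui.bin": b"ui v1",
        "drivers/printer.sys": b"printer v1",
        "drivers/wlan.sys": b"wireless driver",
    }
    # Constructed later state of a unit: one file changed, one removed,
    # one new file introduced.
    unit_files = dict(baseline_files)
    unit_files["app/tally.bin"] = b"tally v1 patched"
    del unit_files["drivers/printer.sys"]
    unit_files["app/patch.bin"] = b"field update"

    with tempfile.TemporaryDirectory() as base_dir, \
            tempfile.TemporaryDirectory() as unit_dir:
        _write_tree(base_dir, baseline_files)
        _write_tree(unit_dir, unit_files)
        return audit(declared, hash_tree(base_dir), hash_tree(unit_dir))


if __name__ == "__main__":
    result = demo()
    for category, paths in result.items():
        print(f"{category}: {paths}")
    print("re-examination needed:", needs_reexamination(result))
```
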

 

E.  Functional Tests, Security Tests and Simulated Voting

 

Prior to certifying a voting system, the state board shall designate an independent expert to review, all source code made available by the vendor pursuant to this section and certify only those voting systems compliant with these Regulations. At a minimum, such review shall include a review of security, application vulnerability, application code, wireless security, security policy and processes, security/privacy program management, technology infrastructure and security controls, security organization and governance, and operational effectiveness, as applicable to that voting system. 

 

Comment 79

a. The State Board, and New York voters, will rely upon an independent expert to assess whether a system is secure and compliant.

b. Voters will rely upon the State Board to designate an expert who is in fact independent.

 

(1) For all systems or equipment, functional tests shall consist of the validation of equipment functional performance, and shall be performed in an open and public venue, in conformity with written procedures adopted by the State Board.

 

Comment 80

The written procedures must require a test of the entire system from the start-up procedures that poll workers are supposed to perform at the beginning of the election day to the 3% spot-check of the voter verified paper audit record to the tabulation of results by the central tabulator to the evaluation of accuracy of the system audit logs.

 

(2) All votes entered shall use the identical interfaces as would be used by the actual voters during the actual voting process.  By way of explanation, touch-screen votes, or votes cast via alternative accessible devices such as tactile-discernible key pads or pneumatic switches shall be used as the voter would use them rather than casting simulated votes via any of these processes into the voting system using any type of diagnostic input cartridge. 

 

(3) Functional tests of voting system software which runs on general purpose data processing equipment shall include all tests similar to those in procedures which are necessary to validate the proper functioning of the software and its ability to control the hardware environment.  The tests shall also validate the ability of the software to detect and act correctly upon any error conditions which may result from hardware malfunctions.  Detection capability may be contained in the software, the hardware or the operating system.  It shall be validated by any convenient means up to and including the introduction of a simulated failure (power off, disconnect a cable, etc.) in any equipment associated with vote processing.

 

(4) Each system shall be submitted for electronic and technical security and integrity analysis by independent certified security experts, who shall be given full unrestricted access to production units of the system, for such analysis.  Whenever the vendor is able to provide documentation for the State Board and its testing authority, to establish that the standards of this section of these regulations have been met; then the State Board may, in its discretion, accept such documentation as satisfaction of the tests required by these regulations.

 

Comment 81

a. “Independent certified security expert” should be defined.

b. This requirement for “analysis by independent certified security experts” cannot be met by federal certification procedures, since the vendor pays for them (hence they are not “independent”).

c. “standards of this section of these regulations” is unclear. Does it mean “this paragraph” or does it mean “Section 6209.6 Examination Criteria” or something in between? Similarly, the phrase “tests required by these regulations” is improperly vague and could be argued to mean that no state tests need to be performed if a system has federal certification.

d. Paragraph (1) above only requires “functional tests” to be performed in an open and public venue.

e. This paragraph does not require security “tests” but rather “analysis.” The use of the analysis is not specified.

 

page 19

page 20

 

(5)    Functional tests for the following types of equipment shall be required:

 

(a) Standard commercial, off-the-shelf production models of general purpose data processing equipment (PC’S, printers, etc.) shown to be compatible with these requirements and with the voting system.

 

(b) Production models of special purpose data processing equipment (scanners, bar code readers, etc.) having successfully performed in elections use and having been shown to be compatible with the voting system.

 

F.  Software, Hardware, Operating and Support Documentation

 

(1) Software Qualification

 

      The following system software and firmware vendor data items shall be submitted as a precondition of certification of acceptability for elections use. 

 

(2) Vendor Documentation

 

      Complete product documentation shall be provided to the State Board for voting systems, their components and all auxiliary devices.  This documentation shall be sufficient to serve the needs of the voter, the operator, maintenance technicians, and other appropriate county board personnel.  It shall be prepared and published in accordance with standard industrial practice for electronic and mechanical equipment such documentation shall include:

 

(3) Software Specification

 

        The Software Specification shall contain and describe the vendor's design standards and conventions, environment and interface specifications, functional specifications, programming architecture specifications, and test and verification specifications.  Vendor must also provide document identification, an abstract of the specification, configuration control status and a table of contents.  The body of the specification shall contain the following material:

 

(a) System Overview

 

The vendor shall identify the system hardware and the environment in which the software will operate and the general design and operational considerations and constraints which have influenced the design of the software.

 

(b) Program Description

 


The vendor shall provide descriptions of the software system concept, the array of hardware in which it operates, the intended operating environment, the specific software

 

page 20

page 21

 

design objectives and development methodology and the logical structure and algorithms used to accomplish the objectives.

 

(c) Standards and Conventions

 

The vendor shall provide information which can be used as a partial basis for code analysis and test design.  It should include a description and discussion of the standards and conventions used in the preparation of this specification and in the development of the software.

 

(d) Specification Standards and Conventions

 

The vendor shall identify all published and private standards and conventions used to document software development and testing.  Vendor internal procedures shall be provided as attachments to this Software Specification.

 

(e) Test and Verification Standards

 

The vendor shall identify any standards or other documents which are applicable to the determination of program correctness and acceptance criteria.

 

(f) Quality Assurance Standards

 

The vendor shall describe all standards or other documents which are applicable to the examination and testing of the software, including standards for flowcharts, program documentation, test planning and test data acquisition and reporting.

 

(g) Operating Environment

 

The vendor shall provide a description of the system and subsystem interfaces at which inputs, outputs and data transformations occur.  It shall contain or make reference to all operating environment factors which influence the software design.

 

(h) Hardware Constraints

 

The vendor shall identify and describe the hardware characteristics which influence the design of the software, such as:

 

(i) the logic and arithmetic capability of the processor,

 

(ii) memory read/write characteristics,

 

(iii) external memory device characteristics

 

(iv) peripheral device interface hardware data I/O device protocols, and

 

page 21

page 22

 


(v) operator controls, indicators and displays.

 

(i) Software Environment

 

The vendor shall identify all compilers, assemblers, or other software tools to be used for the generation of executable code and a description of the operating system or system monitor.  This section shall also contain an overview of the compile-time interaction of the voting system software with library calls and linking.

 

(j) Interface Characteristics

 

The vendor shall describe the interfaces between executable code and system input-output and control hardware.

 

(k) Software Functional Specification

 

The vendor shall provide a description of the overall functions which the software performs in the context of its mode or modes of operation.  The vendor shall also describe the capabilities and methods for detecting and handling exceptional conditions, system failure, data input/output errors, error logging and audit record generation and security monitoring and control.

 

Comment 82

“mode or modes of operation” should be defined.

 

(l) Configurations and Operating Modes

 

The vendor shall describe the various software configurations and operating modes of the system; such as preparation for opening of the polling place, vote recording and/or vote processing, closing of the polling place and report generation.  For each software function or operating mode, a definition of the inputs (characteristics, tolerances or acceptable ranges) to the function or mode, how the inputs are processed and what outputs are produced (characteristics, tolerances or acceptable ranges) shall be provided.

 

Comment 83

The list of “modes” in this paragraph should include the extraction of election data from the voting machine, the transfer of that data to the central tabulator, and the extraction and evaluation of system event logs.

 

(m) External files

 

In the event that external files are used for data input or output, the definition of information context and record formats shall be provided.  The vendor shall also describe the procedures for file maintenance, access privileges and security.

 

(n) Security

 


Security requirements and security provisions of the system’s software shall be identified for each system function and operating mode.  The voting system must be secure against attempts to interfere with correct system operation.  The vendor shall identify each potential point of attack.  For each potential point of attack, the vendor shall identify the technical safeguards embodied in the voting system to defend against attack, and the procedural safeguards that the vendor has recommended be followed by the

 

page 22

page 23

 

election administrators to further defend against that attack.  Each defense shall be classified as preventative, if it prevents the attack in the first place; detective if it allows detection of an attack; or corrective if it allows correction of the damage done by an attack. Security requirements and provisions shall include the ability of the system to detect, prevent, log and recover from the broad range of security risks identified.  These procedures shall also examine system capabilities and safeguards claimed by the vendor to prevent interference with correct system operations.  The State Board, with the assistance of its ITA, shall conduct tests to confirm that the security requirements of these Regulations have been completely addressed.  Notwithstanding any other provisions of these Regulations, the State Board shall determine whether all or a portion of such security requirements and security provisions shall be available for public inspection, but shall exclude any information which compromises the security of the voting system.

 

Comment 84

a. ITAs are the wrong assistant for this, since they have consistently failed to find security flaws identified later by activists in federally certified systems. Security experts such as RABA Technologies, Harri Hursti, or a classroom of computer science students would provide more trustworthy and independent assistance.

b. Security by obscurity is notoriously failure-prone, and if any information about a system would compromise it, the system should be considered insecure.

c. New York State should not assume that all insiders are trustworthy.

d. New York State should not assume that vendors will foresee all possible security flaws and that insiders and outside hackers will not be able to access the system by vendor-unforeseen methods.

 

(o) Programming Specifications

 

The vendor shall provide an overview of the software design, structure and implementation algorithms.  Whereas the Functional Specification of the preceding section provides a description of what functions the software performs and the various modes in which it operates, this section should be prepared so as to facilitate understanding of the internal functioning of the individual software modules.  Implementation of functions shall be described in terms of software architecture, algorithms and data structures and all procedures or procedure interfaces which are vulnerable to degradation in data quality or security penetration shall be identified.

 

Comment 85

New York State should not assume that vendors will foresee all possible flaws in their own systems.

 

(p) Test and Verification Specifications

 

The vendor shall provide a description of the procedures used during software development to verify logical correctness, data quality and security.  This description shall include existing standard test procedures, special purpose test procedures, test criteria and experimental design and validation criteria.  In the event that this documentation is not available, the Qualification Test agency shall design test cases and procedures equivalent to those ordinarily used as a basis for verification (see below).

 

Comment 86

New York State should maintain an arm’s length relationship with vendors, and not rely on their procedures.

 

(q) Qualification Test Specification

 

The vendor shall provide a description of the specification for verification and validation of overall software performance, including acceptance criteria for control and data input/output, processing accuracy, data quality assessment and maintenance, exceptional handling and security.  The specification shall identify specific procedures by means of which the general suitability of the software for elections use can be assessed and demonstrated.  The vendor's specification and procedure shall be used to establish the detailed requirements of the tests described in "Laboratory Environmental Test Procedures for Hardware and Software" of this Standard.

 

Comment 87

a. New York State should maintain an arm’s length relationship with vendors, and not rely on their procedures and guidance. The only way to demonstrate general suitability is via Mock Elections conducted in public with public participation.

b. There is no part of this Standard called “Laboratory Environmental Test Procedures for Hardware and Software."

 

(r) Acceptance Test Specification

 

page 23

page 24

 

The vendor shall provide a description of the specification for installation, acceptance and readiness verification.  This specification shall identify specific procedures by means of which the capability of the software to accommodate actual ballot formats and format logic, and pre-election logic, accuracy and security test requirements of using jurisdictions may be assessed and demonstrated.  The vendor's specification shall be used to establish the detailed requirements of the tests described in "Laboratory Environmental Test Procedures for Hardware and Software" of this standard performed to evaluate the adequacy of the vendor's procedures and it shall be suitable for inclusion in the regulations and procedures of user counties when preparing for the conduct of actual elections.

 

Comment 88

a. New York State should maintain an arm’s length relationship with vendors, and not rely on their procedures and guidance.

b. There is no part of this Standard called “Laboratory Environmental Test Procedures for Hardware and Software."

 

(s) Appendices

 

The vendor shall provide descriptive material and data supplementing the various sections of the body of the Software Specification.  The content and arrangement of appendices shall be at the discretion of the vendor.  Topics recommended for amplification and treatment in appendix form include:

 

(i) Glossary: Provide a listing and brief definition of all software module names and variable names with reference to their locations in the software structure.  Include abbreviations, acronyms and terms which are either not commonly used in data processing and software development or which are used in an uncommon semantic context.

(ii) References:  Provide a list of references to all related vendor documents, data, standards and technical sources used in software development and testing.

 

(iii) Program Analysis:  Provide the results of software configuration analysis, algorithm analysis and selection, timing studies and hardware interface studies reflected in the final software design and coding.

 

(iv) Security Analysis:  Provide a detailed description of the penetration analysis performed to preclude intrusion by unauthorized persons and fraudulent manipulation of elections data.  Identify security policies and measures and selection criteria for audit log data categories.

 

Comment 89

The standards should require the audit log to be a complete list of ALL software and hardware events including but not limited to interactions with persons via all interfaces including the touchscreen and accessible attachments, the central tabulator, keyboard and mouse interactions with any part of the system, events related to external memory devices, ports and drivers including printers, and events related to communications capability.

 

(4) Operator Information

 

This documentation shall include a physical description of the equipment sufficient to identify all features, controls and displays.  It shall include a complete procedure for energizing the equipment, for testing and verifying operational status and for identifying all abnormal equipment states.  It shall include a complete operating procedure for inserting ballots to be tabulated, for controlling the tabulation process, for monitoring the status of the equipment, for recovering from error conditions and for preparing output reports.  It shall also include troubleshooting instructions. 

 

page 24

page 25

 

The documentation shall also include a description of the relationship of the Sensitive Area, Voting Target, and Ballot Position.  For paper-based systems, this description shall include a description of the nature of the marks the system will and will not count as votes, for example, the types of marks made with each of a variety of pens and pencils that should be counted and that should not be counted.  For DRE voting systems, this description shall include a description of the nature of the voter action required to cast a vote in the Sensitive Area, for example, the force and duration of contact required. 

 

Comment 90

For DREs, the dimension of the area that the voter must touch should be described. On a touchscreen, will the tip of a stylus be recognized? Will a touch with the tip of a fingernail be recognized? Will a touch with the pad of the last section of a finger be too broad? These questions bear on voter training.  

 

(5) Maintenance Information

 

(a) This documentation shall contain a complete physical and functional description of the equipment and a theory of operation which fully describes the electrical and mechanical function of the equipment, how the processes of ballot handling and reading are performed, how data are handled in the processor and memory sections, how data output is initiated and controlled, how power is converted or conditioned and how test and diagnostic information is acquired and used.

 

Comment 91

This paragraph surely does not apply to DREs. Perhaps it applies to optical scanners. When DREs and optical scanners are different, the regulations should explicitly state which type of equipment is being addressed.

 

(b) A complete parts and materials list shall be provided which contains sufficient descriptive information to identify all parts by type, size, value or range and manufacturer's designation.

 

(c) Technical illustrations and schematic representations of electronic circuits shall be provided with indications of all test and adjustment points and the nominal value and tolerance or waveform to be measured.  Fault detection, isolation and correction procedures or logic diagrams shall be prepared for all operational abnormalities identified by design analysis and operating experiences.

 

Comment 92

a. This paragraph surely does not apply to DREs. Perhaps it applies to optical scanners. When DREs and optical scanners are different, the regulations should explicitly state which type of equipment is being addressed.

b. The term “design analysis” should be defined and its relationship to maintenance should be described.

 

(6) Logistics, Facilities and Training

 

The vendor shall identify all operating and support requirements of the system or component.  These requirements include material, facilities and personnel, including furnishings, fixtures, and utilities which will be required to support system operation, maintenance and storage.

 

(7) Maintenance Training and Supply

 

(a) The vendor shall identify all corrective and preventive maintenance tasks, including  the calibration of the system, as appropriate,  and the level at which they shall be performed.  Levels of maintenance shall include operator tasks, maintenance personnel tasks and factory repair.

 

Comment 93

“Calibration of the system” should be defined.

 

(b) Operator tasks shall be limited to the activation of controls to identify irrecoverable error conditions and to the replenishment of consumables such as printer ribbons, paper and the like.

 

Comment 94

Operators of DREs and precinct-based optical scanners will be poll workers and voters. There are additional tasks they will have to perform.

 

page 25

page 26

 

 


(c) Maintenance personnel tasks shall include all field maintenance actions which require access to internal portions of the equipment.  They shall include the conduct of tests to localize the source of a malfunction; the adjustment, repair or replacement of malfunctioning circuits or components and the conduct of tests to verify restoration to service.

 

Comment 95

a. If “field maintenance actions” are tasks that maintenance personnel will perform in poll sites when DREs fail, this paragraph is completely unrealistic. Does the State Board imagine someone will go to a poll site, open a security panel on the DRE, and start taking components out and putting others in? Replace a few chips of firmware or internal memory?

b. The only realistic action in the field would be plugging a printer cable or electrical cord back in if it falls out of its socket.

 

(d) Factory repair tasks shall be minimized, and repairs shall be made on site whenever reasonably possible.  Factory repairs shall only include complex and infrequent maintenance functions which require access to proprietary or to specialized facilities and equipment which cannot be obtained by the county board.

 

(e)  The vendor shall identify by function all personnel required to operate and support the system.  For each functional category, the number of personnel and their skills and skill levels shall be specified.

 

Comment 96

Poll workers and voters are the personnel who will operate DREs and precinct-based optical scanners.

 

(f)  The vendor shall specify requirements for the training of each category of operating and support personnel, including but not limited to voters, poll workers, and elections staff.  The vendor shall prepare all materials required in the training activity and shall provide or otherwise arrange for the provision of as many qualified instructors as are necessary to properly and fully train said personnel in each category. 

 

(g)  The vendor shall recommend a standard complement of supplies, spares and repair parts which will be required to support system operation.  This list shall include the identification of these materials and their individual quantities and sources from which they may be obtained.  The vendor shall supply, at vendor's expense, any special tools required to repair or maintain the equipment.

 

(h) The vendor shall provide complete instructions for all methods of voting which voters may use to cast their vote, including instructions on entering and changing votes, write-in voting, verifying votes and accepting the cast votes.  Written and audio instructions shall be provided in each language in which voting shall occur within the state.   

(8)     Usability Test

 


Vendors shall make available to the State Board, in a quantity to be determined by the State Board, voting systems for the purpose of conducting a usability test, which will establish the minimum number of voting machines required in each polling place and the maximum number of voters that can vote on one voting machine during the course of an ordinary 15-hour election day.  The ballots to be used for this test shall include both primary and general election ballots, with ample candidate selection options and ballot proposal selections.  For the purposes of the usability test, voting shall occur by utilizing all the devices which a voter may use to make their selections.  If a vendor has previously performed a usability test on the same or similar voting system which meets the requirements of this section, the State Board may consider the findings of same.  Whenever the State Board is satisfied that a voting machine or system’s usability analysis has provided adequate and accurate information relative to the requirements of Election Law Section 7-203.2, then the State Board may, in its discretion, accept such documentation as satisfaction of the usability test required by these regulations.

 

Comment 97

This paragraph should require that accessible attachments be tested by individuals with appropriate disabilities, so that realistic timing can be assessed.

Given New York State’s unique combination of requirements (full face ballot, broad accessibility, and voter verified paper audit record) it is unlikely that any vendor will have usability test data from similar systems.

 

(9)       Voter Demonstration Test

 

(a)  The purpose of this test is to provide, in a simulated election day environment, a public demonstration of the usability and accuracy of such systems or machines

 

(b)   Vendor must submit, in a quantity to be determined by the State Board, additional voting systems or equipment that have been submitted for certification.  These additional systems or equipment will be returned to the vendor upon the completion of voter demonstration testing.

 

(c)   The State Board shall make available to the public, all non-proprietary documentation submitted by the vendor.

 

Comment 98

a. The State Board of Elections was urged to include in these regulations a requirement for a Mock Election public test, and this “Voter Demonstration Test” is apparently the watered-down and vague result. Mock elections are described at

www.wheresthepaper.org/WhatIsAPublicMockElection.htm     and

www.votetrustusa.org/index.php?option=com_content&task=view&id=1474&Itemid=26

Regardless of what the test is called, the regulations should more clearly and fully describe what the test consists of, and what the requirements of a “simulated election day environment” are. The regs should list:

--DRE or optical scanner programming and preparation by Board of Elections staff,

--trained poll workers who perform the tasks required in a poll site at the beginning and end of an election day,

--voters who enter votes by all methods available,

--extraction of tallies and system event and activity logs,

--transfer of voting machine election data to the central tabulator,

--the comparison of vote data with DRE voter verified paper audit records and system event and activity logs, or with the marked paper ballots for optical scanner systems.

b. The “Voter Demonstration Test” is an opportunity for election staff to demonstrate that they know how to confirm that the systems delivered for the test are the same as the system delivered to the State Board for certification.

c. “all non-proprietary documentation submitted by the vendor” should be made available to the public on the web site of the State Board at least two weeks in advance of the announcement of the “Voter Demonstration Test” so that the public has a chance to read it.

 

(10)     Certification

 

(a) The State Board shall escrow a complete copy of all certified software that is relevant to functionality, setup, configuration, and operation of the voting system, including but not limited to, a complete copy of the source and executable code, build scripts, object libraries, application program interfaces, and complete documentation of all aspects of the system including, but not limited to, compiling instructions, design documentation, technical documentation, user documentation, hardware and software specifications, drawings, records, and data.  Documentation shall include a list of programmers responsible for creating the software and a sworn affidavit that the source code includes all relevant program statements in low-level and high-level languages.  The State Board may require that additional items be escrowed.  If any vendor contracts to escrow additional items, those items shall be subject to the provisions of this section.

 

Comment 99

a. State law requires “a complete copy of all programming, source coding and software” to be escrowed.

b. All software should be escrowed so that all memory can be completely blank and all software, firmware, and any other programming can be loaded from that which is in escrow.

c. This paragraph and paragraphs (b) and (c) immediately below create a loophole which guarantees that malware and  fraud will be difficult or impossible to detect.

 

(b) The vendor shall immediately notify the state board of any change in any item required to be escrowed by subdivision (a) of this subsection, and shall provide an updated version for deposit.

 

(c) The chief executive officer of the vendor shall sign a sworn affidavit that the source code and other material in escrow is the same being used in its voting systems in the State. The chief executive officer shall have an ongoing obligation to ensure the statement is true. 

 

(d) The vendor shall promptly notify the state board and each county board using its voting system of any decertification of the same system in any state, of any defect in the same system known to have occurred anywhere, and of any relevant defect known to have occurred in similar systems.


 

Comment 100

“Promptly” should be defined, such as, “within 5 business days.”

 


 

 (e) Upon completion of testing, reports shall be produced by the ITA and State Board staff, and a recommendation either for or against certification shall be made to the State Board’s commissioners. 

 

(f)  If the State Board determines that a system meets the requirements of these Regulations, and is determined to be suitable for use by voters, it shall certify such system.  A notice of provisional certification shall be prepared and forwarded to the vendor, forthwith.  The vendor shall ensure that the voting system’s software has been escrowed as set forth in Election Law Section 7-208, and the vendor has updated any affidavit and complied with the affidavit requirements, as set forth in Section 6209.4(H) of these regulations.

 

Comment 101

a. One can foresee the “oops” moment when allegations of system failure occur and vendors realize that they made a mistake and the escrowed software was not complete, or the certified version, etc.

b. The State Board should take responsibility for managing what is in escrow.

 

(g)  Upon compliance with the provisions set forth above, a Notice of Certification shall be awarded to the vendor.  Notice of such Certification shall also be provided to all county boards.

 

(h)  If the State Board fails to certify a system, the vendor shall be so notified. 

(i)  Once a certified system is selected for purchase by a county board, that system’s software shall be provided to the county board by the State Board, and not the vendor.

 

Comment 102

How this will be done needs to be specified in detail. Within what timeframe will the software be provided? How many persons will be needed at the State Board to provide the software to counties? In what form will the software be delivered? What about firmware? Who will install the software in the county’s machines? What training will these persons need? Who will pay for the training and the person-days needed to load the software? How long will it take? Will there be a comprehensive test of each system after software is loaded to catch any errors in loading before the machines are used?

 

 

Section 6209.7 Modifications and Re-examination

 

A.  Any prospective modification to a previously certified voting system shall be submitted to and approved by the State Board before such modification is made.

 

B.  No modification of previously certified voting systems equipment shall be used in any election until such modification has been approved by the State Board.

 

C.  Prospective modification shall be reviewed by the State Board or by an examiner or testing laboratory selected by the State Board in accordance with the fee schedule established by section 7-201 of the Election Law.

 

D.  Upon completion of a review of such prospective modification, the State Board may cause a re-examination of the entire voting system, or within its discretion, grant continuation of certification pursuant to the provisions of section 7-201 of the Election Law.

 

Comment 103

Because any change to software can have unforeseen effects on other parts of the system, any modification should trigger re-examination of the entire voting system.

 

 

Section 6209.8   Rescission of Certification

 


A.  If at any time subsequent to the State Board's approval of a voting system, the State Board determines that the voting system fails to fulfill the criteria prescribed by statute and these rules, the State Board shall notify any purchasers and vendors of that particular voting system’s failure, post such notice on its website, and give notice by mail to the chairs of all political parties and interested persons who have previously requested notification of such information, that the State Board's approval or certification of that system in New York State is to be withdrawn.

 

Comment 104

To avoid charges that the State Board makes ad hoc, arbitrary and capricious decisions in either rescinding or failing to rescind certification of systems, the basic criteria for such decisions should be specified. In creating a list of criteria, the State Board can use the experience of other states as well as suggestions from citizens that were submitted in the comments to previous drafts of these standards.

 

B.  Failure of a vendor, its officers and its controlling shareholders to file affidavits as required in Section 6209.4(I) may result in the rescission of certification.  Notice of such failure shall be in writing and shall specify the reasons why the approval or certification of the system is being rescinded. 

 

C.  At the State Board’s discretion and depending on the reason for recision, a notice may also provide for a 30-day period within which the vendor must correct deficiencies, and shall further specify the date on which the rescission is to become effective.

 

Comment 105

a. New York should not repeat the experience of some states in which the same equipment is repeatedly certified and decertified. As noted in comment 103, any change (especially a hastily-made change) to computer products typically leads to a new set of problems.

b. “Discretion” is another term for “ad hoc, arbitrary and capricious.” Using the experience of other states, the State Board should specify criteria allowing 30-day periods for correction of deficiencies.

 

D.  Any vendor or purchaser of such voting system, and any interested person or organization, may request in writing that the State Board reconsider its decision to rescind approval or certification of the voting system.

 

Comment 106

A parallel provision should allow a party to request that the State Board reconsider its decision to certify, or re-certify a voting system.

 

E.  Upon receipt of such request to reconsider, the State Board shall hold a public hearing for the purpose of reconsidering the decision to rescind the approval or certification, and shall give published notice of such hearing at least two weeks in advance, including posting it prominently on its website and giving notice by mail to public advocacy organizations which have requested such notification or requested that the State Board reconsider its decision.  Any interested party shall be given the opportunity to submit testimony or documentation in support of or in opposition to the Board's decision to rescind approval or certification.

 

F.  The State Board may affirm or reverse its decision.  Should the State Board affirm its decision, such vendor may be prevented from submitting a new application form for a period of two years following the date of the final decision.

 

Comment 107

a. The State Board should be required to specify its reasons or reasoning in a published report posted on its web site within a required time.

b. The word “may” indicates that the State Board is again giving itself discretionary powers, which is improper in a system of law and in the context of elections in which the legitimacy of the government is at stake. The regulations should at least provide  guidance in the form of a list of criteria for decision-making.

 

 

Section 6209.9  Contracts

 

A.  In addition to complying with all statutory requirements, all contracts for the purchase of voting systems by county boards, hereinafter to be designated ‘purchaser’, shall include the following requirements:

 

(1) Training

 

Vendors of voting systems shall provide for sufficient training of boards of elections personnel in the following:

 

(a) training prior to delivery of voting systems and equipment on procedures for unpacking, assembling and acceptance testing of such equipment;

 

Comment 108

Staff will also need training in the installation of the software they will receive from the State Board.

 

(b) training for proper use of such equipment including maintenance, storage and transportation procedures;

 

(c) the vendor shall provide complete operations manuals (including operations manuals for any auxiliary features, programming, hardware, telecommunications systems and central vote tabulating systems) upon delivery of voting systems equipment to a jurisdiction.  Such manuals shall include one copy of procedures to be followed by inspectors at polling places.  The vendor shall permit this copy to be reproduced and distributed by the county board at its training school for election inspectors or the vendor shall supply as many copies of the procedures as required by purchaser for such distribution;

 

(d) the vendor shall assist in the training of all elections personnel (including election inspectors) during the first two elections, to include a general election, in which the system or equipment is used.  Such assistance relating to the number of people and the hours of assistance shall be identified in the executed contract. 

 

(e) sufficient training for county board personnel in the use of the vendor’s voting system’s supporting software, procedures to be used to accomplish ballot face layout and ballot programming, and all other features of the software.

 

(2) Service provisions                                 

 

(a) The contract shall identify the obligations of the vendor to promptly rectify any problems identified through testing any or all of the voting systems equipment delivered to the purchaser.

 

(b) The vendor shall, without additional cost, provide to the purchaser a five-year guarantee of parts and service, that such voting systems equipment shall be kept in good working order and that other statutory requirements are met.  Shipping costs for any factory repairs or part replacement will be incurred by the vendor. 

 

Comment 109

a. It seems reasonable for vendors to warrant "good working order" of their equipment for five years, but county boards must not abdicate their responsibility to ensure bipartisan handling and control of voting and vote-tabulating equipment. Outside technicians should not have access to voting and vote-tabulating systems unless they are meaningfully, closely supervised by bipartisan elections staff and/or multipartisan observers.

b. Training in all servicing of the equipment must be required, so that county boards can either perform the required servicing of equipment, or provide effective and meaningful bipartisan supervision or oversight of the vendor's work. (The only measure of training effectiveness is that trained personnel can perform their tasks competently and independently. But as long as the vendor performs the tasks, BOE personnel will (a) forget what they learned, since they won't be using it, and (b) have no opportunity to test their learning by trying to perform the tasks they were trained for.)

c. In the absence of a requirement for open source software, this provision and paragraph (d) below will tie county boards to their vendors and create opportunities for price gouging if the equipment is still in use after five years. These regulations should require that all software be open source for two reasons. First, it enables elections staff to learn their own equipment and achieve independence in using it, and second, it enables competitive companies to learn the equipment and bid on service contracts.

d. Litigation will be required to clarify the meaning of "good working order." If a voting machine fails during an election, is this evidence that it was not in good working order? If it fails during two elections?

e. Voters and candidates have an interest in the good working order of voting and vote-tabulating equipment, and should have the explicit right in these regulations to enforce the legal requirement for equipment to be in "good working order" and seek appropriate remedies if the county board does not do so within a short period of time following equipment failures during elections.

 

(c) The vendor shall provide to the purchaser of said voting systems  equipment a detailed listing of proper maintenance, storage and transportation procedures to be carried out by each purchaser.

 

(d) The vendor and the purchaser shall agree in writing as to the proper maintenance procedures to be implemented on each piece of equipment and shall further agree in writing as to the obligations of each party for servicing and maintenance procedures.

 

(e) The vendor must correct any problems or defects in the voting equipment or voting systems within a commercially reasonable time period.  If the time for resolving problems or defects is insufficient to allow for adequate resolution prior to use in an election, an alternate machine or unit shall be provided by the vendor, and such machine or unit shall be subjected to the acceptance testing requirements of these Regulations.

 


 

(f) The vendor shall provide the purchaser with the criteria necessary for the proper operation of the voting system or equipment at a polling place.

 

(3) Polling site survey

 

(a) The vendor, together with the purchaser, shall survey the present polling places in a jurisdiction to which its voting system or equipment has been sold, to determine whether or not such polling places meet environmental conditions for the proper operation of the voting system or equipment.  This provision shall apply to those polling places which are in use at the time of the proposed sale.

 

(b) If any polling places are not compatible, the vendor shall advise the jurisdiction purchasing the voting system or equipment on the methods or procedures that the said jurisdiction may use to remedy any such problem.

 

(4) Additional Requirements    

 

(a) delivery deadline for a minimum of 10% (ten percent) of the systems or machines ordered by a county shall be not less than six months prior to the first election in which said units shall be used.  The deadline for the delivery of the balance of systems or machines ordered shall be not less than three months prior to the first election in which they are to be used or if the contract is for ten or less units, the delivery deadline is not less than one month prior to such election;

 

Comment 110

Large counties and New York City will be getting many systems, and would need to receive more than 10% of them earlier than three months prior to the first election in which they are to be used in order to perform acceptance testing and preparation for the election. 

 

(b) acceptance testing requirements;

 

(c) storage and maintenance responsibilities; and

 

(d) shipping delivery guidelines and requirements.

 

(e) a list of system proprietary and non-proprietary consumables, extended warranties, services, and other such items as may be considered by county boards for purchase, with the exception of programming, as county boards are prohibited from contracting with a vendor for programming services.

 

Comment 111

The prohibition of contracting with the vendor for programming services is mentioned also in Section 6209.5 E.

 

B.  A vendor entering into a contract shall affirm that;

 

(1)  the submitted voting system complies with all applicable rules adopted by the State Board, and with all applicable 2005 Federal Voting System Guidelines;

 

Comment 112

In light of the May 21 Stanislevic article on the gap in the federal guidelines, this requirement would have to be more specific in order to be meaningful.

www.votetrustusa.org/index.php?option=com_content&task=view&id=1299&Itemid=26

 

(2)  the vendor will quote and provide a statewide, uniform price for each unit of the voting system’s equipment;

 


(3)  the submitted voting system’s software does not contain any code, procedures or other material (including but not limited to ‘viruses’, ‘worms’, ‘time bombs’, and ‘drop dead’ devices that may cause the voting system to cease functioning at a future time), which may disable, damage, disarm or otherwise affect the proper operation of the voting system, any hardware, or any computer system or other property of the State Board or county board, and;

 

Comment 113

As stated in earlier comments, it is impossible for anyone to know that large software products do not contain malware.

 

(4)  any submitted voting system provides methods through security seals or device locks to physically secure against attempts to interfere with correct system operations.  Such physical security shall guard access to machine panels, doors, switches, slots, ports, peripheral devices, firmware, and software.

 

C.  The Vendor shall post a bond or letter of credit to cover any and all expenses, costs, and damages, including but not limited to all costs of inspecting or testing a voting system that does not meet the standards contained in these Regulations and all costs incurred in conducting any new election resulting from any breach of the warranties and representations required to be made anywhere in these Regulations, or in the New York State Election Law.  Said bond or letter of credit shall be set by the State Board.  

 

D.   For purposes of the initial purchases of voting machines and systems, pursuant to the federal Help America Vote Act of 2002, and the state Election Reform and Modernization Act of 2005, all contracts entered by the State Board or county boards with vendors, must comply with Office of General Services (OGS) regulations on Purchasing Procedures and Purchases from Preferred Sources, found in NYCRR Title 9, Subtitle G, Subchapter A, Part 250, section 250.0 through and including section 250.11.

 

Section 6209.10 Acceptance Testing

 

A.  County boards, under the supervision of the State Board, shall conduct a public acceptance test on each unit of any voting system purchased by such county.  Such acceptance testing shall begin within seventy-two hours of delivery of the equipment from the vendor to the purchaser and shall be completed prior to the use of the equipment in any election.

 

B.  Such testing shall be conducted under the supervision of the State Board in accordance with the testing requirements and formats provided by the State Board.  This test may consist in part, of the original certification test deck as utilized by the State Board in the certification of the system.

 

Comment 114

a. Acceptance testing must include all functionality of the system, not just entering of votes.

b. State Board supervision should be defined.

 

C.  Acceptance testing for voting systems shall include the comparison of software installed on the delivered system to certified software, via the use of a Secure Hash Signature Standard (SHS) validation program, contained in Federal Information Processing Standards Publication 180-2 issued by the National Institute Standards Technology.

 

Comment 115

How will county election personnel know how to do this?
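
The comparison that subsection C calls for, sketched as an added example that is not part of the regulations or of these comments: SHA-256, one of the FIPS 180-2 hash functions, is computed over every file in a certified reference copy and checked against the delivered unit, reporting files that were changed, are missing, or are present without being in the certified set. The directory layout, file names and contents are constructed for illustration, and the sketch assumes the unit's software can be read as ordinary files.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Return the SHA-256 digest of a file as a hex string."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (by relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # os.walk does not descend into symlinked directories; list them
        # explicitly so a link cannot hide content from the comparison.
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for name in filenames + links:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                # Record the link itself rather than hashing its target.
                manifest[rel] = "symlink:" + os.readlink(full)
            else:
                manifest[rel] = sha256_file(full)
    return manifest


def compare_to_certified(certified, delivered_root):
    """Compare a delivered file tree with a certified manifest."""
    delivered = build_manifest(delivered_root)
    modified = sorted(p for p in certified
                      if p in delivered and delivered[p] != certified[p])
    missing = sorted(p for p in certified if p not in delivered)
    unlisted = sorted(p for p in delivered if p not in certified)
    return {
        "modified": modified,
        "missing": missing,
        "unlisted": unlisted,   # present on the unit but never certified
        "passed": not (modified or missing or unlisted),
    }


def write_tree(root, files):
    """Create the constructed sample files under root."""
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(data)


def demo(tamper=True):
    """Run the comparison on constructed sample trees (hypothetical names)."""
    certified_files = {
        "firmware/ballot_logic.bin": b"certified build 1.0\n",
        "firmware/printer.bin": b"printer driver 1.0\n",
        "config/defaults.cfg": b"language=en\n",
    }
    if tamper:
        delivered_files = {
            "firmware/ballot_logic.bin": b"certified build 1.0 \n",  # one byte added
            "config/defaults.cfg": b"language=en\n",
            "drivers/radio.bin": b"not in the certified set\n",
        }
    else:
        delivered_files = dict(certified_files)
    with tempfile.TemporaryDirectory() as escrow, \
            tempfile.TemporaryDirectory() as unit:
        write_tree(escrow, certified_files)
        write_tree(unit, delivered_files)
        return compare_to_certified(build_manifest(escrow), unit)


if __name__ == "__main__":
    report = demo()
    for key in ("modified", "missing", "unlisted"):
        print(key + ":", report[key])
    print("PASS" if report["passed"] else "FAIL")
```

A check like this is only as trustworthy as the program and media that perform it, so it should be run from independently controlled media rather than by software on the unit being tested.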

 


D.  Acceptance testing for non-PC-based voting systems shall include testing to be prescribed by the State Board at the time of system selection, pursuant to 6209.5(i) of these Regulations, to verify that the voting system delivered to the county board is identical to the system certified by the State Board.

 

E.  The results of acceptance testing shall be both documented and attested to by the county board and the State Board, and the documentation placed in the maintenance log for the system, and on file with the State Board.

 

F.  If the acceptance test reveals any impropriety or fault in the ballot counting system’s equipment, the vendor must make corrections to such improper or faulty equipment within 15 days from the date of such acceptance testing.

 

Comment 116

Why is this requirement limited to counting systems?

 

G.  The State Board, upon its review of the acceptance testing of such system’s  equipment may, at its discretion, rescind certification of said equipment in the State of New York in accordance with the provisions of Section 6209.8 of these regulations. 

 

 

Section 6209.11      Temporary Provision

 

Notwithstanding any other regulation, no voting machine certified after May 1, 2006 may be used in any election until the State Board adopts regulations for routine maintenance and testing, voting system operations procedures, and central count procedures.