[Federal Register: April 12, 2006 (Volume 71, Number 70)]
[Notices]
[Page 18823-18924]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr12ap06-140]
[[Page 18823]]
-----------------------------------------------------------------------
Part II
Election Assistance Commission
-----------------------------------------------------------------------
2005 Voluntary Voting System Guidelines; Notice
[[Page 18824]]
-----------------------------------------------------------------------
ELECTION ASSISTANCE COMMISSION 2005
2005 Voluntary Voting System Guidelines
AGENCY: United States Election Assistance Commission.
ACTION: Notice; publication of final 2005 Voluntary Voting System
Guidelines.
-----------------------------------------------------------------------
SUMMARY: The Help America Vote Act of 2002 (HAVA) Section 231 directs
the U.S. Election Assistance Commission (EAC) to provide for the
testing, certification, decertification and recertification of voting
systems. HAVA Section 221 mandates the development of voluntary voting
system guidelines to support this process. In 2004, the EAC formed the
Technical Guidelines Development Committee (TGDC) to create an initial
set of recommendations for the guidelines. The Director of the National
Institute of Standards and Technology (NIST) chairs the TGDC and NIST
staff provides technical support for the TGDC's work. This committee of
fifteen experts began their work in July 2004 and submitted their
recommendations to the EAC in May 2005. EAC reviewed and revised these
recommendations and published its proposed Voluntary Voting System
Guidelines in June 2005, 70 FR 37378 (June 29, 2005), beginning the
ninety-day public comment period. The Commission adopted the 2005
Voluntary Voting System Guidelines on December 13, 2005. The Guidelines
published here will be used to test voting systems for national
certification.
FOR FURTHER INFORMATION CONTACT: Brian Hancock (Election Research
Specialist), Washington, DC, (202) 566-3100, Fax: (202) 566-3127.
SUPPLEMENTARY INFORMATION:
Public Comment Process
HAVA requires publication of the proposed guidelines for public
comment. HAVA further mandates a public hearing about the proposed
guidelines. In addition, the guidelines must be reviewed by the EAC
Board of Advisors and the EAC Standards Board.
EAC posted the proposed guidelines on its Web site and made the
document available to the public in hardcopy and CD-ROM. Notice of the
public comment period was published in the Federal Register. Both the
Federal Register notice and the Web site provided instructions for
submitting comments on-line, as well as by e-mail, postal mail and
facsimile. EAC conducted three public hearings in the following
locations: New York City; Pasadena, California; and Denver, Colorado.
At these hearings, testimony was received from state and local election
officials, the vendor community, the testing laboratories, public
interest groups, academics, voting system experts, and members of the
general public. All comments received were posted on the EAC Web site.
The document was distributed to the Board of Advisors and the Standards
Board. Each board conducted a two-day meeting to formulate
recommendations.
Discussion of Comments
The EAC received 6,576 comments on the guidelines. Of this number,
4,300 were emails requesting that EAC require voter verifiable audit
trail capability for all electronic voting systems. The remaining 2,276
comments covered various sections of the document. Of this set, the
majority were submitted by individuals--776 comments. The next largest
number of comments (684) came from system vendors, testing
laboratories, and other corporate entities. Public interest groups
submitted 436 comments. Election and other government officials
submitted 218 comments, and 162 comments were submitted by academics.
Some comments were of a general nature that did not specifically
relate to the Guidelines document. The comments from the testing
laboratories, system vendors and other corporate entities addressed
voting system functional requirements and independent dual verification
systems. Public interest groups focused their attention predominantly
on usability and accessibility requirements for voting systems and for
voter verifiable paper audit trails. Election officials commented on a
variety of topics including accessibility, security, wireless
communications, and voter verifiable paper trails. The academic
community commented principally on security.
Volume 1, Voting System Performance Guidelines, received a total of
1,660 comments. The subject area that received the most comments was
security (471), followed by the glossary (367), usability and
accessibility (361), and voting system functional requirements (267).
Volume 2, National Certification Testing Guidelines, received a total
of 167 comments on a variety of topics: software testing (31),
documentation (24), and hardware testing (11).
Consideration of Comments
The EAC reviewed and considered each comment. In some instances,
EAC also gathered more information and performed additional research
regarding the suggestions. There were 404 comments requiring extensive
research that were forwarded to the TGDC for future consideration.
Similarly, many comments (73) dealt with election administration
and procedural matters, which fall outside the scope of the VVSG. These
comments were forwarded to EAC's Management Guidelines Working Group,
which is developing a companion document covering these topics.
Changes to VVSG
The VVSG have been enhanced in response to comments received. The
document has been reorganized and reformatted. Usability and
accessibility requirements were removed from the functional
requirements section and placed in a separate section. The glossary was
revised to clarify definitions. Information about independent
verification systems was incorporated into the security section to
provide context for the voter verifiable paper audit trail
requirements. Best Practices for Election Officials (Appendix C in the
proposed guidelines) was removed and forwarded to the Management
Guidelines Working Group for consideration.
The substantive changes made to the functional requirements section
brought the language into conformance with HAVA requirements and
clarified the technical specifications regarding environmental
standards. Many comments about this section were carried over for
future TGDC consideration because they related to complex topics such
as specific testing protocols and software coding standards.
The principal substantive changes to security requirements were as
follows: clarification of language regarding software distribution and
generation of reference information; clarification of wireless
communication discussion and requirements language; revision to VVPAT
requirements related to the topics of ``Approve or Spoil the Paper
Record,'' ``Equipment Security and Reliability,'' ``Preserve Voter
Privacy,'' and ``Electronic and Paper Record Structure.''
The most significant changes overall were on the topics of
usability and accessibility. These requirements were placed in their
own section to reflect their importance and in anticipation that they
will continue to expand over time. Usability requirements were placed
first in the new section because these requirements apply to all voting
systems. Alternative language requirements were placed under the
[[Page 18825]]
usability heading because these apply to all voting systems.
Several requirements regarding system navigation and controls were
made mandatory for usability, as well as the requirement for vendors to
conduct and document summative usability testing during system
development. Requirements for accessible voting systems, including the
use of personal assistive devices, buttons and controls, speech quality
for audio ballots, limited dexterity accessibility, and voter
verifiable paper audit trail accessibility were changed from permissive
to mandatory. In addition, summative accessibility testing and
documentation by vendors was made mandatory. A complete discussion of
how comments to the VVSG were handled can be found on the EAC Web site
at http://www.eac.gov.
Effective Date
The guidelines will take effect in December 2007 (24 months), at
which time voting systems will no longer be tested against the 2002
Voting System Standards (VSS) developed by the Federal Election
Commission (FEC). However, states may decide to adopt these guidelines
before the effective date and EAC anticipates being prepared to certify
voting systems before the effective date. The effective date was
adopted to provide testing laboratories time to prepare to test to the
VVSG, give states time to change their respective laws and statutes
reflecting EAC's role in the certification process and in recognition
of efforts to develop voting systems that will meet the requirements of
the VVSG.
Thomas R. Wilkey,
Executive Director, U.S. Election Assistance Commission.
Voluntary Voting System Guidelines
Table of Contents
Volume I Voting System Performance Guidelines
Overview Voluntary Voting System Guidelines Overview
Section 1 Introduction
Section 2 Functional Requirements
Section 3 Usability and Accessibility Requirements
Section 4 Hardware Requirements
Section 5 Software Requirements
Section 6 Telecommunications Requirements
Section 7 Security Requirements
Section 8 Quality Assurance Requirements
Section 9 Configuration Management Requirements
Appendix A Glossary
Appendix B References
Appendix C Independent Verification Systems
Appendix D Technical Guidance for Color, Contrast, and Text Size
Volume II National Certification Testing Guidelines
Overview Voluntary Voting System Guidelines Overview
Section 1 Introduction
Section 2 Description of the Technical Data Package
Section 3 Functionality Testing
Section 4 Hardware Testing
Section 5 Software Testing
Section 6 System Integration Testing
Section 7 Quality Assurance Testing
Appendix A National Certification Test Plan
Appendix B National Certification Test Report
Appendix C National Certification Test Design Criteria
Voluntary Voting System Guidelines
Volume I
Voting System Performance Guidelines
Voluntary Voting System Guidelines Overview
Table of Contents
Voluntary Voting System Guidelines Overview
Purpose and Scope of the Guidelines
Effective Date
Summary of Changes
Volume I: Voting System Performance Guidelines Summary
Volume II: National Certification Testing Guidelines Summary
Guide to Section Locations
Voluntary Voting System Guidelines Overview
The United States Congress passed the Help America Vote Act of 2002
(HAVA) to modernize the administration of federal elections, marking
the first time in our nation's history that the federal government has
funded an election reform effort. HAVA provides federal funding to help
the states meet the law's uniform and non-discretionary administrative
requirements, which include the following new programs and procedures:
(1) Provisional voting, (2) voting information, (3) statewide voter
registration lists and identification requirements for first-time
registrants, (4) administrative complaint procedures, and (5) updated
and upgraded voting equipment.
HAVA also established the U.S. Election Assistance Commission (EAC)
to administer the federal funding and to provide guidance to the states
in their efforts to comply with the HAVA administrative requirements.
Section 202 directs the EAC to adopt voluntary voting system
guidelines, and to provide for the testing, certification,
decertification, and recertification of voting system hardware and
software. The purpose of the guidelines is to provide a set of
specifications and requirements against which voting systems can be
tested to determine if they provide all the basic functionality,
accessibility, and security capabilities required of voting systems.
This document, the Voluntary Voting System Guidelines (referred to
herein as the Guidelines and/or VVSG), is the third iteration of
national level voting system standards that has been developed. The
Federal Election Commission published the Performance and Test
Standards for Punchcard, Marksense and Direct Recording Electronic
Voting Systems in 1990. This was followed by the Voting Systems
Standards in 2002.
As required by HAVA, the EAC formed the Technical Guidelines
Development Committee (TGDC) to develop an initial set of
recommendations for the Guidelines. This committee of 15 experts began
their work in July 2004 and submitted their recommendations to the EAC
in the 9-month timeline prescribed by HAVA. The TGDC was provided with
technical support by the National Institute of Standards and
Technology (NIST), which was given nearly $3 million by the EAC
to complete this work.
The EAC reviewed and revised the TGDC recommendations and, as
required by HAVA, published the proposed Guidelines for a 90-day public
comment period. The document was also provided to both the Board of
Advisors and the Standards Board for their review and comment. During
the comment period the EAC conducted 3 public hearings on the
Guidelines in New York City, Pasadena and Denver. Over 6000 comments
were received from the public and the Boards. Each of these comments
was reviewed and considered by the EAC in consultation with NIST in the
development of this final version.
Purpose and Scope of the Guidelines
The purpose of the Voluntary Voting System Guidelines is to provide
a set of specifications and requirements against which voting systems
can be tested to determine if they provide all the basic functionality,
accessibility and security capabilities required to ensure the
integrity of voting systems. The VVSG specifies the functional
requirements, performance characteristics, documentation requirements,
and test evaluation criteria for the national certification of voting
systems. The VVSG is composed of two volumes: Volume I, Voting System
Performance Guidelines and Volume II, National Certification Testing
Guidelines.
[[Page 18826]]
Effective Date
The 2005 Voluntary Voting System Guidelines will take effect 24
months after their final adoption in December 2005 by the EAC. At that
time, all new systems submitted for national certification will be
tested for conformance with these guidelines. In addition, if a
modification to a system qualified or certified to a previous standard
is submitted for national certification after this date, every
component of the modified system will be tested against the 2005 VVSG.
All previous versions of national standards will become obsolete at
this time. This effective date provision does not have any impact on
the mandatory January 1, 2006, deadline for states to comply with the
HAVA Section 301 requirements.
Summary of Changes
Volume I of the Guidelines, entitled Voting System Performance
Guidelines, includes new requirements for usability, accessibility,
voting system software distribution, generation of software reference
information, validation of software during voting system setup, and the
use of wireless communications. System functional requirements have
been revised to comply with HAVA Section 301 requirements.
Environmental criteria have been updated. This volume also includes
requirements for a voter verifiable paper audit trail component for
direct-recording electronic voting systems for use by states that
require this feature. In addition, this volume includes an updated
glossary and a conformance clause.
Volume II of the Guidelines, entitled National Certification
Testing Guidelines, has been revised to reflect the new EAC process for
national certification of voting systems. This process was initiated in
2005 and replaces the voting system qualification process conducted by
the National Association of State Election Directors (NASED) since
1994. In addition, revisions have been made to the testing procedures
to reflect new requirements for the conduct of usability and
accessibility testing. Volume II also includes an updated appendix on
procedures for testing system error rates. Terminology in both volumes
has been revised to reflect new terminology introduced by HAVA.
Volume I: Voting System Performance Guidelines Summary
Volume I, the Voting System Performance Guidelines, describes the
requirements for the electronic components of voting systems. It is
intended for use by the broadest audience, including voting system
developers, manufacturers and suppliers; voting system testing labs;
state organizations that certify systems prior to procurement; state
and local election officials who procure and deploy voting systems; and
public interest organizations that have an interest in voting systems
and voting system standards. It contains the following sections:
Section 1 describes the purpose and scope of the Voting System
Performance Guidelines.
Section 2 describes the functional capabilities required of voting
systems. This section has been revised to reflect HAVA Section 301
requirements.
Section 3 describes new standards that make voting systems more
usable and accessible for as many eligible citizens as possible,
whatever their physical abilities, language skills, or experience with
technology. This section reflects the HAVA 301 (a)(3) accessibility
requirements.
Sections 4 through 6 describe specific performance standards for
election system hardware, software, telecommunications, and security.
Environmental criteria have been updated in Section 4.
Section 7 describes voting system security requirements and
includes new requirements for voting system software distribution,
generation of software reference information, validation of software
during system setup, and the use of wireless. It also includes
requirements for voter verifiable paper audit trail components for
direct-recording electronic voting systems.
Sections 8 and 9 describe requirements for vendor quality assurance
and configuration management practices and the documentation about
these practices required for the EAC certification process.
Appendix A contains a glossary of terms.
Appendix B provides a list of related standards documents
incorporated into the Guidelines by reference, documents used in the
preparation of the Guidelines, and referenced legislation.
Appendix C presents an introductory discussion of independent
verification systems as a potential concept for future voting system
security design.
Appendix D contains technical guidance on color, contrast and text
size adjustment for individuals with low vision or color blindness.
Volume II: National Certification Testing Guidelines Summary
Volume II, the National Certification Testing Guidelines, is a
complementary document to Volume I. Volume II provides an overview and
specific detail of the national certification testing process, which is
performed by independent voting system test labs accredited by the EAC.
It is intended principally for use by vendors, test labs, and election
officials who certify, procure, and accept voting systems. This volume
contains the following sections:
Section 1 describes the purpose of the National Certification
Testing Guidelines.
Section 2 provides a description of the Technical Data Package that
vendors are required to submit with their system for certification
testing.
Section 3 describes the basic functionality testing requirements.
Sections 4 through 6 define the requirements for hardware, software
and system integration testing. Section 6 has been revised to reflect
new requirements for usability and accessibility testing.
Section 7 describes the required examination of vendor quality
assurance and configuration management practices.
Appendix A provides the requirements for the National Certification
Test Plan that is prepared by the voting system test lab and provided
to the EAC for review.
Appendix B describes the scope and content of the National
Certification Test Report which is prepared by the test lab and
delivered to the EAC along with a recommendation for certification.
Appendix C describes the guiding principles used to design the
voting system certification testing process. It also contains a revised
section on testing system error rates.
Volume I: Voting System Performance Guidelines
Guide to Section Locations
Section 1: Introduction
Section 2: Functional Requirements
Section 3: Usability and Accessibility Requirements
Section 4: Hardware Requirements
Section 5: Software Requirements
Section 6: Telecommunications Requirements
Section 7: Security Requirements
Section 8: Quality Assurance Requirements
Section 9: Configuration Management Requirements
Appendix A: Glossary
Appendix B: References
Appendix C: Independent Verification Systems
Appendix D: Technical Guidance for Color, Contrast, and Text Size
[[Page 18827]]
1 Introduction
Table of Contents
1 Introduction
1.1 Purpose and Scope of the Voluntary Voting System Guidelines
1.2 Use of the Voluntary Voting System Guidelines
1.3 Evolution of Voting System Standards
1.3.1 Federal Election Commission
1.3.2 Election Assistance Commission
1.4 Overview of Voting System Testing
1.4.1 The National Certification Program for Voting Systems
1.4.2 State Certification Testing
1.4.3 Acceptance Testing
1.5 Definitions, References, and Types of Voting Systems
1.5.1 Definitions and References
1.5.2 Types of Voting Systems
1.5.2.1 Paper-Based Voting System
1.5.2.2 Direct-Recording Electronic Voting System
1.5.2.3 Public Network Direct-Recording Electronic Voting System
1.5.2.4 Precinct Count Voting System
1.5.2.5 Central Count Voting System
1.6 Conformance Clause
1.6.1 Scope and Applicability
1.6.2 Conformance Framework
1.6.2.1 Applicable Entities
1.6.2.2 Relationships Among Entities
1.6.3 Structure of Requirements
1.6.3.1 Conformance Language
1.6.3.2 Categorizing Requirements
1.6.3.3 Extensions
1.6.4 Implementation Statement
1.7 Effective Date
1 Introduction
1.1 Purpose and Scope of the Voluntary Voting System Guidelines
The purpose of the Voluntary Voting System Guidelines (VVSG or the
Guidelines) is to provide a set of specifications and requirements
against which voting systems can be tested to determine if they provide
all the basic functionality, accessibility, and security capabilities
required of voting systems. The VVSG specifies the functional
requirements, performance characteristics, documentation requirements,
and test evaluation criteria for the national certification of voting
systems. To the extent possible, these requirements and specifications
are described so they can be assessed by a series of defined, objective
tests. The VVSG is composed of two volumes: Volume 1, Voting System
Performance Guidelines; and Volume 2, National Certification Testing
Guidelines.
The VVSG is one of several inter-related EAC promulgated guidelines
and programs concerned with maintaining the reliability and security of
voting systems and the integrity of the overall election process. The
performance of national certification testing of voting systems is
restricted to testing labs that have been formally accredited to be
technically competent to evaluate systems for conformance to the Voting
System Performance Guidelines. The National Association of State
Election Directors (NASED) initiated the independent testing authority
accreditation program for test labs in 1994, applying the standards and
procedures in NASED Program Handbook 9201 (Revision A). With the
passage of the Help America Vote Act (HAVA), this responsibility
transitioned to the Election Assistance Commission (EAC) with support
from the National Voluntary Laboratory Accreditation Program (NVLAP).
This program is operated by the National Institute of Standards and
Technology (NIST), applying the standards and procedures in NIST
Handbook 150-22, NVLAP Voting System Testing.
The VVSG and the test lab accreditation process are essential
components of the EAC National Certification Program for voting
systems. This program applies the standards and procedures documented
in the EAC voting system certification manual. HAVA Section 231 charges
EAC with providing for the certification, decertification and
recertification of voting systems. Under this program national
certification is just the first step of the life cycle process of
maintaining the reliability and security of the voting systems used in
the nation's elections. To carry out this mandate, the EAC program will
include monitoring of voting system performance through incident
reporting by election officials and others. The certification program
will maintain information on the quality assurance practices associated
with the development and manufacturing of voting systems. When a system
has successfully completed the certification process, the EAC program
requires a copy of the certified voting system software to be provided
to the National Software Reference Library operated by NIST. This will
enable election officials to validate that the software received by
their jurisdictions is the same as the certified version.
The VVSG notes the need for appropriate procedures to complement
and supplement the technical requirements for voting system
performance. It is well known that deficiencies in election management
and administration procedures can have just as much impact on the
enfranchisement of voters and the outcome of elections as the
functioning of the voting machines. The overall integrity of the
election process depends on both of these elements working together.
EAC and NASED have instituted a multi-year effort to develop a
comprehensive set of election management guidelines that will
complement the technical system guidelines, as well as cover other
elements of the election process.
Except as noted below, Volume I of the Guidelines applies to all
system hardware, software, telecommunications, and documentation
intended for use to:
- Prepare the voting system for use in an election
- Produce the appropriate ballot formats
- Test that the voting system and ballot materials have been
  properly prepared and are ready for use
- Record and count votes
- Consolidate and report election results
- Display results on-site or remotely
- Produce and maintain comprehensive audit trail data
Some voting systems use one or more commercial off-the-shelf (COTS)
devices (such as card readers, printers, and personal computers) or
software products (such as operating systems, programming language
compilers, and database management systems). These devices and products
are exempt from certain portions of system certification testing, as
long as they are not modified for use in the voting system.
Volume 2 describes the testing process to provide a documented
independent verification by an accredited testing laboratory that a
voting system has been demonstrated to conform to the Volume 1
requirements and therefore should receive national certification. It
provides the specific detail about the testing process and
documentation requirements required to support the national
certification program.
1.2 Use of the Voluntary Voting System Guidelines
The Guidelines are intended for use by multiple audiences to
support their respective roles in the development, testing, and
acquisition of voting systems:
- The accredited testing laboratories who use this information to
  develop test plans and procedures for the analysis and testing of
  systems in support of the national certification testing process
- State and local election officials who are evaluating voting
  systems for potential use in their jurisdictions
- Voting system designers and manufacturers who need to ensure that
  their products fulfill all these requirements so they can be
  certified
[[Page 18828]]
1.3 Evolution of Voting System Standards
1.3.1 Federal Election Commission
The first voting system standards were issued in January 1990, by
the Federal Election Commission (FEC). This document included
performance standards and testing procedures for Punchcard, Marksense,
and Direct-Recording Electronic (DRE) voting systems. These standards
did not cover paper ballot and mechanical lever systems because paper
ballots are sufficiently self-explanatory not to require technical
standards and mechanical lever systems are no longer manufactured or
sold in the United States. The FEC also did not incorporate
requirements for mainframe computer hardware because it was reasonable
to assume that sufficient engineering and performance criteria already
governed the operation of mainframe computers. However, vote tally
software installed on mainframes was covered.
A national testing effort was initiated by NASED in 1994. As the
system qualification process matured and qualified systems were used in
the field, the NASED Voting Systems Board, in consultation with the
testing labs, identified certain testing issues that needed to be
resolved. Moreover, rapid advancements in information and personal
computer technologies introduced new voting system development and
implementation scenarios not contemplated by the 1990 Standards.
In 1997, NASED briefed the FEC on the importance of keeping the
Standards up to date. Following a requirements analysis completed in
1999, the FEC initiated an effort to revise the 1990 Standards to
reflect the evolving needs of the elections community. This resulted in
the 2002 Voting Systems Standards.
Voters and election officials who use voting systems represent a
broad spectrum of the population, and include individuals with
disabilities who may have difficulty using traditional voting systems.
In developing accessibility provisions for the 2002 Voting System
Standards, the FEC requested assistance from the Access Board, the
federal agency in the forefront of promulgating accessibility
provisions. The Access Board submitted technical standards to meet the
diverse needs of voters with a broad range of disabilities. The FEC
adopted the entirety of the Access Board's recommendations and
incorporated them into the 2002 Voting Systems Standards.
1.3.2 Election Assistance Commission
In 2002, Congress passed the Help America Vote Act, which
established the U.S. Election Assistance Commission (EAC). EAC was
mandated to develop and adopt new voluntary voting system guidelines
and to provide for the testing, certification, and decertification of
voting systems. HAVA also established the Technical Guidelines
Development Committee (TGDC) with the duty of assisting the EAC in the
development of the new guidelines. The Director of NIST chairs the
TGDC, and NIST was tasked to provide technical support to their work.
The TGDC delivered their initial set of recommendations to the EAC in
May, 2005.
The TGDC built on the foundation of the 2002 Voting Systems
Standards and the accessibility provisions of HAVA to expand
requirements for voting system usability and accessibility. HAVA
mandates that voting systems shall be accessible for individuals with
disabilities in a manner that provides the same opportunity for access
and participation (including privacy and independence) as for other
voters. To facilitate the ability of jurisdictions to meet these
requirements, HAVA allows for the use of at least one direct-recording
electronic or other voting system equipped for individuals with
disabilities at each polling place. Implementing this provision,
however, will not entirely eliminate the necessity of accommodating the
needs of some disabled voters by human assistance, given the
limitations of current technology.
The 2005 VVSG is the culmination of sixteen months of effort by the
TGDC, NIST and the EAC. There is still much to be done to further
develop the technical guidelines for voting system performance,
accessibility and usability features, and security. Further work is
also needed for the specification of comprehensive standard test suites
for certification testing, to include testing for usability and
accessibility features and expanded security testing.
1.4 Overview of Voting System Testing
1.4.1 The National Certification Program for Voting Systems
The purpose of the national certification program is to validate
and document, through an independent testing process, that voting
systems meet the requirements set forth in VVSG Volume 1--Voting System
Performance Guidelines, and perform according to the vendor's
specifications for the system. Volume 1 specifies the minimum
functional requirements, performance characteristics, documentation
requirements, and test evaluation criteria that voting systems must
meet in order to receive national certification. At the time of VVSG
2005 publication, 39 states either require national certification or
utilize the national standards when certifying voting systems.
National certification testing can only be performed by testing
labs that have been accredited for demonstrated technical competence to
test voting systems using these Guidelines. Volume 2 of the VVSG--
National Certification Testing Guidelines--provides guidance on the
testing process and describes the associated documentation
requirements. These tests encompass the examination of software; the
inspection and evaluation of system documentation; tests of hardware
under conditions simulating the intended storage, operation,
transportation, and maintenance environments; operational tests to
validate system performance and function under normal and abnormal
conditions; and examination of the vendor's system development,
testing, quality assurance, and configuration management practices.
Certification tests address individual system components or elements,
as well as the integrated system as a whole.
Since 1994, testing of voting systems has been performed by
Independent Test Authorities (ITAs) certified by NASED. Upon the
successful completion of testing, the ITA issued a Qualification Test
Report to the vendor and NASED. The Technical Committee of the NASED
Voting Systems Board would review the test report and, if satisfactory,
issue a Qualification Number. The Qualification Number remains valid
for as long as the voting system remains unchanged.
HAVA mandated that the certification testing process be transferred
from NASED to EAC. National certification testing complements and
evaluates the vendor's developmental testing and beta testing. The test
lab is expected to evaluate the completeness of the vendor's
developmental test program, including the sufficiency of vendor tests
conducted to demonstrate compliance with the Guidelines as well as the
system's performance specifications. The test lab undertakes sample
testing of the vendor's test modules and also designs independent
system-level tests to supplement and check those designed by the
vendor. Although some of the certification tests are based on those
prescribed in the Military Standards, in most cases the test conditions
are less stringent, reflecting commercial, rather than military,
practice.
Upon review of test reports and a determination that satisfactory
results were achieved that address the full scope of testing, EAC will
issue a certification number that indicates the system has successfully
completed testing by an accredited test lab for compliance with the
Guidelines. The certification number applies to the system as a whole
and does not apply to individual system components or untested
configurations.
After a system has completed initial certification testing, further
examination of the system is required if modifications are made to
hardware, software, or telecommunications, including the installation
of software on different hardware. Vendors request review of
modifications by the test lab based on the nature and scope of changes
made. The test lab will assess whether the modified system should be
resubmitted for certification testing and the extent of testing to be
conducted, and then it will provide an appropriate recommendation to
the EAC and the vendor.
Generally, a voting system remains certified under the standards
against which it was tested as long as no modifications requiring
recertification have been made to the system. However, if a new threat
to a particular voting system is discovered, it is the prerogative of
EAC to determine which certified voting systems are vulnerable, whether
those systems need to be retested, and the specific tests to be
conducted. In addition, when new requirements supersede the
requirements under which the system was certified, it is the
prerogative of EAC to determine when systems that were certified under
the earlier requirements will need to be re-tested to meet current
guidelines.
1.4.2 State Certification Testing
State certification tests are performed by individual states, with
or without the assistance of outside consultants, to:
  - Confirm that the voting system presented is the same as the one
    certified under the Guidelines
  - Test for the proper implementation of state-specific requirements
  - Establish a baseline for future evaluations or tests of the system,
    such as acceptance testing or state review after modifications have
    been made
  - Define acceptance tests
State certification test scripts are not included in the
Guidelines, as they must be defined by the state, with its laws,
election practices, and needs in mind. However, it is recommended that
they not duplicate the national certification tests, but instead focus
on functional tests and qualitative assessment to ensure that the
system operates in a manner that is acceptable under state law. If a
voting system is modified after state certification is completed, it is
recommended that states reevaluate the system to determine if further
certification testing is warranted.
Certification tests performed by individual states typically rely
on information contained in documentation provided by the vendor for
system design, installation, operations, required facilities and
supplies, personnel support and other aspects of the voting system.
States and jurisdictions may define information and documentation
requirements additional to those defined in the Guidelines. By design,
the Guidelines do not address these additional requirements. However,
national certification testing will address all the capabilities of a
voting system stated by the vendor in the system documentation
submitted with the testing application to the EAC, including additional
capabilities that are not required by the states.
1.4.3 Acceptance Testing
Acceptance tests are performed at the state or local jurisdiction
level upon system delivery by the vendor to:
  - Confirm that the system delivered is the specific system certified
    by EAC and, when applicable, certified by the state
  - Evaluate the degree to which delivered units conform to both the
    system characteristics specified in the procurement documentation,
    and those demonstrated in the national and state certification
    tests
  - Establish a baseline for any future required audits of the system
Some of the operational tests conducted during certification may be
repeated during acceptance testing.
1.5 Definitions, References, and Types of Voting Systems
1.5.1 Definitions and References
The Guidelines contain terms describing function, design,
documentation, and testing attributes of voting system hardware,
software and telecommunications. Unless otherwise specified, the
intended sense of technical terms is that which is commonly used by the
information technology industry. In some cases terminology is specific
to elections or voting systems. A glossary of terms is contained in
Appendix A. Non-technical terms not listed in Appendix A shall be
interpreted according to their standard dictionary definitions.
There are a number of technical standards that are incorporated in
the Guidelines by reference. These are referred to by title in the body
of the document. The full citations for these publications are provided
in Appendix B. In addition, this appendix includes other references
that may be useful for understanding and interpretation.
1.5.2 Types of Voting Systems
HAVA Section 301 defines a voting system as the total combination
of mechanical, electromechanical, or electronic equipment (including
the software, firmware, and documentation required to program, control,
and support the equipment), that is used to define ballots; to cast and
count votes; to report or display election results; and to maintain and
produce any audit trail information. In addition, a voting system
includes the practices and associated documentation used to identify
system components and versions of such components; to test the system
during its development and maintenance; to maintain records of system
errors and defects; to determine specific system changes made after
initial certification; and to make available any materials to the voter
(such as notices, instructions, forms, or paper ballots).
Traditionally, a voting system has been defined by the mechanism
the system uses to cast votes and further categorized by the location
where the system tabulates ballots. In addition to defining a common
set of requirements that apply to all voting systems, the VVSG states
requirements specific to a particular type of voting system, where
appropriate. However, the Guidelines recognize that as the industry
develops new solutions and the technology continues to evolve, the
distinctions between voting system types may become blurred. The fact
that the VVSG refers to specific system types is not intended to stifle
innovations that may be based on a more fluid understanding of system
types. However, appropriate procedures must be in place to ensure new
developments provide the necessary integrity and can be properly
evaluated in the certification process.
Consequently, vendors that submit a system that integrates
components from more than one traditional system type or a system that
includes components or technology not addressed in the Guidelines shall
submit the results of all beta tests of the new system when applying
for national certification. Vendors shall also submit a proposed test
plan to the EAC for use in national certification testing. The
Guidelines permit vendors to produce or utilize
interoperable components of a voting system that are tested within the
full voting system configuration.
The listing below summarizes the functional requirements that HAVA
Section 301 mandates to assist voters. While these requirements may be
implemented in a different manner for different types of voting
systems, all types of voting systems must provide these capabilities:
  - Permit the voter to verify (in a private and independent manner)
    the vote selected by the voter on the ballot before the ballot is
    cast and counted
  - Provide the voter with the opportunity (in a private and
    independent manner) to change the ballot or correct any error
    before the ballot is cast and counted
  - Notify the voter if he or she has selected more than one candidate
    for a single office, inform the voter of the effect of casting
    multiple votes for a single office, and provide the voter an
    opportunity to correct the ballot before it is cast and counted
  - Be accessible for individuals with disabilities in a manner that
    provides the same opportunity for access and participation
    (including privacy and independence) as for other voters
  - Provide alternative language accessibility pursuant to Section 203
    of the Voting Rights Act
1.5.2.1 Paper-Based Voting System
A paper-based voting system records votes, counts votes, and produces a
tabulation of the vote count from votes cast on paper cards or sheets.
A marksense (also known as optical scan) voting system allows a voter
to record votes by making marks directly on the ballot, usually in
voting response locations. Additionally, a paper-based system may allow
for the voter's selections to be indicated by marks made on a paper
ballot by an electronic input device, as long as such an input device
does not independently record, store, or tabulate the voter selections.
1.5.2.2 Direct-Recording Electronic Voting System
A direct-recording electronic (DRE) voting system records votes by
means of a ballot display provided with mechanical or electro-optical
components that can be activated by the voter; that processes data by
means of a computer program; and that records voting data and ballot
images in memory components. It produces a tabulation of the voting
data stored in a removable memory component and as printed copy. The
system may also provide a means for transmitting individual ballots or
vote totals to a central location for consolidating and reporting
results from precincts at the central location.
1.5.2.3 Public Network Direct-Recording Electronic Voting System
A public network DRE voting system is an election system that uses
electronic ballots and transmits vote data from the polling place to
another location over a public network. Vote data may be transmitted as
individual ballots as they are cast, periodically as batches of ballots
throughout the election day, or as one batch at the close of voting.
For purposes of the Guidelines, public network DRE voting systems are
considered a form of DRE voting system and are subject to the standards
applicable to DRE voting systems. However, because transmitting vote
data over public networks relies on equipment beyond the control of the
election authority, the system is subject to additional threats to
system integrity and availability. Therefore, additional requirements
are applied to provide appropriate security for data transmission.
The use of public networks for transmitting vote data must provide
the same level of integrity as other forms of voting systems, and must
be accomplished in a manner that precludes three risks to the election
process: automated casting of fraudulent votes, automated manipulation
of vote counts, and disruption of the voting process such that the
system is unavailable to voters during the time period authorized for
system use.
1.5.2.4 Precinct Count Voting System
A precinct count voting system is a voting system that tabulates
ballots at the polling place. These systems typically tabulate ballots
as they are cast and print the results after the close of polling. For
DREs and some paper-based systems these systems provide electronic
storage of the vote count and may transmit results to a central
location over public telecommunication networks.
1.5.2.5 Central Count Voting System
A central count voting system is a voting system that tabulates
ballots from multiple precincts at a central location. Voted ballots
are typically placed into secure storage at the polling place. Stored
ballots are transported or transmitted to a central counting location.
The system produces a printed report of the vote count, and may produce
a report stored on electronic media.
1.6 Conformance Clause
1.6.1 Scope and Applicability
The Voluntary Voting System Guidelines define requirements for
conformance of voting systems that voting system vendors shall meet.
The Guidelines also provide the framework, procedures, and requirements
that testing labs responsible for the certification testing of voting
systems shall follow. The requirements and procedures in the Guidelines
may also be used by states to certify voting systems. To ensure that
correct voting system software has been distributed without
modification, the Guidelines include requirements for certified voting
system software to be deposited in a national software repository. This
provides an independent means for election officials to verify the
software they purchase.
The Guidelines define the minimum requirements for voting systems
and the process of testing voting systems. The guidelines are intended
for use by:
  - Designers and manufacturers of voting systems
  - Test labs performing the analysis and testing of voting systems in
    support of the EAC national certification process
  - Software repositories designated by EAC or by a state
  - Election officials, including ballot designers and officials
    responsible for the installation, operation, and maintenance of
    voting machines
  - Test labs and consultants performing the state certification of
    voting systems
Minimum requirements specified in these guidelines include:
  - Functional capabilities
  - Performance characteristics, including security
  - Documentation
  - Test evaluation criteria
1.6.2 Conformance Framework
This section provides the framework in which conformance is
defined. It identifies the entities to which these guidelines apply,
the relationships among the various entities, the structure of the
requirements, and the terminology used to indicate conformance.
1.6.2.1 Applicable Entities
The requirements, prohibitions, options, and guidance specified in
these guidelines apply to voting systems, voting system vendors, test
labs, and software repositories. In general, requirements for voting
systems in these guidelines apply to all types of voting systems,
unless prefaced with explanatory narrative that applicability is
limited to a specific type of system.
Other terms in these guidelines shall be construed as synonymous with
``voting systems.'' They are: ``systems'', ``the system'', ``the voting
system'', and ``each voting system.''
The term ``voting system vendor'' imposes documentation or testing
requirements for the manufacturer or vendor. Other terms in these
guidelines shall be construed as synonymous with ``voting system
vendor.'' They are: ``vendors'', ``the vendor'', ``manufacturer or
vendor'', ``voting system designers'', and ``implementer''.
The terms used to designate requirements and procedural guidelines
for national certification testing laboratories are indicated by
referring to ``testing authorities'', ``test labs'', and ``accredited
test labs''. The term ``repository'' will be used to designate
requirements levied on the National Software Reference Library
repository maintained at NIST or any other designated repository.
1.6.2.2 Relationships Among Entities
It is the voting system vendor that needs to implement these
requirements and provide the necessary documentation for the system. In
order to claim conformance to the Guidelines, the voting system vendor
shall satisfy the specified requirements, including implementation of
functionality, prescribed software coding and assurance practices, and
preparation of the Technical Data Package. The voting system vendor
shall successfully complete the prescribed test campaign with an EAC
accredited test lab.
The accredited test lab shall satisfy the requirements for
conducting certification testing. The test lab may use an operational
environment emulating that used by election officials as part of their
testing to ensure that the voting system can be configured and operated
in a secure and reliable manner according to the vendor's documentation
and as specified by the Guidelines. The test lab shall coordinate and
deliver the requisite documentation and test report to the EAC for
review. Upon issuance of a certification number by the EAC, the test
lab shall deposit a copy of the certified voting system software with
the National Software Reference Library.
The EAC shall review the test results and associated documentation
and make a determination that all requirements have been appropriately
tested and the test results are acceptable. The EAC will issue a
national certification number that indicates conformance of the
specified system with these Guidelines.
The National Software Reference Library (NSRL) shall create a
digital signature of the voting system software provided by the test
lab. This information will be posted to a website so election officials
can compare the digital signature of the software provided to them by
the voting system vendor with this certified reference. The NSRL shall
maintain this reference information until notified by the EAC that it
can be archived.
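The comparison described above, as an added example (not part of the Guidelines and not NSRL or EAC tooling). It uses per-file SHA-256 digests as a stand-in for the "digital signature" the text mentions; the manifest layout, file names and function names are hypothetical, and the sample files are constructed.

```python
import hashlib
import os
import tempfile


def digest_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path, '/' separators) to its digest.

    Symbolic links are recorded by target and never followed, so a link that
    points outside the software tree shows up as a difference.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                manifest[rel] = "symlink->" + os.readlink(full)
            elif os.path.isfile(full):
                manifest[rel] = digest_file(full)
    return manifest


def compare(reference, delivered):
    """Report files that are missing, unexpected, or different from the reference."""
    ref_keys, got_keys = set(reference), set(delivered)
    return {
        "missing": sorted(ref_keys - got_keys),
        "unexpected": sorted(got_keys - ref_keys),
        "modified": sorted(p for p in ref_keys & got_keys
                           if reference[p] != delivered[p]),
    }


def matches_reference(report):
    """True only when nothing is missing, unexpected, or modified."""
    return not any(report.values())


def demo():
    """Build a constructed 'certified' tree and a delivered copy, then alter the copy."""
    files = {  # constructed sample content, not real voting system software
        "bin/tabulator.bin": b"\x7fTABULATOR v1.0",
        "conf/ballot.cfg": b"precinct_count=1\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        certified = os.path.join(tmp, "certified")
        delivered = os.path.join(tmp, "delivered")
        for root in (certified, delivered):
            for rel, data in files.items():
                path = os.path.join(root, *rel.split("/"))
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
        reference = build_manifest(certified)
        clean = compare(reference, build_manifest(delivered))

        # One appended byte, one removed file, one added file.
        with open(os.path.join(delivered, "bin", "tabulator.bin"), "ab") as fh:
            fh.write(b"\x00")
        os.remove(os.path.join(delivered, "conf", "ballot.cfg"))
        with open(os.path.join(delivered, "bin", "helper.dll"), "wb") as fh:
            fh.write(b"extra")
        changed = compare(reference, build_manifest(delivered))
        return clean, changed


if __name__ == "__main__":
    for label, report in zip(("unaltered copy", "altered copy"), demo()):
        print(label, "matches" if matches_reference(report) else report)
```

A comparison of this kind is only as trustworthy as the channel the reference values arrive over, so the reference must be obtained independently of the vendor delivery being checked.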
1.6.3 Structure of Requirements
Each voting system requirement in Volume I is identified according
to a hierarchical scheme in which higher-level requirements (such as
``provide accessibility for visually impaired voters'') are supported
by lower-level requirements (e.g., ``provide an audio-tactile
interface''). Thus, requirements are nested. When the nesting hierarchy
has reached four levels (i.e., 1.1.1.1), further nested requirements
are designated with lowercase letters, then roman numerals. Therefore,
all requirements are traceable by a distinct reference.
Some requirements are directly testable and some are not. The
latter tend to be higher-level and are included because (1) they are
testable indirectly insofar as their lower-level requirements are
testable, and (2) they often provide the structure and rationale for
the lower-level requirements. Satisfying the lower-level requirements
will result in satisfying the higher-level requirement.
1.6.3.1 Conformance Language
The following keywords are used to convey conformance requirements:
  - Shall--indicates a mandatory requirement in order to conform.
    Synonymous with ``is required to.''
  - Is prohibited--indicates a mandatory requirement that indicates
    something that is not permitted (allowed) in order to conform.
    Synonymous with ``shall not.''
  - Should, is encouraged--indicates an optional recommended action,
    one that is particularly suitable, without mentioning or excluding
    others. Synonymous with ``is permitted and recommended.''
  - May--indicates an optional, permissible action. Synonymous with
    ``is permitted.''
Informative parts of this document include examples, extended
explanations, and other matter that contain information necessary for
proper understanding of the Guidelines and conformance to it.
1.6.3.2 Categorizing Requirements
The Guidelines set forth a common set of requirements for national
certification that apply to all types of electronic voting systems.
They also provide requirements that are applicable for particular
circumstances, such as alternative language capability or disability
accessibility. The requirements implementing the HAVA Section 301(a)
mandates, except for disability accessibility, must be met by all
voting systems. The alternative language capability mandated by Section
301(a)(4) must be met by all systems intended for use in jurisdictions
subject to Section 203 of the Voting Rights Act. The Section 301(a)(3)
disability accessibility requirements must be met by all systems
intended to fulfill the one per polling place disability equipped
voting system provision of Section 301(a)(3)(B).
In addition, the Guidelines categorize some requirements into
related groups of functionality to address equipment type, ballot
tabulation location, and voting system component (e.g., election
management system, voting machine). Hence, all of the requirements
contained in the Guidelines do not apply to all elements of all voting
systems. For example, requirements categorized as applying to DRE
systems are not applicable to paper-based voting. The requirements
implementing disability accessibility are not required of all voting
systems, only by those systems the vendor designates as accessible
voting systems.
Among the categories defined in the VVSG are two types of voting
systems with respect to mechanisms to cast votes--paper-based voting
systems and DRE voting systems. Additionally, voting systems are
further categorized by the locations where ballots are tabulated--
precinct count voting systems, which tabulate ballots at the polling
place, and central count voting systems, which tabulate ballots from
multiple precincts at a central location. The Guidelines define
specific requirements for systems that fall within these four
categories as well as various combinations of these categories.
1.6.3.3 Extensions
Extensions are additional functions, features, and/or capabilities
included in a voting system that are not required by the Guidelines. To
accommodate the needs of states that may impose additional requirements
and to accommodate changes in technology, these guidelines allow
extensions. For example, the requirements for a voter verifiable paper
audit trail feature will only be applied to those systems designated by
the vendor as providing this feature. The use of extensions shall not
contradict nor cause the
nonconformance of functionality required by the Guidelines.
1.6.4 Implementation Statement
The voting system implementation statement describes the voting
system and documents the VVSG Volume 1 requirements that have been
implemented by the voting system. It can also identify optional
features and capabilities supported by the voting system, as well as
any extensions (i.e., additional functionality beyond what is required
in the guidelines). The implementation statement must include a
checklist identifying all the requirements for which a claim of
conformance is made.
The implementation statement must be submitted with the vendor's
application to the EAC for national certification testing. It must
provide a concise summary and narrative description of the voting
system's capabilities. It shall include identifying information about
the voting system, including the hardware and software components,
version number and date.
1.7 Effective Date
The Voluntary Voting System Guidelines (VVSG) shall become
effective for national certification testing 24 months after their
final adoption in December, 2005 by EAC. At that time, all new systems
submitted for national certification shall be tested for conformance
with these Guidelines. In addition, if a modification to a system
certified or qualified to a previous standard is submitted for national
certification after this date, every component of the modified system
shall be tested using these Guidelines. All previous versions of
national voting system standards will become obsolete upon this
effective date.
These Guidelines are voluntary in that each of the states can
decide whether to require the voting systems used in their state to
have a national certification. States may decide to adopt these
Guidelines in whole or in part at any time, irrespective of the
effective date. In addition, states may specify additional requirements
that voting systems in their jurisdiction must meet. The national
certification program does not in any way pre-empt the ability of the
states to have their own system certification process.
This VVSG effective date provision has no effect on the mandatory
voting system requirements prescribed in HAVA Section 301(a), which
states must comply with on or before January 1, 2006. The EAC issued
Advisory 2005-004 to assist states in determining if a voting system is
compliant with Section 301(a). This advisory is available on the EAC
Web site at http://www.eac.gov.
1 Functional Requirements
Table of Contents
2 Functional Requirements
2.1 Overall System Capabilities
2.1.1 Security
2.1.2 Accuracy
2.1.3 Error Recovery
2.1.4 Integrity
2.1.5 System Audit
2.1.5.1 Operational Requirements
2.1.5.2 Use of Shared Computing Platforms
2.1.6 Election Management System
2.1.7 Vote Tabulating Program
2.1.7.1 Functions
2.1.7.2 Voting Variations
2.1.8 Ballot Counter
2.1.9 Telecommunications
2.1.10 Data Retention
2.2 Pre-voting Capabilities
2.2.1 Ballot Preparation
2.2.1.1 General Capabilities
2.2.1.2 Ballot Formatting
2.2.1.3 Ballot Production
2.2.2 Election Programming
2.2.3 Ballot and Program Installation and Control
2.2.4 Readiness Testing
2.2.5 Verification at the Polling Place
2.2.6 Verification at the Central Location
2.3 Voting Capabilities
2.3.1 Opening the Polls
2.3.1.1 Precinct Count Systems
2.3.1.2 Paper-based System Requirements
2.3.1.3 DRE System Requirements
2.3.2 Activating the Ballot (DRE Systems)
2.3.3 Casting a Ballot
2.3.3.1 Common Requirements
2.3.3.2 Paper-based System Requirements
2.3.3.3 DRE System Requirements
2.4 Post-Voting Capabilities
2.4.1 Closing the Polls
2.4.2 Consolidating Vote Data
2.4.3 Producing Reports
2.4.4 Broadcasting Results
2.5 Maintenance, Transportation, and Storage
2 Functional Requirements
This section contains requirements detailing the functional
capabilities required of a voting system. This section sets out
precisely what a voting system is required to do. In addition, it sets
forth the minimum actions a voting system must be able to perform to be
eligible for certification.
For organizational purposes, functional capabilities are
categorized as follows by the phase of election activity in which they
are required:
2.1 Overall System Capabilities: These functional capabilities
apply throughout the election process. They include security, accuracy,
integrity, system auditability, election management system, vote
tabulation, ballot counters, telecommunications, and data retention.
2.2 Pre-voting Capabilities: These functional capabilities are used
to prepare the voting system for voting. They include ballot
preparation, the preparation of election-specific software (including
firmware), the production of ballots, the installation of ballots and
ballot counting software (including firmware), and system and equipment
tests.
2.3 Voting System Capabilities: These functional capabilities
include all operations conducted at the polling place by voters and
officials including the generation of status messages.
2.4 Post-voting Capabilities: These functional capabilities apply
after all votes have been cast. They include closing the polling place;
obtaining reports by voting machine, polling place, and precinct;
obtaining consolidated reports; and obtaining reports of audit trails.
2.5 Maintenance, Transportation and Storage Capabilities: These
capabilities are necessary to maintain, transport, and store voting
system equipment.
In recognition of the diversity of voting systems, the Guidelines
apply specific requirements to specific technologies. Some of the
guidelines apply only if the system incorporates certain optional
functions (for example, voting systems employing telecommunications to
transmit voting data). For each functional capability, common
requirements are specified. Where necessary, these are followed by
requirements applicable to specific technologies (i.e., paper-based or
DRE) or intended use (i.e., central or precinct count).
2.1 Overall System Capabilities
This section defines required functional capabilities that are
system-wide in nature and not unique to pre-voting, voting, and post-
voting operations. All voting systems shall provide the following
functional capabilities, further outlined in this section:
2.1.1 Security
2.1.2 Accuracy
2.1.3 Error Recovery
2.1.4 Integrity
2.1.5 System Audit
2.1.6 Election Management System
2.1.7 Vote Tabulating Program
2.1.8 Ballot Counter
2.1.9 Telecommunications
2.1.10 Data Retention
Voting systems may also include telecommunications components.
Technical standards for these capabilities are described in Sections 3
through 6 of the Voluntary Voting System Guidelines.
2.1.1 Security
System security is achieved through a combination of technical
capabilities and sound administrative practices. To ensure security,
all systems shall:
a. Provide security access controls that limit or detect access to
critical system components to guard against loss of system integrity,
availability, confidentiality, and accountability
b. Provide system functions that are executable only in the
intended manner and order, and only under the intended conditions
c. Use the system's control logic to prevent a system function from
executing if any preconditions to the function have not been met
d. Provide safeguards in response to system failure to protect
against tampering during system repair or interventions in system
operations
e. Provide security provisions that are compatible with the
procedures and administrative tasks involved in equipment preparation,
testing, and operation
f. Incorporate a means of implementing a capability if access to a
system function is to be restricted or controlled
g. Provide documentation of mandatory administrative procedures for
effective system security
2.1.2 Accuracy
Memory hardware, such as semiconductor devices and magnetic storage
media, must be accurate. The design of equipment in all voting systems
shall provide for the highest possible levels of protection against
mechanical, thermal, and electromagnetic stresses that impact system
accuracy. Section 4 provides additional information on susceptibility
requirements. To ensure vote accuracy, all systems shall:
a. Record the election contests, candidates, and issues exactly as
defined by election officials
b. Record the appropriate options for casting and recording votes
c. Record each vote precisely as indicated by the voter and produce
an accurate report of all votes cast
d. Include control logic and data processing methods incorporating
parity and check-sums (or equivalent error detection and correction
methods) to demonstrate that the system has been designed for accuracy
e. Provide software that monitors the overall quality of data read-
write and transfer quality status, checking the number and types of
errors that occur in any of the relevant operations on data and how
they were corrected
In addition, DRE systems shall:
f. As an additional means of ensuring accuracy in DRE systems,
voting devices shall record and retain redundant copies of the original
ballot image. A ballot image is an electronic record of all votes cast
by the voter, including undervotes.
2.1.3 Error Recovery
To recover from a non-catastrophic failure of a device, or from any
error or malfunction that is within the operator's ability to correct,
the system shall provide the following capabilities:
a. Restoration of the device to the operating condition existing
immediately prior to the error or failure, without loss or corruption
of voting data previously stored in the device
b. Resumption of normal operation following the correction of a
failure in a memory component, or in a data processing component,
including the central processing unit
c. Recovery from any other external condition that causes equipment
to become inoperable, provided that catastrophic electrical or
mechanical damage due to external phenomena has not occurred
2.1.4 Integrity
Integrity measures ensure the physical stability and function of
the vote recording and counting processes.
To ensure system integrity, all systems shall:
a. Protect against a single point of failure that would prevent
further voting at the polling place
b. Protect against the interruption of electrical power
c. Protect against generated or induced electromagnetic radiation
d. Protect against ambient temperature and humidity fluctuations
e. Protect against the failure of any data input or storage device
f. Protect against any attempt at improper data entry or retrieval
g. Record and report the date and time of normal and abnormal events
h. Maintain a permanent record of all original audit data that
cannot be modified or overridden but may be augmented by designated
authorized officials in order to adjust for errors or omissions (e.g.,
during the canvassing process)
i. Detect and record every event, including the occurrence of an
error condition that the system cannot overcome, and time-dependent or
programmed events that occur without the intervention of the voter or a
polling place operator
j. Include built-in measurement, self-test, and diagnostic software
and hardware for detecting and reporting the system's status and degree
of operability
In addition to the common requirements, DRE systems shall:
k. Maintain a record of each ballot cast using a process and
storage location that differs from the main vote detection,
interpretation, processing, and reporting path
l. Provide a capability to retrieve ballot images in a form
readable by humans
2.1.5 System Audit
This subsection describes the context and purpose of voting system
audits and sets forth specific functional requirements. Election audit
trails provide the supporting documentation for verifying the accuracy
of reported election results. They present a concrete, indestructible
archival record of all system activity related to the vote tally, and
are essential for public confidence in the accuracy of the tally, for
recounts, and for evidence in the event of criminal or civil
litigation.
These requirements are based on the premise that system-generated
creation and maintenance of audit records reduces the chance of error
associated with manually generated audit records. Because most audit
capability is automatic, the system operator has less information to
track and record, and is less likely to make mistakes or omissions. The
subsections that follow present operational requirements critical to
acceptable performance and reconstruction of an election. Requirements
for the content of audit records are described in Section 5.
The requirements for all system types, both precinct and central
count, are described in generic language. Because the actual
implementation of specific characteristics may vary from system to
system, it is the responsibility of the vendor to describe each
system's characteristics in sufficient detail so that test labs and
system users can evaluate the adequacy of the system's audit trail.
This description shall be incorporated in the System Operating Manual,
which is part of the Technical Data Package.
Documentation of items such as paper ballots delivered, paper
ballots collected, administrative procedures for system security, and
maintenance performed on voting equipment are also part of the election
audit trail, but are not covered in these technical standards. Useful
guidance is provided by the Innovations in Election Administration
10; Ballot Security and Accountability, available on the EAC's
website.
2.1.5.1 Operational Requirements
Audit records shall be prepared for all phases of election
operations performed
[[Page 18834]]
using devices controlled by the jurisdiction or its contractors. These
records rely upon automated audit data acquisition and machine-
generated reports, with manual input of some information. These records
shall address the ballot preparation and election definition phase,
system readiness tests, and voting and ballot-counting operations. The
software shall activate the logging and reporting of audit data as
described below.
a. The timing and sequence of audit record entries is as important
as the data contained in the record. All voting systems shall meet the
requirements for time, sequence and preservation of audit records
outlined below.
i. Except where noted, systems shall provide the capability to
create and maintain a real-time audit record. This capability records
and provides the operator or precinct official with continuous updates
on machine status. This information allows effective operator
identification of an error condition requiring intervention, and
contributes to the reconstruction of election-related events necessary
for recounts or litigation.
ii. All systems shall include a real-time clock as part of the
system's hardware. The system shall maintain an absolute record of the
time and date or a record relative to some event whose time and date
are known and recorded.
iii. All audit record entries shall include the time-and-date
stamp.
iv. The audit record shall be active whenever the system is in an
operating mode. This record shall be available at all times, though it
need not be continually visible.
v. The generation of audit record entries shall not be terminated
or altered by program control, or by the intervention of any person.
The physical security and integrity of the record shall be maintained
at all times.
vi. Once the system has been activated for any function, the system
shall preserve the contents of the audit record during any interruption
of power to the system until processing and data reporting have been
completed.
vii. The system shall be capable of printing a copy of the audit
record. A separate printer is not required for the audit record, and
the record may be produced on the standard system printer if all the
following conditions are met:
The generation of audit trail records does not interfere
  with the production of output reports
The entries can be identified so as to facilitate their
  recognition, segregation, and retention
The audit record entries are kept physically secure
b. All voting systems shall meet the requirements for error
messages below.
i. The voting system shall generate, store, and report to the user
all error messages as they occur.
ii. All error messages requiring intervention by an operator or
precinct official shall be displayed or printed clearly in easily
understood language text, or by means of other suitable visual
indicators.
iii. When the voting system uses numerical error codes for trained
technician maintenance or repair, the text corresponding to the code
shall be self-contained or affixed inside the voting machine. This is
intended to reduce inappropriate reactions to error conditions, and to
allow for ready and effective problem correction.
iv. All error messages for which correction impacts vote recording
or vote processing shall be written in a manner that is understandable
to an election official who possesses training on system use and
operation, but does not possess technical training on system servicing
and repair.
v. The message cue for all voting systems shall clearly state the
action to be performed in the event that voter or operator response is
required.
vi. Voting system design shall ensure that erroneous responses will
not lead to irreversible error.
vii. Nested error conditions shall be corrected in a controlled
sequence such that voting system status shall be restored to the
initial state existing before the first error occurred.
c. The Guidelines provide latitude in software design so that
vendors can consider various user processing and reporting needs. The
jurisdiction may require some status and information messages to be
displayed and reported in real-time. Messages that do not require
operator intervention may be stored in memory to be recovered after
ballot processing has been completed.
The voting system shall display and report critical status messages
using clear indicators or English language text. The voting system need
not display non-critical status messages at the time of occurrence.
Voting systems may display non-critical status messages (i.e., those
that do not require operator intervention) by means of numerical codes
for subsequent interpretation and reporting as unambiguous text.
Voting systems shall provide a capability for the status messages
to become part of the real-time audit record. The voting system shall
provide a capability for a jurisdiction to designate critical status
messages.
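The following Python sketch is an added illustration, not part of the Guidelines or of any vendor's system. It shows one way to meet the time, sequence and preservation requirements of 2.1.5.1(a) together with 2.1.4(h): every entry carries a time-and-date stamp and sequence number, original entries are never edited, and designated officials can only append amendments. The hash chain, the class and function names, and the sample entries are assumptions made for the example.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime
from typing import List, Optional, Sequence

GENESIS = "0" * 64  # constructed anchor used as prev_hash of the first entry


@dataclass(frozen=True)
class Entry:
    seq: int               # position in the record, starting at 1
    timestamp: str         # ISO 8601 time-and-date stamp from the real-time clock
    kind: str              # "event" or "amendment"
    actor: str
    message: str
    amends: Optional[int]  # for an amendment: seq of the entry it annotates
    prev_hash: str
    entry_hash: str = ""


def compute_hash(entry: Entry) -> str:
    """SHA-256 over every field except the hash itself, as canonical JSON."""
    body = asdict(entry)
    del body["entry_hash"]
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only record: no method edits or removes an existing entry."""

    def __init__(self, authorized_officials):
        self._entries: List[Entry] = []
        self._authorized = frozenset(authorized_officials)

    def _append(self, timestamp, kind, actor, message, amends=None) -> Entry:
        prev = self._entries[-1].entry_hash if self._entries else GENESIS
        draft = Entry(len(self._entries) + 1, timestamp, kind, actor,
                      message, amends, prev)
        sealed = replace(draft, entry_hash=compute_hash(draft))
        self._entries.append(sealed)
        return sealed

    def record(self, timestamp, actor, message) -> Entry:
        return self._append(timestamp, "event", actor, message)

    def amend(self, timestamp, official, target_seq, note) -> Entry:
        """Augment the record (2.1.4 h) without touching the original entry."""
        if official not in self._authorized:
            raise PermissionError(f"{official} may not amend the audit record")
        if not 1 <= target_seq <= len(self._entries):
            raise ValueError(f"no entry with sequence number {target_seq}")
        return self._append(timestamp, "amendment", official, note, target_seq)

    def entries(self):
        return tuple(self._entries)

    def head(self) -> str:
        return self._entries[-1].entry_hash if self._entries else GENESIS


def verify(entries: Sequence[Entry], expected_head: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the record is intact."""
    findings = []
    prev_hash, prev_time = GENESIS, None
    for position, e in enumerate(entries, start=1):
        if e.seq != position:
            findings.append(f"sequence gap: expected {position}, found {e.seq}")
        if e.prev_hash != prev_hash:
            findings.append(f"entry {e.seq}: chain broken")
        if compute_hash(e) != e.entry_hash:
            findings.append(f"entry {e.seq}: content does not match its hash")
        stamp = datetime.fromisoformat(e.timestamp)
        if prev_time is not None and stamp < prev_time:
            findings.append(f"entry {e.seq}: timestamp earlier than previous entry")
        if e.kind == "amendment" and not (e.amends is not None and 1 <= e.amends < e.seq):
            findings.append(f"entry {e.seq}: amendment refers to no earlier entry")
        prev_hash, prev_time = e.entry_hash, stamp
    if expected_head is not None and prev_hash != expected_head:
        findings.append("head hash does not match the externally recorded value")
    return findings


def build_sample_log() -> AuditLog:
    """Constructed sample data: three system events and one canvass amendment."""
    log = AuditLog(authorized_officials={"canvass-board"})
    log.record("2006-11-07T06:00:00+00:00", "system", "polls opened")
    log.record("2006-11-07T09:14:22+00:00", "system", "error E12: paper jam")
    log.record("2006-11-07T19:00:00+00:00", "system", "polls closed")
    log.amend("2006-11-09T10:30:00+00:00", "canvass-board", 2,
              "jam cleared by poll worker; no ballots affected")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print(verify(sample.entries(), expected_head=sample.head()))
```

A chain by itself only detects edits and deletions in the middle of the record. Removal of the most recent entries is detected only when the head hash has been recorded somewhere outside the device, for example on the printed copy described in item vii.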
2.1.5.2 Use of Shared Computing Platforms
Further requirements must be applied to Commercial-off-the-Shelf
operating systems to ensure completeness and integrity of audit data
for election software. These operating systems are capable of executing
multiple application programs simultaneously. These systems include
both servers and workstations, including the many varieties of UNIX and
Linux, and those offered by Microsoft and Apple. Election software
running on these systems is vulnerable to unintended effects from other
user sessions, applications, and utilities executing on the same
platform at the same time as the election software.
``Simultaneous processes'' of concern include: unauthorized network
connections, unplanned user logins, and unintended execution or
termination of operating system processes. An unauthorized network
connection or unplanned user login can host unintended processes and
user actions, such as the termination of operating system audit, the
termination of election software processes, or the deletion of election
software audit and logging data. The execution of an operating system
process could be a full system scan at a time when that process would
adversely affect the election software processes. Operating system
processes improperly terminated could be system audit or malicious code
detection.
To counter these vulnerabilities, three operating system
protections are required on all such systems on which election software
is hosted. First, authentication shall be configured on the local
terminal (display screen and keyboard) and on all external connection
devices (``network cards'' and ``ports''). This ensures that only
authorized and identified users affect the system while election
software is running.
Second, operating system audit shall be enabled for all session
openings and closings, for all connection openings and closings, for
all process executions and terminations, and for the alteration or
deletion of any memory or file object. This ensures the accuracy and
completeness of election data stored on the system. It also ensures the
existence of an audit record of any person or process altering or
deleting system data or election data.
Third, the system shall be configured to execute only intended and
necessary processes during the execution of election software. The
system shall also be configured to halt election software processes
upon the termination of any
[[Page 18835]]
critical system process (such as system audit) during the execution of
election software.
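As an added example (not part of the Guidelines), the Python sketch below applies the three protections of 2.1.5.2 to a stream of operating system audit events: it checks that every required audit category is enabled, flags unauthenticated sessions or connections and unintended processes while the election software runs, and decides to halt when a critical process terminates. The event format, process names, paths and the `Policy` fields are constructed for illustration, and the code is decision logic over records rather than an operating system agent.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Audit categories named in the second protection of 2.1.5.2.
REQUIRED_AUDIT_CATEGORIES = frozenset({
    "session_open", "session_close",
    "connection_open", "connection_close",
    "process_exec", "process_exit",
    "object_alter", "object_delete",
})


@dataclass(frozen=True)
class Policy:
    election_process: str          # hypothetical name of the election software
    authorized_users: frozenset
    allowed_processes: frozenset   # "only intended and necessary processes"
    critical_processes: frozenset  # e.g. system audit, malicious code detection
    protected_prefix: str          # where election audit and logging data live
    audit_enabled: frozenset       # categories the OS is configured to audit


def missing_audit_categories(policy: Policy) -> List[str]:
    """Second protection: every required category must be audited."""
    return sorted(REQUIRED_AUDIT_CATEGORIES - policy.audit_enabled)


def evaluate(events, policy: Policy) -> Tuple[List[str], Optional[str]]:
    """Return (findings, time at which election software must be halted)."""
    findings: List[str] = []
    running = False
    halted_at = None
    for ev in events:
        kind, t, name = ev["type"], ev["t"], ev.get("name")
        if name == policy.election_process and kind in ("process_exec", "process_exit"):
            running = kind == "process_exec"
            continue
        if not running:
            continue  # the protections apply while election software runs
        if kind in ("session_open", "connection_open"):
            # First protection: authenticated, identified users only.
            user = ev.get("user", "unknown")
            if not ev.get("authenticated") or user not in policy.authorized_users:
                findings.append(f"{t} unauthorized {kind} by {user}")
        elif kind == "process_exec" and name not in policy.allowed_processes:
            findings.append(f"{t} unintended process started: {name}")
        elif kind == "process_exit" and name in policy.critical_processes:
            # Third protection: halt election software processes.
            findings.append(f"{t} critical process terminated: {name}; "
                            f"halting {policy.election_process}")
            halted_at, running = t, False
        elif kind in ("object_alter", "object_delete"):
            if ev["path"].startswith(policy.protected_prefix):
                findings.append(f"{t} {kind} on audit data {ev['path']} "
                                f"by {ev.get('user', 'unknown')}")
    return findings, halted_at


SAMPLE_POLICY = Policy(
    election_process="election-app",
    authorized_users=frozenset({"official1"}),
    allowed_processes=frozenset({"election-app", "os-audit", "malware-scan"}),
    critical_processes=frozenset({"os-audit", "malware-scan"}),
    protected_prefix="/election/audit/",
    audit_enabled=REQUIRED_AUDIT_CATEGORIES,
)

# Constructed sample events, in time order.
SAMPLE_EVENTS = [
    {"t": "08:00:01", "type": "process_exec", "name": "os-audit"},
    {"t": "08:00:05", "type": "process_exec", "name": "election-app"},
    {"t": "08:02:10", "type": "session_open", "user": "official1", "authenticated": True},
    {"t": "09:15:42", "type": "connection_open", "authenticated": False},
    {"t": "09:15:50", "type": "process_exec", "name": "full-disk-scan"},
    {"t": "09:16:03", "type": "object_delete", "path": "/election/audit/log-0007"},
    {"t": "09:16:04", "type": "process_exit", "name": "os-audit"},
    {"t": "09:16:30", "type": "process_exec", "name": "shell"},
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS, SAMPLE_POLICY)[0]:
        print(line)
```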
2.1.6 Election Management System
The Election Management System (EMS) is used to prepare ballots and
programs for use in casting and counting votes, and to consolidate,
report, and display election results. An EMS shall generate and
maintain a database, or one or more interactive databases, that enables
election officials or their designees to perform the following
functions:
Define political subdivision boundaries and multiple
  election districts as indicated in the system documentation
Identify contests, candidates, and issues
Define ballot formats and appropriate voting options
Generate ballots and election-specific programs for voting
  equipment
Install ballots and election-specific programs
Test that ballots and programs have been properly prepared
  and installed
Accumulate vote totals at multiple reporting levels as
  indicated in the system documentation
Generate the post-voting reports required by Subsection
  2.4
Process and produce audit reports of the data as indicated
  in Subsection 5.5
2.1.7 Vote Tabulating Program
Each voting system shall have a vote tabulation program that will
meet specific functional requirements.
2.1.7.1 Functions
The vote tabulating program software resident in each voting
machine, vote count server, or other devices shall include all software
modules required to:
a. Monitor system status and generate machine-level audit reports
b. Accommodate device control functions performed by polling place
officials and maintenance personnel
c. Register and accumulate votes
d. Accommodate variations in ballot counting logic
2.1.7.2 Voting Variations
There are significant variations among state election laws with
respect to permissible ballot contents, voting options, and the
associated ballot counting logic. The Technical Data Package
accompanying the system shall specifically identify which of the
following items can and cannot be supported by the voting system, as
well as how the voting system can implement the items supported:
Closed primaries
Open primaries
Partisan offices
Non-partisan offices
Write-in voting
Primary presidential delegation nominations
Ballot rotation
Straight party voting
Cross-party endorsement
Split precincts
Vote for N of M
Recall issues, with options
Cumulative voting
Ranked order voting
Provisional or challenged ballots
2.1.8 Ballot Counter
For all voting systems, each piece of voting equipment that
tabulates ballots shall provide a counter that:
a. Can be set to zero before any ballots are submitted for tally
b. Records the number of ballots cast during a particular test
cycle or election
c. Increases the count only by the input of a ballot
d. Prevents or disables the resetting of the counter by any person
other than authorized persons at authorized points
e. Is visible to designated election officials
2.1.9 Telecommunications
For all voting systems that use telecommunications for the
transmission of data during pre-voting, voting or post-voting
activities, capabilities shall be provided that ensure data are
transmitted with no alteration or unauthorized disclosure during
transmission. Such transmissions shall not violate the privacy,
secrecy, and integrity demands of the Guidelines. Section 6 describes
telecommunications standards that apply to, at a minimum, the following
types of data transmissions:
Voter Authentication: Coded information that confirms the identity
of a voter for security purposes for a system that transmits votes
individually over a public network
Ballot Definition: Information that describes to voting equipment
the content and appearance of the ballots to be used in an election
Vote Transmission to Central Site: For voting systems that transmit
votes individually over a public network, the transmission of a single
vote to the county (or contractor) for consolidation with other county
vote data
Vote Count: Information representing the tabulation of votes at any
one of several levels: polling place, precinct, or central count
List of Voters: A listing of the individual voters who have cast
ballots in a specific election
2.1.10 Data Retention
United States Code Title 42, Sections 1974 through 1974e state that
election administrators shall preserve for 22 months ``all records and
paper that came into (their) possession relating to an application,
registration, payment of poll tax, or other act requisite to voting.''
This retention requirement applies to systems that will be used at
any time for voting of candidates for federal offices (e.g., Member of
Congress, United States Senator, and/or Presidential Elector).
Therefore, all voting systems shall provide for maintaining the
integrity of voting and audit data during an election and for a period
of at least 22 months thereafter.
Because the purpose of this law is to assist the federal government
in discharging its law enforcement responsibilities in connection with
civil rights and elections crimes, its scope must be interpreted in
keeping with that objective. The appropriate state or local authority
must preserve all records that may be relevant to the detection and
prosecution of federal civil rights or election crimes for the 22-month
federal retention period, if the records were generated in connection
with an election that was held in whole or in part to select federal
candidates. It is important to note that Section 1974 does not require
that election officials generate any specific type or classification of
election record. However, if a record is generated, Section 1974 comes
into force and the appropriate authority must retain the records for 22
months.
For 22-month document retention, the general rule is that all
printed copy records produced by the election database and ballot
processing systems shall be so labeled and archived. Regardless of
system type, all audit trail information spelled out in Subsection 5.5
shall be retained in its original format, whether that be real-time
logs generated by the system, or manual logs maintained by election
personnel. The election audit trail includes not only in-process logs
of election-night and subsequent processing of absentee or provisional
ballots, but also time logs of baseline ballot definition formats, and
system readiness and testing results.
In many voting systems, the source of election-specific data (and
ballot formats) is a database or file. In precinct count voting
systems, this data is used to program each machine, establish ballot
layout, and generate tallying files. It is not necessary to retain this
information on electronic media if there is an official, authenticated
printed copy of all final database information.
[[Page 18836]]
However, it is recommended that the state or local jurisdiction also
retain electronic records of the aggregate data for each voting machine
so that reconstruction of an election is possible without data re-
entry. The same requirement and recommendation applies to vote results
generated by each precinct count voting machine.
2.2 Pre-Voting Capabilities
This subsection defines capabilities required to support functions
performed prior to the opening of polls. All voting systems shall
provide capabilities to support:
Ballot preparation
Election programming
Ballot and program installation and control
Readiness testing
Verification at the polling place
Verification at the central counting place
The standards also include requirements to ensure compatible
interfaces with the ballot definition process and the reporting of
election results.
2.2.1 Ballot Preparation
Ballot preparation is the process of using election databases to
define the specific contests, questions, and related instructions to be
contained in ballots and to produce all permissible ballot layouts.
Ballot preparation requirements include:
General capabilities
Ballot formatting
Ballot production
2.2.1.1 General Capabilities
All systems shall provide the general capabilities for ballot
preparation. All systems shall be capable of:
a. Enabling the automatic formatting of ballots in accordance with
the requirements for offices, candidates, and measures qualified to be
placed on the ballot for each political subdivision and election
district
b. Collecting and maintaining the following data
i. Offices and their associated labels and instructions
ii. Candidate names and their associated labels
iii. Issues or measures and their associated text
c. Supporting the maximum number of potentially active voting
positions as indicated in the system documentation
d. For a primary election, generating ballots that segregate the
choices in partisan contests by party affiliation
e. Generating ballots that contain identifying codes or marks
uniquely associated with each format
f. Ensuring that vote response fields, selection buttons, or
switches properly align with the specific candidate names and/or issues
printed on the ballot display, ballot card or sheet, or separate ballot
pages
Paper-based voting systems shall also meet the following
requirements applicable to the technology used:
g. Enable voters to make selections by making a mark in areas
designated for this purpose upon each ballot sheet
h. For marksense systems, ensure that the timing marks align
properly with the vote response fields
2.2.1.2 Ballot Formatting
Ballot formatting is the process by which election officials or
their designees use election databases and voting system software to
define the specific contests and related instructions contained on the
ballot and present them in a layout permitted by state law. All voting
systems shall provide a capability for:
a. Creation of newly defined elections
b. Rapid and error-free definition of elections and their
associated ballot layouts
c. Uniform allocation of space and fonts used for each office,
candidate, and contest such that the voter perceives no active voting
position to be preferred to any other
d. Simultaneous display of the maximum number of choices for a
single contest as indicated by the vendor in the system documentation
e. Retention of previously defined formats for an election
f. Prevention of unauthorized modification of any ballot formats
g. Modification by authorized persons of a previously defined
ballot format for use in a subsequent election
2.2.1.3 Ballot Production
Ballot production is the process of converting ballot formats to a
medium ready for use in the physical ballot production or electronic
presentation.
The voting system shall provide a means of printing or otherwise
generating a ballot display that can be installed in all voting
equipment for which it is intended. All voting systems shall provide
the capabilities below.
a. The electronic display or printed document on which the user
views the ballot is capable of rendering an image of the ballot in any
of the languages required by the Voting Rights Act of 1965, as amended.
b. The electronic display or printed document on which the user
views the ballot does not show any advertising or commercial logos of
any kind, whether public service, commercial, or political, unless
specifically provided for in state law. Electronic displays shall not
provide connection to such material through hyperlink.
c. The ballot conforms to vendor specifications for type of paper
stock, weight, size, shape, size and location of mark field used to
record votes, folding, bleed-through, and ink for printing if paper
ballot documents or paper displays are part of the system.
Vendor documentation for marksense systems shall include
specifications for ballot materials to ensure that vote selections are
read from only a single ballot at a time, without detection of marks
from multiple ballots concurrently (e.g., reading of bleed-through from
other ballots).
2.2.2 Election Programming
Election programming is the process by which election officials or
their designees use election databases and vendor system software to
logically define the voter choices associated with the contents of the
ballots. All systems shall provide for the:
a. Logical definition of the ballot, including the definition of
the number of allowable choices for each office and contest
b. Logical definition of political and administrative subdivisions,
where the list of candidates or contests varies between polling places
c. Exclusion of any contest on the ballot in which the voter is
prohibited from casting a ballot because of place of residence, or
other such administrative or geographical criteria
d. Ability to select from a range of voting options to conform to
the laws of the jurisdiction in which the system will be used
e. Generation of all required master and distributed copies of the
voting program, in conformance with the definition of the ballots for
each voting device and polling place, and for each tabulating device
2.2.3 Ballot and Program Installation and Control
All systems shall provide a means of installing ballots and
programs on each piece of polling place or central count equipment in
accordance with the ballot requirements of the election and the
requirements of the jurisdiction in which the equipment will be used.
All systems shall include the following at the time of ballot and
program installation:
a. A detailed work plan or other documentation providing a schedule
and steps for the software and ballot installation, which includes a
table
[[Page 18837]]
outlining the key dates, events and deliverables
b. A capability for automatically verifying that the software has
been properly selected and installed in the equipment or in
programmable memory devices, and for indicating errors
c. A capability for automatically validating that software
correctly matches the ballot formats that it is intended to process,
for detecting errors, and for immediately notifying an election
official of detected errors
2.2.4 Readiness Testing
Election personnel conduct voting equipment and voting system
readiness tests prior to the start of an election to ensure that the
voting system functions properly, to confirm that voting equipment has
been properly integrated, and to obtain equipment status reports. All
voting systems shall provide the capabilities to:
a. Verify that voting equipment and precinct count equipment is
properly prepared for an election, and collect data that verifies
equipment readiness
b. Obtain status and data reports from each set of equipment
c. Verify the correct installation and interface of all voting
equipment
d. Verify that hardware and software function correctly
e. Generate consolidated data reports at the polling place and
higher jurisdictional levels
f. Segregate test data from actual voting data, either procedurally
or by hardware/software features
Resident test software, external devices, and special purpose test
software connected to or installed in voting equipment to simulate
operator and voter functions may be used for these tests provided that
the following standards are met:
g. These elements shall be capable of being tested separately, and
shall be proven to be reliable verification tools prior to their use
h. These elements shall be incapable of altering or introducing any
residual effect on the intended operation of the voting device during
any succeeding test and operational phase
Paper-based systems shall:
i. Support conversion testing that uses all potential ballot
positions as active positions
j. Support conversion testing of ballots with active position
density for systems without pre-designated ballot positions
2.2.5 Verification at the Polling Place
Election officials perform verification at the polling place to
ensure that all voting systems and voting equipment function properly
before and during an election. All voting systems shall provide a
formal record of the following, in any media, upon verification of the
authenticity of the command source:
a. The election's identification data
b. The identification of all equipment units
c. The identification of the polling place
d. The identification of all ballot formats
e. The contents of each active candidate register by office and of
each active measure register at all storage locations (showing that
they contain only zeros)
f. A list of all ballot fields that can be used to invoke special
voting options
g. Other information needed to confirm the readiness of the
equipment, and to accommodate administrative reporting requirements
To prepare voting devices to accept voted ballots, all voting
systems shall provide the capability to test each device prior to
opening to verify that each is operating correctly. At a minimum, the
tests shall include:
h. Confirmation that there are no hardware or software failures
i. Confirmation that the device is ready to be activated for
accepting votes
If a precinct count system includes equipment for the consolidation
of polling place data at one or more central counting locations, it
shall have means to verify the correct extraction of voting data from
transportable memory devices, or to verify the transmission of secure
data over secure communication links.
2.2.6 Verification at the Central Location
Election officials perform verification at the central location to
ensure that vote counting and vote consolidation equipment and software
function properly before and after an election. Upon verification of
the authenticity of the command source, any system used in a central
count environment shall provide a printed record of the following:
a. The election's identification data
b. The contents of each active candidate register by office and of
each active measure register at all storage locations (showing that
they contain all zeros)
c. Other information needed to ensure the readiness of the
equipment and to accommodate administrative reporting requirements
2.3 Voting Capabilities
All voting systems shall support:
Opening the polls
Casting a ballot
Additionally, all DRE systems shall support:
Activating the ballot
Augmenting the election counter
Augmenting the life-cycle counter
2.3.1 Opening the Polls
The capabilities required for opening the polls are specific to
individual voting system technologies. At a minimum, the systems shall
provide the functional capabilities indicated below.
2.3.1.1 Precinct Count Systems
To allow voting devices to be activated for voting, all precinct
count systems shall provide:
a. An internal test or diagnostic capability to verify that all of
the polling place tests specified in Subsection 2.2.5 have been
successfully completed
b. Automatic disabling of any device that has not been tested until
it has been tested
2.3.1.2 Paper-based System Requirements
To facilitate opening the polls, all paper-based systems shall
include:
a. A means of verifying that ballot marking devices are properly
prepared and ready to use
b. A voting booth or similar facility, in which the voter may mark
the ballot in privacy
c. Secure receptacles for holding voted ballots
In addition to the above requirements, all paper-based precinct
count equipment shall include a means of:
d. Activating the ballot counting device
e. Verifying that the device has been correctly activated and is
functioning properly
f. Identifying device failure and corrective action needed
2.3.1.3 DRE System Requirements
To facilitate opening the polls, all DRE systems shall include:
a. A security seal, a password, or a data code recognition
capability to prevent the inadvertent or unauthorized actuation of the
poll-opening function
b. A means of enforcing the execution of steps in the proper
sequence if more than one step is required
c. A means of verifying the system has been activated correctly
d. A means of identifying system failure and any corrective action
needed
2.3.2 Activating the Ballot (DRE Systems)
To activate the ballot, all DRE systems shall:
[[Page 18838]]
a. Enable election officials to control the content of the ballot
presented to the voter, whether presented in printed form or electronic
display, such that each voter is permitted to record votes only in
contests in which that voter is authorized to vote
b. Allow each eligible voter to cast a ballot
c. Prevent a voter from voting on a ballot to which he or she is
not entitled
d. Prevent a voter from casting more than one ballot in the same
election
e. Activate the casting of a ballot in a general election
f. Enable the selection of the ballot that is appropriate to the
party affiliation declared by the voter in a primary election
g. Activate all portions of the ballot upon which the voter is
entitled to vote
h. Disable all portions of the ballot upon which the voter is not
entitled to vote
2.3.3 Casting a Ballot
Some required capabilities for casting a ballot are common to all
systems. Others are specific to individual voting technologies or
intended use. Systems must provide additional functional capabilities
that enable accessibility to disabled voters as defined in Subsection
3.2.
2.3.3.1 Common Requirements
To facilitate casting a ballot, all systems shall:
a. Provide text that is at least 3 millimeters high and provide the
capability to adjust or magnify the text to an apparent size of 6.3
millimeters
b. Protect the secrecy of the vote such that the system cannot
reveal any information about how a particular voter voted, except as
otherwise required by individual state law
c. Record the selection and non-selection of individual vote
choices for each contest and ballot measure
d. Record the voter's selection of candidates whose names do not
appear on the ballot, if permitted under state law, and record as many
write-in votes as the number of candidates the voter is allowed to
select
e. In the event of a failure of the main power supply external to
the voting system, provide the capability for any voter who is voting
at the time to complete casting a ballot, allow for the successful
shutdown of the voting system without loss or degradation of the voting
and audit data, and allow voters to resume voting once the voting
system has reverted to back-up power
f. Provide the capability for voters to continue casting ballots in
the event of a failure of a telecommunications connection within the
polling place or between the polling place and any other location
2.3.3.2 Paper-based System Requirements
All paper-based systems shall:
a. Allow the voter to easily identify the voting field that is
associated with each candidate or ballot measure response
b. Allow the voter to mark the ballot to register a vote
c. Allow either the voter or the appropriate election official to
place the voted ballot into the ballot counting device (for precinct
count systems) or into a secure receptacle (for central count systems)
d. Protect the secrecy of the vote throughout the process
In addition to the above requirements, all paper-based precinct
count systems shall:
e. Provide feedback to the voter that identifies specific contests
for which he or she has made no selection or fewer than the allowable
number of selections (e.g., undervotes)
f. Notify the voter if he or she has made more than the allowable
number of selections for any contest (e.g., overvotes)
g. Notify the voter before the ballot is cast and counted of the
effect of making more than the allowable number of selections for a
contest
h. Provide the voter opportunity to correct the ballot for either
an undervote or overvote before the ballot is cast and counted
2.3.3.3 DRE System Requirements
In addition to the above common requirements, DRE systems shall:
a. Prohibit the voter from accessing or viewing any information on
the display screen that has not been authorized by election officials
and preprogrammed into the voting system (i.e., no potential for
display of external information or linking to other information
sources)
b. Enable the voter to easily identify the selection button or
switch, or the active area of the ballot display, that is associated
with each candidate or ballot measure response
c. Allow the voter to select his or her preferences on the ballot
in any legal number and combination
d. Indicate that a selection has been made or canceled
e. Indicate to the voter when no selection, or an insufficient
number of selections, has been made for a contest (e.g., undervotes)
f. Notify the voter if he or she has made more than the allowable
number of selections for any contest (e.g., overvotes)
g. Notify the voter before the ballot is cast and counted of the
effect of making more than the allowable number of selections for a
contest
h. Provide the voter opportunity to correct the ballot for either
an undervote or overvote before the ballot is cast and counted
i. Notify the voter when the selection of candidates and measures
is completed
j. Allow the voter, before the ballot is cast, to review his or her
choices and, if the voter desires, to delete or change his or her
choices before the ballot is cast
k. For electronic image displays, prompt the voter to confirm the
voter's choices before casting his or her ballot, signifying to the
voter that casting the ballot is irrevocable and directing the voter to
confirm the voter's intention to cast the ballot
l. Notify the voter after the vote has been stored successfully
that the ballot has been cast
m. Notify the voter that the ballot has not been cast successfully
if it is not stored successfully, including storage of the ballot
image, and provide clear instruction as to the steps the voter should
take to cast his or her ballot should this event occur
n. Provide sufficient computational performance to provide
responses back to each voter entry in no more than three seconds
o. Ensure that the votes stored accurately represent the actual
votes cast
p. Prevent modification of the voter's vote after the ballot is
cast
q. Provide a capability to retrieve ballot images in a form
readable by humans [in accordance with the requirements of Subsections
2.1.2 (f) and 2.1.4 (k) and (l)]
r. Increment the proper ballot position registers or counters
s. Protect the secrecy of the vote throughout the voting process
t. Prohibit access to voted ballots until after the close of polls
u. Provide the ability for election officials to submit test
ballots for use in verifying the end-to-end integrity of the voting
system
v. Isolate test ballots such that they are accounted for accurately
in vote counts and are not reflected in official vote counts for
specific candidates or measures
2.4 Post-Voting Capabilities
All voting systems shall provide capabilities to accumulate and
report results for the jurisdiction and to generate audit trails. In
addition, precinct count voting systems must
[[Page 18839]]
provide a means to close the polls including generating appropriate
reports. If the system provides the capability to broadcast results,
additional standards apply.
2.4.1 Closing the Polls
These requirements for closing the polls and locking voting systems
against future voting are specific to precinct count systems. The
voting system shall provide the means for:
a. Preventing the further casting of ballots once the polls have
closed
b. Providing an internal test that verifies that the prescribed
closing procedure has been followed, and that the device status is
normal
c. Incorporating a visible indication of system status
d. Producing a diagnostic test record that verifies the sequence of
events, and indicates that the extraction of voting data has been
activated
e. Precluding the unauthorized reopening of the polls once the poll
closing has been completed for that election
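The poll-opening controls of 2.3.1.3 (a)-(b) and the closing controls of 2.4.1 (a), (b), (d) and (e) can be read together as one state machine. The sketch below is an added illustration and is not part of the Guidelines; the class, the step names and the credential scheme are hypothetical, and the bare SHA-256 digest stands in for whatever seal, password or data code a real system uses.

```python
import hashlib
import hmac
from enum import Enum


class PollState(Enum):
    PRE_ELECTION = "pre-election"
    OPEN = "open"
    CLOSED = "closed"


class PollError(Exception):
    """Operation refused: wrong state, wrong step order, or bad credential."""


# Hypothetical opening procedure; real step names are vendor-specific.
OPENING_STEPS = ("run_diagnostics", "print_zero_report", "enable_voting")


class PrecinctDevice:
    def __init__(self, official_code):
        # Simplified credential check (assumption): keep only a digest.
        self._code_digest = hashlib.sha256(official_code.encode()).digest()
        self.state = PollState.PRE_ELECTION
        self.steps_done = []
        self.ballots = []
        self.event_log = []  # sequence-of-events record, 2.4.1 (d)

    def _require_official(self, code, action):
        digest = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(digest, self._code_digest):
            self.event_log.append(f"DENIED {action}: bad credential")
            raise PollError(f"{action}: not authorized")

    def _require_state(self, wanted, action):
        if self.state is not wanted:
            self.event_log.append(f"REFUSED {action}: polls are {self.state.value}")
            raise PollError(f"{action}: polls are {self.state.value}")

    def opening_step(self, step, code):
        # 2.3.1.3 (a): authorized actuation only; (b): steps in proper sequence.
        self._require_official(code, step)
        self._require_state(PollState.PRE_ELECTION, step)  # also blocks reopening
        expected = OPENING_STEPS[len(self.steps_done)]
        if step != expected:
            self.event_log.append(f"REFUSED {step}: expected {expected}")
            raise PollError(f"expected step {expected}, got {step}")
        self.steps_done.append(step)
        self.event_log.append(f"OK {step}")
        if len(self.steps_done) == len(OPENING_STEPS):
            self.state = PollState.OPEN
            self.event_log.append("POLLS OPEN")

    def cast_ballot(self, ballot):
        # 2.4.1 (a): no casting once closed. Ballot contents are never logged.
        self._require_state(PollState.OPEN, "cast_ballot")
        self.ballots.append(ballot)

    def close_polls(self, code):
        self._require_official(code, "close_polls")
        self._require_state(PollState.OPEN, "close_polls")
        self.state = PollState.CLOSED
        self.event_log.append("POLLS CLOSED")

    def closing_self_test(self):
        # 2.4.1 (b): the successful events must match the prescribed sequence.
        done = [e for e in self.event_log if e.startswith(("OK ", "POLLS "))]
        expected = [f"OK {s}" for s in OPENING_STEPS] + ["POLLS OPEN", "POLLS CLOSED"]
        return self.state is PollState.CLOSED and done == expected

    def ballot_count_report(self, code):
        # Reports are refused until the polls are closed (compare 2.4.3 (h)).
        self._require_official(code, "ballot_count_report")
        self._require_state(PollState.CLOSED, "ballot_count_report")
        return {"ballots_counted": len(self.ballots)}
```

Refused and denied attempts stay in the event log, so the diagnostic record shows what was tried as well as what succeeded.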
2.4.2 Consolidating Vote Data
All systems shall provide a means to consolidate vote data from all
polling places, and optionally from other sources such as absentee
ballots, provisional ballots, and voted ballots requiring human review
(e.g., write-in votes).
2.4.3 Producing Reports
All systems shall be able to create reports summarizing the vote
data on multiple levels.
All systems shall provide capabilities to:
a. Support geographic reporting, which requires the reporting of
all results for each contest at the precinct level and additional
jurisdictional levels
b. Produce a printed report of the number of ballots counted by
each tabulator
c. Produce a printed report for each tabulator of the results of
each contest that includes the votes cast for each selection, the count
of undervotes, and the count of overvotes
d. Produce a consolidated printed report of the results for each
contest of all votes cast (including the count of ballots from other
sources supported by the system as specified by the vendor) that
includes the votes cast for each selection, the count of undervotes,
and the count of overvotes
e. Be capable of producing a consolidated printed report of the
combination of overvotes for any contest that is selected by an
authorized official (e.g., the number of overvotes in a given contest
combining candidate A and candidate B, combining candidate A and
candidate C, etc.)
f. Produce all system audit information required in Subsection 5.4
in the form of printed reports, or in electronic memory for printing
centrally
g. Prevent data from being altered or destroyed by report
generation, or by the transmission of results over telecommunications
lines
In addition, all precinct count voting systems shall:
h. Prevent the printing of reports and the unauthorized extraction
of data prior to the official close of the polls
i. Provide a means to extract information from a transportable
programmable memory device or data storage medium for vote
consolidation
j. Consolidate the data contained in each unit into a single report
for the polling place when more than one voting machine or precinct
tabulator is used
k. Prevent data in transportable memory from being altered or
destroyed by report generation, or by the transmission of official
results over telecommunications lines
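The per-contest report of 2.4.3 (c), the overvote-combination report of 2.4.3 (e) and the test-ballot isolation of 2.3.3.3 (v) can be sketched as a single tally routine. This is an added illustration, not part of the Guidelines: the contest definitions and ballots are constructed, and the counting conventions (an overvoted contest contributes no votes; undervotes are counted as unused selections) are assumptions, since the Guidelines leave them to state law and the vendor.

```python
from collections import Counter

# Constructed contest definitions: choices and the allowable number of selections.
CONTESTS = {
    "mayor": {"choices": ["A", "B", "C"], "vote_for": 1},
    "council": {"choices": ["D", "E", "F"], "vote_for": 2},
}

# Constructed ballots; "test": True marks a test ballot (2.3.3.3 (u)).
SAMPLE_BALLOTS = [
    {"selections": {"mayor": ["A"], "council": ["D", "E"]}},
    {"selections": {"mayor": ["A", "B"], "council": ["D"]}},
    {"selections": {"mayor": [], "council": ["D", "E", "F"]}},
    {"selections": {"mayor": ["A", "C"], "council": ["E", "F"]}},
    {"selections": {"mayor": ["A", "B"], "council": []}},
    {"selections": {"mayor": ["C"], "council": ["F"]}, "test": True},
]


def _tally(contests, ballots):
    """Count votes, undervotes, overvotes and overvote combinations per contest."""
    report = {}
    for name, rule in contests.items():
        votes = Counter({choice: 0 for choice in rule["choices"]})
        combos = Counter()
        undervotes = overvotes = 0
        for ballot in ballots:
            selected = sorted(set(ballot["selections"].get(name, [])))
            unknown = [c for c in selected if c not in rule["choices"]]
            if unknown:
                raise ValueError(f"{name}: unknown selection(s) {unknown}")
            if len(selected) > rule["vote_for"]:
                # Assumption: an overvoted contest contributes no votes.
                overvotes += 1
                combos[tuple(selected)] += 1  # e.g. ("A", "B") for 2.4.3 (e)
            else:
                votes.update(selected)
                # Assumption: undervotes are counted as unused selections.
                undervotes += rule["vote_for"] - len(selected)
        report[name] = {
            "votes": dict(votes),
            "undervotes": undervotes,
            "overvotes": overvotes,
            "overvote_combinations": dict(combos),
        }
    return report


def tabulate(contests, ballots):
    """Tally official and test ballots in separate pools without modifying input."""
    official = [b for b in ballots if not b.get("test", False)]
    test = [b for b in ballots if b.get("test", False)]
    return {
        "official": {"ballots_counted": len(official),
                     "contests": _tally(contests, official)},
        "test": {"ballots_counted": len(test),
                 "contests": _tally(contests, test)},
    }
```

Because the routine only reads the ballot records and builds new structures, producing the report cannot alter the stored data, which is the property 2.4.3 (g) and (k) ask for.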
2.4.4 Broadcasting Results
Some voting systems offer the capability to make unofficial results
available to external organizations such as the news media, political
party officials, and others. Although this capability is not required,
systems that make unofficial results available shall:
a. Provide only aggregated results, and not data from individual
ballots
b. Provide no access path from unofficial electronic reports or
files to the storage devices for official data
c. Clearly indicate on each report or file that the results it
contains are unofficial
2.5 Maintenance, Transportation, and Storage
All systems shall be designed and manufactured to facilitate
preventive and corrective maintenance, conforming to the hardware
standards described in Subsection 4.1. All vote casting and tally
equipment designated for storage between elections shall:
a. Function without degradation in capabilities after transit to
and from the place of use, as demonstrated by meeting the performance
standards described in Subsection 4.1
b. Function without degradation in capabilities after storage
between elections, as demonstrated by meeting the performance standards
described in Subsection 4.1
3 Usability and Accessibility Requirements
Table of Contents
3 Usability and Accessibility Requirements
3.1 Usability Requirements
3.1.1 Usability Testing
3.1.2 Functional Capabilities
3.1.3 Alternative Languages
3.1.4 Cognitive Issues
3.1.5 Perceptual Issues
3.1.6 Interaction Issues
3.1.7 Privacy
3.1.7.1 Privacy at the Polls
3.1.7.2 No Recording of Alternate Format Usage
3.2 Accessibility Requirements
3.2.1 General
3.2.2 Vision
3.2.2.1 Partial Vision
3.2.2.2 Blindness
3.2.3 Dexterity
3.2.4 Mobility
3.2.5 Hearing
3.2.6 Speech
3.2.7 English Proficiency
3.2.8 Cognition
3 Usability and Accessibility Requirements
The importance of usability and accessibility in the design of
voting systems has become increasingly apparent. It is not sufficient
that the internal operation of these systems be correct; in addition,
voters and poll workers must be able to use them effectively. There are
some particular considerations for the design of usable and accessible
voting systems:
* The voting task itself can be fairly complex; the voter
  may have to navigate an electronic ballot, choose multiple candidates
  in a single contest, or decide on abstrusely worded referenda
* Voting is performed infrequently, so there is limited
  opportunity for voters and poll workers to gain familiarity with the
  process
* Jurisdictions may change voting equipment, thus obviating
  whatever familiarity the voter might have acquired
* Usability and accessibility requirements include a broad
  range of factors, including physical abilities, language skills, and
  technology experience
The challenge, then, is to provide a voting system that voters can
use comfortably, efficiently, and with confidence that they have cast
their votes correctly. The requirements within this section are
intended to serve that goal. Three broad principles motivate this
section:
1. All eligible voters shall have access to the voting process
without discrimination. The voting process shall be accessible to
individuals with disabilities. The voting process includes
[[Page 18840]]
access to the polling place, instructions on how to vote, initiating
the voting session, making ballot selections, review of the ballot,
final submission of the ballot, and getting help when needed.
2. Each cast ballot shall accurately capture the selections made by
the voter. The ballot shall be presented to the voter in a manner that
is clear and usable. Voters should encounter no difficulty or confusion
regarding the process for recording their selections.
3. The voting process shall preserve the secrecy of the ballot. The
voting process shall preclude anyone else from determining the content
of a voter's ballot, without the voter's cooperation. If such a
determination is made against the wishes of the voter, then his or her
privacy has been violated.
All the requirements in this section have the purpose of improving
the quality of interaction between voters and voting systems.
* Requirements for general usability apply to all voting
  systems. Requirements for any alternative languages required by state
  or federal law are included under this heading.
* Requirements to assist voters with physical, sensory, or
  cognitive disabilities apply, as a minimum, to the accessible voting
  stations required by HAVA Section 301 (a)(3)(B). They may also assist
  those not usually described as having a disability, e.g., voters with
  poor eyesight or limited dexterity.
Several uncommon terms are used in this section. For the
convenience of the reader, they are defined below, in addition to being
included in the Glossary. Other terms frequently used here and
throughout this document are defined in the Glossary. Note in
particular the distinctions between these terms: voting system, voting
equipment, voting machine and voting station.
* Common Industry Format (CIF)--the format to be used for
  usability testing reporting, described in ANSI/INCITS 354-2001 ``Common
  Industry Format (CIF) for Usability Test Reports''
* Accessible Voting Station--the voting station equipped for
  individuals with disabilities referred to in HAVA 301 (a)(3)(B).
* Audio-Tactile Interface--a voter interface designed not to
  require visual reading of a ballot. Audio is used to convey information
  to the voter and sensitive tactile controls allow the voter to convey
  information to the voting system.
3.1 Usability Requirements
The voting process shall provide a high level of usability for
voters. Accordingly, voters shall be able to negotiate the process
effectively, efficiently, and comfortably. The mandatory voting system
standards mandated in HAVA Section 301 relate to the interaction
between the voter and the voting system:
a. Requirements.--Each voting system used in an election for
federal office shall meet the following requirements:
1. In general.--
A. Except as provided in subparagraph (B), the voting system
(including any lever voting system, optical scanning voting system,
or direct recording electronic system) shall--
i. Permit the voter to verify (in a private and independent
manner) the votes selected by the voter on the ballot before the
ballot is cast and counted;
ii. Provide the voter with the opportunity (in a private and
independent manner) to change the ballot or correct any error before
the ballot is cast and counted (including the opportunity to correct
the error through the issuance of a replacement ballot if the voter
was otherwise unable to change the ballot or correct any error); and
iii. If the voter selects votes for more than one candidate for
a single office--
I. Notify the voter that the voter has selected more than one
candidate for a single office on the ballot;
II. Notify the voter before the ballot is cast and counted of
the effect of casting multiple votes for the office; and
III. Provide the voter with the opportunity to correct the
ballot before the ballot is cast and counted.
B. A state or jurisdiction that uses a paper ballot voting
system, a punch card voting system, or a central count voting system
(including mail-in absentee ballots and mail-in ballots), may meet
the requirements of subparagraph (A)(iii) by--
i. Establishing a voter education program specific to that
voting system that notifies each voter of the effect of casting
multiple votes for an office; and
ii. Providing the voter with instructions on how to correct the
ballot before it is cast and counted (including instructions on how
to correct the error through the issuance of a replacement ballot if
the voter was otherwise unable to change the ballot or correct any
error).
C. The voting system shall ensure that any notification required
under this paragraph preserves the privacy of the voter and the
confidentiality of the ballot.
Usability is defined generally as a measure of the effectiveness,
efficiency, and satisfaction achieved by a specified set of users with
a given product in the performance of specified tasks. In the context
of voting, the primary user is the voter, the product is the voting
system, and the task is the correct recording of the voter ballot
selections. Additional requirements for task performance are
independence and privacy: the voter should normally be able to complete
the voting task without assistance from others, and the voter
selections should be private. Lack of independence or privacy may
adversely affect effectiveness (e.g., by possibly inhibiting the
voter's free choice) and efficiency (e.g., by slowing down the
process).
Among the basic metrics for usability are:
* Low error rate for marking the ballot (the voter selection
  is correctly conveyed to and represented within the voting system)
* Efficient operation (time required to vote is not
  excessive)
* Satisfaction (voter experience is safe, comfortable, free
  of stress, and instills confidence)
It is the intention of the EAC that in future revisions to the
Guidelines, usability will be addressed by high-level performance-based
requirements. That is, the requirements will directly address metrics
for effectiveness (e.g., correct capture of voter selections),
efficiency (e.g., time taken to vote), and satisfaction. Until the
supporting research is completed, however, the contents of this
subsection are limited to a basic set of widely accepted design
requirements and lower-level performance requirements. The reasons for
this approach are:
* These are to serve as interim requirements, pending the
  issuance of high-level performance requirements
* The actual benefit of numerous detailed design guidelines
  is difficult to prove or measure
* The technical complexity and costs of a large set of
  detailed requirements may not be justified
* Guidelines that are difficult to test because of
  insufficient specificity have been omitted
While the scope of usability applies to the entire voting process,
the emphasis in these requirements is on the voter interface with the
voting machine, which is assumed to be a visual-tactile interface.
The outline for this subsection is:
3.1.1 Usability Testing
3.1.2 Functional Capabilities
3.1.3 Alternative Languages
3.1.4 Cognitive Issues
3.1.5 Perceptual Issues
3.1.6 Interaction Issues
3.1.7 Privacy
3.1.1 Usability Testing
The vendor shall conduct summative usability tests on the voting
system using individuals representative of the general population. The
vendor shall document the testing performed and report the test results
using the Common Industry Format. This documentation shall be included
in the Technical Data Package submitted to the EAC for national
certification.
[[Page 18841]]
Discussion: Voting system developers are required to conduct
realistic usability tests on the final product. For the present,
vendors can define their own testing protocols. Future revisions to
the Guidelines will include requirements for usability testing that
will provide specific performance benchmarks.
3.1.2 Functional Capabilities
The voting process shall provide certain functional capabilities to
support voter usability.
a. The voting system shall provide feedback to the voter that
identifies specific contests or ballot issues for which he or she has
made no selection or fewer than the allowable number of selections
(e.g., undervotes)
b. The voting system shall notify the voter if he or she has made
more than the allowable number of selections for any contest (e.g.,
overvotes)
c. The voting system shall notify the voter before the ballot is
cast and counted of the effect of making more than the allowable number
of selections for a contest
d. The voting system shall provide the voter the opportunity to
correct the ballot for either an undervote or overvote before the
ballot is cast and counted
e. The voting system shall allow the voter, at his or her choice,
to submit an undervoted ballot without correction
f. DRE voting machines shall allow the voter to change a vote
within a contest before advancing to the next contest.
Discussion: The point here is that voters using a DRE should not
have to wait for the final ballot review screen in order to change a
vote.
g. DRE voting machines should provide navigation controls that
allow the voter to advance to the next contest or go back to the
previous contest before completing a vote on the contest currently
being presented (whether visually or aurally).
Discussion: For example, the voter should not be forced to
proceed sequentially through all the contests before going back to
check his or her selection for a previous contest.
3.1.3 Alternative Languages
The voting equipment shall be capable of presenting the ballot,
ballot selections, review screens and instructions in any language
required by state or federal law.
Discussion: HAVA Section 301 (a)(4) states that the voting
system shall provide alternative language accessibility pursuant to
the requirements of section 203 of the Voting Rights Act of 1965 (42
U.S.C. 1973aa-1a). Ideally every voter would be able to vote
independently and privately, regardless of language. As a practical
matter, alternative language access is mandated under the Voting
Rights Act of 1975, subject to certain thresholds, e.g., if the
language group exceeds 5% of the voting age population. The audio
interface provided for blind voters may also assist voters who speak
English, but who are unable to read it (See Subsection 3.2.2.2).
3.1.4 Cognitive Issues
The voting process shall be designed to minimize cognitive
difficulties for the voter.
a. Consistent with election law, the voting system should support a
process that does not introduce any bias for or against any of the
selections to be made by the voter. In both visual and aural formats,
contest choices shall be presented in an equivalent manner.
Discussion: Certain differences in presentation are mandated by
state law, such as the order in which candidates are listed and
provisions for voting for write-in candidates. But comparable
characteristics such as font size or voice volume and speed must be
the same for all choices.
b. The voting machine or related materials shall provide clear
instructions and assistance to allow voters to successfully execute and
cast their ballots independently.
Discussion: Voters should not routinely need to ask for human
assistance.
i. Voting machines or related materials shall provide a means for
the voter to get help at any time during the voting session.
Discussion: The voter should always be able to get help if
needed. DRE voting machines may provide this with a distinctive
``help'' button. Any type of voting equipment may provide written
instructions that are separate from the ballot.
ii. The voting machine shall provide instructions for all its valid
operations.
Discussion: If an operation is available to the voter, it must
be documented. Examples include how to change a vote, how to
navigate among contests, how to cast a straight party vote, and how
to cast a write-in vote.
c. The voting system shall provide the capability to design a
ballot for maximum clarity and comprehension.
i. The voting equipment should not visually present a single
contest spread over two pages or two columns.
Discussion: Such a visual separation poses the risk that the
voter may perceive one contest as two. If a contest has a large
number of candidates, it may be infeasible to observe this
guideline.
ii. The ballot shall clearly indicate the maximum number of
candidates for which one can vote within a single contest.
iii. There shall be a consistent relationship between the name of a
candidate and the mechanism used to vote for that candidate.
Discussion: For example, if the response field where voters
indicate their selections is located to the left of a candidate's
name, then each response field shall be located to the left of the
associated candidates' names.
d. Warnings and alerts issued by the voting system should clearly
state the nature of the problem and the set of responses available to
the voter. The warning should clearly state whether the voter has
performed or attempted an invalid operation or whether the voting
equipment itself has malfunctioned in some way.
Discussion: In case of an equipment failure, the only action
available to the voter might be to get assistance from a poll
worke