Thanks very much for bring up this issue Kevin.
Coincidentally, I had contacted John Wack suggesting that at the very least bar codes should be in an industry-standard format readable by standard commercial technology - without realizing that had been a requirement way back with VVSG 1.0
I agree with most all of your points and think our group ought to
.make this part of our agenda.
John
Judson Neer
Director of Engineering
Everyone Counts, Inc.
Phone: 937.902.7765
Email: judso...@everyonecounts.com
Website: www.everyonecounts.com
The information in this email, including any attachments, is confidential and intended solely for the use of the person or entity to which it is addressed. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is prohibited. Please notify the sender if you have received this message by mistake and delete this email from your system. Thank you.
> To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
> Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
> ---
> You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
>
>
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
This is from the general interoperability requirements for the next VVSG, available on the interoperability page on the twiki:
Standard, publicly-available and publicly-documented protocols MUST be used, where possible, for exchanging data or encoding data.
Applies to: Voting system
Discussion
This refers to the use of common protocols for wireless communications, e.g., Bluetooth, etc. It also refers to data encodings such as for bar and QR codes typically used by ballot marking devices to encode voter choices.
Status: under review
Updated: 02/13/18
Gap notes: New requirement
Where it is not currently possible to meet requirement A.2, manufacturers MUST use a publicly documented protocol.
Applies to: Voting system
Discussion
This refers to, for example, packing or compressing data before encoding in a QR code. If a manufacturer uses its own protocol or algorithm, it must document its implementation and usage and make this available publicly.
Status: under review
Updated: 02/13/18
Gap notes:New requirement
In 1-A.3, it says that a manufacturer can use their own data compression method as long as it is publicly documented such that auditors, the public, whomever, can decompress the data.
I think, as most people would agree, it is better not to need to do compression or not to need to use a bar code at all. But, I understand that they are used because they are more accurately scanned 'in the field' than the marked paper ballots, and it's important to reasonably ensure that what gets encoded into the cast vote record is correct. And compression might be necessary depending on which barcode is being used and the amount of data. It is my recollection that the TGDC who approved the 2007 TGDC Recommendations didn't really like items such as barcodes that aren't human readable, but at the same time were okay with barcodes as long as the barcode algorithm is 'in the public' and an audit could be readily done to verify that the algorithm is being used correctly. So, these requirements above go along with this.
If this group wants to change these requirements, I think that it's important to preserve the principle of transparency and at the same time not make the requirements unnecessarily difficult to meet or complicate too much life for the election workers and auditors involved.
Judson,
I would venture a tentative "yes" with the proviso that the in the
audit, the barcode reading has to be done by a device that's independent
of the voting system product that wrote the barcode, and that coding
would have to be in an industry standard format (because of the Fram
factor).
Another important part of such an audit would be detection of cases
where a human mark placed after the barcode imprint might create a
ballot for which the barcode doesn't match the voter's intent as evident
to a human review.
John Sebes
Judson Neer wrote:
> Kevin (and others),
>
> Could a manual audit of some percentage of ballots that compares the
> contents of the barcode to the printed marks, in conjunction with a
> larger set of ballots audited via barcode scan, serve to give adequate
> confidence in the results, and restore software independence?
>
> Judson Neer
>
> /Director of Engineering/
>
>
> Everyone Counts, Inc.
>
> Phone: 937.902.7765
>
> Email: judso...@everyonecounts.com
> <mailto:judson.neer@everyonecounts.com>
>
>
> The information in this email, including any attachments, is
> confidential and intended solely for the use of the person or entity to
> which it is addressed. If you are not the intended recipient you are
> notified that disclosing, copying, distributing or taking any action in
> reliance on the contents of this information is prohibited. Please
> notify the sender if you have received this message by mistake and
> delete this email from your system. Thank you.
>
>
> On Fri, Apr 27, 2018 at 9:20 AM, Kevin Skoglund <ke...@kevinskoglund.com
> <mailto:kevin@kevinskoglund.com>> wrote:
>
> You are correct, and I apologize for my sloppy writing. I can see
> how "danger" came across as a loaded word. I should rephrase it.
>
> "There is a chance that a petitioner will ask for a machine recount
> and the barcodes will be scanned again. There is a chance that a
> jurisdiction will scan barcodes while performing audits."
>
> My point was about the lack of software independence when either
> scenario occurs.
>
> Best,
> Kevin Skoglund
>
>
> > On Apr 27, 2018, at 11:57 AM, Keith Ingram <KIn...@sos.texas.gov
> <mailto:vvsg-cybersecurity%2Bunsu...@list.nist.gov>
> > Visit this group at
> https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
> <https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity>
> > ---
> > You received this message because you are subscribed to the
> Google Groups "vvsg-cybersecurity" group.
> > To unsubscribe from this group and stop receiving emails from it,
> send an email to vvsg-cybersecurity+unsub...@list.nist.gov
> <mailto:vvsg-cybersecurity%2Bunsu...@list.nist.gov>.
> >
> >
>
> --
> To unsubscribe from this group, send email to
> vvsg-cybersecurity+unsub...@list.nist.gov
> <mailto:vvsg-cybersecurity%2Bunsu...@list.nist.gov>
> Visit this group at
> https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
> <https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity>
> ---
> You received this message because you are subscribed to the Google
> Groups "vvsg-cybersecurity" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to vvsg-cybersecurity+unsub...@list.nist.gov
> <mailto:vvsg-cybersecurity%2Bunsu...@list.nist.gov>.
>
>
> --
> To unsubscribe from this group, send email to
> vvsg-cybersecurity+unsub...@list.nist.gov
> Visit this group at
> https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
> ---
> You received this message because you are subscribed to the Google
> Groups "vvsg-cybersecurity" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to vvsg-cybersecurity+unsub...@list.nist.gov
> <mailto:vvsg-cybersecurity+unsub...@list.nist.gov>.
Regarding use of barcodes printed onto paper (in addition to human readable print) for voters’ selections:
Take the case of voter selections accompanied by a single 2D barcode printed onto a VVPAT thermal paper ballot used by a DRE as a voter verified “backup” for use during a post-election audit or recount. In this case the DRE electronic CVR (not the paper CVR) would be the ballot of record. Thermal paper (a 2”-4” wide receipt type strip) would not lend itself to OCR scanning due to the nature of the paper, but would allow the holding of each ballot’s barcode in front of a scanner by hand, like scanning items in a checkout line at the grocery. The scanned vote selections on a display could be compared to each ballot’s human readable contents before scanning the next ballot. Another advantage of barcode scanning over OCR is that barcodes allow integrity checking of the data, whereas raw scanned items (optical mark, OCR) are much more prone to error. And finally, a single 2D barcode could contain around 4,000 characters of text, more than enough data to store a complete CVR, including the ballot style, precinct and activation along with voter selection locations for a long ballot.
About 10 years ago I attended a meeting for voting system manufacturers hosted by the EAC. The speaker was Merle King from Kennesaw State University’s Center for Election Systems in Georgia (now retired). During his presentation he showed us a study comparing the accuracy of different voting technologies. According the information on his slide overall DRE accuracy (including voter error, etc.) was less than .5%, while paper mark scanning exceeded an 8% overall error rate. That number certainly had an impact on me.
I’m not a big fan of paper as a storage medium in general because of the tremendous usability and accessibility issues associated with the technology. When the accuracy problems of optical mark or OCR scanning are factored in, the picture gets even worse. I’d much rather see our community leverage the many thousands of hours and millions of dollars spent independently testing and certifying our systems over a number of years by conducting PEPCS audits (Pre or Post-Election Physical and Cybersecurity Sweep) to assure that the configuration of the system is unmodified from the certified version comparing digital signatures and our required System Identification Tools supplied with each voting system. Barcode technology at least mitigates to a certain degree the inherent difficulties of accurately reading voter intent using optical mark, OCR scanning or (perish the thought) a complete hand count of paper ballots. Also keep in mind that re-counting a few thousand sampled paper ballots (or a whole state) is a tremendously tedious and time-consuming undertaking. Making the job less onerous and more accurate means jurisdictions are more likely to conduct meaningful recounts or audits.
From: grlndlynn via vvsg-cybersecurity [mailto:vvsg-cybe...@list.nist.gov]
Sent: Monday, April 30, 2018 18:46
To: mschn...@mitre.org; ke...@kevinskoglund.com; vvsg-cybe...@list.nist.gov
Subject: Re: [vvsg-cybersecurity] Barcodes on ballots
Kevin,
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
On the call last Friday, two main uses for barcodes were mentioned:
1. Voting machines encoding voters' selections.
2. E-poll machines encoding the ballot style so that BMDs will display the correct ballot style.
I believe that your analysis was primarily dealing with the first, right?
Are there other uses for barcodes that are being considered besides these two?
Hi everyone,
Some additional info if you don't already have this:
NIST has been preparing a common data format for cast vote records, and we've had very good help in this from a variety of different groups - manufacturers, auditing people, many others. The model is considered complete and the specification is in final stages - I am redrawing some images and creating worked examples, and then it's ready for review.
The specification includes the capability for cast vote records to contain a number of items in addition to the voted contests and contest selections, including the ballot style, the creating device ID, sheet number if a multi-sheet paper ballot, corresponding paper ballot ID if this ID is impressed by the printer or possibly included in the bar code created by a BMD, party associated with the ballot if a partisan primary, positions associated with 'bubbles' on the ballot, and so on. The current version of the specification is at
https://github.com/usnistgov/CastVoteRecords
and you can read about what the cast vote record has the capability to contain.
A BMD may encode, in a bar code, some of this information (manufacturers on this list will know this better than me). It could additionally print out the ballot style, bubble positions, etc. My opinion is that while transparency is improved a little if this additional info is printed, at the same time this same information is not necessarily known or obvious to the voter who is voting a paper ballot.
One issue is that if a ballot scanner impresses an ID on a paper ballot so that the ID can be stored in the corresponding cast vote record, the voter doesn't see the impressed ID and privacy is thus preserved. If the BMD were to generate an ID and place it in the bar code so that the scanner can then store it in the corresponding cast vote record, I doubt whether the ID should be printed in human readable form; obscuring it in a bar code would prevent a voter or someone else from easily remembering the number.
At any rate, what I'm saying is that the cast vote record contains additional items beside contests and contest selections; voters casting paper ballots don't necessarily see these items; a BMD would likely encode those items in a bar code and depending on requirements, it could also print them out in human-readable form. It's not my purpose here to debate the value of printing them or not (except for the impressed ID issue), but these items do need to get put into the cast vote record so that the proper reporting of the election and auditing can be conducted.
Cheers, John
Bernie,
If the paper audit trail contains a barcode, is it really voter verified? Add a human readable representation, and then we’re back to the issue of what if the barcode and human readable versions differ?
Why do you say that thermal paper wouldn’t lend itself to OCR?
Greetings all. Last
Thursday, I attended a demonstration of new voting machines in
Harrisburg PA with 5 different vendors displaying there wares. All
of
them had paper backed ballots, now being required by PA Governor
Wolf. As I have been studying this thread on bar codes, my
question
is this: Are there any commercially available programs, for any
smartphone, that can accurately decode and display what the bar
code
translates into? Vendors who were there are ES&S, Hart Verity,
Unisyn, Dominion Voting, and Clearballot. Thank you all in advance
for the work you do.
--
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
Judson Neer
Director of Engineering
The information in this email, including any attachments, is confidential and intended solely for the use of the person or entity to which it is addressed. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is prohibited. Please notify the sender if you have received this message by mistake and delete this email from your system. Thank you.
I hope the vendors will weigh in here and correct me if I’m wrong but my understanding is that all the systems currently on the market that encode vote choices in a barcode use proprietary tech and cannot be decoded by any commercial off the shelf scanners.Sent from my iPad
Greetings all. Last Thursday, I attended a demonstration of new voting machines in Harrisburg PA with 5 different vendors displaying there wares. All of them had paper backed ballots, now being required by PA Governor Wolf. As I have been studying this thread on bar codes, my question is this: Are there any commercially available programs, for any smartphone, that can accurately decode and display what the bar code translates into? Vendors who were there are ES&S, Hart Verity, Unisyn, Dominion Voting, and Clearballot. Thank you all in advance for the work you do.
On 5/1/2018 6:15 PM, Bernie Hirsch wrote:
I'm working a primary election today and just scanned in a bunch of paper ballots. Yes, the error rate still hovers around 8% for paper ballots, even 10 years later. Why? Because voters make lots of errors that DRE's eliminate. I've scanned a number of ballots where voters X'd out one filled-in entry and filled in another, over-voting the office. Just read several where the voter filled in an invalid voting location (no candidate). We also had some spoiled paper ballots because two different ballot styles were mailed to the same address (husband/wife, etc.) and they switched the ballots when inserting them into the return envelopes, invalidating the activation. So basically a large contributing factor to the error rate with scanned paper ballots is voter error, not necessarily scanning error (although that's still an issue). All of this is eliminated when voting by machine. And regarding this notion of software independence for voter verified human-readable ballots, I'm suggesting that a VVPAT or precinct-scanned ballot that has BOTH human-readable and barcode is just as valid as one lacking a barcode. A paper ballot that is tabulated using OCR or optical/digital mark detection is still completely dependent on software and hardware. The scanning algorithms must determine what the marks mean and determine whether or not to assign that selection to a candidate or referendum. The only question is how difficult and inaccurate do we want to make those processes. If those ballots are hand counted or audited then the human readable information would be all that matters, regardless of any software dependence or extraneous codes on the voter-verified ballot. Bernie Hirsch -----Original Message----- From: Kevin Skoglund [mailto:kevin@kevinskoglund.com] Sent: Monday, April 30, 2018 21:37 To: vvsg-cybersecurity Subject: Re: [vvsg-cybersecurity] Barcodes on ballots Bernie,
Thermal paper (a 2”-4” wide receipt type strip) would not lend itself to OCR scanning due to the nature of the paperCould you elaborate on why thermal paper does not lend itself to OCR? Is this true for both optical and digital scanners?Another advantage of barcode scanning over OCR is that barcodes allow integrity checking of the dataHow is the integrity of barcoded data checked? Are there systems that do this now or is it theoretical?And finally, a single 2D barcode could contain around 4,000 characters of text, more than enough data to store a complete CVR, including the ballot style, precinct and activation along with voter selection locations for a long ballot.Other ballot representations could contain this data and more. This seems like an argument for better data compression and speed.About 10 years ago I attended a meeting for voting system manufacturers hosted by the EAC. The speaker was Merle King from Kennesaw State University’s Center for Election Systems in Georgia (now retired). During his presentation he showed us a study comparing the accuracy of different voting technologies. According the information on his slide overall DRE accuracy (including voter error, etc.) was less than .5%, while paper mark scanning exceeded an 8% overall error rate. That number certainly had an impact on me.10 years is a long time. Weren't most scanners optical and not digital then? Vendors have done an amazing job improving the software that reads hand-marked paper ballots. Does anyone know of more recent data on this point? Or even just the current error rate of paper mark scanning? I'd be surprised to hear it is 8% today. Best, Kevin
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
Susan,
Thanks, I agree that having two different representations of ballot choices on a paper ballot or a paper audit trail is an issue that should be avoided. I think that non-human readable information makes it difficult, at best, for a voter to verify the information. Determining if the election outcome is correct as per guideline 9.2 - “The voting system produces readily available records that provide the ability to check whether the election outcome is correct and, to the extent possible, identify the root cause of any irregularities” is difficult if voters cannot verify that the information used in the tally represents what they intend.
From: Susan Greenhalgh [mailto:segree...@gmail.com]
Sent: Wednesday, May 02, 2018 10:53 AM
To: Schneider, Marc I <mschn...@mitre.org>
Cc: Bernie Hirsch <bhi...@microvote.com>; Kevin Skoglund <ke...@kevinskoglund.com>; vvsg-cybersecurity <vvsg-cybe...@list.nist.gov>
Subject: Re: [vvsg-cybersecurity] Barcodes on ballots
Thanks, I'd like to reiterate that there remains a thorny legal question if a paper ballot contains two different representations of voter intent - one that the voter can confirm, and a different representation
that is counted by the equipment. Which is the official ballot of record?
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
--
To unsubscribe from this group, send email to
vvsg-cybersecur...@list.nist.gov
Visit this group at
https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
Judson Neer
Director of Engineering
Everyone Counts, Inc.
Phone: 937.902.7765
Email: judso...@everyonecounts.com
Website: www.everyonecounts.com
The information in this email, including any attachments, is confidential and intended solely for the use of the person or entity to which it is addressed. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is prohibited. Please notify the sender if you have received this message by mistake and delete this email from your system. Thank you.
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
To unsubscribe from this group, send email to vvsg-cybersecurity+unsubscribe@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsubscribe@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsubscribe@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsubscribe@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsubscribe@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsubscribe@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsubscribe@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsubscribe@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
Kind Regards,
Lulu
@LuluFriesdat
Emmy award-winning journalist & documentary filmmaker, reporting on election reform. Assignments with CBS Evening News, Good Morning America, NBC documentaries.
This kind of thing would be decided at a state level. In Wisconsin, the voter-verifiable paper audit trail always wins. We see this in DREs where essentially two records are created at once: the digital nonverifiable record and the printed verifiable record. I assume the barcode would not be considered voter-verifiable. In the worst case, I would expect an election inspector that was trying to determine voter intent would side with the human-readable record unless it was badly marred.
Clarifying legislation is always welcome, but I wouldn’t expect that to cause a problem for us. In fact I believe we saw a pilot of voting equipment that did something similar where the accessible equipment generated a human-readable printout that also contained a QR code for the tabulator.
From: Judson Neer [mailto:judso...@everyonecounts.com]
Sent: Wednesday, May 02, 2018 11:04 AM
To: vvsg-cybersecurity <vvsg-cybe...@list.nist.gov>
Subject: Re: [vvsg-cybersecurity] Barcodes on ballots
Importance: Low
For those who know the law better than I, are there provisions for having two representations, the primary being "plain text" (and hence easily voter verifiable), and a backup encoded in a barcode (using a publicly documented encoding / representation such as the cast vote record being discussed by NIST, so at least theoretically verifiable by anyone).
The use case I'm thinking of here is for ballots that are printed by a voter (e.g. UOCAVA and/or accessibility solutions that allow delivery and completion of a ballot via the web, and then mail the result). Given the variations in print quality and the potential for mangling by the post office, it seems useful to have multiple representations, if the law can accommodate it.
Judson Neer
Director of Engineering
Everyone Counts, Inc.
Phone: 937.902.7765
Email: judso...@everyonecounts.com
Website: www.everyonecounts.com
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at
https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
Judson Neer
Director of Engineering
Everyone Counts, Inc.
Phone: 937.902.7765
Email: judso...@everyonecounts.com
Website: www.everyonecounts.com
The information in this email, including any attachments, is confidential and intended solely for the use of the person or entity to which it is addressed. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is prohibited. Please notify the sender if you have received this message by mistake and delete this email from your system. Thank you.
I don't know if there are ES&S vendors in the group. I am not trying to single any company out - but the use of barcodes was so troubling to election security activists in Georgia recently - that legislation to revamp their voter system was stopped because it was being written to allow the adoption of barcodes.Meanwhile the ES&S Express Vote that uses barcodes is being adopted rapidly. I was told it is already in use in 3 counties in TX. Jenny Cohn had a twitter thread yesterday listing the counties that have bought the machine including counties in Kentucky, West Virginia, Tennessee, Missouri, Indiana, Arkansas, and Wisconsin.I agree with Susan and Marc that there is no meaningful way for the average voter to confirm that a barcode has accurately represented their vote. The use of barcodes is inherently opaque, and by it's very nature violates the principle of transparency.Furthermore, the use of barcodes has serious security risks. Harri Hursti said in testimony to the presidential commission on election integrity that barcodes can basically be used as a keyboard and they can be used to inject code into the process."When you read barcode, the problem is that barcode readers are usually a keyboard. So anything you can do with a keyboard you can do with a barcode. Barcode readers also
have a bad habit of reading more standards than the standard you are using, and some of these barcodes can have a thousand, two thousand characters, and they can emulate the keyboard very effectively, so
they can make those keyboard signs which are not-printable. Again, when you're reading a barcode, you can get an injection code into the system with that, and this is one thing which we found in the voting
machine hacking village is how you can inject in some of these machines a SQL inject from the barcode. So these capabilities are very dangerous and we have to be very careful with the technology;"
https://twitter.com/jennycohn1/status/991406567097483264
Kind Regards,
Lulu
@LuluFriesdat
Emmy award-winning journalist & documentary filmmaker, reporting on election reform. Assignments with CBS Evening News, Good Morning America, NBC documentaries.
Judson Neer
Director of Engineering
Everyone Counts, Inc.
Phone: 937.902.7765
Email: judso...@everyonecounts.com
Website: www.everyonecounts.com
The information in this email, including any attachments, is confidential and intended solely for the use of the person or entity to which it is addressed. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is prohibited. Please notify the sender if you have received this message by mistake and delete this email from your system. Thank you.
I respectfully disagree with the statement that "a standard representation of the data inside the barcode, is quite transparent."It's not transparent to me as a voter, if I don't have a barcode scanner with me. And even if I do - since there is the possibility that the barcode is injecting code that is malicious and possibly not meant to be read - it is possible that what I would be reading would not be all of the data. Possibly it would not be clear to any scanner - even one built by a different vendor.Why is it wise to advise people on how to carefully use things that are not ultimately safe?
I think your points are very well made, Judson.
I believe that in the subject of barcodes it is important to distinguish two separate types of transparency: Transparency to auditors and transparency to voters. I think barcodes can easily fulfill the former by following open or at least published standards for both barcode encoding and data marshalling. However I don’t think the latter can be achieved. It must always be remembered that elections are open to all voters, including the sizeable percentage of the adult population who do not have access to the internet or regularly use a computer, and that there are plenty of issues with voters bringing their smartphones out in the voting booth. As such, I see no reason why they can’t be used by the machine for performance or usability reasons, but it should be clear that they are not voter-verified data and not the official record of a person’s vote.
I do agree that it is incorrect to take Hursti’s comments regarding barcode injection to mean that barcodes are a dangerous technology. It simply means that your application is as vulnerable as if someone was sitting at the keyboard, and all the same input sanitization and other considerations apply.
From: Judson Neer [mailto:judso...@everyonecounts.com]
Sent: Wednesday, May 02, 2018 12:28 PM
To: Lulu Friesdat <shuga...@gmail.com>
Cc: vvsg-cybersecurity <vvsg-cybe...@list.nist.gov>
Subject: Re: [vvsg-cybersecurity] Barcodes on ballots
Importance: Low
I'm perfectly happy to "agree to disagree" with what constitutes transparency in this case, and also the degree to which the . Your points are reasonable, just (for me) not totally convincing. I'm glad for that tension, because it helps us all work towards the best requirements we can get.
I do want to address your last statement. I think there are two reasons to give advice on "not ultimately safe" things:
1. The argument that's been made before and more eloquently than me, that it might be wise to enumerate best practices and mitigation strategies rather than pretend the technology doesn't exist or that jurisdictions won't want to use it just because a voluntary requirements document bans it.
2. In the context of elections, ultimately everything is "unsafe" to one degree or other. DREs, VVPATs, barcodes, computers, paper ballots, the post office, election officials, etc. etc. etc. Admittedly not equally so, but that's the tough work of this process, to determine what technologies and processes are "safe enough" (especially when used in conjunction with other redundant technologies, audits, etc), and develop requirements on how to mitigate the risks that are involved. It's a balancing act to be sure, but the VVSG must advise people on how to carefully use things that are not ultimately safe, because that is literally its purpose.
Judson Neer
Director of Engineering
Everyone Counts, Inc.
Phone: 937.902.7765
Email: judso...@everyonecounts.com
Website: www.everyonecounts.com
The information in this email, including any attachments, is confidential and intended solely for the use of the person or entity to which it is addressed. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is prohibited. Please notify the sender if you have received this message by mistake and delete this email from your system. Thank you.
On Wed, May 2, 2018 at 10:12 AM, Lulu Friesdat <shuga...@gmail.com> wrote:
I respectfully disagree with the statement that "a standard representation of the data inside the barcode, is quite transparent."
It's not transparent to me as a voter, if I don't have a barcode scanner with me. And even if I do - since there is the possibility that the barcode is injecting code that is malicious and possibly not meant to be read - it is possible that what I would be reading would not be all of the data. Possibly it would not be clear to any scanner - even one built by a different vendor.
Why is it wise to advise people on how to carefully use things that are not ultimately safe?
On Wed, May 2, 2018 at 12:54 PM, Judson Neer <judso...@everyonecounts.com> wrote:
While I agree a barcode is less transparent than human-readable text on a printed page, it does not seem to follow that the use of a barcode is "inherently opaque". As I've said earlier, the use of a standard barcode encoding, and a standard representation of the data inside the barcode, is quite transparent, at least it would be to election officials trained in how to interpret it.
Of course to do so would require a scanner. And while I appreciate some of the dangers pointed out in the linked paper, they're a bit of a straw man. Not every barcode scanner functions as a keyboard; older-style RS-232 barcode scanners and optical barcode readers (e.g. apps on a smartphone) are just two examples. And even in the case of barcode scanners that present themselves as keyboards, it is not difficult to implement proper software controls to mitigate the named vulnerabilities.
Of course this brings us back to trusting the software, which we all agree should not be done, at least when the software operates in isolation from other checks and balances. In this case, a barcode scanner/reader built by a different vendor than the software used to create the barcode, and the software used to tabulate the resultant information, would be appropriate. Taken together with the barcode potentially only being a backup representation in the first place, and that seems a reasonable set of controls.
Like prior discussions around other technologies, it seems to me the wise path here is to build in requirements for barcode best practices, rather than outright forbid them, and risk jurisdictions ignoring the ban altogether and leaving them with no guidance on how to implement them well.
Judson Neer
Director of Engineering
Everyone Counts, Inc.
Phone: 937.902.7765
Email: judso...@everyonecounts.com
Website: www.everyonecounts.com
The information in this email, including any attachments, is confidential and intended solely for the use of the person or entity to which it is addressed. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is prohibited. Please notify the sender if you have received this message by mistake and delete this email from your system. Thank you.
On Wed, May 2, 2018 at 9:32 AM, Lulu Friesdat <shuga...@gmail.com> wrote:
I agree with Susan and Marc that there is no meaningful way for the average voter to confirm that a barcode has accurately represented their vote. The use of barcodes is inherently opaque, and by it's very nature violates the principle of transparency.
Furthermore, the use of barcodes has serious security risks. Harri Hursti said in testimony to the presidential commission on election integrity that barcodes can basically be used as a keyboard and they can be used to inject code into the process.
"When you read barcode, the problem is that barcode readers are usually a keyboard. So anything you can do with a keyboard you can do with a barcode. Barcode readers also
have a bad habit of reading more standards than the standard you are using, and some of these barcodes can have a thousand, two thousand characters, and they can emulate the keyboard very effectively, so
they can make those keyboard signs which are not-printable. Again, when you're reading a barcode, you can get an injection code into the system with that, and this is one thing which we found in the voting
machine hacking village is how you can inject in some of these machines a SQL inject from the barcode. So these capabilities are very dangerous and we have to be very careful with the technology;"Meanwhile the ES&S Express Vote that uses barcodes is being adopted rapidly. I was told it is already in use in 3 counties in TX. Jenny Cohn had a twitter thread yesterday listing the counties that have bought the machine including counties in Kentucky, West Virginia, Tennessee, Missouri, Indiana, Arkansas, and Wisconsin.
https://twitter.com/jennycohn1/status/991406567097483264I don't know if there are ES&S vendors in the group. I am not trying to single any company out - but the use of barcodes was so troubling to election security activists in Georgia recently - that legislation to revamp their voter system was stopped because it was being written to allow the adoption of barcodes.
On Wed, May 2, 2018 at 12:04 PM, Judson Neer <judso...@everyonecounts.com> wrote:
For those who know the law better than I, are there provisions for having two representations, the primary being "plain text" (and hence easily voter verifiable), and a backup encoded in a barcode (using a publicly documented encoding / representation such as the cast vote record being discussed by NIST, so at least theoretically verifiable by anyone).
The use case I'm thinking of here is for ballots that are printed by a voter (e.g. UOCAVA and/or accessibility solutions that allow delivery and completion of a ballot via the web, and then mail the result). Given the variations in print quality and the potential for mangling by the post office, it seems useful to have multiple representations, if the law can accommodate it.
Judson Neer
Director of Engineering
Everyone Counts, Inc.
Phone: 937.902.7765
Email: judso...@everyonecounts.com
Website: www.everyonecounts.com
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
--Kind Regards,
Lulu
@LuluFriesdat
Emmy award-winning journalist & documentary filmmaker, reporting on election reform. Assignments with CBS Evening News, Good Morning America, NBC documentaries.
--
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
--Kind Regards,
Lulu
@LuluFriesdat
Emmy award-winning journalist & documentary filmmaker, reporting on election reform. Assignments with CBS Evening News, Good Morning America, NBC documentaries.
--
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at
https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
Looking at the Principles and Guidelines, it seems to me that requirements around bar code scanner security would fall under principle 14 – system integrity and principle 15 – detection and monitoring.
If there are concerns about bar codes as an attack vector for malware, guideline 15.3 - The voting system employs mechanisms to protect against malware. I believe that a SQL injection attacks can be considered malware in this case, since the injected SQL statements are potentially code. Any use of bar codes, whether or not they contain ballot selections, needs to have security requirements in place. An argument can also be made for a requirement around injection attacks under guideline 14.2 - The voting system limits its attack surface by reducing unnecessary code, data paths, physical ports, and by using other technical controls.
What other security threat arise from bar codes, or bar code scanners?
From: Judson Neer [mailto:judso...@everyonecounts.com]
Sent: Wednesday, May 02, 2018 1:28 PM
To: Lulu Friesdat <shuga...@gmail.com>
Cc: vvsg-cybersecurity <vvsg-cybe...@list.nist.gov>
Subject: Re: [vvsg-cybersecurity] Barcodes on ballots
I'm perfectly happy to "agree to disagree" with what constitutes transparency in this case, and also the degree to which the . Your points are reasonable, just (for me) not totally convincing. I'm glad for that tension, because it helps us all work towards the best requirements we can get.
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
--Kind Regards,
Lulu
@LuluFriesdat
Emmy award-winning journalist & documentary filmmaker, reporting on election reform. Assignments with CBS Evening News, Good Morning America, NBC documentaries.
--
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
--Kind Regards,
Lulu
@LuluFriesdat
Emmy award-winning journalist & documentary filmmaker, reporting on election reform. Assignments with CBS Evening News, Good Morning America, NBC documentaries.
--
To unsubscribe from this group, send email to
vvsg-cybersecur...@list.nist.gov
Visit this group at
https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
Judson Neer
Director of Engineering
Everyone Counts, Inc.
Phone: 937.902.7765
Email: judso...@everyonecounts.com
Website: www.everyonecounts.com
The information in this email, including any attachments, is confidential and intended solely for the use of the person or entity to which it is addressed. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is prohibited. Please notify the sender if you have received this message by mistake and delete this email from your system. Thank you.
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
--Kind Regards,
Lulu
@LuluFriesdat
Emmy award-winning journalist & documentary filmmaker, reporting on election reform. Assignments with CBS Evening News, Good Morning America, NBC documentaries.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
--Kind Regards,
Lulu
@LuluFriesdat
Emmy award-winning journalist & documentary filmmaker, reporting on election reform. Assignments with CBS Evening News, Good Morning America, NBC documentaries.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
Strongly disagree with your statement about the "danger" of using bar codes in recounts. This demonstrates that you know very little about actual elections.
If a recount petitioner asks for a hand count then they will get a hand count. This is a public proceeding with poll watchers present. If a petitioner asks for a machine recount, then the bar codes will be scanned again. There is no "danger" involved at all.
-----Original Message-----
From: Kevin Skoglund [mailto:kevin@kevinskoglund.com]
Sent: Friday, April 27, 2018 9:53 AM
To: vvsg-cybersecurity <vvsg-cybe...@list.nist.gov>
Subject: [vvsg-cybersecurity] Barcodes on ballots
> 6. Ballot barcodes / encoding - I don’t feel like the WG has ever had a discussion on this topic, and it may make sense to include requirements on this subject.
The VVSG 1.0 required barcodes to be in an industry-standard format readable by standard commercial technology (7.9.3.h), but that requirement seems to have been dropped in VVSG 1.1.
I would argue that using barcodes to transfer vote selections from a BMD to a tabulator is not allowed under the VVSG 2.0 Principles.
* Barcodes are not transparent (Principle 3). They are an opaque, secret message being passed between the BMD and the tabulator. They are not a process or transaction which is "readily available for inspection," (3.2) and the public cannot "understand and verify the operations" (3.3).
* Most current barcodes are in a proprietary format. That means they are not exporting data (from the BMD) and importing data (to the tabulator) "in an interoperable format" (4.1) or in a "standard, publicly-available" format (4.2).
* Voters cannot read barcodes so they cannot "understand all information as it is presented" (7.3).
* Barcodes do not "provide individual voters the opportunity to verify that the voting system correctly interpreted their ballot selections" (9.1-B.1), and the voter does not "have the opportunity to identify ballot errors before it is cast" (9.1-F.4). Voters can verify the human-readable version, but that is not the data being cast. Any malfunction or manipulation in the barcode data would not be detectable by the voter. It most likely would not be detectable without using proprietary hardware.
* There is a danger that barcodes would be used during recounts and audits. It is easier, faster, and cheaper to scan ballots again than to do a hand count or a proper audit. (Recently, a vendor demonstrated to me how to use a central-count tabulator to recount precinct-count ballots with barcodes.) Even in a ballot-compare audit, the voting system could be used to read the barcode, and systems with proprietary or encrypted barcodes would require it. The voting system should be software independent and audits should never trust any part of the device being audited (9.1-A).
* Barcodes could contain data besides ballot selections. They should be tested to ensure they do not "contain data or metadata associated with the CVR and ballot image files which can be used to determine the order in which votes are cast" (10.2-D).
* Similar to my previous argument about different-sized ballots, barcoded ballots look different from ballots marked by hand. The barcode is an "election artifact that can be used to associate the voter’s identity with the voter’s intent, choices, or selections" (10.2).
* Barcodes add to the attack surface of a system by adding additional code and data paths, instead of limiting them (14.2). They create new opportunities for hacking the output of the barcode via the BMD or the scanning of the barcode via the tabulator. It seems likely that third-party libraries are imported into the code for both. In a worst case scenario, some barcodes (e.g., PDF417) can encode over 1.1 kilobytes of data which is enough for a small malware program or other instructions to the tabulator.
We should also ask: why do we need barcodes at all? They solve a problem that does not exist in voting systems. A ballot marking device can easily print marks to fill in circles on a paper ballot. (They could be even randomly pick from a library of mark styles or be "fuzzed" to make them appear hand-marked.) Every system vendor with a digital scanner can accurately read less-precise marks on hand-marked ballots. Reading a machine-marked ballot is easy by comparison. I believe some vendors have systems which currently do this.
Barcodes could still be used for ballots style and precinct configuration (in a readable, interoperable format). However, I think the principle-first design of VVSG 2.0 indicates that barcodes should not be used for ballot selections anymore.
Best,
Kevin Skoglund
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
--Kind Regards,
Lulu
@LuluFriesdat
Emmy award-winning journalist & documentary filmmaker, reporting on election reform. Assignments with CBS Evening News, Good Morning America, NBC documentaries.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
--Kind Regards,
Lulu
@LuluFriesdat
Emmy award-winning journalist & documentary filmmaker, reporting on election reform. Assignments with CBS Evening News, Good Morning America, NBC documentaries.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
There are a number of other reasons. To avoid repetition here, please see the entirety of our discussion from the past several days. Thank you.
-----Original Message-----
From: jennif...@gmail.com [mailto:jennif...@gmail.com]
Sent: Wednesday, May 02, 2018 15:12
To: vvsg-cybersecurity
Subject: Re: [vvsg-cybersecurity] Barcodes on ballots
Kevin: Thank you for bringing attention to this important issue. Why include a barcode at all? The only reason I can think of is to prevent voters from verifying that their vote was recorded accurately.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
---
This email has been checked for viruses by AVG.
http://www.avg.com
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
Jennifer,
Barcode technology is well-vetted worldwide in many different industries and most certainly publicly accepted. You are creating a strawman argument in suggesting that a lack of studies in a particular application (voting) invalidates the technology itself. Your argument then goes on to assume that the voter’s human readable text or marks is being counted ACCURATELY by the voting system dependent software and hardware. Maybe it is, maybe it’s not. Using anecdotal evidence from a single election in one state to prove your point doesn’t necessarily mean that all elections everywhere are equally accurate. I could point out that our touch button DRE’s show ZERO calculation and interpretation errors in both testing and practical use over many years and hundreds of million votes but would you accept that?
The short answer to your argument is just because a voter can read their data going into a system doesn’t mean it isn’t being manipulated in an undetected way downstream, either intentionally or unintentionally. An E2E system might make a lot of sense in solving most of the verification problems related to the storing and processing of data in our voting systems.
Bernie
From: jennif...@gmail.com [mailto:jennif...@gmail.com]
Sent: Wednesday, May 02, 2018 16:52
To: vvsg-cybersecurity
Cc: jennif...@gmail.com; bhi...@microvote.com
Subject: Re: [vvsg-cybersecurity] Barcodes on ballots
Bernie:
I looked through the thread and it seems this is where you summarized the reasons why you believe barcodes are a good idea. I'd like to go through them briefly.
1. "Barcodes provide a thoroughly vetted and tested range of publicly accepted and understood technologies that are a valuable tool in voting system design and implementation." I respectfully disagree in that barcodes in ballots have not been thoroughly vetted or tested according to Harri Hursti. (Please let me know if believe Mr. Hursti is incorrect, i.e., if you are aware of a formal study on this issue.) And since barcodes in ballots are a relatively new concept, I think it's a bit of a stretch to say they are "publicly accepted." On the contrary, most people I've told feel the barcodes would be an invitation to fraud. Meanwhile, most voters who have used ballot marking devices already have no way of knowing that it is the barcodes (which they can't read), rather than the text (which they can), that is actually counted as their vote. Without this knowledge, their opinion on the issue is necessarily uninformed.
2. "They avoid many of the pitfalls of single optical mark interpretation and offer integrity safeguards that are absent in other forms of 'raw' visually stored data." I disagree that there is a serious problem with optical mark interpretation. In Minnesota's statewide recount, out of 2.92 million ballots cast, just 14 could not be decided unanimously by the bipartisan state canvassing board. https://www.sos.state.mn.us/media/3078/minnesotas-historic-2008-election.pdf
3. "Our voting systems will be more secure if we make it easier, not harder, to more accurately count or recount ballots." Again, I respectfully disagree to the extent you imply that barcodes will make it easier to more accurately count or recount ballots. If the votes are manipulated, the results will not be accurate at all, and it will be harder, not easier, to discover this because voters can't read and thus can't verify the bar codes.
On Wednesday, May 2, 2018 at 12:14:34 PM UTC-7, Bernie Hirsch wrote:
There are a number of other reasons. To avoid repetition here, please see the entirety of our discussion from the past several days. Thank you.
-----Original Message-----
From: jennif...@gmail.com [mailto:jennif...@gmail.com]
Sent: Wednesday, May 02, 2018 15:12
To: vvsg-cybersecurity
Subject: Re: [vvsg-cybersecurity] Barcodes on ballots
Kevin: Thank you for bringing attention to this important issue. Why include a barcode at all? The only reason I can think of is to prevent voters from verifying that their vote was recorded accurately.
--
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
---
This email has been checked for viruses by AVG.
http://www.avg.com
Election officials have no problem with taking the time and doing their job right. Unfortunately, many of them have arbitrary deadlines they are statutorily required to meet.
If you want election inspectors to do their jobs well and correctly without machine assistance, you’re going to have to convince the public, the press and most importantly legislators to go back to waiting for days to get results.
An optical scan tabulator no more reads the same information that a voter is reading than a barcode scanner does. The optical scan looks for the position of marks relative to the timing marks and then compares that against internal programming. At no point is it verifying that the result it comes up with matches the name the voter selected, and the scan process is completely opaque to the voter. If there is a mistake in the programming or the timing marks, the voter will never know. Similarly in a barcode scanner, it’s looking for marks relative to position indicators at the periphery of the barcode, and processing that against internal programming. That is why the gold standard for determining voter intent will always be public review of the paper ballot record. But there is no public or political will for the kind of time and resources that full hand counts require, which is why we have to turn to the compromise solution of audited machine counting.
Thank you,
Tony Bridges
WisVote Elections Specialist
Wisconsin Elections Commission
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
---
This email has been checked for viruses by AVG.
http://www.avg.com
--
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
Bernie,
I agree that data can be manipulated downstream after a voter verifies their ballot selections. However, I disagree that it can be manipulated downstream in an undetectable way. Software independence is all about detecting downstream manipulation. For software independence to work, you need to have the information that the voter verifies used during the audit. Bar codes confuse the issue, and there are other technologies which are human readable and address storage of ballot choices on paper. The use of a bar code implies that the system is printing the bar code on paper. These systems can print ballot selections that do not suffer from the issues associated with humans making marks on paper just as easily as they can print bar codes. The only disadvantage (from a data storage and readback point of view) is that human readable ballots do not store the information as densely as bar codes.
While E2E systems may solve this issue in the future, they are not yet a thoroughly understood and vetted technology.
From: Bernie Hirsch [mailto:bhi...@microvote.com]
Sent: Wednesday, May 02, 2018 5:14 PM
To: jennif...@gmail.com; 'vvsg-cybersecurity' <vvsg-cybe...@list.nist.gov>
Subject: RE: [vvsg-cybersecurity] Barcodes on ballots
Jennifer,
Tony,
Well said!
I would add that we are promoting a new type of “gold standard” system audit specifically designed to leverage the intense and exhaustive EAC testing and certification program. I have mentioned it before. It’s called a Pre (and/or Post) Election Cybersecurity Sweep (PEPCS). It is technology agnostic, which means it will work for all certified fielded voting systems. It verifies that the system is correctly configured as certified and has not been altered, either intentionally or unintentionally. It can be run before, during or after every election.
We have trained professionals to perform the sweep as a service for our system, but to avoid the “fox guarding the henhouse” scenario can also train local personnel to perform the audit. “During the sweep we use the System Identification Tools required with system certification to compare the digital signatures for the system against the ones in repository with the EAC. These signatures were created during the trusted build process by an independent, certified voting system test lab. We also verify the integrity of the election specific files. Then we examine the component seals, decals and other physical component protections looking for signs of tampering.
Bernie Hirsch
Chief Information Officer
From: Bridges, Tony - ELECTIONS [mailto:Tony.B...@wisconsin.gov]
Sent: Wednesday, May 02, 2018 17:24
To: Duncan Buell; vvsg-cybersecurity
Cc: Bernie Hirsch; jennif...@gmail.com
Subject: RE: [vvsg-cybersecurity] Barcodes on ballots
Election officials have no problem with taking the time and doing their job right. Unfortunately, many of them have arbitrary deadlines they are statutorily required to meet.
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
---
This email has been checked for viruses by AVG.
http://www.avg.com
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
I have about a dozen emails in this thread that I have not read because I am jammed up right now until a 1230pm tomorrow event.But Jennifer could not have said it better.Barcodes are not transparent or voter-verifiable unless voters are provide at the polls with all the technology necessary to verify. And we know that is not going to happen, for the most part, is prevented by state law in many places, and is in general an unrealizable fantasy. They are a showstopper, and should be rejected out of hand.Voter marks are indeed a problem. But they do leave marks to adjudicate. Barcodes do not unless there is embedded into law and practice a believable and serious audit process that statistically verifies that the barcode that is counted correlates 100% with the English that is read by the voter. Unless that is part of the law that permits barcodes, then barcodes should not be permitted, period.
I don’t care how hard it is or how long it takes for election officials to do their job. That’s their job. The goal is to make sure they get it right, not to make sure they get to “Miller time” on Election Day. Sorry, election officials, but that really ought to be the idea. We get the right result, and if it takes some extra effort, well, that’s what has to be done. Democracy is too important to become secondary in importance to efficiency in tabulation.
On May 2, 2018, at 4:51 PM, jennif...@gmail.com wrote:
Bernie:
I looked through the thread and it seems this is where you summarized the reasons why you believe barcodes are a good idea. I'd like to go through them briefly.
1. "Barcodes provide a thoroughly vetted and tested range of publicly accepted and understood technologies that are a valuable tool in voting system design and implementation." I respectfully disagree in that barcodes in ballots have not been thoroughly vetted or tested according to Harri Hursti. (Please let me know if believe Mr. Hursti is incorrect, i.e., if you are aware of a formal study on this issue.) And since barcodes in ballots are a relatively new concept, I think it's a bit of a stretch to say they are "publicly accepted." On the contrary, most people I've told feel the barcodes would be an invitation to fraud. Meanwhile, most voters who have used ballot marking devices already have no way of knowing that it is the barcodes (which they can't read), rather than the text (which they can), that is actually counted as their vote. Without this knowledge, their opinion on the issue is necessarily uninformed.
2. "They avoid many of the pitfalls of single optical mark interpretation and offer integrity safeguards that are absent in other forms of 'raw' visually stored data." I disagree that there is a serious problem with optical mark interpretation. In Minnesota's statewide recount, out of 2.92 million ballots cast, just 14 could not be decided unanimously by the bipartisan state canvassing board. https://www.sos.state.mn.us/media/3078/minnesotas-historic-2008-election.pdf
3. "Our voting systems will be more secure if we make it easier, not harder, to more accurately count or recount ballots." Again, I respectfully disagree to the extent you imply that barcodes will make it easier to more accurately count or recount ballots. If the votes are manipulated, the results will not be accurate at all, and it will be harder, not easier, to discover this because voters can't read and thus can't verify the bar codes.
On Wednesday, May 2, 2018 at 12:14:34 PM UTC-7, Bernie Hirsch wrote:
There are a number of other reasons. To avoid repetition here, please see the entirety of our discussion from the past several days. Thank you.
-----Original Message-----
From: jennif...@gmail.com [mailto:jennif...@gmail.com]
Sent: Wednesday, May 02, 2018 15:12
To: vvsg-cybersecurity
Subject: Re: [vvsg-cybersecurity] Barcodes on ballots
Kevin: Thank you for bringing attention to this important issue. Why include a barcode at all? The only reason I can think of is to prevent voters from verifying that their vote was recorded accurately.
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsubscribe@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsubscribe@list.nist.gov.
---
This email has been checked for viruses by AVG.
http://www.avg.com
--
To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.
I can't speak for Bernie. My point is that barcodes paired with a human-readable VVPAT in reality are no more opaque than a system we have already come to accept. I do not presently have a business need that barcodes meet and optical scan does not, but I do know that if local election officials in the future do decide they have a need that is met by barcodes, they will use them regardless of what we say here. I think it is much more useful to regulate than to prohibit any given technology. Any technology can be used in an unsafe manner, and almost any technology can be used in a safe manner, and I see our job as to provide guidance on how to use technologies safely. In the extreme, I think we can say a technology is simply too unsafe or too challenging to implement safely, but I think if we do that we need to be prepared to state in no uncertain terms why and in what ways it is too dangerous or we won't stop anyone.
It is true that voters do not have X-ray vision and can't tell if their vote was recorded and counted properly. That is just as true of optical scan machines as it is of barcode readers or DREs. In fact, voter secrecy means that even in a hand-count the voter can only be certain their vote was counted correctly by observing the entire count. Even audits only truly address that problem if every ballot is audited. If you have a solution to that problem that maintains voter secrecy, I would love to hear it. The only solutions I've heard are variants on zero-knowledge proofs that only work in highly artificial election scenarios.
I do not pretend to know the business needs of every election jurisdiction in the country. What I do know is that if election officials feel the need for a technology, they will find a way to do it. And without recommendations on how vendors should implement it, they will likely do so in an unsafe manner.
Saying that the only thing that's counted on barcode ballots is the barcode is exactly as accurate as saying the only part of the ballot that's counted on a hand-filled optical scan ballot is the bubbles. Nothing ties the bubble to the selection next to it any more than something ties the barcode to the printed selections. It is a layer of opacity, but it's not an additional layer it's the same layer.
I'm not an advocate for barcodes. But I understand the reality that when we say here that we ban a technology, all we're really doing is giving up our opportunity to suggest guidelines on how that technology could be made safer and more transparent.
On May 2, 2018, at 7:31 PM, Bridges, Tony - ELECTIONS <Tony.B...@wisconsin.gov> wrote:Bridges, Tony - ELECTIONS (Tony.B...@wisconsin.gov) is not on your Guest List | Approve sender | Approve domain
Saying that the only thing that's counted on barcode ballots is the barcode is exactly as accurate as saying the only part of the ballot that's counted on a hand-filled optical scan ballot is the bubbles. Nothing ties the bubble to the selection next to it any more than something ties the barcode to the printed selections. It is a layer of opacity, but it's not an additional layer it's the same layer.I'm not an advocate for barcodes. But I understand the reality that when we say here that we ban a technology, all we're really doing is giving up our opportunity to suggest guidelines on how that technology could be made safer and more transparent.
To: Bridges, Tony - ELECTIONS
Cc: Bernie Hirsch; Duncan Buell; vvsg-cybersecurity
I agree that it is a best for security to reduce the number of attack vectors. However, it is a well-known maxim in the security space that security that does not meet the needs of users is no security at all because users will find a way around it.
Electronic ballot markers meet a necessary need by providing the capability for voters with disabilities to vote privately and independently. When only people with disabilities use the electronic ballot markers, you reduce the voter secrecy for people with disabilities because a small enough number of people use them that it becomes statistically feasible to uniquely match them with a ballot.
I don't particularly care if those ballot markers use barcodes or not. But what I am saying is that whether you are using optical scan ballots or you are using barcodes, either way what is being counted is not the English text, to borrow from Duncan.
And I'm telling you that realistically we have two options: Either you give vendors guidelines on how to do this safely and let the EAC and VSTLs test for them, or the vendors will do it on their own with no guidance.
I believe that voter verifiable should not be used to refer to the barcodes. But I believe that using it to refer to the English selection printout that comes with the barcode is no more misleading than referring to an optical scan paper ballot as voter-verifiable. In either case, the voter is able to verify the official record, the English selections, but is not able to independently verify what's being counted, the barcode or the arrangement of bubbles and timing marks.
Duncan (and All),
Your position: If that which is counted as the cast vote is a barcode, and that which is read by a voter is an English version of what is purported to be in that barcode, then it is false on the face of it that the process is “voter verifiable”.
Tony is right. Your position above is incorrect for multiple reasons (some of which I’ve added).
1. Digital scanners don’t “count” the English version of a ballot. Scanners use complicated proprietary software/hardware to INTERPRET light and dark areas on paper in an attempt to match that raw data up to a database of possible selections based on a number of parameters. The process is entirely opaque, software dependent and virtually identical to the reading of printed barcode data (except it’s more proprietary then reading standard barcodes, and the raw data doesn’t have error correction built-in).
2. I’m not an advocate of paper ANYTHING during an election. Horrible usability and accessibility issues. But if we must use paper as a storage medium, there is no difference between converting light and dark areas of the paper in the form of letters, numbers, bubbles, or barcodes to digital information. The only real difference is how well those images are protected against corruption. Hacking a paper ballot is relatively simple – just make an extra mark here or there. Hacking a barcode with error detection is not going to be a trivial pursuit because of the built in integrity checking.
3. It is an illusion that a voter is “verifying” anything. Once cast their ballot is irrevocably intermixed with everyone else’s, and almost always tabulated by software/hardware. If a post-election audit takes place, a relatively small number of ballots are sampled to see if the hand totaled tally matches the machine tally. There is no way to ever know if the voter’s ACTUAL ballot was correctly tabulated. For all we know the software/hardware flipped their ballot one way and a different ballot the opposite way, making the overall tally accurate but NOT tabulating their ACTUAL ballot correctly.
4. The integrity and security of paper ballots with easily hacked raw data is almost entirely dependent on procedures and beyond the scope of this group, whereas barcodes are within scope.
5. A hand-counted tally is going to use the “voter verifiable” section of the ballot, regardless of what other machine readable light and dark areas are present.
6. A post-election audit could just as easily verify that a random sampling of scanned barcodes match the human readable information on ballots. It would be an identical process to machine scanning using OCR, digital bubble detection, etc. and comparing those tabulated results to the human readable information. A barcode audit might be superior because there are a great number of independently available applications and hardware to do the scanning and interpreting of the barcodes.
7. Not all ballots will be ENGLISH. We are now required and will most likely continue to be required to present the ballot in the alternative language of the voter, including any “voter verifiable” paper record. Without the use of some type of foreign key to link these various representations of candidates to one tabulation record we will end up with a mess, especially when using OCR.
8. Voters can do more than “read.” In fact some of them can’t read due to illiteracy, non-written language or visual impairment. Many of them can “listen” and “scan” and “touch.” A well-designed fairly basic (by today’s standards) scanning smart phone app of the future could certainly mitigate the concerns of what few voters actually pay attention to verification in the first place by allowing them to scan their own ballot during the casting process.
9. We don’t need fancy academic studies to prove that barcodes work or demonstrate our “due diligence.” Just ask a Fedex driver.
10. Voters can currently bring their smart phones into the booth by law and use its camera to take a selfie with their ballot (or scan a barcode) in 20 states.
11. Guidelines and Standards are only effective if they offer guidance and are standard. Creating a VVSG that is not implemented (like V1.1) is worse than no standard at all because it wastes everyone’s time and encourages isolated, less vetted new solutions or the continued use of legacy systems.
And having said that, I believe I’ve contributed quite enough to this discussion on barcodes, especially considering our system doesn’t even currently use them and our paper scanning in general is thankfully a relatively small percentage of our overall votes cast (I’m speaking from mucho personal experience here). I will defer to the group for further comment and hope reason triumphs.
Thank you.
Bernie Hirsch
MicroVote General Corp
From: Duncan Buell [mailto:duncan...@gmail.com]
Sent: Wednesday, May 02, 2018 19:51
To: vvsg-cybersecurity
Cc: Bridges, Tony - ELECTIONS; Bernie Hirsch; Jennifer Cohn
Subject: Re: [vvsg-cybersecurity] Barcodes on ballots
Let’s try to summarize some of the comments:
When an optical scan tabulator reads a hand-filled paper ballot, the tabulator doesn't see the selections. It sees bubbles and timing marks, the same way a barcode scanner doesn't see the written selections, it sees lines or squares. They are basically the same technology, with a different spatial rendering. It does not make technical sense to say that one is more opaque than the other, so long as the human-readable selections are there and match what the voter selected.
In regards to my second paragraph, what we are creating here is voluntary guidelines vendors may choose to meet and states may choose to require. If election inspectors want a technology or feature that is prohibited by the VVSG, they will just pay vendors to create a way to do it that doesn't get approved by the EAC. That means hardware and code that never gets reviewed, and features that don't meet any standard. That's what has happened right now with modems in tabulators. Instead of blocking an insecure technology, the greatest assurance of security comes from providing guidelines for the correct way to implement it.
Yes. That would be the law here. If the barcode was the official record, then I think you would have a valid point, but I see no reason why it would be.
Thank you Bernie for mentioning voters that do not read English due to language, vision or education barriers. I was mirroring Duncan's language and attempting not to muddy the waters, but it is vital to remember that a voting solution must work for all voters. If we selected out any other population of voters, especially one that constitutes nearly 15% of the electorate, and said that we didn't care about making it easier for them to vote we would (rightly) be excoriated in the media.
Duncan (and All),