Figure 2-1 Voting device class hierarchy
This document contains considerable new material and material expanded from previous versions of the voting standards. This section provides an introduction to and overview of major features of the VVSG, those being
The VVSG structure is markedly different from the structure of previous versions. First, the VVSG should be considered as a foundation for requirements for voting systems; it is a foundation that provides precision, reduces ambiguity, eliminates repeated requirements, and provides an avenue for orderly change, i.e., the addition of new types of voting devices or voting variations.
It was necessary to focus on providing this robust foundation for several reasons. First, previous versions suffered from ambiguity, which resulted in a less-robust testing effort. In essence, it has been more difficult to test voting systems when the requirements themselves are subject to multiple interpretations. This new version should go a long way towards reducing that ambiguity.
Secondly, there are simply more different types of voting devices than anticipated by previous versions, and new devices will continue to be marketed as time goes by. The VVSG provides a strong organizational foundation so that existing devices can be unambiguously described and development of new devices can proceed in an orderly, structured fashion.
The VVSG has been reorganized to bring it in line with applicable standards practices of ISO, W3C and other standards-creating organizations. It contains three volumes or “Parts” for different types of requirements:
Part 1, Equipment Requirements, provides guidelines for manufacturers to produce voting systems that are secure, accurate, reliable, usable, accessible, and fit for their intended use. Requirements in VVSG 2005 that were ambiguous have been clarified. In those cases where no precise replacement could be determined and no testing value could be ascribed, requirements have been deleted.
Part 2, Documentation Requirements, is a new section containing documentation requirements separate from functional and performance requirements applying to the voting equipment itself. It contains requirements applying to the Technical Data Package, the Voting Equipment User Documentation, the Test Plan, the Test Report, the Public Information Package, and the data for voting software repositories.
Part 3, Testing, contains requirements that apply to the national certification testing to be conducted by non-governmental certified testing laboratories. It has been reorganized to focus on test methods and to avoid repetition of requirements from the product standard. Although different testing specialties are likely to be subcontracted to different laboratories, the prime contractor must report to the certifying authority on the conformity of the system as a whole.
The requirements in these Parts rely on delimitation and strict usage of certain terms, included in Appendix A, Definition of Words with Special Meanings. This covers terminology for standardization purposes that must be sufficiently precise and formal to avoid ambiguity in the interpretation and testing of the standard. Terms are defined to mean exactly what is intended in the requirements of the standard. Note: Readers may already be familiar with definitions for many of the words in this section, but the definitions here often may differ in small or big ways from locality usage because they are used in special ways in the VVSG.
The VVSG also contains a table of requirement summaries, to be used as a quick reference for locating specific requirements within sections/subsections. Appendix B contains references and end notes.
Voting system and device classes are new to the VVSG. Classes in essence form profiles of voting systems and devices. They are used as fields in requirements to connote the scope of the requirements. For example, Figure 2-1 shows the high-level device class called vote-capture device. There are various requirements that apply to vote-capture device; this means that all vote-capture devices must satisfy these requirements (e.g., for security, usability, etc.). There are also requirements that apply more specifically to, say, IVVR vote-capture devices and those explicit devices underneath it, such as VVPAT. These devices inherit the requirements that apply to vote-capture device, that is, they must satisfy all the general vote-capture device requirements as well as the more specific requirements that apply. In this way, new types of specific vote-capture devices can be added in the future; they must satisfy the general requirements that all Vote-capture devices are expected to satisfy, but at the same time they can satisfy specific requirements that only apply to the new device. This structure assists in unambiguously making it clear to manufacturers and test labs which requirements apply to ALL vote-capture devices, for example, as opposed to which requirements apply specifically to just VVPAT. This structure also allows for the addition or modification of new or existing device requirements without affecting the rest of the standard.
Figure 2-1 Voting device class hierarchy
Requirements are now very specific to either a type of voting variation or a type of voting device (as stated in the previous section, the voting device can be a general profile of certain types of voting devices or be a profile of a more specific voting device). The requirements contain expanded description text and more precise language to make requirements explicit and to indicate the general test method to be used by the test lab for determining whether the requirement is satisfied in the voting system under test. As appropriate, the requirement also contains a reference to versions of the requirement in previous standards (e.g., VVSG 2005 or the 2002 VSS) so as to show its genesis and to better convey its purpose.
The terminology used in the VVSG has been considered carefully and is used strictly and consistently. In this way, requirements language can be made even more clear and unambiguous. Hypertext links are used throughout the VVSG for definitions of terminology to reinforce the importance of understanding and using the terminology in the same way.
However, it is important to understand that the terminology used in the VVSG is specific to the VVSG. An effort has been made to make sure that the terms used in the VVSG mean essentially the same thing as used in other contexts, however at times the definitions in the VVSG may vary in big or small ways.
Figure 2-2 illustrates the relationships and interaction between requirements, device classes, and types of testing from Part 3, all in the framework of strictly used terminology.
Figure 2-2 Interaction between requirements, definitions, and parts of the VVSG
Usability is conventionally defined as "the extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use" [ISO98a]. In VVSG 2005, the usability guidelines relied on three assessment methods:
While all these help to promote usability, methods 1 and 2 are all somewhat indirect methods. The actual "effectiveness, efficiency and satisfaction" of voting systems are never evaluated directly in the 3rd method.
This version of the VVSG uses a new method based on summative usability testing that directly addresses usability itself, i.e., measured mainly in how accurately voters cast their ballot choices. The features of this new method include:
Obviously, the implementation of such complex tests is more difficult than simply checking design features. However, performance-based testing using human subjects yields the most meaningful measurement of usability because it is based on their interaction with the system's voter interface, whereas design guidelines, while useful, cannot be relied upon to discover all the potential problems that may arise. The inclusion of requirements for performance testing in these Guidelines advances the goal of providing the voter with a voting system that is accurate, efficient, and easy to use.
In addition to usability performance metrics, the treatment of human factors, i.e., usability, accessibility, and privacy, has been expanded considerably. Table 2-1 summarizes the new and expanded material.
Table 2-1 Expanded human factors coverage
Human Factors Topic |
Description |
Voter-Editable Ballot Device |
The VVSG defines a new class of voting station: Voter-Editable Ballot Device (VEBD). These are voting systems such as DREs and EBMs that present voters with an editable ballot (as opposed to manually-marked paper ballots), allowing them to easily change their choices prior to final casting of the ballot. See Part 1: 2.5 and Part 1: 3.1.2. |
Ballot Checking and Correction |
Requirements for both interactive and optical-scan based ballot checking and correction (so-called "voter's choice" issues). There is also a new requirement for detection and reporting of marginal marks. See Part 1: 3.2.2. |
Notification of Ballot Casting |
Requirements to notify the voter whether the ballot has been cast successfully. See Requirements Part 1: 3.2.2.1-F and Part 1: 3.2.2.2-F. |
Plain Language |
Requirements for the use of plain language when the voting system communicates with the voter. The goal is to make the instructions for use of the system easier to understand and thus improve usability. See Requirement Part 1: 3.2.4-C. |
Icons and Language |
New requirement that instructions cannot rely on icons alone; they must also include linguistic labels. See Requirement Part 1: 3.2.4-G. |
Adjustability |
Clarified that when the voter can control or adjust some aspect of voting station, the adjustment can be done throughout the voting session. See Requirement Part 1: 3.2.5-B. |
Choice of Font and Contrast |
Requirements for the availability of the choice of font size and contrast on VEBDs. See Requirements Part 1: 3.2.5-E and Part 1: 3.2.5-H. |
Legibility |
Legibility for voters with poor reading vision has been strengthened from a recommendation to a requirement. See Requirement Part 1: 3.2.5-G. |
Timing |
Requirements on the timing for interactive systems. Addresses the response time of system to the user (no undue delay) and mandates that systems issue a warning if there is lengthy user inactivity. See Section Part 1: 3.2.6.1. |
Alternative Languages |
This entire section has been expanded and clarified. See Section Part 1: 3.2.7. |
Poll Workers |
Addresses usability for poll workers as well as for voters. Manufacturers are required to perform usability testing of system setup, operation, and shutdown. System safety is addressed. See Section Part 1: 3.2.8. |
End-to-End Accessibility |
New requirement to ensure accessibility throughout the entire voting session. See Requirement Part 1: 3.3.1-A. |
Accessibility of Paper Records |
Requirements address the need for accessibility when the system uses paper records as the ballot or for verification. In particular, an audio readback mechanism is required to ensure accessibility for those with vision problems. See Requirement Part 1: 3.3.1-E. |
Color Adjustment |
Consolidated and clarified material on color adjustment of voting station. See Requirement Part 1: 3.3.2-B. |
Synchronized Audio and Video |
Clarifies the availability of synchronized audio and video for the accessible voting station. The voter can choose any of three modes: audio-only, visual-only, or synchronized audio/video. See Requirement Part 1: 3.3.2-D. |
Software independence [Rivest06] means that an undetected error or fault in the voting system’s software is not capable of causing an undetectable change in election results. All voting systems must be software independent in order to conform to the VVSG.
There are essentially two issues behind the concept of software independence, one being that it must be possible to audit voting systems to verify that ballots are being recorded correctly, and the second being that testing software is so difficult that audits of voting system correctness cannot rely on the software itself being correct. Therefore, voting systems must be ‘software independent’ so that the audits do not have to trust that the voting system’s software is correct; the voting system must provide proof that the ballots have been recorded correctly, e.g., voting records must be produced in ways in which their accuracy does not rely on the correctness of the voting system’s software.
This is a major change from previous versions of the VVSG, because previous versions permitted voting systems that are software dependent, that is, voting systems whose audits must rely on the correctness of the software. One example of a software dependent voting system is the DRE, which is now non-conformant to this version of the VVSG.
The VVSG requires that, to be software independent, all voting systems include an IVVR vote-capture device, that is, a vote-capture device that uses independent voter-verifiable records (IVVR). IVVR can be audited independently of the voting system software but do not necessarily have to be paper-based. IVVR relies on voter-verification, that is, the voter must verify that the electronic record is being captured correctly by examining a copy that is maintained independently of the voting system’s software, i.e., the IVVR.
Voter-verifiable paper records (VVPR) is a form of IVVR that is paper-based. Currently, the voting systems that can satisfy the definition of software independence use VVPR, such as with
Figure 2-3 illustrates this in a tree-like structure. At the top of the tree is software independence; as stated previously all voting systems that are conformant to the VVSG must be software independent. One route to achieving software independence is to use IVVR. The VVSG contains requirements for IVVR, of which VVPR is one (currently the only) type. If different types of IVVR are developed that do not use paper, systems that use them can also be conformant to the VVSG “as is.” In other words, new types of IVVR that do not use paper are already “covered” by the IVVR requirements in the VVSG; new requirements will not necessarily need to be added.
Figure 2-3 Voting systems that can conform to current requirements in the VVSG
Use of IVVR is currently the only method specified by requirements in the VVSG for achieving software independence. Manufacturers that produce systems that do not use IVVR must use the Innovation Class as a way of proving and testing conformance to the VVSG. The innovation class is for the purpose of ensuring a path to conformance for new and innovative voting systems that meet the requirement of software independence but for which there may not be requirements in the VVSG. Technologies in the innovation class must be different enough to other technologies permitted by the VVSG so as to justify their submission. Technologies in the innovation class must meet the relevant requirements of the VVSG as well as further the general goals of holding fair, accurate, transparent, secure, accessible, timely, and verifiable elections.
A review panel process, separate from the VVSG conformance process, will review innovation class submissions and make recommendations as to their eventual conformance to the VVSG.
The goal of open-ended vulnerability testing (OEVT) is to discover architecture, design and implementation flaws in the system which may not be detected using systematic functional, reliability, and security testing and which may be exploited to change the outcome of an election, interfere with voters’ ability to cast ballots or have their votes counted during an election, or compromise the secrecy of vote. The goal of OEVT also includes attempts to discover logic bombs, time bombs or other Trojan Horses that may have been introduced in the system hardware, firmware or software for said purposes. Open-ended vulnerability testing (OEVT) relies heavily on the experience and expertise of OEVT team members, their knowledge of the system, its component devices and associated vulnerabilities, and the team’s ability to exploit those vulnerabilities.
In addition to software independence and OEVT, the treatment of security in voting systems has been expanded considerably. There are now detailed sets of requirements for eight aspects of voting system functionality and features, as shown in Table 2-2.
Table 2-2 Expanded security coverage
Security Topic |
Description |
Cryptography |
Requirements relating to use of cryptography in voting systems, e.g., use of U.S. Government FIPS standards. Voting devices must now contain hardware cryptographic modules to sign election information. |
Setup Inspection |
Requirements that support the inspection of a voting device to determine that: (a) software installed on the voting device can be identified and verified; (b) the contents of the voting device’s storage containing election information can be determined; and (c) components of the voting device (such as touch screens, batteries, power supplies, etc.) are within proper tolerances, functioning properly, and ready for use. |
Software Installation |
Requirements that support the secure installation of voting system software using digital signatures. |
Access Control |
Requirements that address voting system capabilities to limit and detect access to critical voting system components in order to guard against loss of system and data integrity, availability, confidentiality, and accountability in voting systems. |
System Integrity Management |
Requirements that address operating system security, secure boot loading, system hardening, etc. |
Communications Security |
Requirements that address both the integrity of transmitted information and protect the voting system from communications based threats. |
System Event Logging |
Requirements to address system event logging to assist in voting device troubleshooting, recording a history of voting device activity, and detecting unauthorized or malicious activity. |
Physical Security |
Requirements that address the physical aspects of voting system security: locks, tamper-evident seals, etc. |
To clarify the treatment of components that are neither manufacturer-developed nor unmodified COTS (commercial off-the-shelf software/hardware) and to allow different levels of scrutiny to be applied depending on the sensitivity of the components being reviewed, different subdivisions of COTS have been identified, with various requirements scoped to the new terminology. For example, a COTS operating system may not require source code review, but configuration files that support the configuration of the operating system would require test lab review.
The way in which COTS is tested has also changed; the manufacturer must deliver the system to test without the COTS installed, and the test lab must procure the COTS separately and integrate it. If the integration is successful, the COTS can safely be assumed to be unmodified.
The testing specified in previous versions of the VVSG for accuracy and reliability is not required to be end-to-end but may bypass significant portions of the system that would be exercised during an actual election, such as the touch-screen or keyboard interface. This resulted in the voting system not being tested thoroughly for reliability or accuracy, thus this practice is now prohibited in this version of the VVSG. For example, if a tabulator is specified to count paper ballots that are manually-marked with a specific writing utensil, it is not valid to substitute ballots that were mechanically marked by a printer. Devices or software that closely and validly simulate actual election use of the system are permissible.
The metric for reliability has been changed from Mean Time Between Failure (MTBF) to a failure rate based on volume that varies by device class and severity of failure (failures are equipment breakdowns, including software crashes, such that continued use without service or replacement is worrisome to impossible). In this version of the VVSG, there are now different failure rates per device, which permits more refined testing and eliminates the previous “one size fits all” approach.
Additionally, a volume test is now included that is analogous to the California Volume Reliability Testing Protocol. This test simulates actual election conditions and will better assess overall reliability and accuracy.
Reliability, accuracy, and probability of misfeed for optical scanners are now assessed using data collected through the course of the entire test campaign, including the volume testing. This increases the amount of data available for assessment of conformity to these performance requirements without necessarily increasing the duration of testing.
The general core requirements for voting systems have been expanded greatly. In addition to the already noted improvements in COTS coverage, end-to-end testing for accuracy and reliability, and the new reliability metric, the following topics in Table 2-3 have been added or expanded.
Table 2-3 Expanded core coverage in the VVSG
Core Topic |
Description |
EBMs |
Requirements broadened to cover Electronically-assisted Ballot Markers (EBMs) and Electronic Ballot Printers (EBPs). |
Early voting |
Updates to requirements to handle early voting. |
Optical scanner accuracy |
Significant changes to accuracy requirements for optical scanners and handling of marginal marks. |
Coding conventions |
Major revisions to coding conventions and prohibited constructs in languages. |
QA and CM |
Major revisions to Quality Assurance and Configuration Management requirements for manufacturers. |
Humidity |
New operating tests for humidity affecting paper and the voting system. |
Logic verification |
Requirements to show that the logic of the system satisfies certain constraints and correctness. |
Epollbooks |
Requirements on ballot activation involving epollbooks to protect integrity and privacy of ballot activation information and to ensure records on epollbooks do not violate secrecy of the ballot. |
Common data formats |
Requirements dealing with making voting device interfaces and data formats transparent and interchangeable and to use consensus-based, publicly available formats. |