new security plans for colorado voting, no audit improvements

[Neal McBurnett <neal@xxxxxxxxxxxxxxxxx>]

Well, the Secretary of State and the lawyers for the plaintiffs in the
recent case have worked out some new security requirements for the
election:

 2006 Uniform Standards for Security Plans
 http://www.elections.colorado.gov/WWW/default/Voting%20Systems/2006%20Security%20Plans/Colorado%20County%20Security%20Procedures%20-FINAL.pdf


The most glaring omission is any attention to better audits.  When
there are VVPATs, audits are about the best defense against mistakes,
hacking or fraud.  But Boulder County still doesn't do reasonable
audits on either DREs or normal paper ballots.  They didn't even print
out a summary tape from the DREs giving printed results at the end of
election day, even though that is a standard feature of the Hart
system, and is routinely done by other counties.  And the canvass
report doesn't provide appropriate detail, so there is nothing to
audit.  They always have to recount some memory card, or even recount
batches of ballots, rather than being able to verify the original
results by counting the associated paper records.  The Request For
Proposal Evaluation Team that recommended acquiring the Hart eSlates
knew this, and called for remediation of the failures of the Hart
system in terms of audits.  Instead, the county has made real audits
impossible, despite requests from citizens and canvass boards.

In fact this new requirement emphasizes the importance of printing
summary tapes early on:

> Modem Transmission -- At no time shall any component of the voting
> system be connected to another device except for the vote tally
> software, directly or indirectly, by modem.  Remote sites may use
> modem functions of optical scanners and DREs only for the purpose of
> transmitting unofficial results, as permitted by the Secretary of
> State's certification documents for the specific systems. Counties
> using modem devices to transmit results shall meet the following
> requirements: (i).  Transmissions may be used only for sending
> unofficial results; after all other steps have been taken to close
> the polls. All summary tapes should be printed before connecting any
> of the machines to a modem or telephone line.

And the other issues I've pointed out before with audits remain
unaddressed.  Sigh.


Besides the audit problems, here are some excerpts from the new
requirements, and some comments.

> No additional or modified software developed by the Vendor that is
> not specifically listed on the Secretary of State's certificate
> shall be installed on any component of the voting system. Nothing in
> this provision shall preclude the use of commercial off-the-shelf
> (COTS) software.

Huh?  Why allow additional COTS software from anywhere at all?
Shouldn't the machines be used as configured during the certification
and testing?

> All seals are to be verified by two elections officials.

Will they seal the USB ports on the central tally machines
until they need to be used?

> The Secretary of State shall be required to inspect the counties' 
> maintenance records on a randomly selected 1% of all voting devices
> in possession of the counties throughout the state in even years,
> and to inspect the maintenance records on a randomly selected 5% of
> all voting devices in possession of the counties throughout the
> state in odd years.

Sounds good.  But I hope folks are including these sorts of high
maintenance costs in any estimates of the total cost of electronic
voting equipment.  Minimizing the need for it in favor of equipment
that is less risky and easier to secure is important.

> Counties under 50,000 registered voters: A maximum of 1 employee
> shall have access to the absentee ballot storage and counting areas.

What if that one person gets sick?

> Security training shall include the following components:
>  i. Proper application and verification of seals and seal-tracking logs;
>  ii.  How to detect tampering with voting equipment, memory
>     cards/cartridges, or election data on the part of anyone coming in
>     contact with voting equipment, including county personnel, other
>     election judges, vendor personnel, or voters;
>  iii. How to detect suspicious behavior;
>  iv. Ensuring privacy in voting booths;
>  v.  The nature of and reasons for the steps taken to mitigate the
>     security vulnerabilities of DREs;
>  vi. V-VPAT requirements;
>  vii. Chain-of-custody requirements for voting equipment, memory
>     cards/cartridges, and other election materials;
>  viii. Ballot security;
>  ix. Voter anonymity.

Pay attention when you get your training, and see if you think these
requirements have been followed.

> the county shall conduct a CBI background check [on various folks]

Anyone know more about these checks, and how they deal with
information they get?  E.g. from

 https://www.cbirecordscheck.com/Question/faq.asp

it seems that this only covers Colorado, is more about
arrests than convictions, and will lead to lots of questions.

Neal McBurnett                 http://mcburnett.org/neal/
Signed and/or sealed mail encouraged.  GPG/PGP Keyid: 2C9EBA60