COMISIÓN ELECTORAL FEDERAL DE LOS EE UU
Estándares para los sistemas de voto electrónico
Votobit 10-02-2003
--Mapa electoral USA (Estados)
El 30 de abril de 2002, después de tres años, la Comisión Electoral Federal (FEC) aprobó y desbloqueó la publicación de los estándares para sistemas de votación. Publicamos, más abajo y en inglés, la introdución correspondiente a dichos estándares. Para consultar documento original, pulsar aquí

Índice en inglés de la introducción al documento de estándares

Objectives and Usage of the Voting System Standards
DEVELOPMENT HISTORY FOR INITIAL STANDARDS
UPDATE OF THE STANDARDS
ACCESSIBILITY FOR INDIVIDUALS WITH DISABILITIES
DEFINITIONS
Voting System
Paper-Based Voting System
Direct Record Electronic (DRE) Voting System
Public Network Direct Record Electronic (DRE) Voting System
Precinct Count Voting System
Central Count Voting System
APPLICATION OF THE SATNDARDS AND TEST SPECIFICATIONS
Qualification Tests
Certification Tests
Acceptance Tests
OUTLINE OF CONTENTS


Los estándares permiten certificar la exactitud, la legalidad y la confianbilidad de los distintos sistemas de votación que pudieran adquirir, contratar o desarrollar los estados de la Unión. El documento ha sido sometido al análisis público y a la opinión de empresas, funcionarios, académicos, expertos técnicos y grupos de defensa de los intereses públicos, con su consiguiente impacto sobre el documento final.

Los estándares se dividen en dos volúmenes: I) Estándares sobre la capacidad funcional de sistema. II) Documentación que se exige para obtener la certificación. La certificación sera expedida por una autoridad independiente. A continuación ofrecemos el índice de los estándares y la introducción (en inglés) del documento original.

Volumen I ESTÁNDARES DE FUNCIONAMIENTO
Sección 1
Sección 2
Sección 3
Sección 4
Sección 5
Sección 6
Sección 7
Sección 8
Sección 9
Apéndice A
Apéndice B
Apéndice C
Introducción
Capacidad Funcional
Hardware
Software
Telecomunicaciones
Seguridad
Garantía de Calidad
Administración del sistema
Descripción de las pruebas de calidad

Glosario
Documentos Aplicables
Usabilidad

Volumen II ESTÁNDARES DE PRUEBA
Sección 1
Sección 2
Sección 3
Sección 4
Sección 5
Sección 6
Sección 7
Apéndice A
Apéndice B
Apéndice C
Introducción
Documentación técnica
Prueba de Funcionalidad
Prueba de hardware
Prueba de software
Prueba de Integración del Sistema
Prueba del CM y QA
Plan de Calificación
Informe de Calificación
Criterios de Diseño para la prueba de Calificación


1. Introduction

1.1 Objectives and Usage of the Voting System Standards
State and local officials today are confronted with increasingly complex voting system technology and an increased risk of voting system failure. Responding to calls for assistance from the states, the United States Congress authorized the Federal Election Commission (FEC) to develop voluntary national voting systems standards for computer-based systems. The resulting FEC Voting System Standards (“the Standards”) seek to aid state and local election officials in ensuring that new voting systems are designed to function accurately and reliably, thus ensuring the system’s integrity. States are free to adopt the Standards in whole or in part. States may also choose to enact stricter performance requirements for systems used in their jurisdictions.

The Standards specify minimum functional requirements, performance characteristics, documentation requirements, and test evaluation criteria. For the most part, the Standards address what a voting system should reliably do, not how system components should be configured to meet these requirements. It is not the intent of the Standards to impede the design and development of new, innovative equipment by vendors. Furthermore, the Standards balance risk and cost by requiring voting systems to have essential , but not excessive, capabilities.

The Standards are not intended to define appropriate election administration practices. However, the total integrity of the election process can only be ensured if implementation of the Standards is coupled with effective election administration practices.

The Standards are intended for use by multiple audiences to support their respective roles in the development, testing, and acquisition of voting systems:

Authorities responsible for the analysis and testing of such systems in support of qualification and/or certification of systems for purchase within a designated jurisdiction;
State and local agencies evaluating voting systems to be procured within their jurisdictions; and
Designers and manufacturers of voting systems.
1.2 Development History for Initial Standards


1.2 DEVELOPMENT HISTORY FOR INITIAL STANDARDS

Much of the groundwork for the Standards’ development was laid by a national study conducted in 1975 by the National Bureau of Standards, now known as the National Institute of Standards and Technology (NIST). This study was requested by the FEC's Office of Election Administrator’s predecessor, the Office of Federal Elections of the General Accounting Office. The report, “Effective Use of Computing Technology in Vote-Tallying,” made a number of recommendations bearing directly on the Standards project. After analyzing computer-related election problems encountered in the past, the report concluded that one of the basic causes for these difficulties was the lack of appropriate technical skill at the state and local level for developing or implementing sophisticated and complex standards against which voting system hardware and software could be tested.

Following the release of this report, Congress mandated that the FEC, with the cooperation and assistance of the National Bureau of Standards, study and report on the feasibility of developing “voluntary engineering and procedural performance standards for voting systems used in the United States.” (2 U.S.C. §431 Note) The resulting 1983 study cited a substantial number of technical and managerial problems that affected the integrity of the vote counting process. It also asserted the need for a federal agency to develop national performance standards that could be used as a tool by state and local election officials in the testing, certification, and procurement of computer-based voting systems. In 1984, Congress approved initial funding for the Standards.

The FEC held a series of public hearings in developing the initial Standards. State and local election officials, election system vendors, technical consultants, and others reviewed drafts of the proposed criteria. The FEC considered their many comments and made appropriate revisions. Before final issuance, the FEC publicly announced the availability of the latest draft of the Standards in the Federal Register and requested that all interested parties submit final comments. The FEC meticulously reviewed all responses to the notice and incorporated corrections and suitable suggestions. Ultimately, the final product was the result of considerable deliberation, close consultation with election officials, and careful consideration of comments from all interested parties.

In January 1990, the FEC issued the performance standards and testing procedures for punchcard, marksense, and direct recording electronic (DRE) voting systems. The Standards did not cover paper ballot and mechanical lever systems because paper ballots are sufficiently self-explanatory not to require technical standards and mechanical lever systems are no longer manufactured or sold in the United States. The FEC also did not incorporate requirements for mainframe computer hardware because it was reasonable to assume that sufficient engineering and performance criteria already governed the operation of mainframe computers. However, vote tally software installed on mainframes is covered by the Standards.


1.3 UPDATE OF THE STANDARDS

Today, over two-thirds of the States have adopted the Standards in whole or in part. As a result, the voting systems marketed today are dramatically improved. Election officials are better assured that the voting systems they procure will work accurately and reliably. Voting system failures are declining, and now primarily involve pre-Standard equipment, untested equipment configurations, or the mismanagement of tested equipment. Overall, systems integrity and the election processes have improved markedly.

However, advances in voting technology, legislative changes, and the proliferation of electronic voting systems make an update of the Standards necessary. The industry has been marked by widespread integration of personal computer technology and non-mainframe servers into DRE voting systems.

In addition, voting systems need to be responsive to the Americans with Disabilities Act (ADA) of 1990 and guidelines developed to assist in implementing the ADA.


1.4 ACCESSIBILITY FOR INDIVIDUALS WITH DISABILITIES

Voters and election officials who use voting systems represent a broad spectrum of the population, and include individuals with disabilities who may have difficulty using traditional voting systems. In developing accessibility provisions for the Standards, the FEC requested assistance from the Access Board, the federal agency in the forefront of promulgating accessibility provisions. The Access Board submitted technical standards designed to meet the diverse needs of voters with a broad range of disabilities. The FEC has adopted the entirety of the Access Board’s recommendations and incorporated them into the Standards. These recommendations comprise the bulk of the accessibility provisions found in Section 2.2.7. Implementing these provisions, however, will not entirely eliminate the need to accommodate the needs of some disabled voters by human interface.

The FEC anticipates that during the lifetime of this version of the Standards increased obligations will be placed upon election officials at every jurisdictional level to provide voting equipment tailored to meet the needs of voters with disabilities. To facilitate jurisdictions in meeting accessibility needs, the Standards mandate that every voting system incorporate some accessible voting capabilities. The Standards also mandate that systems incorporating a DRE component meet specific technological requirements. To do so, it is anticipated that a vendor will have to either configure all of the system’s voting stations to meet the accessibility specifications or will have to design a unique station that conforms to the accessibility requirements and is part of the overall voting system configuration.

Under no circumstances should compliance with requirements for accessibility be viewed as mutually exclusive from compliance with any other provision of the Standards. If a voting system contains a machine uniquely designed to meet the accessibility requirements, such a machine will be tested for compliance with the accessibility requirements, as well as for compliance with all of the DRE standards, in order to ensure that an accessible machine does not unintentionally abrogate the mandates of the Standards.


1.5 DEFINITIONS

The Standards contain terms describing function, design, documentation, and testing attributes of equipment and computer programs. Unless otherwise specified, the intended sense of technical terms is that which is commonly used by the information technology industry. In some cases terminology is specific to elections or voting systems, and a glossary of those terms is contained in Appendix A. Non-technical terms not listed in Appendix A shall be interpreted according to their standard dictionary definitions.
Additionally, the following terms are defined below:
Voting system;
Paper-based voting system;
Direct record electronic (DRE) voting system;
Public network direct record electronic (DRE) voting systems;
Precinct count voting system; and
Central count voting system.

1.5.1 Voting System
A voting system is a combination of mechanical, electromechanical, or electronic equipment. It includes the software required to program, control, and support the equipment that is used to define ballots; to cast and count votes; to report and/or display election results; and to maintain and produce all audit trail information. A voting system may also include the transmission of results over telecommunication networks.

Additionally, a voting system includes the associated documentation used to operate the system, maintain the system, identify system components and their versions, test the system during its development and maintenance, maintain records of system errors and defects, and determine specific changes made after system qualification. By definition, this includes all documentation required in Section 9.4.

Traditionally, a voting system has been defined by the mechanism the system uses to cast votes and further categorized by the location where the system tabulates ballots. However, the Standards recognize that as the industry develops unique solutions to various challenges and as voting systems become more responsive to the needs of election officials and voters, the rigid dichotomies between voting system types may be blurred. Innovations that use a fluid understanding of system types can greatly improve the voting system industry, but only if controls are in place to monitor and control integrity through the proper evaluation of the system brought for qualification.

As such, vendors that submit a system that integrates components from more than one traditional system type or a system that includes components not addressed in this Standard shall submit the results of all beta tests of the new system. Vendors also shall submit a proposed test plan to the appropriate independent test authority recognized by the National Association of State Election Directors (NASED) to conduct national qualification testing of voting systems. The Standards permit vendors to produce or utilize interoperable components of a voting system that are tested within the full voting system configuration.

1.5.2 Paper-Based Voting System
A Paper-Based Voting System, (referred to in the initial Standards as a Punchcard and Marksense [P&M] Voting System) records votes, counts votes, and produces a tabulation of the vote count from votes cast on paper cards or sheets. A punchcard voting system allows a voter to record votes by means of holes punched in designated voting response locations. A marksense voting system allows a voter to record votes by means of marks made by the voter directly on the ballot, usually in voting response locations. Additionally, a paper based system may record votes using other approaches whereby the voter’s selections are indicated by marks made on a paper ballot by an electronic input device, as long as such an input device does not independently record, store, or tabulate the voters selections.

1.5.3 Direct Record Electronic (DRE) Voting System
A Direct Record Electronic (DRE) Voting System records votes by means of a ballot display provided with mechanical or electro-optical components that can be activated by the voter; that processes data by means of a computer program; and that records voting data and ballot images in memory components. It produces a tabulation of the voting data stored in a removable memory component and as printed copy. The system may also provide a means for transmitting individual ballots or vote totals to a central location for consolidating and reporting results from precincts at the central location.

1.5.4 Public Network Direct Record Electronic
(DRE) Voting System

A Public Network Direct Record Electronic (DRE) Voting System is an election system that uses electronic ballots and transmits vote data from the polling place to another location over a public network as defined in Section 5.1.2. Vote data may be transmitted as individual ballots as they are cast, periodically as batches of ballots throughout the election day, or as one batch at the close of voting. For purposes of the Standards, Public Network DRE Voting Systems are considered a form of DRE Voting System and are subject to the standards applicable to DRE Voting Systems. However, because transmitting vote data over public networks relies on equipment beyond the control of the election authority, the system is subject to additional threats to system integrity and availability. Therefore, additional requirements discussed in Section 5 and 6 apply.
The use of public networks for transmitting vote data must provide the same level of integrity as other forms of voting systems, and must be accomplished in a manner that precludes three risks to the election process: automated casting of fraudulent votes, automated manipulation of vote counts, and disruption of the voting process such that the system is unavailable to voters
during the time period authorized for system use.

1.5.5 Precinct Count Voting System
A Precinct Count Voting System is a voting system that tabulates ballots at the polling place. These systems typically tabulate ballots as they are cast, and print the results after the close of polling. For DREs, and for some paper-based systems, these systems provide electronic storage of the vote count and may transmit results to a central location over public telecommunication networks.

1.5.6 Central Count Voting System
A Central Count Voting System is a voting system that tabulates ballots from multiple precincts at a central location. Voted ballots are typically placed into secure storage at the polling place. Stored ballots are transported or transmitted to a central counting place. The systems produce a printed report of the vote count, and may produce a report stored on electronic media.


1.6 APPLICATION OF THE SATNDARDS AND
TEST SPECIFICATIONS


The Standards apply to all system hardware, software, telecommunications, and documentation intended for use to:
Prepare the voting system for use in an election;
Produce the appropriate ballot formats;
Test that the voting system and ballot materials have been properly prepared and are ready for use;
Record and count votes;
Consolidate and report results;
Display results on-site or remotely; and
Maintain and produce all audit trail information.

In general, the Standards define functional requirements and performance characteristics that can be assessed by a series of defined tests . Standards are mandatory requirements and are designated by use of the term “shall.”
Some voting systems use one or more readily available commercial off-the-shelf (COTS) devices (such as card readers, printers, or personal computers) or software products (such as operating systems, programming language compilers, or database management systems). COTS devices and software are exempted from certain portions of the qualification testing process as defined herein, as long as such products are not modified for use in a voting system.

Generally, voting systems are subject to the following three testing phases prior to being purchased or leased:
Qualification tests;
State certification tests; and
State and/or local acceptance tests.

1.6.1 Qualification Tests
Qualification tests validate that a voting system meets the requirements of the Standards and performs according to the vendor’s specifications for the system. Such tests encompass the examination of software; the inspection and evaluation of system documentation; tests of hardware under conditions simulating the intended storage, operation, transportation, and maintenance environments; operational tests to validate system performance and function under normal and abnormal conditions; and examination of the vendor’s system development, testing, quality assurance, and configuration management practices. Qualification tests address individual system components or elements, as well as the integrated system as a whole.

Since 1994, qualification tests for voting systems have been performed by Independent Test Authorities (ITAs) certified by the National Association of State Election Directors (NASED). NASED has certified an ITA for either the full scope of qualification testing or a distinct subset of the total scope of testing. To date, ITAs have been certified only for distinct subsets of testing. Upon the successful completion of testing by an ITA, the ITA issues a Qualification Test Report to the vendor and NASED. The qualification test report remains valid for as long as the voting system remains unchanged.

Upon receipt of test reports that address the full scope of testing, NASED issues a Qualification Number that indicates the system has been tested by certified ITAs for compliance with the Standards and qualifies for the certification process of states that have adopted the Standards. The Qualification Number applies to the system as a whole, and does not apply to individual system components or untested configurations.

After a system has completed qualification testing, further examination of a system is required if modifications are made to hardware, software, or telecommunications, including the installation of software on different hardware. Vendors request review of modifications by the appropriate ITA based on the nature and scope of changes made and the scope of the ITA’s role in NASED qualification. The ITA will determine the extent to which the modified system should be resubmitted for qualification testing and the extent of testing to be conducted.

Generally, a voting system remains qualified under the standards against which it was tested, as long as no modifications not approved by an ITA are made to the system. However, if a new threat to a particular voting system is discovered, it is the prerogative of NASED to determine which qualified voting systems are vulnerable, whether those systems need to be retested, and the specific tests to be conducted. In addition, when new standards supersede the standards under which the system was qualified, it is the prerogative of NASED to determine when systems that were qualified under the earlier standards will lose their qualification, unless they are tested to meet current standards.

Among other things, qualification testing complements and evaluates the vendor's developmental testing and beta testing. The ITA is expected to evaluate the completeness of the vendor's developmental test program, including the sufficiency of vendor tests conducted to demonstrate compliance with the Standards as well as the system’s performance specifications. The ITA undertakes sample testing of the vendor's test modules and also designs independent system-level tests to supplement and check those designed by the vendor. Although some of the qualification tests are based on those prescribed in the Military Standards, in most cases the test conditions are less stringent, reflecting commercial, rather than military, practice.


1.6.2 Certification Tests
Certification tests are performed by individual states, with or without the assistance of outside consultants, to:
Confirm that the voting system presented is the same as the one qualified through the Standards;
Test for the proper implementation of state-specific requirements;
Establish a baseline for future evaluations or tests of the system, such as acceptance testing or state review after modifications have been made; and
Define acceptance tests.

Precise certification test scripts are not included in the Standards, as they must be defined by the state, with its laws, election practices, and needs in mind. However, it is recommended that they not duplicate qualification tests, but instead focus on functional tests and qualitative assessment to ensure that the system operates in a manner that is acceptable under state law. If a voting system is modified after state certification, it is recommended that States reevaluate the system to determine if further certification testing is warranted.

Certification tests performed by individual states typically rely on information contained in documentation provided by the vendor for system design, installation, operations, required facilities and supplies, personnel support and other aspects of the voting system. States and jurisdictions may define information and documentation requirements additional to those defined in the Standards. By design, the Standards, and qualification testing of voting systems for compliance with the Standards, do not address these additional requirements. However, qualification testing addresses all capabilities of a voting system stated by the vendor in the system documentation submitted to an ITA, including additional capabilities that are not required by the Standards.


1.6.3 Acceptance Tests
Acceptance tests are performed at the state or local jurisdiction level upon system delivery by the vendor to:
Confirm that the system delivered is the specific system qualified by NASED and, when applicable, certified by the state;
Evaluate the degree to which delivered units conform to both the system characteristics specified in the procurement documentation, and those demonstrated in the qualification and certification tests; and
Establish a baseline for any future required audits of the system.
Define acceptance tests.

Some of the operational tests conducted during qualification may be repeated during acceptance testing.


1.7 OUTLINE OF CONTENTS

The organization of the Standards has been simplified to facilitate its use. Volume I, Voting System Performance Standards, is intended for use by the broadest audience, including voting system developers, equipment manufacturers and suppliers, independent test authorities, local agencies that purchase and deploy voting systems, state organizations that certify a system prior to procurement by a local jurisdiction, and public interest organizations that have an interest in voting systems and voting systems standards.
Section 2 describes the functional capabilities required of voting systems.
Sections 3 through 6 describe specific performance standards for election system hardware, software, telecommunications and security, respectively.
Sections 7 and 8 describe practices for quality assurance and configuration management, respectively, to be used by vendors, and required information about vendor practices that will be reviewed in concert with system qualification and certification test processes and system purchase decisions.
Section 9 provides an overview of the test and measurement process used by test authorities for qualification and re-qualification of voting systems.
Appendix A provides a glossary of important terms used in Volume I.
Appendix B lists the publications that were used for guidance in the preparation of the Standards. These publications contain information that is useful in interpreting and complying with the requirements of the Standards.
Appendix C addresses issues of usability of voting systems, commonly referred to as “human factors.” This appendix does not represent mandates that voting systems will be tested against, but rather contain recommendations and best practices on usability issues designed to provide vendors and election officials with guidance on designing and procuring systems that are easy and intuitive to use by voters.

Volume II, Voting System Qualification Testing Standards describes the standards for the technical information submitted by the vendor to support testing; the development of test plans by the ITA for initial system testing and testing of system modifications; the conduct of system qualification tests by the ITA; and the test reports generated by the ITA. This volume complements the content of Volume I and it is intended primarily for use by ITAs, state organizations that certify a system, and vendors.


Primera
Informes a los Presidentes
La llave · Revista
OVE
Ediciones Votobit
Misiones de Observación
Consultoría
Certificación
Master Internacional*
(*) En preparación
• IV Informe
¿Cuánto vale confiar?
OVE • Emisión 15-09-2004

• III Informe
El Efecto hip-hop sobre el voto-e
OVE • Emisión 15-07-2003

• II Informe
La urna que guarda silencio
OVE • Emisión 15-01-2003

• I Informe
La información que
decide

OVE • Emisión 15-08-2002
NUEVO Emisión 24-06-05
Diseño de una plataforma de democracia digital
Por Ana Gómez Oliva, Sergio Sánchez García, Carlos González Martínez, Emilia Pérez Belleboni y Jesús Moreno Blázquez
r


NUEVO Emisión 27-05-05
Is there a future for internet voting?
Por Stephen Mason, Barrister

NUEVO Emisión 27-05-05
Voto Electrónico. Antecedentes y despliegue
Por Macarita Elizondo Gasperín

El computador cuántico y el final de la criptografía de clave pública
Por Fernando Acero Martín
Emisión 15-03-2005

El caso Indra
Por Antonio Yuste
Emisión 01-03-2005

Cuestionario OVE
Prueba Piloto en España de Voto por Internet
Observatorio Voto Electrónico Emisión 27-01-05

Consejo de Europa Recomendaciones legales y técnica sobre voto electrónico
Emisión 05-10-04

Informe. Elecciones catalanas de 2003
Por Jordi Barrat i Esteve y Josep Maria Reniu i Vilamala

DNI electrónico y firma electrónica

Por Fernando Acero
Emisión 24-04-03

La democracia
se pone al día

Por Javier Tornadijo
Emisión 28-03-2003

La automatización del proceso electoral
Por Ángel A. de la Rosa
Emisión 07-03-2003

Esto es lo que parece
Por Antonio Yuste
Emisión 10-02-2003

Los núcleos de decisión entran en el quirófano
Por Jorge A. García Diez
Emisión 03-02-2003


Estrategias civiles para crear transparencia
Por Antonio Yuste
Emisión 03-02-2003

El bucle decisor
Por Ángel Alonso
Emisión 15-08-2002

Estándares para los sistemas de votación
Comisión Electoral Federal de los EE UU

Patrocinio · Contacto
OVE (Observatorio Voto Electrónico) · Campus de Vegazana
Edificio Tecnológico, s/n · 24071 León - España · tel +34 987 291 915