Federal Voluntary Voting System Guidelines: Issues

^Pr^ep^ar^{ed f}^o^r^M^e^m^b^ers^an^d^Com^mⁱ^t^t^ees^of^C^ong^r^e^ss

The federal Voluntary Voting System Guidelines (VVSG) are a set of technical standards for voting
systems that use computers to assist in recording or counting votes. The first version went into
effect in December 2007, and a draft second version has been developed. The VVSG replaced the
federal voluntary Voting Systems Standards (VSS). The 2005 VVSG are a partial revision of the
VSS, with revision focused mainly on accessibility, usability, and security. The 2007 draft is a
complete rewrite. Several issues have been raised about the VVSG that may require congressional
attention. Among them is the question of timing. Some vendors claim that there needs to be more
time for technology development before the new guidelines become effective; some activists
argue that problems with voting systems, and federal requirements, demand more rapid
implementation of the VVSG. The new guidelines did not have much direct impact on voting
systems used in 2006. One exception was provisions relating to paper-ballot audit trails, which
several states now require to be used in conjunction with electronic voting machines such as
touchscreen systems. Like the VSS, the VVSG are voluntary, but some observers believe that a
regulatory approach would be more appropriate given the importance of elections to the
democratic process. However, since many states require that voting systems be certified, vendors
are expected to treat the VVSG in the same way they have treated the VSS—as effectively
mandatory.

The Relationship Between the VVSG and the Federal Voting Systems Standards (VSS)..............1
How the VVSG Are Used.................................................................................................................2
Subjects Addressed in the VVSG.....................................................................................................2
Major Policy Issues about the VVSG...............................................................................................3
Author Contact Information............................................................................................................6

he Help America Vote Act of 2002 (HAVA, P.L. 107-252) established the federal Election
Assistance Commission (EAC) and gave it the responsibility to develop and update a set
of Voluntary Voting System Guidelines (VVSG). It established the Technical Guidelines T

Development Committee (TGDC), chaired by the director of the National Institute of Standards
and Technology (NIST), to develop recommended guidelines for consideration by the EAC.
The VVSG are a set of technical standards for voting systems that use computers to assist in
recording or counting votes. Systems covered include most used in the United States—not only
DREs (direct recording electronic systems) such as touchscreen voting machines, but also optical
scan and punch card systems. Hand-counted paper-ballot and lever-machine systems, which do
not involve computers, are not covered. However, they are used by a small and decreasing
number of election jurisdictions.
The first version of the VVSG was approved in 2005 and is therefore called the 2005 VVSG in this
report. It went into effect in December 2007. A draft of the completely rewritten second version
was made available for public comment on October 31, 2007, at http://www.eac.gov/vvsg. That
comment period closed in May 2008.

The VVSG replaced the federal voluntary VSS originally developed under the auspices of the
Federal Election Commission (FEC). The VSS, which remained in effect until the end of 2007,
were developed in response to concerns raised in the 1970s and 1980s about the then largely
unregulated voting technology industry. Congress directed the FEC to study the matter but did not
establish the VSS specifically by statute (see CRS Report RS21156, Federal Voting Systems
Standards and Guidelines: Congressional Deliberations, for more detail). The first version of the
VSS was released in 1990, and a testing and certification program began in 1994 under the
auspices of the National Association of State Election Directors (NASED). The VSS and the
NASED certification program are widely credited with having greatly improved the performance
of voting systems in several areas, such as reliability and accuracy.
The FEC began a project to update the VSS in 1997 and approved the second version in May
2002, while Congress was debating HAVA. Enacted in October 2002, HAVA provided a statutory
basis for the VSS, which the act renamed guidelines, to distinguish them from the act’s voting
system requirements, which it called standards. HAVA also provided an administrative structure
under the EAC for promulgating the guidelines and certifying systems, and also directed NIST to
assist in the certification process.
Most sections of the 2005 VVSG are virtually identical to those in the 2002 update of the VSS.
Major revision focused on usability, accessibility for persons with disabilities, and security; those
sections were completely rewritten. The decision to limit the scope of revision resulted from a
desire to meet urgent needs while creating a version that could be used in preparation for the 2006
election cycle. HAVA’s accessibility requirements went into effect in January 2006, and many
states have adopted new security requirements for voting systems, including paper-audit-trail
requirements, in the wake of controversies that emerged subsequent to the passage of HAVA (see
CRS Report RL33190, The Direct Recording Electronic Voting Machine (DRE) Controversy:
FAQs and Misperceptions). The 2007 draft VVSG have been completely rewritten.

The 2005 VVSG provide a set of specifications and requirements to be used in the development of
computer-assisted voting systems and their certification-testing by independent laboratories. The
guidelines include descriptions of functional requirements and performance standards, as well as
requirements for vendors in quality assurance and in configuration management, which involves
ensuring that a system functions in specified ways under various modifications and throughout its
life cycle. They provide details of the testing process for certification of voting systems, and also
include suggested practices for election officials in some areas covered by the guidelines, and
discussion of verification concepts for future design of voting systems.
The guidelines are aimed at a broad audience, but most specifically at vendors, testing
laboratories, and election officials. Their use is voluntary at the federal level, but many states
require that any new voting systems used in the state adhere to them or to state standards that
incorporate similar specifications. The practical effect of such state requirements is that voting
system vendors can successfully market systems only if they are certified under the VSS or VVSG.
In this sense, the provisions have acquired some of the force of regulation, in that they are treated
by manufacturers as requirements. Nevertheless, HAVA specifically exempts states from being
required to adhere to the VVSG as a condition for receipt of payments to meet HAVA
requirements.
Consequently, when a company develops a new voting system, it typically uses the VVSG as a
source of specifications to which the system must adhere. When the vendor submits the system to
an independent laboratory for certification, the laboratory uses the VVSG as a source of standards
against which it tests the system. The system may also need to be certified against state standards
to the extent that they differ from the federal guidelines. State officials may then use the VVSG in
their state-level certification tests of systems they are considering for acquisition. Private citizens
who might wish to test voting systems cannot ordinarily do so because of contractual restrictions
imposed by the vendors. While adherence to some specifications can be assessed by
knowledgeable citizens when they vote, many provisions can be assessed only in a laboratory.

HAVA does not specifically direct the EAC to include any particular issues in the guidelines.
However, in the debate on the House floor before passage of the HAVA conference agreement on
October 10, 2002, a colloquy (Congressional Record, daily ed., 148: H7842) stipulated an
interpretation that the guidelines specifically address the usability, accuracy, security,
accessibility, and integrity of voting systems. Also, the act requires NIST to provide support to the
TGDC for development of guidelines relating to security, voter privacy, human factors, remote
voting, and fraud detection and prevention.
HAVA establishes specific requirements for voting systems, but leaves methods of
implementation to the states. The EAC is required to provide guidance for implementing the
requirements, but the guidance is not a technical standard and its use is also voluntary. The act is
largely silent on the relationship between the VVSG and those requirements, which stipulate that
voting systems must provide for auditability, accessibility, and ballot verification and error
correction by voters, that states must set standards for what constitutes a vote on a given system,
and that machine error rates of voting systems must conform to the standards set in the

guidelines. This last is the only direct connection in the act between the requirements and the
VVSG, but in practice, the specifications in the guidelines clearly need to conform to the HAVA
voting system requirements.
The VVSG cover largely the same topics as did the VSS. They include the following:
• The functional capabilities a voting system is expected to have. These fall into
several categories, including security, accuracy, error recovery, system integrity,
auditing, election management, human factors, vote tabulation and reporting,
telecommunications, data retention, ballot preparation and control, voting,
maintenance, transportation, and storage.
• Performance, physical, design, construction, and maintenance requirements for
hardware, from printers to voting devices to paper ballots to back-office
computer equipment.
• Requirements for software, including design and coding, data and document
retention, audit record data, and vote secrecy for DREs.
• Telecommunications requirements for operation and reporting election results,
including performance, design, and maintenance characteristics.
• Essential security capabilities, including controls to minimize errors and
accidents, protect from malicious manipulation, identify fraudulent or erroneous
changes, and protect voting secrecy.
• Requirements for voter-verified paper trails (VVPAT) used in conjunction with
DREs (this is new in the VVSG).
• Requirements for quality-assurance programs and configuration management
throughout a voting system’s life cycle.
• Suggested best practices for election officials with respect to usability and
security requirements.
• Suggested specifications for a class of vote-verification systems (which includes
VVPAT) that produce at least two separate, independent ballot records that voters
can verify before casting and that can be compared in a post-election audit.
• The certification testing process, including planning, testing sequence, specific
tests required, exemptions (such as unaltered commercial off-the-shelf software),
and vendor requirements.

Several issues have been raised about the VVSG that may require congressional attention. Among
them are the following:
The degree to which the guidelines are voluntary. HAVA makes the standards voluntary at the
federal level and did not give the EAC regulatory authority, but vendors have usually treated the
VSS as mandatory because of state requirements. Nevertheless, some observers believe that
adherence should be mandatory or at least a condition of receiving any federal grants for voting
equipment. Others state that mandatory standards would give too large a role to the federal

government and reduce the flexibility of state and local governments to respond to their specific
needs.
What standards can and cannot do. Standards can address only issues that were considered by the
developers of those standards, and the way that they are developed and implemented can also
affect the way issues are addressed. The VSS and its certification process were criticized for not
anticipating the kinds of security weaknesses with DREs that have been discovered in some
certified systems, and for limiting testing of systems to controlled laboratory conditions rather
than realistically simulated election conditions. The 2005 VVSG strengthened the security
requirements, and the 2007 draft completely rewrote them. The 2005 version did not address the
second criticism, but the 2007 draft would require more realistic testing.
Development and implementation of the VVSG. The development of standards can involve lengthy
deliberations under the best of circumstances, and HAVA may have exacerbated that characteristic
by creating a complex process for the development of the VVSG. HAVA does not specify an
updating cycle for the guidelines, but international standards are often updated on a three- to five-
year cycle. Some observers believe that a four-year development cycle is desirable, to permit
systems to be used for two federal election cycles without requiring recertification. Others have
criticized the process for development of the VVSG as being too slow and cumbersome. There
appears to be an inherent conflict in responsiveness of the guidelines to, on the one hand,
evolving needs and technology and, on the other, time and cost constraints inherent in responding
appropriately to such changes. Achieving the right balance is likely to be difficult.
Funding has also been an issue. Although HAVA requires NIST to assist in the development of the
VVSG and the certification process, it did not authorize any funding specifically for that purpose.
Appropriations legislation has been addressing that gap by specifying EAC funds to be
transferred to NIST for their support activities. However, funding for the EAC was authorized
only through FY2005, and some observers have called for abolishing the EAC.
Certification process. The development of plans for certification testing has also raised issues.
Some observers believe that the public trust would best be served by open certification testing,
whereas others believe that the release of proprietary vendor information that would accompany
such open testing would be a strong disincentive for investment and innovation by vendors, and
therefore counterproductive. The process for selecting testing laboratories has also been
criticized, with some observers arguing that the process does not provide sufficient independence
of testing laboratories from manufacturers and creates concerns about conflicts of interest.
However, it is generally recognized that the HAVA process is likely to be superior to the one it
replaced, which was criticized as slow and expensive. Nevertheless, no voting systems have been
certified by the EAC for use in the 2008 federal election. Until such certifications are in place,
election jurisdictions around the country must rely on certifications obtained before the EAC
process went into effect.
VVSG revisions. The 2005 version of the guidelines partially revised the VSS, and some observers
believe that the revisions should have been more comprehensive to address perceived
shortcomings of the VSS. Some also believe that the added provisions are inadequate to meet
accessibility, alternative language, and security needs and that broader and more stringent
requirements are required. Others believe that the limited changes in the 2005 VVSG are more
likely to be implementable in the short term. Still others believe that the guidelines have more
new requirements for certification than is prudent for an interim document, which was intended to
be followed by the more complete revision embodied in the 2007 draft. It is not clear at this point

what the appropriate balance is among those and other conflicting concerns, and the question of
scope is liable to remain contentious at least until the next version of the guidelines is completed
and implemented. The extensive revisions in the 2007 draft could cause some states to reconsider
their use of the VVSG as a basis for state certification, arguing that they have become too
restrictive and costly. The EAC may need to take this kind of concern into account as it
deliberates how to revise the draft.
The role of the VVSG in the 2006 and 2008 federal elections. Until the VVSG went into effect in
late 2007, federal certification of voting systems continued to be based on the 2002 VSS, and the
next version of the VVSG will also likely go into effect about two years after they are adopted
probably some time in 2009. However, state or local jurisdictions may choose to require vendors
to meet some or all of the VVSG requirements sooner. That may be especially important for those
jurisdictions that require a voter-verifiable paper audit trail for use with DREs.
Some observers have expressed concerns that if states do not follow the VVSG in meeting the
requirements, they could be judged not to be in compliance with HAVA, despite the voluntary
nature of the guidelines and the stipulation in HAVA that the methods of implementation are left
to states. As a result, uncertainties remain about whether systems previously acquired to meet the
January 2006 deadline for HAVA requirements will be deemed inadequate at some point.
Voter registration. HAVA requires NIST to provide technical support for development of
guidelines for the computerized statewide voter registration lists that the act mandates. There are
currently no widely accepted standards for those lists. That absence has raised concerns about
adequate state implementation of the requirement. The 2005 VVSG do not address voter
registration, but the 2007 draft does address some aspects of those systems, especially electronic
pollbooks.
Use of proprietary software. Most if not all voting systems use proprietary software for which the
code is not publicly available. Some of that software consists of commercial off-the-shelf (COTS)
products, and some is written or modified by the vendor. Some critics argue that all software,
including COTS, should be inspected during certification to ensure that it functions properly and
does not have any malicious code. They say that such an approach is essential to ensure public
trust. Others disagree, arguing that such an approach would stifle innovation, increase costs by
prohibiting the use of most COTS software, and would not result in improved software quality.
Vote verification, including voter-verified paper audit trails (VVPAT). The possible need for
improved vote verification features in voting systems has become a matter of public interest
because of the controversy over the security of DREs. While most public attention has been paid
to VVPAT for use with DREs, other methods arguably show more promise in terms of usability,
accessibility, and verification power. Some observers believe that the VVSG should require
VVPAT, but others believe that the verification provided by that method is of questionable value
in practice and may create unforeseen problems of its own. The trend at the state level toward
requiring the use of paper ballots has also raised questions about whether such restrictions can be
reconciled with HAVA accessibility requirements under the constraints imposed by current
technology. Several bills have been introduced in recent Congresses that would make the use of
paper ballots a federal requirement. The 2007 draft VVSG addresses this issue by requiring voting
systems to be “software independent”—that is, by prohibiting the voting system from permitting
the software to erroneously change the election results in an undetectable manner. Currently, the
only method that would conform to this proposed requirement is the use of voter-verifiable paper

records of the ballot, such as optical-scan ballots and VVPAT. The proposal has generated
controversy and it is unclear what changes to it will be made in the EAC’s revisions to the draft.
^{Eric A}^.^Fⁱ^s^c^h^e^r
^Senⁱ^{or Specialis}^{t i}ⁿ^Scieⁿ^{ce a}ⁿ^{d T}^echⁿ^o^logy
^efⁱ^s^c^h^er@^c^r^s^.l^oc.g^ov^{, 7-}⁷⁰⁷¹