Information about http://vote.nist.gov/comment_al_kolwicz_camber.pdf
September 29, 2005 Allan Eustis Thank you for inviting me to attend…
Tags: application developers, attorneys general, county clerks, development committee, district attorneys, election officials, election workers, general secretary, hillman, official document, pamphlet, personal requirements, political campaigns, political parties, poll watchers, proper consideration, september 29, testing authorities, trivial example, volume ii,Pages: 5
Language: english
Created: Wed Oct 5 08:51:26 2005
Display cached document
Page 1
Page 2
Page 3
Page 4
Page 5
September 29, 2005
Allan Eustis
Thank you for inviting me to attend today's Technical Guidelines Development
Committee in Boulder. It was good to meet you in person.
I have two requests:
1. Please forward a copy of this letter and its attachments to members of the TGDC,
and to anybody else that you wish.
The first attachment is my August 24th letter to Ms. Hillman. I do not believe that
she has had a chance to respond to. The second is a sketch of a brochure that
outlines the level of documentation that we expect. The final technical guidelines
should fit in a small pamphlet.
2. Please ensure that my letter to Ms. Hillman is posted to the comments data base,
is not rejected, is available to reviewers online, and will receive proper
consideration and a response. If you wish, follow this instruction: (a) DELETE
VOLUME I, (b) DELETE VOLUME II, and INSERT this document including its
attachments.
It is clear to me that the TGDC has not spent enough time considering the audience for
the guidelines. We believe that the audience includes: judges, attorneys, district
attorneys, attorneys general, secretary of state, county clerks, election officials,
legislators, political parties, political campaigns, Election workers, poll watchers,
vendors, application developers, application and system testers, independent testing
authorities, the public and the press. A summary of the document is not a solution. For
example, the Court, in order to decide a case being litigated before it, must comprehend
and make its determination on the official document itself. The current work product
does not meet the needs of its audience.
A trivial example of what is needed might be helpful. Consider what the individual
members of the TGDC would write if they were asked to document their personal
requirements for a car. I would anticipate that their individual requirements could be
grouped into fairly regular categories such as: comfort, safety, performance, price,
operating cost, service, and warrantee. I anticipate that few, if any, members would
differentiate between the type of ignition system used to start the engine. The current
guidelines are aimed at the wrong things, because they are not aimed at the right
audience.
The direction that the work is heading would be prohibitively expensive to maintain and
impossible to litigate.
Al Kolwicz, Executive Director, CAMBER 303-494-1540 AlKolwicz@qwest.net
Al Kolwicz, CAMBER to Allan Eustis, EAC Page 1 of 5
August 24, 2005
Ms. Hillman,
Again I compliment you for your wonderfully insightful questions of panelists at
yesterday's EAC hearing in Denver. I deduce from your questions that you truly want to
represent the interests of the public.
You don't know me, so you won't know how much weight to attribute to the following
comments. I hope that you will take them seriously.
1. The problem that you and the other commissioners appear to sense with the VVSG is
that the VVSG is both voluminous and complex. I concur with this appraisal. In fact,
I would go a step further and say that the VVSG is unusable because of its volume
and complexity.
Writing a superficial overview will not suddenly make the VVSG useable. Editing
the VVSG will not make it useable. The problem with the guide is fundamental -- it
is aiming at the wrong target, and it is using the wrong ammunition.
a. The guide is incomplete (wrong target). The election system involves many
components the VVSP addresses very few of them. For example, the guide
does not address public oversight, yet public oversight is a fundamental
component of a trustworthy election process. The guide does not address
procedures, such as authentication that a voter is the person who they claim to
be. All of the components of the election system must be identified, and must
be documented in a high-level systems diagram supplemented with a high
level systems description. The diagram and description must be void of
specific implementation details, and must not require change for different
implementations. The current guide violates these precepts.
b. The guide addresses implementation-level details (wrong ammo). The VVSG
should specify only: required results, measurement specifications for each
result, acceptable performance for each result, and consequences when the
required result is not achieved. HOW the result is achieved must be invisible
in the VVSG. Instead, this guide is burdened with detailed descriptions of
how things are to be done for specific implementations. For example, there is
no general requirement that people and procedures be tested and measured.
One of the problems with the approach taken in the VVSG is that it will
require revision every time a new technology is introduced. Remember, it
will take years before any VVSG change will be reflected in a majority of the
nation's voting systems. Unless changed to reflect principles rather than
implementations, the VVSG will fail in its goal of returning public trust to the
election system.
2. The proposal for accreditation of Testing Laboratories and the testing process itself is
headed in the wrong direction.
a. Missing, for example, is a way to pay for the testing. The vendors should not
pay, because that would compromise the integrity of the Testing Labs. The
people should not pay for overly expensive or frivolous tests, and should be
compensated through penalty fees, for poor vendor performance.
b. There is nothing proposed that will motivate vendors to withhold certification
requests until they have a very high degree of confidence that the certification
process will not discover a deviation between requirements and the
implementation.
c. The role of the public, and in particular the interested professional computer
scientists, is missing.
d. There is no penalty when a Testing Lab fails to detect problems that make it
into production. How is a lab de-certified?
e. Who is accountable for the quality of the election process?
f. Also, because of the fundamental problems with the VVSG, described above,
the Testing Labs are going to be testing the wrong stuff. There is a difference
between systems testing that is aimed at requirements and architecture (what),
and implementation testing that is aimed at implementation specifications
(how).
Few people have the skills needed to draw the elegant line between
requirements/architecture and the implementation specifications. The VVSG desperately
needs these skills. Unless the VVSG is revamped, I anticipate that it will become a
burden on the public. It will generate enormous costs, fail to deliver quality, and be
rejected by the public as a solution to their concerns.
Finally, yesterday it was suggested by staff that only public comments that are specific to
a page and line number will be considered. In my opinion, the VVSG problems are so
severe that it is way premature to inspect spelling errors. Until focused on the correct
target, and using the correct ammunition, it is too way early to do any fine tuning.
Is there anything you would like me to do to amplify these points?
Thank you for conducting your hearing in Denver. I look forward to working with you.
Al
Al Kolwicz
CAMBER - Citizens for Accurate Mail Ballot Election Results
2867 Tincup Circle
Boulder, CO 80305
303-494-1540
AlKolwicz@qwest.net
www.users.qwest.net/~alkolwicz
http://ColoradoVoter.blogspot.com
Election Objects Election Requirements System Standards
Property Jurisdicti Requirement Metric
on Standard
Person Contest Security
Accuracy
Verifiability
Contesta Transparency
nt Performance
Ease of use
Price
Cost
Cycle time
Unused Support
Ballot
Cast
Ballot
Election
Results
Control
Citizens for Accurate
data & Mail Ballot Election Results
Audit 2867 Tincup Circle
Report Boulder, CO 80305
Phone: 303-494-1540
E-mail: AlKolwicz@qwest.net
www.ColoradoVoter.blogspot.com
Election System WARNING Election
Design Rules
System
"Using the computer industry as an "We are fast approaching the stage
example, Carliss Y. Baldwin and
of the ultimate inversion: the stage
Kim B. Clark develop a powerful
theory of design and industrial
evolution. They argue that the
where the government is free to do
anything it pleases, while the
Requirements
industry has experienced previously
unimaginable levels of innovation citizens may act only by
and growth because it embraced the
permission; which is the stage of
concept of modularity, building
complex products from smaller the darkest periods of human
subsystems that can be designed
history, the stage of rule by brute
independently yet function together
as a whole. Modularity freed force."
designers to experiment with
different approaches, as long as - Ayn Rand, The Nature of Government
they obeyed the established design
rules." from Amazon.com
"Process Synthesis, also known as
Structured Conceptual Process
Design, is a technique suitable not
only for making a step-change in
the existing process but also for
synthesizing a process flowsheet CAMBER
CAMBER is a dedicated group of
from scratch." From Process
volunteers who are working to
Design Center, The Netherlands Citizens for Accurate ensure that every voter gets to
Mail Ballot Election Results vote once, every vote is counted
2867 Tincup Circle
Boulder, CO 80305
once, and that every ballot is
secure and anonymous.
Phone: 303-494-1540
E-mail: AlKolwicz@qwest.net
www.ColoradoVoter.blogspot.com Tel: 303-494-1540