Meeting Minutes: April 12, 2018 (approved May 9, 2018)
City and County of San Francisco
Don Chan, Secretary
Christopher Jerdonek, Chair
Larry Bafundo, Vice Chair
Open Source Voting System Technical Advisory Committee
of the San Francisco Elections Commission
Thursday, April 12, 2018
City Hall, Room 421
1 Dr. Carlton B. Goodlett Place
San Francisco, California 94102
Order of Business
1. Call to Order & Roll Call
Chair Jerdonek called the meeting to order at 6:02 p.m. Present: Members Hage, Jerdonek, Kattouw, Wasserman. Member Bafundo had an excused absence due to working out of state. Member Wasserman left early at 8:46 p.m. during item #9. Also present: Secretary Chan.
2. General Public Comment
3. Approval of Minutes of Previous Meeting
This item was tabled until the next committee meeting.
Member Wasserman summarized his report to the Elections Commission at the Commission’s March 21 meeting. He referred to TAC’s letter to the Commission about TAC’s recommendations, and encouraged the Commission to request support from the Mayor, Assemblyman Chiu and Senator Wiener for state funding for the project. The Commission had no questions for him.
Chair Jerdonek mentioned that TAC members’ terms end next month and that he will ask the Commission to act on reappointments.
The Committee reviewed Member Kattouw’s draft of the third report from the Committee to the Commission. Chair Jerdonek suggested that the parts covering events other than the Committee’s work (e.g. the status of state funding, the San Francisco Examiner articles, etc.) could be put into a separate section of the report and noted as background to the work the Committee took up. Chair Jerdonek also asked Member Kattouw to include the last quote from the Examiner article, after the reference to the recommendations letter to the Commission. Member Kattouw will make the noted changes for submission to the Commission at their May meeting.
Public comment: None.
Member Kattouw moved to approve the report with the changes, seconded by Member Wasserman. The motion carried 4-0.
There was a discussion about scheduling the next TAC meeting to accommodate members’ schedules. It was proposed to try May 8 or 9.
5. Member Reports
Member Hage reported speaking with Mitch Trachtenberg, a programmer and freelance writer in Humboldt County, regarding the Humboldt County Election Transparency Project and the Trachtenberg Election Verification System (TEVS), which allows anyone with a computer to examine every single ballot cast. The project was passed on to Wes Rishel to continue development. Member Hage will get the source code from Wes to try it out. Member Wasserman asked if it’s been licensed. Member Hage said he wasn’t sure. Member Hage has still not gotten Prime III’s software to work.
Member Kattouw said he spoke at LibrePlanet. There is a link to the slides he used in his presentation, in the report to the Commission. Someone at the conference asked him if it would be possible to publish the ranked-choice voting (RCV) data from San Francisco’s elections. He said he would refer the person to Chair Jerdonek.
Chair Jerdonek reported that, since the last Elections Commission meeting, Slalom published their report. Three representatives from Slalom were at the Commission meeting to answer questions, and the Commission approved the Committee’s recommendations that were included in TAC’s letter to the Commission. The Chair of the Board of Supervisors’ Budget Committee, Supervisor Malia Cohen, wrote a letter to the State in support of state matching funds for developing an open source voting system. There is a COIT finance subcommittee meeting Friday, April 13 at 9 a.m. The Department is asking for $6.8 million, but COIT has only recommended allocating $300,000.
He also referred to the RFI included in the agenda packet to upgrade San Francisco’s hiring process. The RFI is interesting in that it entertains an agile approach. It might be useful as an example of how the process could work for the open source voting project.
Member Kattouw commented that the document referenced a process the state of Alaska is engaged in, which might be the same one that Member Bafundo mentioned Jessie Polsilkin (the presenter at a previous TAC meeting) is working with.
Chair Jerdonek pointed to page 11, where the document discusses a modular approach. He mentioned that he didn’t have a chance to talk with New Hampshire yet but still plans to.
Public comment: None.
6. Slalom Report
Chair Jerdonek wanted the Committee to discuss Slalom’s report in the hopes of developing a “supplement” or response to it containing points of agreement or disagreement.
Member Hage had some first impressions that Slalom didn’t do a deep analysis of the costs, but rather assumed e.g. a generic web architecture, with numbers plugged in for that. Member Wasserman said it looked like they were describing a system that was custom made, and thus had higher expense estimates.
The discussion raised issues with how the report did not figure costs on a modular basis or at different stages of development. Nor did it present options of less expensive items versus more expensive items. So the final estimates do not accurately reflect possible costs of developing an open source system as opposed to a proprietary one.
Chair Jerdonek said that two years ago, the Commission had six groups present their estimates of developing a system. Those estimates ranged from $3 million to $14 million (with OSET on the high end). Of those groups, Slalom spoke only with OSET to arrive at their estimates. He said the proposed $1 million discovery phase is not agile and questioned Slalom’s estimates of a central ballot scanner costing the same as a reporting system.
Member Kattouw said they didn’t make comparisons to the work of other jurisdictions.
Member Hage said that certification doesn’t include many things, for example the reporting system. It wasn’t clear how Slalom reached their numbers for the cost of certification.
Generally, it was felt that the figures arrived at by Slalom don’t closely reflect the costs of developing an open source system.
Chair Jerdonek suggested that the Committee review the report, maybe 15 pages at a time, and compose responses to their findings. Member Wasserman suggested taking on the report and preparing responses to a short list of key issues arising from the Slalom report that the Commission desires a resolution on.
It was decided to review the first five sections for the next meeting. Chair Jerdonek said members could also refer to Mr. David Cary’s questions while reading the report (also included in the packet).
Mr. W. Adam Koszek asked if a security audit was planned for the project. He wanted to know how other open source efforts were being carried out. He was referred to links in the Committee’s recommendations document.
Mr. Sergey Armishev asked if the major goal of open source was to prevent foreign or domestic hacking of elections. There should be a cost assigned to this aspect. There needs to be a clear goal of security budgeted in the project.
Ms. Mirka Morales asked what the cost estimates were that the Commission got a couple years back, and where she could learn more about licenses.
Member Wasserman said 50% of open software projects use General Public License (GPL).
Mr. Sergey Armishev said the Committee should make a list of risks for the project. Chair Jerdonek said there wasn’t one but if he wanted to put one together he is welcome to do so. Member Wasserman referred him to the Slalom report and the risks they compiled.
Mr. W. Adam Koszek asked about a document for frequently asked questions. The answer is that it is currently listed as “to do.”
7. Voting System Component Development
Chair Jerdonek proposed developing a component, like the reporting component, as something the Committee could do as a group to show how it could be done at a cost much lower than what Slalom estimated. If this worked, it could call into question the other estimated costs.
Member Kattouw commented that there already exists some form of that component in other jurisdictions (e.g. New Hampshire).
There was a discussion about how to tackle this given Brown and Sunshine restrictions. This need not be constructed as a TAC sub-committee. Chair Jerdonek asked if Member Hage could begin putting something together, and if other members want to review it before the next meeting, they can reach out to him. Member Hage said he could write up a design architecture specification and some decisions to be made for the general approach. If an output format for the “totaler” can be arrived at, he can provide some sample data to run with. Interested members of the public could also contribute.
Mr. W. Adam Koszek asked what input Slalom sought to come up with their cost figures.
Member Kattouw said it appeared basically to be OSET.
Mr. W. Adam Koszek asked if there were estimates on the cost of the new system interacting with the current system.
Ms. Mirka Morales asked about the Los Angeles project and if they have their scanner yet.
Mr. Sergey Armishev asked how the public could have a role in reviewing and accepting TAC’s processes and practices.
8. Project Background and Terminology
Chair Jerdonek referred to Member Hage’s document that was brought up last meeting. Member Hage sent it out only late today so members have not had time to review it. It will be added to the agenda packet on the Committee’s website later. Member Kattouw will review it “off-line” and comment on it at the next meeting.
Member Hage said he added sections 8.1.6 and 188.8.131.52: Hardware Security Module and the Trusted Platform Module.
Chair Jerdonek raised the question of whether the terminology section should include descriptions of concepts that are not actually in use versus those that have a real application. Member Hage felt that it’s useful to have descriptions of all concepts that make for a fuller background of the field. It was discussed to make a distinction between those that are in actual use and those which are possible, but not necessarily in wide use currently.
Mr. W. Adam Koszek suggested the use of words like “shall,” “may,” and “might” in the document.
Mr. Sergey Armishev said to consider reporting on what was done including what went wrong, and recommendations that address those mistakes.
9. Equipment Decisions and Implementation Plan
The Committee reviewed Member Hage’s “diff” (see the agenda packet). A short discussion was held regarding machine marking ballots with QR codes for identification and security to protect against substitution of ballots, and hand-marking ballots. Georgia’s process and San Mateo’s (Eastlake system) were mentioned as examples. It was felt that this description needed to be shortened to be a single bullet point in the “pros” list, rather than the entire paragraph.
Member Wasserman departed from the meeting at 8:46 p.m.
Member Hage said he’d re-work the wording for those items. The point about RCV should say there is no upper limit.
There was a discussion about configuring scanners for the purpose of recording or recalling ballot results. Member Hage mentioned that VSAP (Los Angeles County) doesn’t scan printed ballots.
Chair Jerdonek commented that remote accessible vote-by-mail system (RAVBM) using COTS hardware must be operable on COTS hardware. The statement concerning ballot size needs re-working. He asked Member Hage to re-write the first section, and include the edits discussed tonight in the rest of the document.
With the noted edits, Member Kattouw moved to accept Member Hage’s changes, and all edits discussed tonight, from “Extra machines provide redundancy vs. a single disability-access machine.” Chair Jerdonek seconded. The motion carried 3-0.
Mr. Sergey Armishev said he liked the way it was formatted, but missing was an explanation on how it can be hacked. He felt different scenarios need to be enumerated.
There was a discussion related to security risks due to software, which Member Kattouw said he would write a patch to address.
10. Committee Recommendations
The document Member Hage provided for this item had not been analyzed deeply by the Committee because it was included late, so the Committee had a general discussion about several of the points brought up by Member Hage. Questions included whether the points were all recommendations, whether some points set the bar so high they may not be achievable, and whether some could be placed in the appendix. Under hardware issues, members discussed the use of read-only files, secure boot, and hardware cryptographic devices. There also was a discussion around the pros and cons of “containers” and whether they should be recommended versus stating them as a possible option to meet more general criteria.
Member Hage said he intended for these points to be discussed and explored. Member Kattouw agreed to this need.
Member Hage felt security should be raised to the level of a component of the deliverables.
Chair Jerdonek thought that the first point (regarding security) could be moved to assumptions. He felt that security couldn’t be a separate deliverable. There wasn’t a conclusion reached on this topic.
Mr. Sergey Armishev asked whether San Francisco was aiming to use a dedicated voting machine or just a general purpose server. He also asked how many people would need to be involved, and what skill level staff would need to support the machines.
11. Topics for future discussion
None were suggested.
Adjourned at 10:32 p.m.