Box D.1

Excerpts from a 2006 Study of Voter Registration Databases Relevant to Privacy and Security

The following material is reprinted from the executive summary and the main text of Statewide Databases of Registered Voters: Study of Accuracy, Privacy, Usability, Security, and Reliability Issues, a 2006 report by the U.S. Public Policy Committee of the Association for Computing Machinery.

2. Accountability should be apparent throughout each VRD.

It should be clear who is proposing, making, or approving changes to the data, the system, or its policies. Security policies are an important tool for ensuring accountability. For example, access control policies can be structured to restrict actions of certain groups or individual users of the system. Further, users’ actions can be logged using audit trails (discussed below). Accountability also should extend to external uses of VRD data. For example, state and local officials should require recipients of data from VRDs to sign use agreements consistent with the government’s official policies and procedures.

3. Audit trails should be employed throughout the VRD.

VRDs that can be independently verified, checked, and proven to be fair will increase voter confidence and help avoid litigation. Audit trails are important for independent verification, which, in turn, makes the system more transparent and provides a mechanism for accountability. They should include records of data changes, configuration changes, security policy changes, and database design changes. The trails may be independent records for each part of the VRD, but they should include both who made the change and who approved the change.

4. Privacy values should be a fundamental part of the VRD, not an afterthought.

Privacy policies for voter registration activities should be based on Fair Information Practices (FIPs), which are a set of principles for addressing concerns about information privacy. FIPs typically address collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability. There are many ways to implement good privacy policies. For example, we recommend that government both limit collection to only the data required for proper registration and explain why each piece of

able and functional when needed, both to perform the “real-time” updates required by HAVA and, most critically, on or before Election Day to enable real-time queries or to create poll books.

Security measures address the issue of both who is authorized to view or change information in the VRD and of what information within any record in the VRD may be viewed or changed. In the security context, viewing information includes seeing individual records and sending or transferring records en masse; changing information includes adding entirely new records, altering one or more fields within one or more records, and deleting records.

The security of systems is usually conceptualized in terms of confidentiality, integrity, and availability.3 These apply in the context of VRD systems (where “system” is intended to include the human and organizational aspects of a system as well as the technology):


See for example, NRC, Toward a Safer and More Secure Cyberspace, Seymour E. Goodman and Herbert S. Lin (eds.),The National Academies Press, Washington, D.C., 2007.

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement