personal information is necessary. Further, privacy policies should be published and widely distributed, and the public should be given an opportunity to comment on any changes….

6. Election officials should rigorously test the usability, security and reliability of VRDs while they are being designed and while they are in use.

Testing is a critical tool that can reveal that “real-world” poll workers find interfaces confusing and unusable, expose security flaws in the system, or that the system is likely to fail under the stress of Election Day. All of these issues, if caught before they are problems through testing will reduce voter fraud and the disenfranchisement of legitimate voters….

Security Against Technical Attacks

… [M]echanisms should be deployed to detect any penetration of system defenses, as well as any insider misuse. For example, application-specific intrusion detection systems could be used to monitor the number of updates to the VRD. Any large spike in activity, whether by an authorized user or in the aggregate, might warrant human attention. In addition, officials could consider contracting with a third-party network security monitoring service to detect network intrusions and attempted attacks on the system….

… Officials should consider including an independent security review and publication of the software as part of the acceptance testing for the system. Claims that the security of the system will be endangered by such a review should be treated with extreme skepticism or rejected outright….

SOURCE: U.S. Public Policy Committee of the Association for Computing Machinery, Statewide Databases of Registered Voters: Study of Accuracy, Privacy, Usability, Security, and Reliability Issues, 2006, available at (c) 2006 ACM. Excerpted with permission. ISBN: 1-59593-344-1. Permission to make digital or hard copies of portions of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permission from

  • Confidentiality. A secure system keeps protected information away from those who should not have access to it. Examples of failures that affect the confidentiality of a VRD include an unauthorized party obtaining voter information on a large scale or a spouse abuser obtaining the address of his/her spouse from a VRD even if such information is supposed to be protected from disclosure.

  • Integrity. A secure system produces its intended results or information, regardless of whether or not the system has been attacked. When integrity is violated, the system may continue to operate, but under some circumstances of operation it does not provide accurate results or information that one would normally expect. Failures of integrity of a VRD include both inclusion of noneligible individuals and unauthorized exclusion of eligible registered voters, as well as unauthorized modifications to data fields such as addresses, birth dates, or voting histories.

  • Availability. A secure system is available for normal use even in the face of high load or an attack. An example of a failure in availability might be a system that is clogged with so much bad data that the system no longer operates reliably (typically this refers to electronic attempts to overwhelm a system but also could occur in the nonelectronic domain; for example, a flood of bogus paper voter registration applications might attempt to overwhelm the data-entry staff in a particularly critical jurisdiction).

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement