Ballot Processing Systems (PowerPoint)

April, 2005

          Ballot Processing Systems in the Digital Age
           Submission to OASIS EML TC
           by David RR Webber
           Chair OASIS CAM TC
           (True Vote Maryland member)
   Why are we doing digital balloting?
  •   More accurate and timely voting process
  •   Facilitative legislative changes*
  •   Make more reliable voting process
  •   Hope of cost-effective voting process**
  •   Enshrine democracy into the electronic age
  •   Provide better access for citizens to voting
* In US includes HAVA and the $3.9B funding provided; plus legal ballot definitions
** to date DRE-based systems have cost more and had more reliability
   problems than the “old” paper ballot systems, primarily because of
   equipment related issues; e.g. -
          NIST and HAVA focus

• The Help America Vote Act (HAVA), enacted by Congress
  in October 2002, has given the National Institute of
  Standards and Technology (NIST) a key role in helping to
  realize nationwide improvements in voting systems by
  January 2006. NIST’s Information Technology Laboratory
  (ITL) is coordinating the agency’s HAVA efforts through its
  expertise in areas such as computer security and usability.
• CalTech study shows that there is a gap here – in reliability
  and precision:
• Recent NIST work on VVPAT Requirements for the VSS
   2002 Addendum (John Wack) – March 2005
• History
   – Work begun in May 2001
   – Charter: To develop a standard for the structured interchange of
     data among hardware, software, and service providers who
     engage in any aspect of providing election or voter services to
     public or private organizations
   – UK government has implementations:
       • UK Local Election pilots held in May 2003.
• Council of Europe Endorsement
   – Council of Europe Ministers have endorsed the e-voting
     recommendations and with that the use of EML
• EML 4.0 is a committee draft for review and comment
• Work on defining focus for EML 4.5 starting
       Can this be paperless?
• e-Banking, e-Marketplaces, e-Travel so
  can voting systems be paperless too?
• Voting is unique in that unlike every
  business transactional system – it is
• Traditional security in balloting systems
  was around access – access to paper
  ballot forms
• Voter access and verification is local
  community based
  Speeding up results delivery?
• If everything were paper-based, and then
  scanned and tallied, this would be burdensome
  and slower
• Completely digital-only system cannot be directly
  verified by citizens nor remain truly anonymous
• Dual processing, with e-Voting and printed
  paper ballots, that supports post-vote paper
  ballot scanning and verification gives the right
  balance of speed and efficiency with security,
  trust and verification
    Delivering an Open Ballot
• Maximum access for all to voting facilities
• Multi-lingual support
• Easy for average citizen to understand and
  verify their actions
• Transparent process that can be inspected at all
• Verification and audit trail
• Simple for regulators to implement and manage
• Open marketplace for service providers
• Fast and easy to deploy and operate
     Reality of real-world voting
• Good solutions have to be adaptive and survive in a
  complex, unpredictable world; they have to administer well
• Today's paper-based voting systems have a culture around
  them and years of operational lessons learned
• Expecting 100% perfection is unrealistic; a trusted system
  has to be a best-effort one that allows people to
  diagnose events and occurrences, e.g.:
   – someone forgot a "Smartcard" left in a voting machine
   – the machine jammed; the disk is unreadable
   – a ballot-box is missing in transit
• A three-count system (paper ballots, e-Vote records and the
  electoral roll) provides diagnostics into what is occurring
  operationally in the election and allows systematic
  remediation to solve it.
    Balancing information capture
• A trusted process collects the minimum information
  needed to effect a secure vote
• Too much information compromises anonymous
  voting in subtle ways
• Too little information prevents effective audit
• Example: stamping votes with machine IDs –
  good idea or bad idea? (The ID shows which device
  produced a record, which helps audit; but where a
  machine serves few voters, the ID combined with the
  order of sign-in or with timestamps can narrow a
  record down to a voter.)
                Voting Risk Factors
• Ballot stuffing
   – Casting additional votes
• Voter disenfranchising
   – Removal
   – Restricting access
   – Not counting
• Vote switching
   – Display or print choice for one candidate, actually record for
• Falsifying counts
   – Tallying does not reflect actual voting
• Falsifying electoral roll
   – Dead voters, non-existent voters, selling of votes
• Anonymous voting compromised
   – Computer techniques negate privacy and anonymous vote
• Disrupt / Discredit / Prevent voting process
(NIST risk analysis document presented to TGDC – March 9th)
                                   SWOT Analysis
Paper Only
• Strengths: Direct voter ballot verification; Persistent nature of content; Familiar and
  traditional trust; Strong audit trail; Physical access can be controlled; Anonymous
  mechanism; Mature open marketplace of vendors; Established operational practices;
  Resistant to technology attacks; Distributed process; No mechanical failures
• Weaknesses: Ballot-box security; Clumsier counting; Voter intimidation; Ballot-box
  stuffing; Voter access; Disenfranchisement; Large local variances; Speed of results;
  Slow to setup; Distances citizens; Government manipulation
• Opportunities: Provide foundation for trusted voting processes internationally
• Threats: New technology exposes new weaknesses; Government abuse
e-Vote Only
• Strengths: Accuracy of counting; Speed of counting; Multi-lingual support; Enforced
  procedures; Disadvantaged access; Encryption safeguards; Centralized distribution of
  ballot details; Operation can be certified; Remotely accessible
• Weaknesses: Mechanical failure; Sabotage; Voters cannot directly verify actions;
  Ephemeral nature of content / audit / storage; Trust and "Big Brother"; Electronic
  break-ins; 'Castle' lure for attacker; Remote access
• Opportunities: Provide open access beyond polling stations; Provide direct rapid
  canvassing on issues; Standards create open marketplace; Open government with citizen
  involvement; Less voter intimidation
• Threats: Excessive regulation builds vendor monopolies; Vendors manipulate marketplace;
  Vendors align to political parties; Vote selling by voters; Anonymous compromised;
  Government manipulation
Are cryptography systems safe?
• Summary of cryptography strengths and
• Vendors of cryptography systems tout their
  safety. There’s only one problem – what if the
  cryptography system itself is compromised?
• Humans cannot “see inside” to know that their
  vote really was counted in the way they wanted
• All the Voting Risk Factors identified can apply to
  eVoting systems too, we need a reliable process
  to ensure that a fair vote is taking place –
  regardless of the technology being used.
Vote record formats analysis :
              Safeguards and Trust
 • How do we move from a centuries old
   paper-based process to one that can
   include digital and paper together in a
   safe and trusted manner?
 • What are the basic principles that need to
   be followed? (otherwise people can
   potentially cheat and we will not be able
   to know if they did or not)
 • If people can cheat, they will*
* NIST presentation to HAVA TGDC on Threats to Voting systems - March 2005
       Trust and Logic Examined
• How can we ensure the machine does not
  cheat on the human operator who cannot
  “see inside”?
• MIT coined the term the “Frog Principle”*
  for a multi-party trusted logic process
• If you have two parties that you cannot
  trust, how do you create a process that
  ‘hops’ between the two – in a way that if
  either cheats you will know?
   Trusted Logic Process Explained
• Uses write-once technology
   – paper ballots (preferred medium today)
   – or “digital-paper” – liquid crystal plastic that machine “writes” to and human can read*
   – or write-once digital chips that insert into a computer slot (MIT “frogs”)
• First party creates record of the voters’ choices
• Voter transfers that information to second party
• Second party then confirms what the first party did and
  displays that information for the voter to confirm
• Process completes with three records retained
   – What the first party said they did
   – The copy they passed to the second party
   – What the second party displays to the voter (printed as paper ballot)
• Auditor can compare all three records – to ensure they

   * too costly today – but maybe within fifteen years time will be as cheap and easy to handle as paper.
         Creating a Trusted Exchange
(diagram: "Frog Principle" in action)
• Party A device records the digital ballot as an e-Vote record on write-once
  digital storage media (Party A's record) and sends the vote details to Party B
• Party B device prints the ballot (-print); the voter confirms it (-confirm)
  and hand-casts the VVPB (-cast VVPB)
• Party B stores its e-Print record on its own write-once digital storage
  media (Party B's record)
• The printed, voter-verified, hand-cast paper ballot is the audit
  verification record
      Cornerstones of Process
• One provider cannot supply solutions across
  more than one layer or process
• Each layer must be autonomous and passes
  information to next layer in open formats that
  can be inspected and verified
• Software involved must be published to open
• Physical separation of layers and devices
  associated with them (MIT “Frog” principle)
• Independent of and not requiring any specific
  cryptography techniques
               Pillars of Trust
•   Verifiable paper ballots
•   Matched e-Vote electronic records
•   Electoral roll of voter participation
•   Private and anonymous
•   Secure tallying and crosschecking
•   Easy for citizens to understand
           Processing Layers
•   Electoral roll and voter registration
•   Voting process
•   Counting process
•   Verification and Certification
•   Equipment deployment, setup and control
              Separation of Layers
• Verifiable paper ballots
   –   Cast by hand or by mail by citizens directly
   –   Printed / Formatted separately from e-Voting process (dual-path)
   –   Electronic log of printing activity (as backup to e-Vote counts)
   –   Allows machine scanning of paper ballots cast
• Matched e-Vote electronic records
   –   Each vote record stored, not just rolling tally
   –   Contains process status information (restartable)
   –   Signature to authenticate that the record came from a certified polling station
   –   Anonymous - cannot identify voter
• Electoral roll of voter participation
   – Not accessible by e-Vote machines (stays private and anonymous)
   – Voter verification service that retains the list of who voted and the access codes issued
• Secure tallying and crosschecking
   – Independent service that compares totals and authenticates codes used
• Easy for citizens to understand
   – Multi-lingual voting; open access; rules on formats of ballots
     Built-in Audit and Control
• Every single paper vote is scanned and
  counted and crosschecked against its
  matching eVote to give 100% verification
  and audit control (just like in a banking
• This can happen in a timely fashion after
  the ballot – and then fully verified results
  can be published that certify the election
                            Process Overview
• 1. Electoral roll and voter registration
   – Confirm voter eligibility and verification
   – Maintain independent voter electoral roll
   – Provide lists of voters for access to polls
• 2. Voting process
   – Dual path: paper and e-voting records
   – Processing uses open exchange formats
   – Not sole vendor solution
• 3. Counting process
   – Scans paper ballots; tallies e-votes media
   – Verifies e-vote signatures and status logs
   – Compares counts from all three sources: paper, e-votes, electoral roll
• 4. Verification and Certification
   – Artifacts storage to open public spec's
   – Each component lab' tested for interop'
   – Version control and signature on software
• 5. Equipment operational needs
   – Guidelines for equipment behaviours
   – Access and deployment needs
   – Process flow and separations
(diagram: process flow) DRE device: display ballot, make choices → digital ballot
recorded as e-Vote record on write-once digital storage media; print process →
e-Print record on write-once digital storage media → printed ballot, cast VVPB →
ballot cast; polls close → reconcile e-Vote counts + ballot counts + e-Print counts
+ voter counts (electoral roll) → Results
                        Process Detail: Voting
(diagram: dual-track vote processing*)
• 1. Voter entry; actions: cast VVPB
• Process A: e-Vote capture → e-Vote records to local storage device
  (write-once digital storage media)
• Process A submits request (XML) to Process B; Process B: ballot printing;
  confirms print done back to Process A
• 3. Printed ballot records to local storage device (write-once digital storage media)
• 4. Printed ballot → cast ballots
                                   * dual-track DV (direct verification) with storage implements the MIT "frog principle"
                        Process Detail: Alternate
(diagram: Internet / Absentee voting)
• 1. Authorization letter + code sent to the voter
• 2. Remote voting forms (dual vote)
• 3. Process A: remote e-Vote capture → e-Vote records stored on remote storage
  (write-once digital storage media)
• Process A submits request (XML) to Process B; Process B: ballot printing on
  the local system; confirms print done
• 4. Printed ballot records sent to remote storage device (write-once digital
  storage media)
• 5. Printed ballot posted (voted) via mail
                    Process Detail: Counting
(diagram)
• 1. Initial counting: retrieve e-Vote records from the digital storage media
  collected from storage devices → provisional count
• 2. Scanning: retrieve printed ballot records from the digital storage media
  collected from storage devices; scan the cast ballots → ballot tally
• Count verification: compare vote records and counts from both tracks against
  the electoral roll → accepted ballots
• 4. Verified results
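The three-record comparison from "Trusted Logic Process Explained" and the three-source count check from "Process Detail: Counting", modelled in Python as an added example (not code from the submission or from EML). Party names, the per-station HMAC key, the ballot races and the sample ballots are constructed for the example, and the station signature stands in for whatever certification scheme a real deployment uses.

```python
"""Frog-principle reconciliation (added example; not from the OASIS EML submission).

Each ballot leaves three records: Party A's e-Vote record, Party B's e-Print record and
the hand-cast paper ballot. The auditor compares the three per cross-reference and then
compares the three counts (paper, e-votes, electoral roll). Keys, races and ballots below
are constructed for the example.
"""
import hashlib
import hmac
import json
import secrets
from collections import Counter

STATION_KEY = b"hypothetical key of certified polling station PS-17"  # constructed


def sign(xref, choices, key=STATION_KEY):
    """HMAC over the canonical record body, so the counting layer can check that a record
    came from a certified polling station (stands in for the deployment's real scheme)."""
    body = json.dumps({"xref": xref, "choices": choices}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def party_a_capture(choices, record_instead=None):
    """Party A (e-Vote capture). Returns (record kept on A's write-once media, details sent to B).
    record_instead models a compromised A that stores one thing and forwards another."""
    xref = secrets.token_hex(6)  # random cross-reference: not sequential, not time based
    kept = record_instead or choices
    return {"xref": xref, "choices": kept, "sig": sign(xref, kept)}, {"xref": xref, "choices": choices}


def party_b_print(sent, print_instead=None):
    """Party B (separate printer). Returns (B's e-Print record, the printed ballot the voter holds).
    print_instead models a compromised B that prints something other than what it received."""
    printed = print_instead or sent["choices"]
    record = {"xref": sent["xref"], "choices": printed, "sig": sign(sent["xref"], printed)}
    return record, {"xref": sent["xref"], "choices": printed}


def reconcile(e_votes, e_prints, paper, voters_marked, key=STATION_KEY):
    """Auditor: verify station signatures, compare the three records per cross-reference,
    then compare paper, e-Vote, e-Print and electoral-roll counts."""
    problems = []

    def by_xref(records, name):
        out = {}
        for r in records:
            if not hmac.compare_digest(r["sig"], sign(r["xref"], r["choices"], key)):
                problems.append(f"{name} {r['xref']}: not signed by a certified station")
            out[r["xref"]] = r["choices"]
        return out

    a, b = by_xref(e_votes, "e-vote"), by_xref(e_prints, "e-print")
    p = {r["xref"]: r["choices"] for r in paper}
    for x in sorted(set(a) | set(b) | set(p)):
        trio = (a.get(x), b.get(x), p.get(x))
        if None in trio:
            problems.append(f"{x}: record missing (A={x in a}, B={x in b}, paper={x in p})")
        elif not (trio[0] == trio[1] == trio[2]):
            problems.append(f"{x}: records disagree A={trio[0]} B={trio[1]} paper={trio[2]}")
    counts = {"paper": len(p), "e_votes": len(a), "e_prints": len(b), "electoral_roll": voters_marked}
    if len(set(counts.values())) != 1:
        problems.append(f"count mismatch {counts}")
    tally = Counter((race, cand) for c in p.values() for race, cand in c.items())
    return {"ok": not problems, "problems": problems, "counts": counts, "tally": dict(tally)}


def run_election(ballots, scenario="honest"):
    """Walk every voter through both parties. scenario corrupts one party for the first
    voter ('switch_a' or 'misprint_b') so the check that catches it can be seen."""
    e_votes, e_prints, paper, marked = [], [], [], 0
    for i, choices in enumerate(ballots):
        marked += 1  # voter ticked off on the electoral roll and handed a token
        flipped = {**choices, "mayor": "Mallory"} if i == 0 else None
        kept, sent = party_a_capture(choices, flipped if scenario == "switch_a" else None)
        e_votes.append(kept)
        rec, printed = party_b_print(sent, flipped if scenario == "misprint_b" else None)
        e_prints.append(rec)
        if printed["choices"] == choices:  # voter verifies the printed ballot, then hand-casts it
            paper.append(printed)
        # otherwise the voter spoils it: no paper ballot is cast, so the record sets diverge
    return reconcile(e_votes, e_prints, paper, marked)


SAMPLE_BALLOTS = [  # constructed sample input
    {"mayor": "Alice", "measure_1": "yes"},
    {"mayor": "Bob", "measure_1": "no"},
    {"mayor": "Alice", "measure_1": "no"},
]

if __name__ == "__main__":
    for s in ("honest", "switch_a", "misprint_b"):
        r = run_election(SAMPLE_BALLOTS, s)
        print(s, "OK" if r["ok"] else r["problems"])
```

A Party A that records one choice and forwards another is caught because its record disagrees with Party B's record and with the paper; a Party B that prints something other than what it received is caught by the voter, who spoils the ballot, which then shows up as a missing paper record and a count mismatch. Neither party needs to be trusted, which is the point of the two-hop process; the paper ballot is the record the voter verified with their own eyes.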
    Process Detail: Voter Verification
(diagram)
• Electoral records (digital storage media) → electoral roll checks the voter
  and provides a random voting token
• Token enabling device: 3. voter proceeds to the voting booth; 4. voter
  deposits the ballot; the voting token is recycled for the next voter
• Digital voting records are written to separate digital storage media
KEY FACTOR: Avoid inadvertent sequential local information imprinting!
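What "sequential local information imprinting" leaks, and one way a vote store avoids it, as an added example (not code from the submission). The sign-in order, the voter names and the choices are constructed; the randomised-slot store is one possible design, not a feature of EML.

```python
"""Ordering leak in vote records (added example; not from the OASIS EML submission).

The electoral roll knows who signed in and in what order. If the voting device stamps a
sequence number or timestamp on each record, or simply appends records in arrival order,
an insider holding both the roll and the storage media can join them without any voter
identifier ever being written into a vote record. Names and choices are constructed.
"""
import random

SIGNIN_LOG = ["A. Voter", "B. Voter", "C. Voter", "D. Voter", "E. Voter"]  # roll order, constructed
CAST = ["Alice", "Bob", "Alice", "Alice", "Bob"]                             # what each cast, constructed
TRUTH = dict(zip(SIGNIN_LOG, CAST))


def naive_records(cast):
    """Leaky device: running sequence number, records appended in arrival order."""
    return [{"seq": i + 1, "choice": c} for i, c in enumerate(cast)]


def link_by_order(signin_log, records):
    """Insider attack: assume media order equals arrival order and zip it with the roll."""
    return dict(zip(signin_log, (r["choice"] for r in records)))


class AnonymousStore:
    """Vote store that carries no ordering information: no sequence number, no timestamp,
    and each record is written to a randomly chosen free slot of the fixed-capacity,
    write-once media, so slot order is independent of arrival order even if the media
    is seized before the polls close. A real device would draw from the hardware RNG
    (secrets.SystemRandom); a seedable rng is injected here so the example is repeatable."""

    def __init__(self, capacity, rng):
        self.slots = [None] * capacity
        self.rng = rng

    def write(self, choice):
        free = [i for i, s in enumerate(self.slots) if s is None]
        if not free:
            raise RuntimeError("write-once media is full")
        xref = f"{self.rng.getrandbits(48):012x}"  # random cross-reference shared with the paper ballot
        self.slots[self.rng.choice(free)] = {"xref": xref, "choice": choice}

    def records(self):
        return [s for s in self.slots if s is not None]


def anonymous_records(cast, seed):
    store = AnonymousStore(capacity=len(cast) + 3, rng=random.Random(seed))
    for c in cast:
        store.write(c)
    return store.records()


def perfect_linkage_rate(trials=200):
    """Fraction of runs in which the positional attack still recovers the whole mapping.
    With five voters and two candidates, chance alone gives about one run in ten."""
    hits = sum(link_by_order(SIGNIN_LOG, anonymous_records(CAST, seed)) == TRUTH
               for seed in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("naive records fully linked:", link_by_order(SIGNIN_LOG, naive_records(CAST)) == TRUTH)
    print("randomised slots, perfect linkage rate:", perfect_linkage_rate())
```

The same leak comes from a timestamp (the roll also knows roughly when each voter signed in) and from a machine ID at a station that serves few voters. The voting token the roll hands out must therefore unlock the device and be recycled without ever being written into the vote record, and the cross-reference printed on the paper ballot has to come from the same random, non-time-based mechanism.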
       Process Detail: Alternate Verification
(diagram)
• 1. Voter receives e-Ballot in the mail, calls to be verified and then
  receives the election access token
• Call centre (volunteer staff) checks the electoral records (digital storage
  media) on the electoral system; the token providing system provides a random
  voting token
• 3. Voter proceeds to print the ballot locally
• 4. Delivery: mail-in ballot; digital voting records held on the remote
  electoral system (digital storage media)
          Supporting Infrastructure
• Election officials have an obligation to provide trusted
  election services including:
    – accurate electoral rolls that are confidential (e.g. not sold like
           telephone white pages, mailing lists)
    – secure and safe voting environments - including polling stations,
      but beyond that to libraries and broader access for citizens
    – a trusted voting process to include independent verification of the
      ballot by trained government employed election staff using
      independently developed counting and verification tools.
    – ensure the software is open source and inspected, and that only certified
      components are used in the voting process, so that citizens can
      know that this is a trusted process
    – retain 100% copies of paper ballots, and write-once electronic
      media copies of e-Voting records, for minimum of one year
      following an election.
Sample overview of a voting process:
         Verification Services
• Federal and International community
  – supporting ongoing analysis by organizations such as
    NIST, the United Nations and others (EU) that provide
    analysis tools and technical support to the verification
  – open specifications work - at the level of OASIS and
    ISO that provides the foundation for open public
    mechanisms for voting procedures
  – provide certification services for voting solutions that
    conform to the requirements and specifications
 Creating an open marketplace
• A healthy and open marketplace, not a quasi-
  monopoly, where a broad range of service
  providers can deliver solutions to citizens, cost
  effectively and innovatively, that support and
  enhance the voting system and experience
• Based on open specifications that have free use
  licensing and not encumbered by any specific
  proprietary technology
• Cushion against migration to new specifications
  and changes and surprise requirements
• Better guidance to legislators
• Allow determination of trusted process
  combining paper and digital ballots
• Overview of the core elements and their
  interactions, safeguards and cornerstones
• Details can then be refined from the basic
  process overview
• XML required to run all the exchanges
• Goal – produce open public specification
                       Useful Resources
•   Website of Professor Rebecca Mercuri
•   Brookings Institute Report - Agenda for Election Reform
•   CalTech site on ensuring voting integrity
•   NYVV - Advantages of ballot scanners over DREs
•   Analysis of counting irregularities in US elections
•   MIT Study on accuracy of voting systems
•   Verified Voting site
•   West Virginia procedures for optical scanning ballots
•   Administration and Cost of Elections (ACE)
•   Anecdotal reporting on 2004 US elections
•   NIST Glossary of Terms document – glossaryv2Feb28.doc
       Why VVPAT can be VVPB!
• Voter Verified Paper Audit Trail
    – only small % audited – not complete ballot (typically only 1%)
    – requires casting in central box to:
        •   retain anonymous vote (especially for disabled voters)
        •   ensure voter can verify exactly what is on printed record
        •   allow ‘spoiled vote’ capability for voter
        •   retain familiar simple process – not confusing; with 100% voter use
    – integrated printing device
    – paper record contains cross-reference to eVote (use obvious random
       mechanism and code sequences that are voter selectable and not time dependent)

• Voter Verified Paper Ballots
    – full ballot that is printed separately and hand-cast by voter and
      100% scanned and counts cross-checked
    – separate printer device (MIT “frog principle”)
    – use of XML to make output scriptable
    – paper record contains cross-reference to eVote
* NIST presentation to HAVA TGDC on VVPAT Requirements - March 2005
       Issue Avoidance for VVPAT
• Potential VVPAT issues for "closed" printer system
   A  Voter unable to directly verify what the printer dumps into the container
   B  Single vendor for voting and printing devices (trust issues)
   C  Requires special printer instead of familiar everyday printer (trust issues)
   D  VVPAT process compromises the voting process if not done correctly
   E  Sequence of paper in container may not be random enough compared to
      single central ballot box in VVPB approach
   F  Printer could print additional code information that is not verified by
      voter (compromise anonymous vote + vote switching attacks)
   G  More difficult for visually impaired voters to verify printed ballot behind
      plexi-glass shield; VVPB approach puts ballot in voters hands

• Burden of use for polling officials
• Reliability of printers
    – regular simple home PC printer 30,000 hours MTBF
    – using a simple printer without mechanical modifications
      and changes is therefore common sense
• Support simple verification by election staff and
  scanning by optical devices
* NIST Approach to VVPAT Requirements - March 2005
                  Maryland DRE analysis
(diagram)
• 1. Electoral roll provides a voting token (manual tracking)
• Token enabling device; voter proceeds to the voting booth; DRE device writes
  digital voting records to digital storage media; token returned and recycled
• Problem: voter cannot verify media
• 5. Polls close: digital storage media + paper tape roll of vote counts
                 Maryland Count Analysis
(diagram)
• 6. Polls closed: DRE devices print tape roll of vote counts; digital records
  media placed in reader (audit on small % only)
• Tape rolls checked with station voter counts and signed
• Problem: paper roll contains summary vote counts only
• 7. Reconcile votes (e-Vote counts); 8. Results
TRUST ISSUES
   A  Voter unable to directly verify storage of vote details on digital media
   B  Tape roll counts totals only – so no verification of votes themselves
   C  Is digital storage media write once?
   D  Single vendor for voting and tallying software
   E  Limited audit of small % of votes cast, not every vote
   F  No audit trail – impossible to verify if vote switching has occurred
       DRE + VVPAT Sealed Printer Analysis
(diagram)
• 1. DRE entry: choose, confirm, complete → e-Vote capture; e-Vote records to
  local storage device (write-once digital storage media)
• 2. Submit request → audit record printing → printed audit record; confirm
  print done
• 3. Voter verifies printed details
• 4. Printer dumps sheet into sealed container
• Fails Trusted Logic!
TRUST ISSUES
   A  Voter unable to directly verify what the printer dumps into the container
   B  Sequence of paper in container may not be random enough compared to single
      central ballot box
   C  Printer could print information that is not verified by voter (not anonymous)
   D  Single vendor for voting and printing devices
   E  Requires special printer instead of familiar everyday printer
   F  More difficult for visually impaired voters to verify printed ballot behind
      plexi-glass
   G  Use of special embossed paper in printer would increase voter trust
   H  Equipment reliability and failures
   I  DRE can manipulate vote and printing without needing voter intervention, or
      by ignoring / misleading voter
   J  Voter cannot be assured that spoiled or incomplete ballots really are ignored
   K  Missing use of standard XML to configure ballot forms and manage printing
