Trusted Logic Voting Systems with OASIS EML 4.0 (Election Markup Language)


Trusted Logic Voting Systems with OASIS EML 4.0 (Election Markup Language)
April 27, 2005
http://www.oasis-open.org
Presenter: David RR Webber, Chair OASIS CAM TC
http://drrw.net

Contents
- Trusted Logic Voting (TLV)
  - Needs, Approach and Implementation
- Using OASIS EML
  - History, Overview, Processes, Transactions
- Applying OASIS EML
  - Example process steps and actions
  - Supporting US-style elections
- Summary

Trusted Logic Voting Needs
- How can we ensure the voting machine does not cheat on the human operator who cannot see inside?
- How can we know that every vote is counted as cast?
- If you have two parties that you cannot trust, how do you create a process that works between the two in a way that if either cheats you will know?
- How can you create an audit trail that allows 100% crosschecking while keeping voter privacy?
- Use existing work in the field on multi-party trusted logic process (e.g. MIT approach using the "Frog Principle" *)

* see: http://www.vote.caltech.edu/media/documents/vtp_wp2.pdf

Trusted Logic Concept
[Diagram of four numbered steps between Party A and Party B. Labels: take what Party A tells you; ask Party B to tell you what that information says; compare the two; each party keeps a secure copy; copies can be independently audited.]

Trusted Logic Applied to Voting
- First party creates record of the voter's choices
- Voter selection information transferred to second party
- Second party then confirms what the first party did and displays that information for the voter to confirm
- Confirmation uses write-once technology:
  - paper ballots (preferred medium today), or
  - digital-paper: liquid crystal plastic that machine writes to and human can read*, or
  - write-once digital chips that insert into a computer slot (MIT "frogs")
- Process completes with three records retained:
  - What the first party said they did
  - The copy they passed to the second party
  - What the second party displays to the voter (printed as paper ballot)
- Auditor can compare all three records to ensure they match

* too costly today but maybe within fifteen years' time will be as cheap and easy to handle as paper.

US Voting System Example
[Diagram, captioned "Trusted Logic Voting in action", with four numbered steps. Labels: Voter; actions choose, print, confirm, complete, cast VVPB; Party A: DRE device, storage process, digital ballot recorded, e-vote record, digital storage media (write once), Party A's record; Send Vote Details (XML); Party B: printing device, print process, e-print record, print record stored, digital storage media (write once), Party B's record; printed ballot, voter verified, hand cast; paper ballot cast, audit verification record.]

Core Trust Principles
- Verifiable paper ballots
- Matched e-vote electronic records
- Electoral roll of voter participation
- Private and anonymous
- Secure 100% tallying and crosschecking
- Easy for citizens to understand

Three Pillars of Trust
- Electoral Roll
  - managed by election officials and administered by voting staff
  - process designed to ensure anonymous vote
- Electronic voting records
  - generated by voter using voting system
  - digitally recorded and stored by voting system
- Matching Paper voting records
  - generated by voter using voting system
  - manually cast or mailed by voter

Fundamentals of Trust
- 100% audit and comparison every time of all three Trusted Pillar counts to produce a certified election result
- Separation required between each step of the process; the trusted logic process is applied between the electronic and paper vote handling
- No single system can control or access more than one of the Trusted Pillars - processing each has to be distinct
- Every paper vote record is scanned and counted; every matching electronic vote is stored and then separately tallied

Ensuring Timely Results
- To be trusted, elections must be able to produce timely answers and results
- 100% audit and comparison of three counting sources provides this: real-time analysis during voting and immediately after the balloting closes
- Avoids recrimination, legal challenges and uncertainty that is introduced by today's partial audits only
- Identifies and traces operational issues (machine problems or operator errors) and resolves them
- Allows confidence in declared results of elections

Balancing information capture
- A trusted logic process allows the minimum effective information collection to effect a secure voting process
- Too much information compromises anonymous voting in subtle ways
- Too little information prevents effective audit trails
- Example: stamping votes with machine IDs - good idea or bad idea?
- Next we look at how OASIS EML 4.0 instructs on the information exchange details

Quick Overview of EML History
- Work begun in May 2001
- Charter: To develop a standard for the structured interchange of data among hardware, software, and service providers who engage in any aspect of providing election or voter services to public or private organizations
- UK government has implementations: UK Local Election pilots held in May 2003. http://www.oasis-open.org/committees/election
- Council of Europe Endorsement: Council of Europe Ministers have endorsed the e-voting recommendations and with that the use of EML. http://europa.eu.int/ida/en/document/3294/358
- EML 4.0 is a committee draft for review and comment; other countries in Europe now exploring use
- Overview of EML and processing: http://www.idealliance.org/papers/xmle03/slides/spencer/spencer.ppt

Category Overview of EML
One or more XML schemas series are provided to support each general process area:
- Pre election: Election (100), Candidates (200), Options (600), Voters (300)
- Election: Voting (400)
- Post election: Results (500), Audit, Analysis

Some functions belong to the whole process and not to a specific part:
- Administration Interface
- Help Desk

Selected EML 4.0 Transactions

| Schema Name | Purpose |
|---|---|
| EML 110 - election event | Information about an election or set of elections. It is usually used to communicate information from the election organizers |
| EML 210 - candidate nomination | Used to nominate candidates or parties, consenting or withdrawing |
| EML 230 - candidate list | Contest and candidates details |
| EML 310 - voter registration | Used to register voters for an election |
| EML 330 - voter election list | Details of actual voters for an election |
| EML 340 - polling information | Notification to voter of an election, their eligibility and how to vote |
| EML 410 - ballot | Describes the actual ballot to be used for an election |
| EML 420 - voter authentication | Used for voter authentication during a voting process |
| EML 440 - cast vote | Actual record of vote cast |
| EML 460 - votes group | Group of votes being transferred for counting |
| EML 480 - audit log | Documents access to voting records and reason |
| EML 510 - count | Results of election contest(s) and counts |
| EML 520 - result | Communicating specific result details on candidates and elections |

OASIS EML 4.0 transaction use
- Electoral Roll (EML 310, 330, 340)
  - managed by election officials and administered by voting staff
  - process designed to ensure anonymous vote
- Electronic voting records (EML 440, 460, 480, 510)
  - generated by voter using voting system
  - digitally recorded and stored by voting system (EML 510)
- Matching Paper voting records (EML 440, 480)
  - generated by voter using voting system
  - manually cast or mailed by voter
  - scanned electronically (EML 440, 480, 510)

EML and US Voting Example
[Diagram, captioned "Using EML formats in action": the four-step US voting flow (voting actions choose, print, confirm, complete, cast VVPB; e-vote record and storage process; print process and printing device; digital ballot recorded and print record stored on write-once digital storage media; printed ballot, voter verified, hand cast; paper ballot cast) annotated with the EML formats used at each point. Format lists shown in the diagram: 310, 330, 340, 410, 420; 440, 480; 440, 480, 410; 440, 460, 480.]

Reality of real-world voting
- Good solutions have to be adaptive and survive in a complex, unpredictable world; they have to administer well
- Today's paper-based voting systems have a culture around them and years of operational lessons learned
- Need to have formalized documented procedures
- Council of Europe Ministers have endorsed the comprehensive steps for e-voting recommendations and with that the use of EML. http://europa.eu.int/ida/en/document/3294/358
- Expecting 100% perfection is unrealistic; a trusted system has to be a best case that allows people to diagnose events and occurrences, e.g.:
  - someone forgot a voting card left in a voting machine
  - the machine jammed; the disk is unreadable
  - someone keyed in the wrong setup code
  - the computer hardware failed

EU Procedures* (Processing Layers)
Items covered:
- Electoral roll and voter registration
- Voting process
- Counting process
- Verification and Certification
- Equipment deployment, setup and control

* see: http://www.coe.int/t/e/integrated_projects/democracy/02_activities/02_e-voting/01_recommendation/default.asp#topofpage

EU Procedures clarifying items (1)
These trusted logic items should be added:
1. Explicit reference to the importance of using write-once media for vote recording - either paper or digital
2. Need for voters to be able to physically verify their vote directly - via paper ballot or equivalent physical representation of an actual ballot - not an electronic ephemeral representation, and to cast that physical representation by hand
3. Need to separate the layers of the process - so the same component provider is not doing all vote creating, printing, and counting the total votes (no single solution provider)
4. Need to use trusted logic principle so that the voter can verify that the digital voting choice recorded matches the physical voting choice they selected

EU Procedures clarifying items (2)
These ballot processing items should be added:
5. Need to compare 100% of all counts - electronic and physical ballot counts and electoral record counts - to ensure they tally*
6. Explicit call-out of the need to avoid sequential processing information compromising vote privacy and anonymity
7. Explicitly call out that overall election counts should be tallied independently for each of the sources - electoral roll, digital votes, and voter verified (paper) ballot counts (after scanning - EBI - Electronic Ballot Imaging**).

* More in-depth technical operation level discussions here: http://gnosis.cx/publish/voting/privacy-electronic-voting.pdf
** Electronic Ballot Imaging - http://www-128.ibm.com/developerworks/xml/library/x-matters36.html

How OASIS EML views process steps and separations
[Diagram labels: Election; Candidates; Ballot / Referendum; Voters; Voting; Results; Audit]

Procedural requirements
- One implementer cannot supply solutions across more than one layer or process
- Each layer must be autonomous and pass information to the next layer in open formats that can be inspected and verified
- Software involved must be published to open source
- Physical separation of layers and devices associated with them

Process Overview
1. Electoral roll and voter registration
   - Confirm voter eligibility and verification
   - Maintain independent voter electoral roll
   - Provide lists of voters for access to polls
2. Voting process
   - Dual path: paper and e-voting records
   - Processing uses open exchange formats
   - Not sole vendor solution
3. Counting process + audit logs
   - Scans paper ballots; tallies e-votes media
   - Verifies e-vote signatures and status logs
   - Compares counts from all three sources: paper, e-votes, electoral roll
4. Verification and Certification
   - Artifacts storage to open public specs
   - Each component lab tested for interop
   - Version control and signature on software
5. Equipment operational needs
   - Guidelines for equipment behaviours
   - Access and deployment needs

OASIS EML process details
- The OASIS EML provides details for each part of voting process (see specification for exact details)
- Next few slides show how these can be applied to a trusted logic voting process
- More process details - NIST / HAVA: http://vote.nist.gov/tgdc/process%20model%2020050223.pdf

Projected US implementation flow
[Diagram of a numbered flow, steps 1 to 8. Labels: voter actions choose, print, confirm, complete, cast VVPB; DRE device: display ballot, make choices; storage process, e-vote record, digital ballot recorded on write-once digital storage media; print process, e-print record, printed ballot, paper ballot cast; send; polls close; precinct level consolidations (canvassing) on both paths; media delivered to tallying center on both paths; reconcile votes: e-vote counts + e-print counts + ballot counts (EBI) + voter counts (electoral roll); results declared.]

Action Process: Voting
[Diagram, captioned "Dual-track trusted logic voting", with four numbered steps. Labels: DRE entry with actions choose, print, confirm, complete, cast VVPB; Process A: e-vote capture (EML 440), e-vote records (XML), local storage device, digital storage media (write once); submit request (XML) and confirm print done between Process A and Process B; Process B: ballot printing (EML 410), records of what printed (XML), local storage device, digital storage media (write once); printed ballot; hand cast ballots (scanned to EBI); stored records annotated with EML formats 440, 460, 480.]

Action Process: Counting
[Diagram with four numbered steps. Labels: initial counting: e-vote tallying of e-vote records and print ballot records, retrieved from the collected digital storage media; ballot scanning, ballot tally (EBI*); accepted ballots, rejected ballots, review / deferred ballots, review process; electoral roll (XML); compare vote records and counts; provisional results; count verification; verified results.]

* Electronic Ballot Imaging - http://www-128.ibm.com/developerworks/xml/library/x-matters36.html

Action Process: Voter Verification
[Diagram with four numbered steps. Labels: electoral roll, electoral records; token enabling device: provide random voting token, recycle voting token; proceed to voting booth; deposit ballot; digital voting records on digital storage media.]

KEY FACTOR: Avoid inadvertent sequential local information imprinting!

Creating an open marketplace
- Open trusted logic voting (TLV) that underpins voting in the digital age
- A healthy and open marketplace where a broad range of service providers can deliver solutions to citizens, using off-the-shelf cost-effective components, that support and enhance the voting system and experience
- Based on open specifications that have free use licensing and are not encumbered by any specific proprietary technology
- Inform and guide legislators and administrators

TLV Implementation Components
1. Voter registration and ballot day sign-in - separate system, with separate counts and reporting at end of day. Provides voters with access to voting system to cast their ballot; uses OASIS EML formats.
2. Separate voting system that voters access to select choices and make their vote; passes choices to VVPAT printing system and creates electronic record of vote (uses simple ballot-id to provide crosscheck and real-time auditing). Supports disabled access and multilingual access.
3. Ballot printing system - creates paper record, and printing audit electronic record. Voter confirms paper ballot detail, and casts vote into ballot box. Ballot-ID printed on ballot; ballot is scanned into EBI*.
4. Real-time counting - after polls close provides 100% crosscheck via ballot-id between counts from 1), 2) and 3). Takes OASIS EML records and counts them. Counting software is open source. Using 3 separate count systems gives banking system level of robust auditing and trust.
5. The goal is to provide the underlying functions as OSI - and then allow solution providers to provide localization and value-add above that.
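The 100% crosscheck via ballot-id described in component 4 above, as an added Python example that is not part of the original presentation: it compares Party A's e-vote records, Party B's print records and the scanned paper ballots ballot-id by ballot-id, and checks all three counts against the electoral-roll count. The record layout (plain dictionaries rather than EML 440/460 documents), the function names and the sample ballot-ids are assumptions constructed for illustration.

```python
"""Three-way ballot reconciliation (added example, constructed data)."""
from collections import Counter

SOURCES = ("evote", "eprint", "paper")


def tally(records):
    """Per-source tally: {(contest, choice): votes}."""
    counts = Counter()
    for choices in records.values():
        counts.update(choices.items())
    return counts


def reconcile(roll_count, evote, eprint, paper):
    """Cross-check every ballot-id across the three record sets.

    roll_count -- voters signed in on the electoral roll; a count only, so
                  no voter identity is ever joined to a ballot-id
    evote      -- Party A's e-vote records, {ballot_id: {contest: choice}}
    eprint     -- Party B's print records, same layout
    paper      -- hand-cast paper ballots after scanning (EBI), same layout
    """
    sets = dict(zip(SOURCES, (evote, eprint, paper)))
    all_ids = set().union(*sets.values())

    # A ballot-id absent from any one source is an audit finding.
    missing = {name: sorted(all_ids - set(recs)) for name, recs in sets.items()}

    # A ballot-id present in all three must carry identical choices.
    common = set(evote) & set(eprint) & set(paper)
    mismatched = sorted(
        bid for bid in common if not (evote[bid] == eprint[bid] == paper[bid])
    )

    counts = {name: len(recs) for name, recs in sets.items()}
    counts["roll"] = roll_count
    ok = (
        len(set(counts.values())) == 1   # all four counts agree
        and not any(missing.values())
        and not mismatched
    )
    return {
        "ok": ok,
        "counts": counts,
        "missing": missing,
        "mismatched": mismatched,
        "tallies": {name: tally(recs) for name, recs in sets.items()},
    }


def demo():
    # Constructed sample: four sign-ins; ballot-ids are random-looking tokens
    # so that stored records carry no casting sequence. Record 2b60 differs
    # in Party A's copy, and paper ballot e4d8 was printed but never cast.
    eprint = {
        "7f3a": {"Mayor": "Lee"},
        "c91e": {"Mayor": "Ortiz"},
        "2b60": {"Mayor": "Ortiz"},
        "e4d8": {"Mayor": "Ortiz"},
    }
    evote = dict(eprint, **{"2b60": {"Mayor": "Lee"}})
    paper = {bid: rec for bid, rec in eprint.items() if bid != "e4d8"}
    return reconcile(4, evote, eprint, paper)


if __name__ == "__main__":
    report = demo()
    for key in ("ok", "counts", "missing", "mismatched"):
        print(key, report[key])
```

Because each source is tallied on its own before comparison, a disagreement points at a specific ballot-id and a specific party's record rather than only at a differing total.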

Summary: What EML supports
- Allows implementation of trusted logic process combining paper and digital ballots
- Details of the core elements and their interactions, safeguards and cornerstones
- Mechanisms and separations to secure process and provide audit crosschecks
- XML required to run all the exchanges
- Open international public specifications

Useful Resources
- Website of Professor Rebecca Mercuri - http://www.notablesoftware.com/evote.html
- Brookings Institute Report - Agenda for Election Reform - http://www.brook.edu/comm/policybriefs/pb82.htm
- CalTech site on ensuring voting integrity - http://vote.caltech.edu/reports
- NYVV - Advantages of ballot scanners over DREs - http://www.nyvv.org/paperballotvsdre.htm
- Analysis of counting irregularities in US elections - http://ideamouth.com/voterfraud.htm
- MIT Study on accuracy of voting systems - http://vevo.verifiedvoting.org/vendors/studies/20040601_ansolabeherepaper.pdf
- Verified Voting site - http://www.verifiedvoting.org
- West Virginia procedures for optical scanning ballots - http://www.wvsos.com/elections/eday/procedureselectronic.htm
- Administration and Cost of Elections (ACE) - http://www.aceproject.org/main/english/index.htm
- Anecdotal reporting on 2004 US elections - http://www.lionsgrip.com/voting2004.html
- NIST Glossary of Terms document - http://vote.nist.gov/tgdc/voting glossaryv2feb28.doc
- IEEE P1622 - http://grouper.ieee.org/groups/scc38/1622/p1622_documents.htm
- Overview of EML: http://www.idealliance.org/papers/xmle03/slides/spencer/spencer.ppt
- Technical aspects vote processing: http://gnosis.cx/publish/voting/privacy-electronic-voting.pdf
- Trusted Logic Voting: http://drrw.net/backup/trusted-ballot-processing-nutshell.pdf

DRE + VVPAT Sealed Printer Analysis
[Diagram with four numbered steps, marked "Fails Trusted Logic!". Labels: DRE entry with actions choose, print, confirm, complete; e-vote capture, e-vote records, local storage device, digital storage media (write once); submit request, confirm print done; audit record printing, printed audit record; voter verifies printed details; printer dumps sheet into sealed container.]

TRUST ISSUES
A. Voter unable to directly verify what the printer dumps into the container
B. Sequence of paper in container may not be random enough compared to single central ballot box
C. Printer could print information that is not verified by voter (not anonymous)
D. Single vendor for voting and printing devices
E. Requires special printer instead of familiar everyday printer
F. More difficult for visually impaired voters to verify printed ballot behind plexi-glass shield
G. Use of special embossed paper in printer would increase voter trust
H. Equipment reliability and failures
I. DRE can manipulate vote and printing without needing voter intervention, or by ignoring / misleading voter
J. Voter cannot be assured that spoiled or incomplete ballots really are ignored
K. Missing use of standard XML to configure ballot forms and manage printing