D- Due to the Florida Nov 2000 chaos, voting may go entirely electronic rather quickly. The below is a sample of what is going on in the real political world. Obviously there can be some real sample elections of various election methods (and how much confusion they produce with real sample voters).

---

Testimony of Dr. Ed Gerck, CEO and CTO of Safevote, Inc., before the California Assembly Elections & Reapportionment Committee on January 17, 2001, in Sacramento. Assemblyman John Longville (D), Chair.

My company participated in the Internet voting test in Contra Costa and I would like to report about this and how it works. First, however, I would like to begin by making two cautionary notes.

The first one is about the term touch screen. There is nothing to prevent, and has been done, and in fact was demonstrated yesterday, an Internet voting system with a touch screen. A touch screen is simply a device where you touch and there is a sensitivity that tells you where the finger touched the screen. Our Internet voting systems have, from the viewpoint of the user as we tested in Contra Costa, an overwhelming majority of users who said they would prefer to use a touch screen to vote. It is very hard for someone who has never used a mouse to use a mouse. And a keyboard has 103 keys. So we did the test in Contra Costa with a system where voters could use a mouse or a simulated touch screen. Indeed, "touch screen" as a name [for a voting system such as a DRE] is a bit misleading because, certainly, it describes just a device.

Second, I would like to point out that it is very hard sometimes to take opinions, even though from a valued expert, at face value. I was hearing the former panel [on touch screen DRE systems] and Peter Neumann, who is a man beyond all best qualifications, made the affirmation that we cannot photograph what we can see [1]. As my background is in optics, with a doctorate in optics, I certainly know that is not correct.
If we can see the ballot we can photograph it, some way or another. So, I think we need to see the whole context of what is happening here.

My second cautionary note is that, rather than focus on technology issues, we should focus on requirements and let the technology come up to them. With this remark, I would say that the three requirements we need to have for a voting system are very simple.

Voter privacy must be the first requirement, where voter privacy is the inability to know who the voter is. This requirement must be what I call fail-safe. Even if everything fails, all the hardware fails, all the software fails, everyone colludes, and there is a court order, still voter privacy must not fail.

The second requirement is vote secrecy. Vote secrecy is defined as the inability to know what the vote is. In elections, contrary to e-commerce and other online applications, we don't have to decrypt [the ballots] immediately. In fact, we need to store the encrypted ballots for a short period of time, a day or two, maybe fifteen days in the case of early voting, and then we decrypt them and they become a matter of public record. So it is a completely different system in terms of vote secrecy than a standard cryptographic system, which is done online. We don't have to have the keys on the other side. It is a little bit easier in some ways. Vote secrecy is thus the second requirement.

The third requirement is vote integrity, where vote integrity is defined as the inability to influence the outcome of the election except by properly voting. These are three requirements that need to be, in my opinion, technologically neutral. There are many innovations coming every time, at an ever faster pace, and if we focus on technology it is rather easy to become lost.

Let me now address a practical example of how Internet voting works. First, if we look at the components of a voting system and reduce them to the bare bones, we find three parts. Three stations, if you will.
First is the voter authentication station where the voter is authenticated, usually by an election official. Second is the voting station where the voter actually goes and votes. Third is the ballot box. I am not talking about the tallying, I am not talking about the auditing. Those are added steps. I'm talking about the three essential systems we need to focus on.

If we take these three systems or processes and consider where they might be located, we have only two possibilities. They can be at the precinct or outside the precinct. In other words, they can be local or remote. From the viewpoint of the election official, they are local if they are at the precinct. If we now take the three stations or processes and the two states [local or remote], we have eight possibilities. We can have the authentication station, the voting station and the ballot box entirely in the precinct. And we can have one of them remote, two of them remote or all three of them remote. As we understand these eight possibilities, we see that Internet voting is not just one case. Internet voting is seven cases. When we talk about Internet voting, and this is now my third cautionary note, we need to know which case we are talking about and what is involved. That is - what is remote, what is local, how the system is classified.

In the case of Contra Costa County, this is what we did. The voter authentication was local. The voter went to the election official where his identity was checked by legal procedures and he received his ballot style. In Contra Costa there were 280 ballot styles. People vote for different school boards, for example, depending on where they live. So we need to authenticate not only the voter but also the voter's ballot style. On a screen, the election official entered the voter's password and ballot style and pressed a button. That would print a paper that was given to the voter face down. That paper had printed on it the instructions on how to vote and the DVC.
The DVC is the Digital Vote Certificate, which is a digital certificate with the properties of encryption and certification that fit into six characters. Those six characters encode the password to use the DVC. We don't want the DVC to be like money in that anyone can find it and use it, even though it is in a precinct. The six characters also encrypt the ballot style and the authorization of the election official - which the voter cannot read and cannot change.

The voter then takes this paper with the DVC to the voting station which is also local. So we have two local parts. The voter enters the DVC, which is a simple procedure, and enters the password. The voting station never had a copy of the DVC. So the DVC is not like a password where you need to have a copy to see if it matches. The DVC is verified by the way it works, not by the way it looks. The main point here is that we don't use a smart card. We don't use any other device between the authentication station and the voting station but a piece of paper that has the six characters. Those six characters are enough to convey all the information necessary.

So the voter now inputs the data [the DVC and password] into the voting station which is local in the precinct. The voting station verifies whether they all match, that is the DVC, the password and the signature, by means of the digital signature algorithm, and presents the correct ballot with the correct ballot style. The voter votes on a screen which we can demonstrate to you [2]; if you so want we can set up a demonstration. We just did it yesterday at the Exposition. It is a simple interface. I am not going to go into details here. One hundred percent of the voters in Contra Costa, 307 people, liked it. Even two of them who said they would never vote on the Internet because they wanted to use the paper; they wanted to go to the precinct. In the end, the votes are cast and sent to six different servers on the Internet. So we have a remote ballot box.
Also, the votes are stored locally, encrypted, and in other computers that may be networked in the same precinct. So we have redundant copies of the votes. In the machine we demonstrated yesterday we had two disks in a RAID configuration [3] with redundant disks plus a memory card. So we have several different ways to store the ballots.

The voter now does a step that is not available with paper ballots or DREs [Direct Recording Electronic machines]. The voter can take his DVC, go home and on the Internet he can verify in a voter list that his vote is actually there at the remote ballot box to be counted. Adding voter verification so that the voter can verify his vote is there is an important factor as well. If just 5% of the voters do verify, this helps protect the entire system.

There are several steps after this which I will omit for the sake of time. They are described in this issue of The Bell newsletter [4] which I will leave here, together with the main 16 requirements [4] we think should cover the least number of items that one must have in a voting system.

I would like to comment on one of the particular procedures used in the tallying. The votes are stored at the ballot box, and when the time for tallying arrives at the end of the election, they are added without being decrypted. The votes are only decrypted after they are added. This adds a second barrier to identifying the votes. There are also checks and balances between the registration system where the voter received the DVC and the final vote. There is verification whether that DVC was really issued. The DVC is a unique number issued to each voter and guaranteed by the system. So we can verify without identifying the voter. We can create a unique audit trail for each voter.

In closing, I would just like to comment that the same system can be used without the plug, without the network, and can become a DRE (touch screen).
So in fact we have a system which can work as Internet voting in the precinct with two parts local and one part remote, and also as a completely isolated system. This allows election officials and counties to buy equipment which conforms to current regulations, but yet is Internet ready. We also think that the issue that David Jefferson mentioned at the beginning of the other panel [on touch screen DRE] is very important - the question of obsolescence, of changing. So we need to have extensible products that can be applied, improved and upgraded.

Thank you very much.

FINAL COMMENT, ABOUT TRUST:

...I'd like to briefly comment on what Peter Neumann said before he left regarding trust. When we want to understand what trust is, trust is that which is essential to communication, but cannot be transferred in the same channel. We always need a parallel channel. So the question is having redundancy. When we look at the trust issue in voting, it is simply not possible to rely on one thing, or two things. We need to rely on more than two so we can decide which one is correct. In this sense, the whole question of whether the Internet is secure or not is simply not defined. The Internet is a communication medium and whatever we do in terms of trust, it is something that must run on parallel channels.

**************************

[1] Peter Neumann, testimony before the California Assembly Elections & Reapportionment Committee on January 17, 2001, John Longville, Chair, session on touch screen (DRE) voting systems: "...I have an additional constraint on it [a voter approved paper ballot produced by a DRE machine] that it is behind reflective glass so that if you try to photograph it with a little secret camera hidden in your tie so you can go out and sell your vote for a bottle of whiskey or whatever it is, you will get a blank image.
Now this may sound ridiculous from the point of view of trying to protect the voter, but this problem of having a receipt in some way that verifies that what seems to be your vote actually was recorded properly, is a fundamental issue."

[2] A demonstration of the Safevote system used in Contra Costa County in the November 2000 shadow Internet voting test is available at http://www.safevote.com/demo2000/

[3] RAID is short for Redundant Array of Inexpensive Disks and is a method whereby information is spread across several disks, using techniques such as disk striping (RAID level 0) and disk mirroring (RAID level 1) to achieve redundancy, lower latency and/or higher bandwidth for reading and/or writing, and recoverability from hard-disk crashes.

[4] The Bell newsletter, ISSN 1530-048X, November 2000. Copy at http://www.thebell.net/archives/thebell1.7.pdf

=====================================================================
This message was distributed through the e-lection mailing list. For info and archives see http://www.research.att.com/~lorrie/voting/
=====================================================================
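The tallying step the testimony describes, where the encrypted ballots are added first and only the sum is decrypted, as an added example that is not Safevote's code and not something the testimony specifies. The testimony does not name the cryptosystem, so this assumes an additively homomorphic scheme (textbook Paillier) with a constructed toy key and seven constructed ballots; the per-candidate counts are packed into one plaintext so a single decryption yields the whole tally.

```python
import math
import secrets

# Constructed toy key: 20-bit primes (real use needs a 2048-bit modulus or larger).
P, Q = 1000003, 1000033
N, N2 = P * Q, (P * Q) ** 2
LAM = math.lcm(P - 1, Q - 1)   # Carmichael lambda(N), the private key
MU = pow(LAM, -1, N)             # modular inverse used in decryption
G = N + 1                        # standard Paillier generator choice

def encrypt(m: int) -> int:
    """Paillier encryption of 0 <= m < N with fresh randomness r."""
    r = secrets.randbelow(N - 1) + 1
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1
    return (pow(G, m, N2) * pow(r, N, N2)) % N2

def decrypt(c: int) -> int:
    """Recover m; L(u) = (u - 1) // N is exact for a valid ciphertext."""
    u = pow(c, LAM, N2)
    return ((u - 1) // N * MU) % N

def add_encrypted(c1: int, c2: int) -> int:
    """Multiplying ciphertexts adds the plaintexts without decrypting."""
    return (c1 * c2) % N2

def encode_ballot(choice: int, num_candidates: int, base: int) -> int:
    """One-hot ballot packed as an integer: candidate i contributes base**i."""
    assert 0 <= choice < num_candidates
    return base ** choice

def tally(encrypted_ballots, num_candidates: int, base: int) -> list:
    """Combine every ciphertext, decrypt once, unpack per-candidate counts."""
    assert base ** num_candidates < N, "counts would overflow the plaintext space"
    acc = encrypt(0)                     # running total starts as E(0)
    for c in encrypted_ballots:
        acc = add_encrypted(acc, c)
    total = decrypt(acc)                 # the only decryption performed
    return [(total // base ** i) % base for i in range(num_candidates)]

# Constructed sample: seven cast ballots for three candidates (0, 1, 2).
SAMPLE_CHOICES = [0, 2, 1, 0, 0, 2, 0]
BASE = 1 << 12                           # must exceed the number of ballots cast

def demo() -> list:
    """Encrypt each sample ballot, tally homomorphically; returns [4, 1, 2]."""
    ciphertexts = [encrypt(encode_ballot(ch, 3, BASE)) for ch in SAMPLE_CHOICES]
    return tally(ciphertexts, 3, BASE)
```

Because each ballot is re-randomized, two identical votes produce different ciphertexts, which is why the stored encrypted ballots alone do not reveal the vote.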