March 14, 2011

Mr. Stephen J. Willertz
Office of Labor-Management Standards
United States Department of Labor
200 Constitution Avenue, NW, Room N-5119
Washington, DC 20210

RE: Request for Information Concerning Guidelines For the Use of Electronic Voting Systems in Union Officer Elections, RIN 1245-AA04

Mr. Willertz:

CCComplete, Inc. has been providing Labor Unions the ability to conduct officer elections for over ten years with the BallotPoint electronic (telephone and Internet) voting system. More than 1.1 million votes have been cast in more than 2,500 elections conducted by Labor Unions and federal agencies. The BallotPoint voting system is a standardized election process and methodology specifically designed for unions to meet the dictates of Title IV of the LMRDA. We offer our comments to assist OLMS in its pursuit of gaining an understanding of voting system technology in real-life application.

Best regards,

Dan Hilderbrand
COO
CCComplete, Inc.
BallotPoint Election Services
309 SW 6th Ave. - Suite 200
Portland, OR 97204
800-514-8810 x 8206

CCComplete © March 2011
Response to DOL OLMS RIN 1245-AA04 re: Guidelines for Electronic Voting Systems

INTRODUCTION

The U.S. Department of Labor, Office of Labor-Management Standards (OLMS) has requested interested parties to provide information regarding guidelines for the use of electronic voting in union officer elections. This response has been prepared by CCComplete, Inc. of Portland, OR. This response describes the general philosophy and construction of the BallotPoint voting system. This background will provide the foundation for answering the questions posed by OLMS in RIN 1245-AA04. The BallotPoint system was conceived, designed, and built by CCComplete, and has been owned and operated by CCComplete as a commercial service since its inception in 2000. This response briefly distinguishes the Chao v. APA litigation, the only known court case with seeming relevance, and then provides an overview of BallotPoint's process.
This is followed by brief treatment of two concepts—the double-envelope conundrum and the SERVE criticism—both of which distort and mislead one's attempt to understand remote-access voting. Next we provide detailed descriptive and analytic information about the BallotPoint remote-access voting system. It is absolutely necessary to proceed in this fashion because systems which may fall within the electronic voting rubric vary widely in design and operation, making generalizations across such systems all but impossible. The descriptive and analytic material addresses the design and capabilities of BallotPoint's system, the ways in which voting is accomplished, the ways in which candidates and their observers can fully gain information about the system in operation and view each stage of the process, and explains how audit trails are generated for the direct participants and, in the case of a protest, for OLMS. This portion of the response also presents in significant mathematical detail a CCComplete invention that can be used to assess the integrity of the vote-count at each and every election, regardless of hacker and insider activity or faulty software. We do not offer comments on electronic voting machines used for casting votes at polling places. Lastly, we provide answers to the specific questions propounded in the RFI. It must again be emphasized that the answers presented only apply to BallotPoint's remote-access voting system and cannot be extended to other electronic voting systems.

CCComplete Response to RIN 1245-AA04, 2011-01-11 3/14/2011 12:17 PM page 1 of 30 CCComplete © March 2011

CHAO v. ALLIED PILOTS ASSOCIATION, 2004

Please note that CCComplete used the business name "Allied Union Services" from February 2006 until June 2007. This name appears on an amicus curiae brief submitted to the Court regarding the Chao v. Allied Pilots Ass'n case described in RIN 1245-AA04. The authors of that brief are the authors of this response.
For the record, the disputed voting system was a product of the American Arbitration Association (AAA), not CCComplete. And despite the fact that the lawsuit was predicated upon the AAA voting system violating the LMRDA, OLMS nevertheless approved AAA to conduct the supervised election with mail balloting that resulted from an out-of-court agreement by the parties.

OVERVIEW

The BallotPoint system incorporates an election process and methodology developed and standardized across 10 years of providing election services to unions, the National Mediation Board, and the Federal Labor Relations Authority. Broadly, the BallotPoint system provides the Internet-based tools for an organization—whether a union or a governmental agency—to self-administer and conduct elections by telephone and/or Internet, using the server infrastructure developed, implemented, installed, and maintained by CCComplete at its Portland, OR offices. At the same time, election officials retain full responsibility for and control over their elections.

All election methods must be based upon prudent practices that have been applied in the form of safeguards and controls that:
• assure secrecy;
• guard against ill intent;
• guard against carelessness;
• provide separation of responsibilities;
• provide protection of confidential information;
• guard against and prevent misuse and abuse;
• provide a record to allow independent review and scrutiny of voters, administrators, and service provider personnel.

The BallotPoint telephone/Internet voting system incorporates all these key elements to comply with the integrity and secrecy dictates of Title IV of the LMRDA. Some of the distinctive strengths of the BallotPoint system are listed below:
• The design, implementation, maintenance, and ownership of the processes, software, hardware, and intellectual property are and always have been exclusively CCComplete's.
• A mix of 2,500 union officer, contract ratification, referenda, and representation elections have been run through the BallotPoint system in the last 10 years, with 1.1 million votes cast. Not a single complaint regarding ballot-secrecy has ever been lodged in any type of BallotPoint election.
• The National Mediation Board (NMB) has been successfully running its representation elections using the telephone side of the BallotPoint system since October 2002 and by both telephone and Internet since December 2007.
• In December 2010 the Federal Labor Relations Authority (FLRA) also adopted the BallotPoint system to run its representation elections by telephone and Internet, and will conduct the Transportation Security Administration representation election in March/April 2011.
• The system is specifically designed to permit clients to conduct an election from beginning to end without direct, personal involvement (and the additional expense) of CCComplete employees.
• NMB and FLRA ballots are authored through a simple, secure, fill-in-the-blank web interface, which incorporates exactly the set of input boxes needed to set up all varieties of NMB and FLRA elections.
• Union elections are authored off-line by annotating a Microsoft Word document, and the resulting ballot-definition is then uploaded to the BallotPoint system.
• Voters cast their ballots through high-capacity telephony and web servers installed and maintained at CCComplete's offices in Portland, OR.
• Ballot-information documents required by the LMRDA and government agencies are generated automatically whenever a ballot is authored. Automation guarantees that the information printed and sent to eligible members/employees exactly matches the ballot-definition.
Ballot-information documents may be printed and mailed by CCComplete's long-time printing partner, Allied Mailing & Printing of Fenton, MI (http://www.alliedmedia.net). CCComplete is committed to providing election services solely by telephone and Internet. This has fostered the development of a rigorous, efficient, accurate, auditable, and repeatable process that has proven itself in 2,500 elections over the last 10 years.

MYTH of the DOUBLE-ENVELOPE

In any discussion of voting methodologies, it is critical to recognize at the outset that any voting methodology is not simply the medium used to cast a ballot. In particular, a voting method combines a choice of what medium—paper, electronic bits, rocks—we use to cast a ballot, and procedures that ensure secrecy and provide protection against fraud:

Voting method = Voting medium + Procedures to safeguard the election

Too often the public discussion of voting systems focuses narrowly on the medium used to cast and transmit a vote, and ignores the more urgent question of how—given whatever medium we have chosen—we should go about protecting the integrity of the election. The choice of medium is driven by the convenience of voters and election administrators, and is specifically not constrained by OLMS; measures to ensure the integrity of the election are driven by law. For example, in a mail-ballot election, you mark your answers on paper, put the marked ballot into an envelope, sign your name to it, and send it through the US Mail. The medium—a piece of paper showing how you voted, wrapped by an envelope with your name on it—directly links the content of a vote to you the voter. All anyone has to do is read the voter's name on the outside, open the envelope (no matter that there may be two or more envelopes in your way), and read how the member voted.
If the ability to link a vote and the voter were the determining factor in ballot-secrecy, every mail ballot ever conducted would be easily challenged and overturned. The only thing that saves mail balloting is that it surrounds the voting medium with processes designed to safeguard the secrecy and integrity of that ballot. In the absence of these processes, there can be no LMRDA-compliant election by mail. No election using any medium—whether on-site, mail, or electronic—will comply with democratic standards required by federal law unless accompanied by appropriate safeguards and controls.

This observation applies equally well to on-site voting. You vote by marking a piece of paper and placing the paper in a ballot box (double-envelope not required). In the absence of processes that safeguard the election—e.g., provision of voting booths to prevent someone watching how you vote, or verification that there are no personally identifying marks on the paper, or observation to prevent ballot-stuffing—on-site voting would fail to provide LMRDA-compliant elections.

In exactly the same way, the BallotPoint voting system can be described as a medium—voting by phone or Internet, and storage of the vote on a BallotPoint computer—and a set of processes that provide ballot secrecy and integrity. The processes in the BallotPoint system have been created and put in place to account for the nature of using phones, the Internet, and server computers as the voting medium. These processes are necessarily different from those used in on-site or mail-ballot elections, but the purpose remains the same: to provide elections that comply with the LMRDA. To understand a voting system, the philosophy, media, and processes must be taken as a body or unit.
Just as the recommendation of a double-envelope must not be taken in isolation from the rest of the processes used in a mail-ballot election, so too must we avoid the easy temptation to pick out one piece of any given electronic voting system as assuring or preventing compliance with the LMRDA. And we must avoid the trap of looking for electronic clones of processes that were designed to overcome inherent weaknesses in either on-site or mail balloting. The double-envelope was a reaction to a problem that arose with voting by mail; this problem did not exist in on-site elections that preceded mail balloting. Each election must be judged—on its own—according to whether the safeguards employed are appropriate to the voting medium. Election safeguards must be designed specifically to match the medium being used.

MYTH of the APPLICABILITY of the SERVE CRITICISM to the LMRDA

In Section E, Recent Developments, RIN 1245-AA04 refers to the "SERVE" report. The SERVE report is neither recent nor relevant to the discussion of LMRDA-compliant officer elections. We have been hearing the question, "Yeah, but what about the SERVE report?" since March 2004. The implication seems to be that there is a direct applicability of the report's criticisms to an LMRDA-compliant union officer election that employs electronic voting. We would like to address this misunderstanding and invalid assertion that the SERVE report is relevant. A Security Analysis of the Secure Electronic Registration and Voting Experiment (SERVE), co-authored by Jefferson, Rubin, Simons, and Wagner (January 2004) was a report advising, due to security concerns, against Department of Defense use of Internet voting in 2004 political elections for military personnel serving overseas. For purposes of this writing we will use JRSW (from the authors' initials) to refer to this report.
A summary of the SERVE criticism was provided by co-author Avi Rubin in an online discussion moderated by the Washington Post on January 23, 2004. Rubin summarized the criticism in the following way:

    We were invited by the [Department of Defense's Federal Voting Assistance Program] to evaluate their absentee voting system for military and overseas civilians. Our conclusions were that the system cannot be secured because they require the use of PCs that can be found anywhere, including cyber cafes and in other public places. Also, we felt that denial of service attacks could potentially make the system unfair if someone wanted to selectively disenfranchise people. We had many other findings, but those are two of the key ones.

Inadequate Registration Methodology

First and foremost, SERVE relied solely on the Internet for both voter registration and actually casting ballots. This choice by itself causes many of the problems discussed in the report. As the SERVE report correctly observes, if the Internet is the only pathway between election officials and voters, then as a voter, you could not be 100% certain that you registered properly, or that your vote was received and logged by SERVE. There was no secondary communication path to verify a cast ballot or registration. This is a very serious deficiency. The further limitation of requiring the use of publicly available, essentially unpoliced voting machines is an equally serious criticism. In regular US precinct elections or in union on-site elections, common sense dictates that voting machines must at a minimum be physically secured for some time preceding, during, and after an election. Personal, physically isolated, and secured Internet workstations were not part of the general SERVE design. By contrast, from the beginning, the BallotPoint system requires multiple media—Internet, phone, and US Mail—for communication between union election officials and their known membership.
Known members do not register by Internet or telephone. Election rosters are validated union membership lists, open for inspection to observers before, during, and after the election period. Members are mailed the LMRDA-mandated election notice, voting credentials, and a voting guide by first-class US Mail. Please see BallotPoint Design and Capabilities, below, for a full explanation. Votes can be cast by authorized members from any telephones or Internet workstations that they feel comfortable in using. A member is not constrained to vote using equipment not under his or her control.

Denial-of-Service Attacks?

A second major focus in JRSW is that the SERVE system is highly susceptible to denial-of-service (DoS) attacks in a presidential election. This susceptibility derives primarily from three sources: (1) a high-profile US presidential election increases the reward for hackers attempting to achieve political goals or notoriety; (2) the Internet is established as the sole voting medium; and (3) the presidential election is a single-day event. We have no argument with the observation that a US national election is an attractive target to both internal and foreign enemies of the US democratic process. But it is a singular, one-day event with worldwide attention, as compared to the thousands of union elections taking place annually within the United States and Canada. As conceded in JRSW, the DoS attack is mitigated by conducting an election across multiple days (if not weeks). Union officer elections conducted through an electronic voting system such as BallotPoint run for multiple days, and typically three weeks. A DoS attack can be sustained for short periods, perhaps a day or two, but not for weeks. Granted, there can be pent-up demand for voting on the last day—as service providers we have observed this in practice.
However, unlike the SERVE system, votes may also be cast by telephone in a system like BallotPoint. The likelihood of a productive Internet DoS attack is dramatically diminished, because the likelihood of successfully subverting the election is reduced. The SERVE report is a theoretical response to a system that has never been deployed in practice, which assumes an Internet-only architecture with obvious and serious security shortcomings, and which was intended for use in the highest-profile election in the world. While we don't take issue with their conclusions when applied to SERVE, the broad conclusions stated in JRSW cannot be taken as an indictment of electronic voting systems in general and are certainly not applicable to union officer elections.

BALLOTPOINT DESIGN and CAPABILITIES

This section describes the BallotPoint system at a level of detail needed to support answers to the technical questions posed in RIN 1245-AA04. Please note that this is not a description of electronic voting systems in general. The discussion applies only to the BallotPoint system. Not all electronic voting systems are the same, and we doubt that any two of them are. It is important to understand our approach and philosophy generally before we describe the BallotPoint system design and capabilities. BallotPoint is a standardized election process and methodology specifically designed for unions to meet the dictates of Title IV of the LMRDA. The BallotPoint system provides unions with an integrated step-by-step approach for conducting self-administered union elections. It is convenient to think of this approach as a "hosted election," wherein a union is neither conducting the election in isolation, nor has the election been "thrown over the wall" to a third-party service provider. Instead, a union conducts its
election in collaboration with BallotPoint, using a tested and proven process and procedures to comply with Title IV of the LMRDA.

Two-Server Computer Architecture: the MRNS and the ES

There are two secure computer systems that make up the BallotPoint voting system. One is the MRNS (for Member Registration and Notification Server), and the other is the ES (for Election Server). The simple explanation of the roles is that the MRNS is used to house member-identifying information (member ID, name, address, etc.), and the ES is where members log in using randomized VINs (voter identification numbers) to cast and store their votes.

[Figure: system diagram. Union member, administrator, and optional observer PCs (browsers) reach the system over the Internet; members may also vote by telephone. The ballot definition, roster, and votes go to the Election Server (ES) in the secure CCComplete facility. Member identities are held on the Union Member Identity Server (MRNS, Member Registration and Notification Server) in a secure third-party Tier IV vault protected by cameras, palm-prints, electronic cardkeys, two-person logged access, and passwords. Access to both servers is controlled by private ID numbers (VINs) and PINs.]

MRNS and Code-Control

The MRNS is physically located in a highly secured, off-site facility owned and managed by an independent third party. The same facility houses bank computers conducting financial transactions, as well as computers owned and operated by federal government agency contractors. Access to the facility is controlled and logged by palm-scan and cardkey, and physical access to the MRNS requires the use of two physical keys; CCComplete keeps the first key, and the second is kept by the third party that owns the facility. All physical access to the MRNS is logged.
Only a single individual knows the MRNS system password, and remote login access to the operating system is not permitted; this individual who knows the computer system password does not know the Microsoft SQL Server database password. CCComplete writes all application software for the MRNS, but all such software is installed strictly by the third party from an encrypted CD that we provide to them. Installation takes place only over the secure web; application software installers do not physically access the MRNS. No application software is modified or added to the MRNS in any other way. Installation of application software by CCComplete is neither permitted nor possible. This discipline provides a complete-from-day-1 archive, maintained by the third party, of every application software change made to the MRNS. In the event of any investigation, a competent authority may review this code-record to verify that the MRNS has always protected the member-identifying information. (This code is proprietary to CCComplete, so reasonable nondisclosure agreements would be expected.)

It was strictly our invention to use an independent third party to install the MRNS application software. We intentionally set it up to make it impossible for us to alter the MRNS software without there being a permanent audit trail of exactly every change to it, archived by the third party. This is the key to protecting ballot secrecy. The software is designed to never release member-identifying information from the MRNS in a way that could be used to associate a particular vote with a named voter. The proof is in the application software installed on the MRNS, a full and complete record of which is maintained by the independent third party, and which we would make available if necessary during an investigation by OLMS.
Role of the Election Administrator(s)

There are clearly defined tasks assigned to the one or more union election administrators (or admins) in a BallotPoint election. These tasks are outlined below.
• Before the election:
  - define the ballot and submit it to the Election Server (ES)
  - submit to the MRNS a roster of all members who must be sent ballot-information documents via US Mail
  - on the ES, approve the ballot-information documents for printing/mailing
• Throughout the voting period:
  - replace voting credentials as necessary using MRNS facilities
• After the voting period ends:
  - command the MRNS to remove votes cast by ineligible voters
  - command the ES to perform the tally and display the results

When an election roster is uploaded, the MRNS creates voter identification numbers—VINs—for each member in the list who was not previously assigned a VIN. It is critical to understand that VINs are many-digit numbers chosen at random and assigned to members; they are therefore completely anonymous identifiers if the association of names to VINs is not revealed to anyone. (It is an unfortunate fact that the term "voter identification number," which was chosen back when we first designed the system, has led some to misinterpret it to mean that we can identify the actual, named voter. We cannot.) After generating or retrieving the VINs for a given roster, the MRNS provides to the Election Server that list of VINs—and no member-identifying information—eligible to vote in that election. The integrity of this process is guaranteed by the software-control methodology detailed in MRNS and Code-Control, above. The VIN for a given member is stored in the MRNS along with name and address, but the ES never receives this member-identifying information.
Through the careful construction of the system—with accompanying audit trails and software archives—in the absence of collusion of multiple parties from different organizations, it is not possible to manipulate the system to associate a vote with a named voter without the manipulation being reflected by the permanent record.

When the ballot-information documents are approved on the ES, the approval is passed through to the MRNS with the VINs for this election, so that the MRNS can produce a list of names and addresses for the printing/mailing service provider. CCComplete never has access to this information: only our printing/mailing partner can access the mailing list. Instructions and credentials for accessing the voting system are provided in the documents delivered in secrecy envelopes by first-class US Mail. Both CASS™ (Coding Accuracy Support System) and NCOA (National Change of Address) address-checks are performed by our printing/mailing partner prior to printing.

As a practical matter, members might not receive their ballot-information documents due to outdated mailing addresses, or because they may be traveling throughout the voting period. This does not prevent their voting. The ballot-information documents always include information on how to contact the election committee for assistance, which includes requesting replacement credentials; this information is common to all members and may be posted at job sites or union websites, or obtained from co-workers. The methods used by election committees to verify the identities of those requesting credentials vary, but in all cases we recommend that they keep a permanent paper record—reviewable by OLMS during an investigation—of the date of a request and how the identity was verified. Using a publicly known ID of the member, an admin instructs the MRNS to provide a new credential (immediately retiring the old one) for the member.
The new credential is communicated to the member through a union-specific method, which lies outside the scope of the BallotPoint system. The new credential is valid for a configurable amount of time (typically 12 hours). Unlike the ungainly process for receiving a duplicate mail ballot, this method of providing access can be used right up to the end of an election.

Voting Through the Election Server

At the ES (Election Server), members log in by either telephone or Internet to vote using the many-digit, anonymous VINs that the MRNS randomly assigns to members when voting rosters are uploaded to the MRNS. No vote is ever stored outside the secured perimeter of the BallotPoint system. All votes are stored directly on hardware servers that reside within physically secured, access-controlled facilities, and the servers are all protected from the outside world by DOD-grade firewalls. Web votes are protected by 128-bit encryption between the browser and the BallotPoint system. Contrast this with mail balloting, where there is effectively no secured perimeter. Mail ballots have mysteriously disappeared within post offices, or between the post office and the tally site. In an OLMS investigation there can be literally thousands of separate and distinct custody paths to check. The problem, of course, is not inherent in the mail-ballot envelope; it's in the failing by humans to rigorously and honestly take proper custodial care. In a BallotPoint election, there is only one physical location where votes are stored, with no need to account for the dangers associated with physical transport of ballots, or to monitor that transport.
In the BallotPoint system, no one—including CCComplete engineers, the independent third-party staff, the union's election administrator(s), and other members—ever has access to all of a member's identity, VIN, and PIN (a personal identification number chosen by the member), unless the member himself shares his VIN and PIN with someone else. No administrative process ever requires a member to divulge a VIN or PIN to anyone, and the voting documents always recommend keeping this information private. After a member casts a vote, a randomized, many-digit vote confirmation number (VCN) is provided to the member. See Observability by Members, below, for a description of how this can be used to verify that the system has recorded your vote, and recorded it properly.

In each ballot-definition, the admin selects the number of times members may recast their ballots during an election (with only the last vote being tallied, of course). In Chao v. APA, OLMS highlighted a similar capability to recast a vote as evidence of a direct link between vote and voter. This argument was flawed, depending on "voter" being interpreted as identifying a person, rather than as an anonymous credential such as a BallotPoint VIN. To revote, the member must use the same, anonymous, randomly assigned VIN when logging in, and the system simply recognizes that this VIN has already been used to vote.

OBSERVABILITY

Observability by Members

An essential aspect of the BallotPoint philosophy is to extend system observability all the way to the individual members. This is a major advance beyond the much weaker observability required by the LMRDA. We believe that if the BallotPoint electronic voting system had been invented prior to mail balloting, widespread adoption of voting by mail would never have occurred: there is no provision for each voter being able to track his vote through the process.
We vote by mail in all Oregon political elections, and there isn't even a way to know that our votes were actually counted. Consistent with the way that the BallotPoint system creates audit trails to track the actions of election administrators, it creates audit trails on a per-member basis, to permit the member to see when any activity of significance (e.g., activation of the voting account, logins, changes in voting credentials, or voting) has occurred on that member's account. A member can view his own activity log by logging in to the ES and selecting the View Activity Log command. Note that the activity log does not show how a member voted, only that he voted. Members may review their account activity logs at any time (even past the close of any election), to check that nothing out of the ordinary is occurring with their accounts. Each member can verify, for instance, that administrators are not inappropriately changing eligibility status, issuing new voting credentials on behalf of the member, or voiding that member's votes. We believe this feedback to be critical in acceptance of the BallotPoint system by union members. Indeed, after 2,500 elections and 1.1 million votes cast, there has not been a single formal complaint regarding the integrity of the BallotPoint system.

After a member casts a vote, a randomized, many-digit confirmation number is provided to the member, along with instructions to never share this confirmation number with anyone. After logging in to the ES (by either telephone or Internet) with the correct VIN and PIN (both of which are private to the member), the member is permitted to see the system's record of the vote by selecting the election and providing the exact confirmation number. Only if the confirmation number, VIN, PIN, and election all line up is a record of the cast vote displayed.
Votes can reviewed through at least the end of the voting period, and can be configured to be available even after the election closes. For each member with an email address in the latest uploaded member‐list in which the member appears, the MRNS sends a notification email to the member each time a “significant” event occurs on the member’s account. Significant events include: activation code replaced; account activated; PIN changed; vote recorded; and others. The content of a vote is never included in the email. Members are advised to contact the election committee whenever an email is received for an action not performed or approved by the member. In 10 years, there hasn’t been a single verified case of someone fraudulently voting for someone else. We have received such reports, but in all instances (less than 50) further investigation determined that the member had simply forgotten he voted. Observer Access to Information Stored in the BallotPoint System Depending on how the union conducts business, observers nominated by candidates wishing to inspect any of the information described under Information Available to Candidates’ Observers, below, may do so by contacting the election committee and either scheduling times when such inspections can take place or by receiving login credentials to the the MRNS to view information at the observers’ convenience. Any information viewed outside the direct supervision of an election admin will be scrubbed prior to display, ensuring that no contact information (e.g., members’ US Mail or email addresses) is divulged. In addition, BallotPoint has an open invitation to any union member, including candidates and observers, to visit our Portland, OR facility at any time, including during the election period and on the day of the tally. BallotPoint firmly believes that any time spent educating union members about safe voting processes strongly promotes the spirit of the democratic self‐government called for by the LRMDA. 
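The following is an added illustration, not CCComplete's code, of the election-server behaviour described above: votes are keyed only by an anonymous VIN, a VCN is returned on cast, the stored record is shown only when VIN, PIN, election and VCN all line up, recasts are capped with only the last ballot tallied, and the per-member activity log records that a vote happened but never its content. The VCN length, the PIN hashing scheme and all VIN/PIN values are assumptions.

```python
import hashlib
import hmac
import secrets
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

VCN_DIGITS = 12  # a "many-digit" number; the exact length is an assumption


def _pin_hash(vin: str, pin: str) -> str:
    """Keep PINs only as a salted hash (VIN as salt), so operators cannot read them."""
    return hashlib.sha256(f"{vin}:{pin}".encode()).hexdigest()


@dataclass
class Election:
    name: str
    recast_limit: int            # how many times a member may recast a ballot
    is_open: bool = True
    # VIN -> [(vcn, selections), ...]; only the last entry is ever tallied
    votes: Dict[str, List[Tuple[str, Dict[str, str]]]] = field(default_factory=dict)


class ElectionServer:
    """Holds credentials and ballots keyed by anonymous VIN; no names live here."""

    def __init__(self) -> None:
        self.credentials: Dict[str, str] = {}                 # VIN -> PIN hash
        self.elections: Dict[str, Election] = {}
        self.activity: Dict[str, List[str]] = defaultdict(list)  # per-VIN log

    def activate(self, vin: str, pin: str) -> None:
        self.credentials[vin] = _pin_hash(vin, pin)
        self.activity[vin].append("account activated")

    def _login(self, vin: str, pin: str) -> bool:
        stored = self.credentials.get(vin)
        ok = stored is not None and hmac.compare_digest(stored, _pin_hash(vin, pin))
        self.activity[vin].append("login succeeded" if ok else "login failed")
        return ok

    def cast(self, vin: str, pin: str, election: str,
             selections: Dict[str, str]) -> Optional[str]:
        """Record a ballot and return its VCN; None if login fails or recasts are used up."""
        if not self._login(vin, pin):
            return None
        e = self.elections[election]
        history = e.votes.setdefault(vin, [])
        if not e.is_open or len(history) > e.recast_limit:
            return None
        vcn = "".join(secrets.choice("0123456789") for _ in range(VCN_DIGITS))
        history.append((vcn, dict(selections)))
        self.activity[vin].append("vote recorded")   # the event, never the content
        return vcn

    def view(self, vin: str, pin: str, election: str, vcn: str) -> Optional[Dict[str, str]]:
        """Return the stored ballot only when VIN, PIN, election and VCN all line up."""
        if not self._login(vin, pin):
            return None
        for stored_vcn, selections in self.elections[election].votes.get(vin, []):
            if hmac.compare_digest(stored_vcn, vcn):
                return dict(selections)
        return None

    def tally(self, election: str) -> Dict[str, Dict[str, int]]:
        """Close the election and count only each VIN's most recent ballot."""
        e = self.elections[election]
        e.is_open = False
        counts: Dict[str, Counter] = defaultdict(Counter)
        for history in e.votes.values():
            if history:
                _, last = history[-1]
                for question, choice in last.items():
                    counts[question][choice] += 1
        return {q: dict(c) for q, c in counts.items()}


def demo() -> dict:
    """Constructed sample: one member votes, recasts once, then is refused a third try."""
    es = ElectionServer()
    es.elections["officers-2011"] = Election("officers-2011", recast_limit=1)
    es.activate("4417 9320", "2580")   # constructed VIN/PIN pairs
    es.activate("8851 0024", "1111")
    first = es.cast("4417 9320", "2580", "officers-2011", {"President": "A"})
    recast = es.cast("4417 9320", "2580", "officers-2011", {"President": "B"})
    third = es.cast("4417 9320", "2580", "officers-2011", {"President": "A"})
    es.cast("8851 0024", "1111", "officers-2011", {"President": "A"})
    return {"es": es, "first": first, "recast": recast, "third": third}


if __name__ == "__main__":
    result = demo()
    print(result["es"].tally("officers-2011"))
    print(result["es"].activity["4417 9320"])
```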
Information Available to Candidates’ Observers

The BallotPoint system produces several reports to document key aspects of election administration and voting. An observer is permitted to view the reports described below.

• Member‐Lists – all membership lists that have been uploaded for the election. This allows the observer to see: exactly what members have been included in each member‐list; whether at any time during the election a member was included or excluded; whether member eligibility status was changed; and, if the observer is working alongside an election committee member, what address information was used to mail election notices or to email notifications. The date/time of a member‐list upload and the name of the administrator that performed the upload are included. (available anytime)

• Eligibility‐Change Log – a detailed list of changes to eligibility of member‐accounts with respect to the observed election. The report includes the name of the member whose account status was changed, the new eligibility status, the date/time of the change, and the name of the administrator who performed the operation. (available anytime)

• Participation – a list of the number (not names) of eligible voters who have cast ballots in this election, up to the present. Before the tally occurs, the report shows only the aggregate number of votes cast and the number of votes cast by phone or Internet. After the election is tallied, this report also shows participation broken down by member voting‐attributes. (available anytime)

• Support Requests – the full text of support requests sent by election administrators to BallotPoint, for issues relating to this election. Support requests are specially designed so administrators can be specific in describing some BallotPoint‐related procedural issue, while guarding the anonymity of voters. (available anytime)

• Void‐Ballot Proposal – a list of voters who cast ballots in this election, but who are currently marked as “ineligible” for this election. This report is available only after the election closes and before the election administrator clicks a screen button to mark that Yes, the votes made by all and only those voters appearing in this report should be removed before tallying the results. Use this report along with the Who‐Voted Report to verify that votes by only those members in good standing were counted, and that votes by those not in good standing were not counted.

• Who‐Voted Report – a list of members who have voted in this election. This report is available after the election closes, and can be used as a starting point when generating a list of challenged ballots. Any member who is on this list but is not in good standing with the union should have his or her vote voided. Members seeking to verify that their votes were actually logged can have an observer verify that their votes were included in this report. Note that it is possible for someone to be in the Who‐Voted Report but not in the most recent member‐list. In this case, the member was included in an earlier list and voted, but was dropped before the last list was submitted. The name of this individual will appear in the Void‐Ballot Proposal (see Void‐Ballot Proposal, above).

• Who‐Didn’t‐Vote Report – a list of members who did not vote in this election. This report is available after an election closes. Everyone in the last member‐list submitted for this election should be present in either the Who‐Voted Report or in this one.

• Voided Ballots – a list of ballots voided (i.e., cast but not counted) in this election. This report is available only after the election closes and the void‐ballot process is complete (see above).

• Recount‐Report – a table showing the selections made for every question of every ballot, organized as one ballot per row of the table. This report is available after the election has been tallied. The table is easily imported by Microsoft Excel (swipe through the table on the screen, copy the highlighted text, and paste into Excel), so that the counts listed in the tally can be confirmed using Excel. Or print it and count it by hand.

Optionally, such a report can be configured to include the confirmation number for each vote. In our opinion, this does not constitute a stray mark in the sense of voter‐introduced marks in a mail ballot. Why? Because the confirmation number is a random number generated by the BallotPoint system, not by the voter. Only the voter is provided the confirmation number; unless he chooses to share it with someone else, there is no way to associate his name to the confirmation number that is (optionally) displayed in the recount‐report. The apparent reasoning behind “no stray marks” is that a voter could be threatened to vote in a certain way, with the stray mark used to identify his ballot to the person threatening the voter. This reasoning makes sense in an on‐site election, where the individual voter must be the one physically marking the ballot. It certainly does not apply to mail balloting; mail ballots can be handed over (for pay, or due to threat, or simply ambivalence) to someone else, without the unnecessary step of waiting for a poll worker to notice and identify the stray mark. Or perhaps the reasoning in mail balloting is that stray marks can lead to ambiguity in the voter’s intent. But in electronic balloting, all such ambiguity has been removed.

Duties of Candidates’ Observers Before the Election

Before election notices are mailed and the election opens, observers may verify the accuracy of the information listed below.

• Member‐List – Before the member‐list is uploaded to the BallotPoint system, the observer may verify the list. Every part of the member‐list can be checked to ensure that names, mailing addresses, email addresses, voting attributes, and eligibility status are complete and accurate. Once the member‐list is uploaded, the observer may verify that the uploaded list matches the original list.

• Voting Notice and Instructions and Voting Guide – The observer may verify that these two PDF documents—both generated automatically by the BallotPoint system—are complete and accurate. Review these documents in detail to verify all dates, Internet addresses, phone numbers, and election information. It is not necessary to visit the union office to obtain review copies of these documents, so the observer should simply contact the election committee with any concerns.

Duties of Candidates’ Observers During the Election

While the election is in progress, observers may occasionally verify the information listed below.

• Member‐List – The observer may verify that, if any new member‐lists have been uploaded, those lists contain accurate information. Administrators can upload new member‐lists for a given election at any time prior to the tally to add new members and/or update existing member information in the BallotPoint system.

• Eligibility‐Change Log – The observer may view the eligibility‐change log to verify that any eligibility status changes performed by election administrators during the election are appropriate.

• Support Requests – The observer may verify that support requests sent to BallotPoint contain no member‐identifying information, and that any issues raised in the requests do not reflect a serious problem that could affect the outcome of the election.

• Potential Ballots to Void After Election Closes – The day before the election closes is a good time to prepare for the ballot‐voiding process. Refer to Duties of Candidates’ Observers After the Election, below.

Duties of Candidates’ Observers After the Election

Once the election has closed, the observer may be present where election administrators have gathered to request the tally. At this time, observers may:

• Verify the completeness and accuracy of the final member‐list and the final eligibility status of all members.

• View the Who‐Voted Report to verify that any member not in good standing who has cast a vote is marked as ineligible. Marking a member as ineligible causes the BallotPoint system to not count that member’s vote in the tally.

• Examine the proposed list of ballots to void, to verify that the votes of each listed member should indeed be voided (i.e., not counted). If it is agreed that a vote listed in the report should not be voided, then the election administrator can immediately change the eligibility of the corresponding member to “participant,” and then re‐run the Void Ballots function to generate a fresh void‐ballot proposal.

• Examine the proposed list of ballots to void, to verify that it includes all who voted (as shown in the Who‐Voted Report) but who are not in good standing. The election administrator can change the eligibility of these members to “ineligible,” and then re‐run the Void Ballots function to generate a fresh void‐ballot proposal.

Recommendation: A day before the election closes, the scope of the ballot‐voiding process can be estimated by determining how many members were marked as eligible at some point during the election, but are currently marked as ineligible. This is the maximum number of names to be considered during the void‐ballot process. To avoid delays in producing the tally after the election closes, assume that each of these members voted, and determine whether removing such votes would be valid.
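As an added example (not CCComplete's code) of the post-election reconciliation that the reports and observer duties above describe: member-lists are modelled as successive uploads mapping a name to an eligibility status, the vote log holds only the names of members who cast a ballot, and the Who-Voted, Who-Didn't-Vote and Void-Ballot Proposal reports plus the day-before scope estimate are derived from them. Member names, admin names and the status strings are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

PARTICIPANT = "participant"   # eligibility values as named on the page
INELIGIBLE = "ineligible"


@dataclass
class ElectionRecords:
    """Member-lists as successive uploads (oldest first), plus who cast a ballot."""
    uploads: List[Dict[str, str]] = field(default_factory=list)      # name -> status
    upload_log: List[Tuple[int, str]] = field(default_factory=list)  # (size, admin)
    eligibility_log: List[Tuple[str, str, str]] = field(default_factory=list)
    voted: Set[str] = field(default_factory=set)   # names only, never the vote itself

    @property
    def latest(self) -> Dict[str, str]:
        return self.uploads[-1] if self.uploads else {}

    def upload_member_list(self, members: Dict[str, str], admin: str) -> None:
        self.uploads.append(dict(members))
        self.upload_log.append((len(members), admin))

    def set_eligibility(self, member: str, status: str, admin: str) -> None:
        """An admin changes status on the current list; the change is logged with the admin's name."""
        self.latest[member] = status
        self.eligibility_log.append((member, status, admin))

    def record_vote(self, member: str) -> None:
        self.voted.add(member)

    # --- reports available after the election closes ---
    def who_voted(self) -> Set[str]:
        return set(self.voted)

    def who_didnt_vote(self) -> Set[str]:
        return set(self.latest) - self.voted

    def void_ballot_proposal(self) -> Set[str]:
        """Voters not currently 'participant': marked ineligible, or dropped from the latest list."""
        return {m for m in self.voted if self.latest.get(m) != PARTICIPANT}

    def max_void_scope(self) -> int:
        """Day-before estimate: eligible at some point during the election, not eligible now."""
        ever = {m for u in self.uploads for m, s in u.items() if s == PARTICIPANT}
        return len({m for m in ever if self.latest.get(m) != PARTICIPANT})

    def reconcile(self) -> Dict[str, object]:
        """Checks an observer would run before the administrator requests the tally."""
        latest = set(self.latest)
        unaccounted = latest - (self.who_voted() | self.who_didnt_vote())
        dropped_voters = self.voted - latest          # voted, then left off a later list
        proposal = self.void_ballot_proposal()
        return {
            "every_member_in_a_report": not unaccounted,
            "dropped_voters_in_proposal": dropped_voters <= proposal,
            "ballots_to_count": len(self.voted - proposal),
            "ballots_to_void": len(proposal),
        }


def build_sample() -> ElectionRecords:
    """Constructed sample: Dave is dropped in a later upload, Carol is marked ineligible."""
    r = ElectionRecords()
    r.upload_member_list({"Alice": PARTICIPANT, "Bob": PARTICIPANT,
                          "Carol": PARTICIPANT, "Dave": PARTICIPANT}, admin="admin-1")
    r.record_vote("Alice")
    r.record_vote("Dave")
    r.record_vote("Carol")
    r.upload_member_list({"Alice": PARTICIPANT, "Bob": PARTICIPANT,
                          "Carol": PARTICIPANT, "Erin": PARTICIPANT}, admin="admin-1")
    r.set_eligibility("Carol", INELIGIBLE, admin="admin-2")
    return r


if __name__ == "__main__":
    records = build_sample()
    print("Who voted:", sorted(records.who_voted()))
    print("Who didn't vote:", sorted(records.who_didnt_vote()))
    print("Void-ballot proposal:", sorted(records.void_ballot_proposal()))
    print("Reconciliation:", records.reconcile())
```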
Important: Once the election administrator has issued the command to void the ballots shown in the void‐ballot proposal, it can be a lengthy process requiring assistance from BallotPoint Election Services to undo the command, if that is permitted at all. Once the election is tallied, any errors made by admins or observers during ballot‐voiding cannot be corrected, because to do so opens up the possibility of compromising ballot secrecy.

Important: Once the election has been tallied, BallotPoint will not allow any changes to the election. Specifically: the election cannot be re‐opened to allow additional members to vote; additional member‐lists cannot be uploaded; and ballots cannot be voided or un‐voided. Once the tally is performed, the election results are final.

MRNS Log Available to OLMS During Investigation or Supervised Election

A record of every significant MRNS action by election administrators is maintained in a permanent log on the MRNS. For instance, every time an admin issues replacement credentials to a member, a record of the action is put into the MRNS system activity log. A separate log is maintained for each BallotPoint client. The identity of the member requesting the change is not recorded (for secrecy reasons), but the action and the name of the admin are. If the union has maintained a separate paper log of administrative activity, the MRNS log and the paper log should match in the number of credentials reissued and in the times and dates of issuance. During training of new clients, we always make a point that the MRNS log documents all significant member‐related activities they perform, and that the log would likely be reviewed by OLMS during an investigation. We believe the existence of such a log is an effective deterrent to possible abuse of voting credentials.

Note that the system activity log is stored on the MRNS, and is therefore inaccessible for subsequent manipulation by any party, including CCComplete. Please refer to the earlier section, MRNS and Code‐Control, for a description of why any potential changes to a system activity log would be detectable in an OLMS investigation.

In addition to recredentialing, the MRNS system activity log shows admins logging in and out of the MRNS, changes to eligibility status, requests of various kinds of reports, roster uploads, requests to print voter‐documents, authorization of other election committee staff or observers to access the MRNS, and many more actions. Such logging provides a rigorous activity record for all BallotPoint clients, for each and every election, regardless of the level of experience that a given admin has with administering elections governed by the LMRDA. Note that this log is also available to the client as well as to BallotPoint. The log has been carefully constructed to not include member‐identifying information that could be used by CCComplete to compromise secrecy, nor does it include voting credentials.

So Who’s Watching CCComplete?

The official players in an LMRDA‐governed officer election are voters, administrators, and observers. Third parties such as CCComplete aren’t officially recognized as a separate entity, but rather simply an extension of the union. The union retains sole legal responsibility for the proper conduct of the election. A third‐party service provider such as CCComplete, however, plays a critical role in any election, and it is in the union’s best interest to be sure that the third‐party is providing an honest, fair, and accurate service.

BallotPoint votes are stored in databases that CCComplete employees can directly access, and identical copies are stored simultaneously in a remote database to which they have no access. Records are written to both local and remote databases at the time a vote is cast. In other possible electronic voting system implementations, though, storage on a remote, sequestered database may not be available. In these instances, manipulation of the outcome by addition, deletion, or modification of votes on the local database would seem to be an attractive approach for anyone with a mind to affect the outcome. So in these architectures, how can you check whether the EVS service provider is not altering the results?

To meet this concern, we provide a description in Appendix A: Voting System Accountability of a method we invented that a union can use at every election to verify—to whatever degree of confidence is desired—that votes have not been added, removed, or changed. This method operates without the service provider’s knowledge, and does not require the client to access the physical facility or underlying software and log files. Importantly, it can be used to obtain a concrete measurement at each election of intentional manipulation (whether instigated by insiders or by hackers penetrating the system’s perimeter) and unintentional system errors that affect the outcome, the latter including programming bugs and malfunctioning hardware. (Computers are often accused by those resisting electronic elections of not providing trustworthy vote‐counts. This method is a tool that can counter that bias as well.)

The odds that this process will catch manipulation are very high, and are an incredibly strong deterrent to service provider employees intentionally rigging the vote‐count. Because the process catches errors whether intentionally introduced or not, it’s also an incredibly strong motivation for the provider to produce a well‐designed, well‐protected system that properly accounts for each and every vote. Note that this same process is available to OLMS in the event of running a supervised election. Situations like mistakenly lumping valid ballots with voided ones in a mail‐ballot election can be replaced by a concrete measurement of whether the system has provided an accurate count.

A Final Comment Regarding Observation

Careful use of the data and processes described above provides extensive visibility into and oversight of the conduct of a BallotPoint election. There are, however, election processes that occur outside the BallotPoint system, and methods for observing those processes are outside the scope of this document. For instance, whether a candidate is even qualified to run for office is determined by a union’s constitution and by‐laws. These are not questions that the voting system can effectively address.

On the other hand, the precision, rigor, uniformity of application, and extent of the BallotPoint observation processes far exceed those appearing in a mail‐ballot election. In one recent re‐run election conducted with mail ballots and supervised by OLMS, an entire stack of 50 paper ballots was ignored, because the topmost ballot was marked as voided, so it was assumed that the remaining 49 ballots were also voided. It turned out, however, that the bottom 49 ballots were not voided, and should have been counted. In the BallotPoint system, each and every vote must be accounted for, and inspection of various reports and the observable audit trail will support it.

PARTICIPATION EXPERIENCE

In 10 years of providing electronic election services, we have found that the voting medium has far less effect on participation than the ballot issues or candidates. We have seen lows of below 10% participation, and highs of over 95%. There may be an initial curiosity about voting by telephone or Internet, but it tends to wear off quickly, and the issues/candidates on the ballot soon are the prime determinant of participation.

It is also true—based on anecdotal reports from our clients—that participation has increased marginally over previous voting methods (on‐site and mail). More significantly, though, we have not heard of decreases in participation. If we provided voting by Internet only, that would definitely decrease participation within many to most groups that we currently serve. Telephones are ubiquitous, and people are accustomed to using an automated voice system for all sorts of activities.

RESPONSES to QUESTIONS POSED in RIN 1245AA04

1. (general question) Should the Department issue guidelines concerning the use of electronic voting systems in union officer elections? What specific issues concerning electronic voting systems should be addressed? What specific standards should be included in the guidelines?

Yes, guidelines should be issued, but our recommended approach is very different from that taken in the existing mail‐balloting guidelines. We would like to see balloting system guidelines homogenized into a single document that applies to any current as well as any future voting media. Guidelines should be based on the commonalities of all voting systems, regardless of the medium or implementation. There should be no specific technical details or advice included in guidelines, unless the details and advice include a description of the real‐life case(s) that gave rise to the guidance and a description of how the guidance relates back to the LMRDA. Helping unions understand how to approach new situations would provide valuable insight which is lacking in the existing mail‐balloting guidelines. Guidelines must not be dependent on current technology, and they must not be used as Pass/Fail criteria in any given OLMS investigation.
CCComplete has been targeted in several well‐documented instances of DOL field personnel advising unions that electronic voting in union officer elections would violate the LMRDA. The kindest possible interpretation of this is that because the existing guidelines do not address electronic voting at all, electronic voting is not permitted. By not making the guidelines dependent on current technology, they have an extended shelf‐life, and do not become a tool later used to discourage new, advantageous methodologies. If you reexamine mail balloting in light of existing print technology, you quickly see how marks can easily be placed—essentially invisibly—on a paper ballot, to provide a unique “fingerprint” or “signature” to that ballot. Without any apparent manipulation or compromise, the vote can be tied forever to a particular voter, especially easily in those cases where ballots are counted by a machine. Indeed, since the mail‐balloting guidelines were established, the technologies for DNA and actual fingerprint identification have been created and refined, and both are now effectively automated and cheap. To associate an apparently anonymous ballot with a named voter is now just a matter of budget, not technology. Over time, guidelines become gospel, and the inertia to reexamine and update them is too great to overcome. CCComplete Response to RIN 1245‐AA04, 2011‐01‐11 3/14/2011 12:17 PM page 17 of 30 CCComplete©March 2011 The lesson point here is that mail‐balloting guidelines have essentially remained the same over time, while the underlying subject of those guidelines has evolved. The potential for this being a problem with EVS guidelines is far greater, given the pace of technological innovation. Guidelines should state who OLMS believes are trusted parties in any voting implementation, and provide a certification path for a private individual to attain status as a trusted party. 
In many conversations with DOL, the Department has consistently argued that there are no trusted parties in a union officer election. But statutorily, the LMRDA asserts that its purpose is to provide for democratic self‐government by unions. This implies a measure of trust that unions can be responsible for conducting their private affairs. Second, trust in DOL to regulate officer elections is explicit in the statute. Third, the US Post Office is assumed sufficiently trustworthy to handle delivery of letters of notice, and to handle returned mail ballots during their stay at the Post Office, with no requirement of proof of proper custody. (The same, remarkably, is true for private companies that provide “post office” boxes.) And last, trust is placed in the ability of election observers to detect both errors in and compromise of the entire election process. A clear statement of who can be trusted, and what kind of certification can be obtained to demonstrate that trust, should be included in guidelines. 2. (general question) Describe the potential advantages and disadvantages of electronic voting systems in union officer elections. For unions that have considered electronic voting systems, what factors guided your decision to either adopt or reject electronic voting systems? 
As an electronic voting service provider, we have designed our system around the following advantages relative to on‐site or mail balloting: • • • • • • • • • • Uniformity of the process across elections and unions Centralized control and collection of data, simplifying policing and observation Speed and accuracy of the tally Reduced dependence on timeliness of US Mail delivery Detailed logging of administrative activities A complete, permanent, historical, automatically created record of all rosters and eligibility changes Transparency of the process for both new users and OLMS investigations Elimination of “spoiled” ballots and uncertainty of voter’s intent Absolute agreement of the ballot as described in voting materials with the ballot offered to the voter Far simpler process for DOL to be comfortable that large batches of elections are being conducted responsibly The following disadvantages are also clear: • A system that provides secrecy and protection against fraud is difficult to construct; there has been a widespread tendency to assume that mimicking mail‐balloting processes is sufficient to produce such a system CCComplete Response to RIN 1245‐AA04, 2011‐01‐11 3/14/2011 12:17 PM page 18 of 30 CCComplete©March 2011 • 3. A temptation for unions to produce in‐house implementations, especially if specific guidelines are issued and are viewed as sufficient to produce an LMRDA‐compliant system (general question) In elections other than union officer elections (for example, contract ratification votes, National Mediation Board elections, National Labor Relations Board elections, and national and local political elections), what are the voting system trends? Are there trends toward: (1) electronic voting machines used for casting votes at polling sites; (2) electronic voting from remote site personal computers via the Internet; and (3) electronic voting from remote site telephones? 
How do these systems protect ballot secrecy and have these protections been effective? Employees voting in representation elections held by both the NMB and the Federal Labor Relations Authority (FLRA)—both BallotPoint clients—now vote (essentially) exclusively by either remote‐site telephones, personal computers, or smartphones. Whether telephone or Internet voting predominates in a given election appears to depend on the craft or class seeking representation. On‐site elections are not used routinely in either case. Our union clients run officer elections, contract ratifications, and referenda through our system. The system used for all types of elections is exactly the same, held to the standard set by officer elections. Even though the LMRDA does not speak to contract ratifications and referenda, our clients understand the value of conducting these elections under the same rigorous process. Note that NMB and FLRA conduct their elections under statutes other than the LMRDA, so their balloting processes do not exactly match a union officer election. Regardless, elections conducted through the union, NMB, and FLRA variants of the BallotPoint system all enforce the level of secrecy demanded by the LMRDA. Regarding effectiveness of the ballot‐secrecy protections, we could make various self‐indulgent claims, but the statistics over 10 years of providing elections to unions, NMB, and FLRA are perhaps the best measure: There has not been a single registered complaint of violation of ballot‐secrecy in 2,500 elections and 1.1 million votes cast. In BallotPoint elections, ballot‐secrecy is achieved by a strict, verifiable separation of names from votes, with procedures and safeguards that enforce this separation. To compromise this separation requires collusion of multiple parties who do not share a common financial or political interest. 4. (verification/observability) Are voter verified ballots and paper audit trails necessary safeguards for union officer elections? 
If so, why? If not, why not? VVPATs are neither necessary nor sufficient, though they have certainly been elevated to celebrity status by academics, elected officials, and the media. This is an example of taking one technique that seeks to fix demonstrated problems of a given voting system implementation and thinking it should somehow apply to all voting system implementations. Specifically, the problems addressed by VVPATs are the difficulty of (a) policing the physical integrity of electronic voting machines used in on‐site CCComplete Response to RIN 1245‐AA04, 2011‐01‐11 3/14/2011 12:17 PM page 19 of 30 CCComplete©March 2011 elections, and (b) verifying the operation of each and every machine at each and every election, throughout the period of the election. If there were no concern about the integrity of the voting machines, and if there was a way of verifying the faithful operation of each voting machine throughout the period of the election, there would have been no reason to even dream up VVPATs. In the limited context of an on‐site election that uses current‐day electronic voting machines, they may be useful, however, because no one appears to have yet come up with any other practical method for policing and verifying each and every machine throughout the voting period. But VVPATs are certainly not sufficient and can never be in that context, because there is no guarantee that the paper copy will actually be delivered to the counting site, or that it will actually be counted if it does reach there. In other words, there can be no blanket guarantee that each and every vote from each and every voter will ever be counted, much less counted accurately. VVPATs are perhaps a way of getting closer to the correct answer, but they are based on an assumption that we are willing to accept something short of a complete, accurate, and verifiable count. Why should a voter have confidence in a system that can’t even guarantee that his/her vote was counted? 
The BallotPoint system addresses the proper concern of a complete and accurate count in a way that is appropriate to the media (phone and web) being used to cast votes. Please refer to: BallotPoint Design and Capabilities (above) for a description of confirmation numbers; Observability (above) for a description of the various reports produced by the system; and Appendix A, Voting System Accountability for a technique to verify the integrity of the vote‐count. 5. (verification/observability) If an electronic voting system has no voter verified paper ballots, how could a voter confirm that his or her vote was recorded accurately on the electronic ballot and stored accurately in the computer memory? Does the electronic display shown to the voter of the votes cast necessarily mean that the votes are stored or tallied as displayed? The BallotPoint system presents a vote confirmation number (VCN) to the voter after a ballot is successfully cast and stored. (Refer to Voting Through the Election Server, above.) To view the system’s record of a vote, the member must log in to the BallotPoint system using his personal voting credentials, and then supply the confirmation number. The VCN may be used until the end of the election to go back and verify that the system hasn’t lost or changed the vote. A second copy of each vote is also stored on a remote, code‐controlled, sequestered server. This is the BallotPoint analog to a voter‐verified paper audit trail: the unalterable data stored on the remote, code‐ controlled, sequestered server may be used to corroborate the Recount‐Report in the event of an OLMS investigation or audit (the Recount‐Report itself corroborating the computer‐count). Further, the sequestered copy of a given member’s vote can be made available for viewing by the member provided he has valid voting credentials and a corresponding confirmation number. 
How does the voter confirm that his/her vote was stored accurately in the computer memory of an on‐site electronic voting machine? There is no electronic voting machine‐based system we know of where voters can return to the polls hours or days later to verify that the machine still has the vote recorded accurately, or that the slips of paper produced by machines with VVPATs haven’t been misplaced.

6. (verification/observability) If an electronic voting system has no voter verified paper ballots, can an observable recount be conducted? If so, how would this be accomplished?

Yes. The observation process supported by the BallotPoint system is detailed in Observability, above. Combine the many post‐election reports (in particular see Recount‐Report) described therein with (a) the capability for members to review the stored votes throughout the voting period, and (b) the integrity check described in Appendix A: Voting System Accountability, and you have meaningful observability that extends far beyond simple VVPATs or the observability required by the LMRDA.

7. (verification/observability) If the electronic balloting system includes a function that prints paper versions of electronically stored ballots, but individual paper ballots are not voter‐verified, does this function allow for a meaningful recount? Would these non‐voter‐verified paper ballots produced by the electronic system be independent of the electronic votes stored in the electronic system?

This is essentially a restatement of Question 6; see that answer for how the BallotPoint system addresses this. One point of confusion: the question seems to imply that the “non‐voter‐verified paper ballots” should be independent of the electronic votes in the system. This is exactly what you don’t want—you want the paper versions to be 100% dependent on the votes stored in the EVS.

8. (verification/observability) Are there technologies or systems that provide a check on the accuracy of the electronic system that is independent of the software in the system? If so, what are those technologies or systems?

Yes. See So Who’s Watching CCComplete? (above) for an introduction to one such technology.

9. (verification/observability) How can observers participate meaningfully in all phases of the election process in an electronic voting system environment? How can remote site electronic voting systems ensure that candidates have the right to observe all aspects of the election? Are there features of electronic voting systems that establish or replicate processes to have observers at the polls and at the counting of the ballots? If so, what are those features?

The BallotPoint system provides a rich set of observation capabilities. Please see Observability, above. The BallotPoint system provides for all the traditional observation, but extends the opportunity for observation to members themselves. This, we believe, is how early adopters of the BallotPoint system quickly became comfortable with the integrity of the process.

10. (safeguards/access) Most remote site electronic voting systems use a voter identification number (VIN) for each voter to log into the system and vote. In these systems, what safeguards exist to prevent the connection of a voter’s identifying information and his or her vote?

In the BallotPoint system, there is a clear physical and logical separation between where votes are cast and stored, versus where member identities (names and addresses) are stored. This is described in detail in BallotPoint Design and Capabilities (above); in particular, refer to the subsection entitled Two‐Server Computer Architecture: the MRNS and the ES. Please note that this describes the BallotPoint system only.
This question also highlights the conflicting definitions of what a “VIN” is. For BallotPoint, a VIN is a randomly generated, many‐digit number assigned to a voter. On the Election Server, this is a completely anonymous credential. If you took all the VINs that can be used in an election and spread them out on a table, you would have no way of associating any given VIN with any given voter’s name. By virtue of the BallotPoint architecture, this random number is never tied to a name. In other electronic voting systems, a VIN might be the member’s employee ID, so that with this kind of VIN, seeing the content of a vote alongside a VIN would immediately compromise secrecy. In any discussion about VINs and their custody within a given EVS, it is critical to understand what identity information is revealed by a VIN.

11. (safeguards/access) Some systems separate the VINs from the particular voted electronic ballots so that one individual or server controls access to the VINs and a separate individual or server controls access to the voted electronic ballots. In those systems, can the voter and the vote be reconnected? How can voters have confidence that there is no connection of voter and vote and that their votes remain secret?

This question seems to be using “VIN” in the employee ID (or similar) sense, in which the name of a voter is easily determined by looking up the VIN in records maintained outside the voting system. We cannot speak to systems that use employee ID‐like VINs as voting credentials. The BallotPoint system does not use such VINs. Employee IDs (or similar) are known only on the MRNS (see BallotPoint Design and Capabilities, above, for details), which is locked away in a physical vault, accessible only by passing through several logged security steps.

12. (safeguards/access) Is there a software protocol that can restrict the transfer of any information that could potentially link a voter to his or her vote?
If there is such a software protocol, can it be reprogrammed to permit the link? Can such re‐programming be detected afterwards?

Yes. The BallotPoint system contains a proprietary protocol designed to restrict such transfer. Being software, yes, it could be reprogrammed to permit a linkage between a vote and the name of a voter. However, as described in MRNS and Code‐Control (above), we have intentionally created a software‐change methodology that provides a permanent record of changes to any code that has access to member identities. MRNS software updates can only be installed by a third‐party, and only over the Internet, and a physical copy of all such changes is permanently retained by that third‐party.

13. (voiding/retraction) In a remote site electronic voting system, if a determination is made that a voter is ineligible after he/she has already voted, can that vote be removed from the system without reconnecting the voter and vote? If not, can an observer challenge a voter’s eligibility after voting has begun or must all such challenges be made prior to balloting?

Yes, in the BallotPoint system, the vote is removed without ever knowing the voter’s actual name. Remember that a BallotPoint VIN is an anonymous credential, and does not reveal the actual identity of a voter. Challenges can be marked into the BallotPoint system at any time before, during, or after the election, right up until the time the election administrator and any observers reach agreement on the validity of the challenge.

14. (voiding/retraction) How does a remote site electronic voting system deal with a “spoiled” ballot situation, i.e., when a member marks and submits a ballot in error, such as failing to vote for a particular race? Can that ballot be identified and voided and can that member be allowed to vote again?
How does the system accomplish this without reconnecting the voter and vote?

At the union’s choice, on an election‐by‐election basis, members may vote a selectable number of times in an election; the last‐cast vote is the only one counted. Many elections permit only a single vote per member; many permit members to recast votes any number of times.

There is no such thing as a “spoiled” ballot in a BallotPoint election. In the ballot‐definition the author of the election specifies the minimum number and the maximum number of selections to be made for each question. If someone “forgets” to vote in a particular race that requires at least one candidate be selected, the system prevents the ballot from being submitted until the member makes a selection in that race. If someone wishes to vote for no candidate on a question which has been defined to require at least one selection, then that is a problem that should have been addressed by administrators and observers when the ballot‐definition was submitted prior to the election, and it can’t be changed in the middle of an election. The design of the ballot could have included an Abstain selection, or the question could have been set up to permit no selection.

And again, to the repetitive question of “reconnecting the voter and vote”: remember that a BallotPoint VIN is an anonymous, randomly generated, many‐digit voting credential, and does not reveal the actual identity of a voter. The implication of the term “voter” in this question is that we know the actual name of the member. In the BallotPoint system, we do not: there is NEVER an association of a name with a vote, so recasting a vote merely entails overwriting the previous vote that was associated with the BallotPoint VIN.

15. (safeguards/access) In a remote site telephone voting system, can the system log and store the caller/voter’s telephone number as well as the caller/voter’s VIN and voting data?
Yes, although we store only the caller’s area code. In our experience of tracking down issues raised by election administrators, retaining only the area code removes the possibility of associating a name with a phone call, but has enough specificity to describe to election administrators (and from them to the member who reported the issue) that we have truly identified the cause of the issue. We are also at present attempting to have our telephone carrier remove the “caller ID” before passing BallotPoint calls to our system.

16. (safeguards/access) What safeguards exist to prevent malicious or fraudulent software (e.g., software that would delete or change vote totals) from being embedded in an Internet voting system? If such code was introduced or embedded, would it be possible to detect? If so, how? How would an allegation of software tampering be resolved? If electronic voting system software is proprietary, would a third party, such as OLMS, be allowed to inspect the software to resolve an allegation of tampering? If so, how? How would a third party, such as OLMS, be allowed access to the proprietary software codes to resolve the allegation of tampering?

Please refer to our answer to Question 8, and see MRNS and Code‐Control, above. Yes, OLMS would be allowed access to proprietary software, although use of the technology described in Appendix A: Voting System Accountability essentially renders the question moot.

17. (safeguards/access) If OLMS receives an election complaint challenging the software code in an electronic voting system, how can OLMS ensure that the code examined by OLMS in the investigation is the same code that was in place and operational during the election?

A full archive of all MRNS software is retained by a third‐party, and is available for inspection by OLMS during an investigation.
The MRNS software is the only software with access to members’ identities. Please see BallotPoint Design and Capabilities (above). This will address any questions of secrecy violations.

If the union has used the technology described in Appendix A: Voting System Accountability, then whether or not the Election Server software has changed during the election is irrelevant, as the technique described in Appendix A operates effectively even if the code changes. The technology verifies the integrity of the whole process, including whether hackers or insiders changed code that affected the results. Even if the Appendix A technology has not been used in a given election, the members themselves can check (a) whether their votes were changed or removed during the election, and (b) whether their names show up on the who‐voted report produced at the end of the election. During the investigation OLMS can interview members to get a sense of whether they saw any odd behavior of their stored votes.

18. (safeguards/access) In the electronic voting systems with which you are familiar, are all system activities of the union or third party election administrators permanently recorded or logged into the system? What safeguards exist to prevent accidental deletion from or tampering with the log? How could a third party, such as OLMS, investigate alleged tampering with the log? Does this log file, or other similar system file or database, include each voter’s entry into the system, along with that voter’s IP address, VIN, and voting data in sequential order?

We can only speak to the BallotPoint system, but yes, all administrative activity is logged. Multiple copies of log files are stored in many places, including removable media. We have utilities that can cross‐check the various logs to be sure they reflect identical information.
These are then checked for consistency with the votes stored in the database. This makes it extremely unlikely that an attack from the outside could go undetected, as physical access to off‐line media would be required. Regarding insider attacks, the ability of voters to verify that their votes haven’t been lost or changed during the election provides full opportunity for them to assist in an OLMS investigation.

Please note that IP addresses are very unspecific, because in practice, static IP addresses are used almost exclusively by institutional servers (corporate, governmental, or similar). An IP address is anonymous because it does not identify an individual.

19. (safeguards/access) What safeguards exist to prevent vote manipulation by “insiders” such as computer programmers, equipment manufacturers, technicians, system administrators, or election officials who may have legitimate access to election software and/or data? How could a third party, such as OLMS, investigate allegations of insider attacks?

Please refer to our answer to Question 8.

20. (general question) How would the use of electronic balloting affect the issue of voter intimidation, if at all? For any voter intimidation that might take place in the context of an election using electronic balloting, what safeguards have been or could be used to address the issue?

The potential for voter‐intimidation is exactly the same as it is for mail‐balloting. Voter‐intimidation is an activity that occurs outside the bounds of either mail‐balloting or an electronic voting system.

21. (safeguards/access) What safeguards exist to prevent denial of service attacks, “spoofing” (i.e., when one person masquerades as another and gains illegitimate access), automated vote buying, and viral attacks on voter personal computers? How could a third party, such as OLMS, investigate allegations of such activity?
As discussed in the Myth of the Applicability of the SERVE Criticism to the LMRDA (above), denial‐of‐service attacks against union officer elections are extremely unlikely, due to the length of typical elections, and the fact that the closing date of an election could possibly be moved out if the attack occurred on the last day of the election.

For the so‐called “spoofing” method as defined, the illegitimate access may occur in two ways. First, an election administrator may provide himself with replacement voting credentials that really belong to one of the members. This action is permanently logged on the MRNS and in the member’s activity log on the Election Server (ES); further, if the member’s email address is known to the MRNS, an email will be sent to the member alerting him to the recredentialing. Finally, if the member later tries to log in to the ES, he would be prevented from doing so. If there is any question about the operation of the voting system, members are advised in all official election notices how to contact the union office. In any case, the election administrator has no capability to alter any of the logs, so an investigation would turn up the fraudulent activity.

The second way in which illegitimate access may occur is by an outsider successfully guessing some voter’s login credentials. This kind of attack is unlikely to succeed, as there are 9 million possible VINs for a given union, and every VIN is associated with a PIN selected by the corresponding member. The BallotPoint system will lock out further access if more than a few login failures occur within a many‐minute time period.

The potential for vote‐buying is exactly the same as it is for mail‐balloting. Vote‐buying is an activity that occurs outside the bounds of either mail‐balloting or an electronic voting system.
The potential for viral attacks on personal computers used for voting can be reduced or prevented by voting only from computers whose software is kept up to date, with the latest browsers, the latest security patches, and a commercial‐grade anti‐virus package that runs continuously. We recommend that votes not be cast from computers outside the control of the voter, or someone the voter trusts. In 2,500 union and federal agency elections, we have never received a single report or even rumor of a viral attack on computers used for voting.

To investigate any allegations relating to denial‐of‐service, “spoofing”, vote‐buying, or viral attacks, a prudent first step is to require at least some first‐person, hard evidence with the allegation. It is not possible to successfully investigate unsubstantiated rumors. Helpful information includes: date/time of an apparent denial‐of‐service; a first‐person report from a member about someone else accessing his voting account; documented payments for voting credentials; and identification of a virus that has targeted a voter’s web browser and its interaction with the voting system.

22. (safeguards/access) There are reported cases of electronic voting system malfunctions in civic elections where votes have either not been recorded or have not been recorded accurately. These cases include: Volusia County, Florida (2000), Broward County, Florida (2004), Franklin County, Ohio (2004), Sarpy County, Nebraska (2004), Carteret County, North Carolina (2004), and Sarasota County, Florida (2006). What safeguards exist to detect such malfunctions? How could a third party, such as OLMS, investigate allegations that such malfunctions occurred?

Problems with electronic voting machines are outside the scope of our expertise. However, it seems on first principles that investigating such problems would be almost impossible post‐election if the voting machines had been packed up and moved out of the protective custody of the election site.
It may be reasonable to expect that voting machines be placed in protective custody for three or six months after the completion of the election, until all OLMS investigations that might occur have a chance to complete.

23. (safeguards/access) What safeguards exist to prevent “phishing” in remote Internet voting systems? “Phishing” is a scheme that uses a web page set up to look just like the union’s voting web page. Union members are brought to the site by email, links, or reminders to vote with an embedded link. The union member “votes” on the fake site. The person who sets up the fake site then has the voter’s VIN and other identifying information which the person then uses to log onto the real site and vote in place of the real voter. How could a third party, such as OLMS, investigate allegations of phishing?

The web addresses for BallotPoint voting sites are clearly and accurately published in the LMRDA‐mandated election notice that is sent to members prior to the election. Often this document, along with the accompanying voting guide (which lists the entire, exact text of the ballot questions), is posted on a union’s website or in the workplace. Direct entry of the indicated address into the browser’s address bar will place the member at the correct voting site. Further, the SSL certificate for www.ballotpoint.com is available for review. In our experience of 2,500 elections, we have never even heard a rumor about such a site being used to defraud voters. However, in the event of “phishing” allegations being made, OLMS should require the precise URL used to reach the faked voting site, and verify that the address was typed into the browser’s address bar, and not the textbox presented by search engines.

24. (general question) Are there any other potential issues with the legality or practicality of electronic voting systems that have not been addressed in the preceding questions? If so, explain.

No other issues.

CONCLUSION

The U.S. Department of Labor, acting in the case of unions conducting officer elections through the Office of Labor‐Management Standards, enforces those portions of the Labor‐Management Reporting and Disclosure Act which address the conduct of union officer elections.

Legislation enacted in the public interest by Congress may be of two kinds. Congress may enact legislation which is prescriptive in nature or proscriptive. Prescriptive legislation is typically used where the public runs a high risk and is largely unable to evaluate the risks. Examples of this include the various securities and exchange laws which tell those who would offer to sell stocks or bonds to the public how to present information about the offering. Similarly, food and drug laws require that those who would sell drugs and foods take certain steps to ensure a safe product before making the product available to the public. The regulator will tell a security offeror what information must be imparted to the public and precisely how it is presented. An administrator of food and drug laws meticulously details testing before the approval for sale, and requires side effects to be presented to purchasers on labels or printed material accompanying the product. Prescriptive statutes require, and the regulator enforces, not just what must be done but the process steps which must be followed. One may not proceed to sell stock or sell drugs or many foods without prior approval of the government. In short, the government as regulator is proactive.

In the case of proscriptive legislation the role of the regulator is fundamentally different.
Certain standards are set which may be either positive (a party must do certain things) or negative (the party may not do certain things). This type of statutory scheme is not complete in telling a citizen or organization how to proceed, and permission to proceed is not required.

The Labor‐Management Reporting and Disclosure Act is a proscriptive act. The law, for example, requires a secret‐ballot election, one vote per eligible voter, and adequate safeguards to ensure a fair election. A labor organization does not submit its election plan for approval by OLMS. A labor organization conducts its elections in accordance with its constitution. OLMS’s involvement occurs only after an election, upon filing of an election protest based on specific items of protest. The OLMS role is reactive; it is proscriptive. Congress was wise in adopting such an approach because unions are private actors, albeit infused with some public interest, and strong private institutions can materially strengthen democratic processes.

The existing mail‐balloting guidelines prescribe a step‐by‐step, cookbook‐style method for conducting elections. This conflicts with OLMS’s proscriptive role. Accordingly, in the response to Question 1 we have expressed our desire that any voting system guidelines be homogenized into a single package, which applies to any type of voting system—present or future. Essentially, we are advocating that guidelines be a restatement in nonlegal language of the election requirements listed by the LMRDA. No details concerning the construction of a voting system should be included, except where those details arguably apply to all types of voting systems, even as technology changes, or have been added as a result of real‐life cases. The discussion and direction provided by system‐independent guidelines would then be useful to unions and service providers for all time, as well as to OLMS as it encounters new technologies.
We speak from experience as early providers of electronic balloting services that it has not been a smooth road leading to OLMS RIN 1245‐AA04. If two years from now a new technology arises that can be gainfully integrated with union officer elections, we hope that system‐independent guidance would prevent all parties—unions, service providers, and OLMS—from having to go through the significant expense and delay of fashioning yet further guidelines.

The current mail‐balloting guidelines have led many to design electronic voting systems around some analog to the double‐envelope paradigm, which ignores the facts that the double‐envelope was only invented to fix a problem with mail balloting, and that electronic voting systems have a different set of issues to address. This problem did not arise in on‐site elections, and there is no reason to force‐fit it to those just because it’s advised for mail balloting. In the same way, crafting EVS‐specific guidelines right now will effectively force future designers to look backward, to emulate some current detail with the new technology. This handcuffs a labor organization in its rightful search for a voting methodology that best matches its needs.

OLMS should only issue voting system guidelines consistent with its proscriptive duty to ensure that the specific duties and responsibilities defined by the LMRDA are fulfilled. The choice of voting methodology belongs to each local labor organization, and must not be limited by OLMS guidelines. The legal standard is already set by the LMRDA; guidelines should be used to help unions understand the LMRDA, not to limit their choices.
Appendix A: Voting System Accountability

BACKGROUND

OLMS RIN 1245‐AA04 (issued 2011‐01‐11) seeks information regarding use of electronic voting systems in LMRDA‐governed union officer elections. Among the many players involved in an election, the election service provider is unique in its access to stored votes, and so must be prepared to be scrutinized and monitored to a degree beyond the other players. At CCComplete we have been advocating this philosophy for several years, resulting in a system design which we believe uniquely exposes the system to outside scrutiny. We have developed a practical, sampling‐based method whereby a client‐organization such as the union (or OLMS in a supervised election) can easily check the accuracy and integrity of each and every election, without compromising the secrecy of any ballots. This development has resulted in a method‐patent application. The technique is described in the remainder of this appendix.

SUMMARY of the METHOD

In cases where the reputation and demonstrated trustworthiness of the election service provider is not sufficient to allay concerns about mishandling of vote‐data, a method of objectively measuring the voting system’s performance is sought. Herein we describe such a measure. The results are applicable to remote‐access elections conducted by many kinds of organizations, including trade unions, public governments, and federal agencies.

A block diagram showing typical communication paths between entities involved in a remote‐access election is presented in Figure A‐1. Typical features of this architecture are:

• The Election Service Provider (ESP) and the Organization Conducting the Election are independent entities.
• The Organization does not have direct physical or electronic access to the equipment held by the ESP.

Voters identify themselves to the voting system maintained by the ESP using a unique, anonymous access code conveyed to them by some means not involving the ESP. We will use the term VIN (vote identification number) to denote this access code. (In practice, there might be secondary credentials such as a PIN to augment the VIN. For this description, assume the VIN incorporates all the credential information.) In the diagram, an intermediate Printing and Mailing Service Provider (Print Svc) receives documents and VINs from the ESP, and then prints and mails them through the US Post Office.

Figure A‐1: Typical Communication Paths in a Remote‐Access Election

• For any given election, the Organization specifies to the ESP the number of VINs that will be needed; the ESP generates exactly that many, and delivers the VINs to the Print Svc for delivery to the voters.
• Votes are stored in equipment held by the ESP, and tallies are produced from these stored votes.
• The ESP produces a who‐voted report after the election; the report lists every VIN used to cast a vote in this election.

Clearly, without direct access to the ESP’s equipment, the Organization must use a remote method if it wishes to assure itself that a tally accurately reflects the actual votes. The simple trick here is to allocate enough VINs to assign to all eligible voters, and some number of additional VINs to be used strictly for assuring the quality of this particular election. These additional VINs are not given to voters, but are instead reserved for use by the Organization itself (or by a third‐party service provider retained by the Organization).
We refer to these as QA (quality‐assurance) VINs in this appendix, and votes cast using these VINs are termed QA votes. Some of the QA VINs are never used at all; the remaining ones are used to cast QA votes through the telephone and/or Internet.

The purpose here is to detect mishandling by the ESP, regardless of whether the errors are caused by bad engineering, faulty hardware, or intentional fraud. The source of the problem is irrelevant—from the perspective of the election outcome, they are all bad. For simplicity, we collectively refer to these sources as “fraud” in the remainder of this appendix.

STATEMENT of the FRAUD DETECTION PROBLEM

Fraud can occur in the following three ways:

• Votes are added.
• Votes are removed.
• Votes are modified.

For the purpose of detecting fraud, the Organization specifies a number of eligible voters greater than the number of actual people who are eligible to vote. The resulting excess VINs can be used by the Organization to detect fraud with any selectable probability; these VINs are not passed to the real members. The fraud‐detection problem can then be stated as: How many QA VINs must be created to detect that votes were added, removed, or modified in a remote‐access election, with a selectable probability of detection?

GENERAL MODEL of VINs and VOTES

For any election, it is convenient to group all VINs into exactly four categories:

A. VINs assigned to eligible voters, and that were used to cast a vote
B. VINs assigned to eligible voters, but that were not used to cast a vote
C. VINs assigned for QA use by the Organization, and that were used to cast a QA vote
D. VINs assigned for QA use by the Organization, but that were not used to cast a QA vote

In the following sections, NA, NB, NC, and ND are used to denote the number of VINs in each category, respectively.
TO DETECT ADDED VOTES

To detect added votes, the Organization allocates some number of excess VINs which will not be used to cast QA votes in this election; these VINs belong to Category D. At closing, the Organization requests a who-voted report of all VINs used to cast votes. If any of these unused QA VINs appear in the list, then the ESP has mishandled the vote-data. This scheme works because the ESP is unaware of which VINs the Organization is using for QA, and which ones have been handed to eligible voters.

For this to be a useful scheme, we need a formula that tells us how many such excess VINs to allocate to detect fraudulent addition of votes, at some selectable probability of detection.

Note: Probabilities are always in the range 0 to 1. A probability of 0.8 is the same as saying the probability is 80%. A probability of 1 says the event is a certainty. We will use the 0-to-1 range here and in the accompanying Excel spreadsheet.

Note: The probability of a particular event occurring is always equal to “one minus the probability of that particular event not occurring.”

The easiest way to calculate the probability of detecting fraudulent vote-additions is to find “one minus the probability of not detecting fraudulent vote-additions,” so we start by identifying how such additions could be made without the Organization detecting them. Out of the four VIN-categories (A, B, C, and D, defined above), only a fraudulent vote-addition cast using one of the Category B VINs would not be detectable by the Organization. (A and C are out, because these VINs are already used to vote, and D is out because the Organization would detect additions tied to the Category D VINs simply by examining the who-voted report.) So, whether by error or intention, the ESP can use NB out of (NB+ND) possible VINs to cast an undetectable, fraudulent vote.
Therefore the probability of not detecting the addition of a single vote is:

PUNDET(1) = NB / (NB+ND)

Example: Suppose NB and ND both equal 10. Then PUNDET(1) is 10/(10+10), or 0.5. This means the ESP has a 50% chance of not getting caught adding a single vote. If more Category D VINs had been created, say 20, then PUNDET(1) would be 10/30, or 0.33. You can drive down the probability of not detecting single fraudulent additions simply by creating more Category D VINs.

Using a similar strategy, we can continue the analysis to find a formula for calculating the probability of not detecting any particular number of fraudulent additions; this analysis can be provided to OLMS if of interest. What we are really interested in, though, is the probability of detecting the fraudulent addition of at least one vote out of NFA fraudulent additions. This formula is:

PDET(NFA) = 1 - ((1-fA)/(1-fA+fD))**NFA

Here we have introduced the parameter fA to represent the fraction of the roster-count that actually voted, so this parameter is always in the range 0 to 1. We have also introduced the parameter fD to represent how many Category D QA VINs we generate, as a fraction (or multiple) of the roster-count; fD can have any value from 0 on up. (fD = 1 says that we generate the same number of Category D QA VINs as there are eligible voters in the roster.)

It is important to recognize that the only three quantities that affect this detection-probability are: (1) fA, which is the fraction of eligible voters that actually voted in this election; (2) fD, which expresses the number of Category D QA VINs the Organization requests be generated, as a multiple of the roster-count; and (3) NFA, the number of fraudulently added votes.

To put some numbers on it, suppose there is a 75% turnout (fA=0.75).
Assume the Organization requests that the same number of Category D QA VINs be generated as there are eligible voters (fD=1.0). Then for the first few values (1, 2, 3) of NFA we see:

PDET(1) = 1 - ((1-0.75)/(1-0.75 + 1.0))**1 = 1 - (0.25/1.25) = 1 - 0.2 = 0.8
PDET(2) = 1 - ((1-0.75)/(1-0.75 + 1.0))**2 = 1 - 0.2**2 = 1 - 0.04 = 0.96
PDET(3) = 1 - ((1-0.75)/(1-0.75 + 1.0))**3 = 0.99

In other words, regardless of the size of the roster, when there is 75% turnout and we generate the same number of Category D VINs as roster-count, the probability of being able to detect even a single added vote is 80%, and rises close to a certainty when three votes are added. These odds heavily favor detecting fraud on the part of the service provider in an election with these parameters. To reiterate, “fraud on the part of the service provider” here is intended to include not only manipulation introduced intentionally by service provider insiders, but also manipulation due to hackers or errors due to faulty software.

Here’s the important conclusion: With this very simple method—involving nothing more than generating some VINs that will never be used to vote, and checking a who-voted report after the election closes—any error or fraud by the ESP (or hackers) that injects even a single fraudulent vote has a high likelihood of being detected by the Organization, and it becomes a near certainty to detect with only a couple more added votes. This is an incredibly strong deterrent to the ESP stuffing the ballot box, and strong motivation to produce a system with correct software and protection against outside attacks!

Please refer to the Excel spreadsheet in Figure A-2 to see how varying values of fA, fD, and NFA affect the probability of detecting fraudulently added votes.
An important conclusion to draw from staring at the spreadsheet is that, based on the Organization’s comfort-level for the probability of detecting added votes, and on some reasonable expectation of turnout for a given election, an appropriate value for fD can be selected.

Figure A-2: Probability of Detecting Fraudulent Votes Added by the Election Service Provider

TO DETECT REMOVED VOTES

To detect removed votes, the Organization allocates some number of excess VINs (Category C) which will be used by the Organization to cast QA votes. If the who-voted report is missing any of these VINs, then fraud by the ESP has been detected. This scheme works because the ESP is unaware of which VINs the Organization is using for QA, and which ones have been handed to eligible voters.

The analysis leading to the probability of detecting that a vote has been removed is almost identical to that for detecting added votes, and won’t be repeated here. It is sufficient to note that not being detected entails removing only Category A votes; removing any Category C votes will be detected through the who-voted report. (Of course, an actual voter—who is in Category A—can consult the same who-voted report and raise objections should his name not appear, which only increases the likelihood of detection.) At the end of the analysis we arrive at:

PDET(NFR) = 1 - (fA/(fA+fC))**NFR

where NFR is the number of fraudulently removed votes, and fC represents how many Category C QA VINs were generated (and used to vote), as a fraction (or multiple) of the roster-count; fC can have any value from 0 on up. (fC = 1 says that we generate the same number of Category C QA VINs as there are eligible voters in the roster.)

To put some numbers on it, suppose there is a 75% turnout (fA=0.75).
Assume the Organization requests that the same number of Category C QA VINs be generated as there are eligible voters (fC=1.0). Then for the first few values (1, 2, 3) of NFR we see:

PDET(1) = 1 - (0.75/(0.75 + 1.0))**1 = 1 - (0.75/1.75) = 1 - 0.43 = 0.57
PDET(2) = 1 - (0.75/(0.75 + 1.0))**2 = 1 - 0.43**2 = 1 - 0.18 = 0.82
PDET(3) = 1 - (0.75/(0.75 + 1.0))**3 = 0.92

In other words, regardless of the size of the roster, when there is 75% turnout and we generate the same number of Category C VINs as roster-count and use the Category C VINs to register QA votes, the probability of being able to detect even a single removed vote is 57%, and rises close to a certainty when three votes are removed.

Refer to the Excel spreadsheet in Figure A-3 to see how varying values of fA, fC, and NFR affect the probability of detecting fraudulently removed votes.

Figure A-3: Probability of Detecting Fraudulent Deletions or Changes by the Election Service Provider

TO DETECT CHANGED VOTES

Detecting changed votes is really a variant of detecting removed votes, except that the Organization needs a software tool to retrieve from the ESP the QA votes that were cast, and compare them to what selections were made when casting the votes using the known Category C VINs. Such a tool is simple for the ESP to build and to make available to the Organization (or to a third-party providing the quality-assurance service). With such a tool, the Organization can detect both removed and changed votes at once. Because detecting removed votes and changed votes both rely on casting QA votes using Category C VINs, the same analysis and spreadsheet (Figure A-3) developed for detecting removed votes can be used for changed votes, yielding identical formulas and probabilities.
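The arithmetic of the three sections above (added, removed and changed votes) in working form, as an added example that is not part of the CCComplete filing or the BallotPoint system. It implements the two PDET formulas exactly as the appendix states them, inverts each one to return the QA-VIN fraction (fD or fC) needed for a target detection probability (the selection the spreadsheet is meant to support), runs a Monte Carlo check on a constructed roster to show that the closed form, which treats each fraudulent vote as an independent draw, is a close approximation when VINs are drawn without replacement, and applies the two who-voted checks plus the changed-vote comparison to constructed report data. All function names, the roster size and the sample VINs are assumptions of this example.

```python
"""QA-VIN fraud-detection arithmetic (added example; not from the filing).

Appendix formulas:
    additions:  PDET(NFA) = 1 - ((1 - fA) / (1 - fA + fD)) ** NFA
    removals:   PDET(NFR) = 1 - (fA / (fA + fC)) ** NFR
Each is solved for the QA-VIN fraction, and a simulation cross-checks the
closed form against drawing VINs without replacement.
"""
import random


def p_detect_added(f_a, f_d, n_fa):
    """Probability that at least one of n_fa added votes lands on an unused
    Category D QA VIN. f_a = turnout fraction; f_d = Category D VINs as a
    multiple of the roster count."""
    if not 0.0 <= f_a <= 1.0 or f_d < 0.0 or n_fa < 0:
        raise ValueError("need 0 <= f_a <= 1, f_d >= 0, n_fa >= 0")
    unused_real = 1.0 - f_a                    # Category B as a roster fraction
    if unused_real + f_d == 0.0:
        raise ValueError("no unused VINs at all; formula undefined")
    if n_fa == 0:
        return 0.0                             # nothing added, nothing to detect
    return 1.0 - (unused_real / (unused_real + f_d)) ** n_fa


def p_detect_removed(f_a, f_c, n_fr):
    """Probability that at least one of n_fr removed votes was a QA vote cast
    with a Category C VIN. f_c = Category C VINs as a multiple of the roster."""
    if not 0.0 <= f_a <= 1.0 or f_c < 0.0 or n_fr < 0:
        raise ValueError("need 0 <= f_a <= 1, f_c >= 0, n_fr >= 0")
    if f_a + f_c == 0.0:
        raise ValueError("no votes cast at all; formula undefined")
    if n_fr == 0:
        return 0.0
    return 1.0 - (f_a / (f_a + f_c)) ** n_fr


def qa_fraction_for_added(f_a, target, n_fa=1):
    """Smallest f_d with p_detect_added(f_a, f_d, n_fa) >= target, from
    solving the formula: f_d = (1 - f_a) * ((1 - target) ** (-1/n_fa) - 1)."""
    if not 0.0 <= target < 1.0:
        raise ValueError("target must be in [0, 1)")
    return (1.0 - f_a) * ((1.0 - target) ** (-1.0 / n_fa) - 1.0)


def qa_fraction_for_removed(f_a, target, n_fr=1):
    """Smallest f_c with p_detect_removed(f_a, f_c, n_fr) >= target."""
    if not 0.0 <= target < 1.0:
        raise ValueError("target must be in [0, 1)")
    return f_a * ((1.0 - target) ** (-1.0 / n_fr) - 1.0)


def simulate_added(roster, f_a, f_d, n_fa, trials=4000, seed=1):
    """Monte Carlo over a constructed roster (assumed sizes). The ESP can see
    only which VINs are unused (B and D together) and places n_fa votes on
    distinct unused VINs; the Organization detects the fraud iff any of them
    is a Category D VIN."""
    rng = random.Random(seed)
    n_b = roster - round(f_a * roster)
    n_d = round(f_d * roster)
    detected = 0
    for _ in range(trials):
        picks = rng.sample(range(n_b + n_d), n_fa)  # index >= n_b is Category D
        if any(p >= n_b for p in picks):
            detected += 1
    return detected / trials


def audit_who_voted(report, cat_c, cat_d):
    """The appendix's two who-voted checks. Returns (added, removed):
    added   = Category D VINs present in the report (a vote was injected);
    removed = Category C VINs missing from the report (a QA vote was dropped)."""
    seen = set(report)
    return sorted(seen & set(cat_d)), sorted(set(cat_c) - seen)


def audit_qa_selections(expected, retrieved):
    """Changed-vote check: compare the selections the Organization made with
    its Category C VINs against what the ESP returns for those VINs."""
    return sorted(vin for vin, choice in expected.items()
                  if retrieved.get(vin) != choice)


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(f"NFA={n}: PDET added={p_detect_added(0.75, 1.0, n):.3f}   "
              f"NFR={n}: PDET removed={p_detect_removed(0.75, 1.0, n):.3f}")
    print("fD for 80% detection of one added vote at 75% turnout:",
          round(qa_fraction_for_added(0.75, 0.80), 3))
    print("simulated detection, roster of 1000:", simulate_added(1000, 0.75, 1.0, 1))
```

At 75% turnout and fD = 1.0 the functions reproduce the appendix's 0.8 / 0.96 / 0.99 and 0.57 / 0.82 / 0.92 series, and `qa_fraction_for_added(0.75, 0.80)` returns 1.0, i.e. the fD the worked example chose. The simulation stays within sampling error of the closed form, which is why the independence approximation is adequate for sizing QA VINs.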
CONCLUSION

The three ways that an electronic election service provider can alter the outcome of an election are by adding, removing, or changing votes. By using the methodology described in this Appendix, the Organization running the election—in the present circumstance, a union or OLMS—can exploit the allocation of additional voting credentials to verify both the accuracy and honesty of the service provider.