[EM] Gerck testimony

DEMOREP1 at aol.com DEMOREP1 at aol.com
Sat Jan 27 02:33:28 PST 2001 

D- Due to the Florida Nov 2000 chaos, voting may go entirely electronic 
rather quickly.  The below is a sample of what is going on in the real 
political world.  

Obviously there can be some real sample elections of various election methods 
(and how much confusion they produce with real sample voters).
---
Testimony of Dr. Ed Gerck, CEO and CTO of Safevote, Inc., before the 
California Assembly Elections & Reapportionment
Committee on January 17, 2001, in Sacramento. Assemblyman John Longville (D), 
Chair.


My company participated in the Internet voting test in Contra Costa and I 
would like to report about this and how it
works. First, however, I would like to begin by making two cautionary notes.

The first one is about the term touch screen. There is nothing to prevent, 
and has been done, and in fact was
demonstrated yesterday, an Internet voting system with a touch screen. A 
touch screen is simply a device where you touch
and there is a sensitivity that tells you where the finger touched the 
screen. Our Internet voting systems have, from
the viewpoint of the user as we tested in Contra Costa, an overwhelming 
majority of users who said would prefer to use a
touch screen to vote. It is very hard for someone who has never used a mouse 
to use a mouse. And a keyboard has 103
keys. So we did the test in Contra Costa with a system where voters could use 
a mouse or a simulated touch screen.
Indeed, "touch screen" as a name [for a voting system such as a DRE] is a bit 
misleading because, certainly, it
describes just a device.

Second, I would like to point out that it is very hard sometimes to take 
opinions, even though from a valued expert, at
face value. I was hearing the former panel [on touch screen DRE systems] and 
Peter Neumann, who is a man beyond all best
qualifications, made the affirmation that we cannot photograph what we can 
see [1]. As my background is in optics, with
a doctorate in optics, I certainly know that is not correct. If we can see 
the ballot we can photograph it, some way or
another.

So, I think we need to see the whole context of what is happening here. My 
second cautionary note is that. rather then
focus on technology issues, we should focus on requirements and let the 
technology come up to them.

With this remark, I would say that the three requirements we need to have for 
a voting system are very simple.

Voter privacy must be the first requirement, where voter privacy is the 
inability to know who the voter is. This
requirement must be what I call fail-safe. Even if everything fails, all the 
hardware fails, all the software fails,
everyone colludes, and there is a court order, still voter privacy must not 
fail.

The second requirement is vote secrecy. Vote secrecy is defined as the 
inability to know what the vote is. In elections,
contrary to e-commerce and other online applications, we don't have to 
decrypt [the ballots] immediately. In fact, we
need to store the encrypted ballots for a short period of time, a day or two, 
maybe fifteen days in the case of early
voting, and then we decrypt them and they become a matter of public record. 
So it is a completely different system in
terms of vote secrecy than a standard cryptographic system, which is done 
online.  We don't have to have the keys on the
other side. It is a little bit easier in some ways. Vote secrecy is thus the 
second requirement.

The third requirement is vote integrity, where vote integrity is defined as 
the inability to influence the outcome of
the election except by properly voting.

These are three requirements that need to be, in my opinion, technologically 
neutral. There are many innovations coming
every time, at an ever faster pace, and if we focus on technology it is 
rather easy to become lost.

Let me now address a practical example of how Internet voting works. First, 
if we look at the components of a voting
system and reduce them to the bare bones, we find three parts. Three stations 
if you will.

First is the voter authentication station where the voter is authenticated, 
usually by an election official. Second is
the voting station where the voter actually goes and votes. Third is the 
ballot box. I am not talking about the
tallying, I am not talking about the auditing. Those are added steps. I'm 
talking about the three essential systems we
need to focus on.

If we take these three systems or processes and consider where they might be 
located, we have only two possibilities.
They can be at the precinct or outside the precinct. In other words, they can 
be local or remote. From the viewpoint of
the election official, they are local if they are at the precinct.

If we now take the three stations or processes and the two states [local or 
remote], we have eight possibilities. We can
have the authentication station, the voting station and the ballot box 
entirely in the precinct. And we can have one of
them remote, two of them remote or all three of them remote. As we understand 
these eight possibilities, we see that
Internet voting is not just one case. Internet voting is seven cases. When we 
talk about Internet voting, and this is
now my third cautionary note, we need to know which case we are talking about 
and what is involved. That is - what is
remote, what is local, how the system is classified.

In the case of Contra Costa County, this is what we did. The voter 
authentication was local. The voter went to the
election official where his identity was checked by legal procedures and he 
received his ballot style. In Contra Costa
there were 280 ballot styles. People vote for different school boards, for 
example, depending on where they live. So we
need to authenticate not only the voter but also the voter's ballot style.

On a screen, the election official entered the voter's password and ballot 
style and pressed a button. That would print
a paper that was given to the voter face down. That paper had printed on it 
the instructions on how to vote and the DVC.
The DVC is the Digital Vote Certificate, which is a digital certificate with 
the properties of encryption and
certification that fit into six characters. Those six characters encode the 
password to use the DVC. We don't want the
DVC to be like money in that anyone can find it and use it, even though it is 
in a precinct. The six characters also
encrypt the ballot style and the authorization of the election official - 
which the voter cannot read and cannot change.
The voter then takes this paper with the DVC to the voting station which is 
also local. So we have two local parts.

The voter enters the DVC, which is a simple procedure, and enters the 
password. The voting station never had a copy of
the DVC. So the DVC is not like a password where you need to have a copy to 
see if it matches. The DVC is verified by
the way it works not by the way it looks. The main point here is that we 
don't use a smart card. We don't use any other
device between the authentication station and the voting station but a piece 
of paper that has the six characters. Those
six characters are enough to convey all the information necessary.

So the voter now inputs the data [the DVC and password] into the voting 
station which is local in the precinct. The
voting station verifies whether they all match, that is the DVC, the password 
and the signature, by means of the digital
signature algorithm, and presents the correct ballot with the correct ballot 
style. The voter votes on a screen which we
can demonstrate to you [2], if you so want we can set up a demonstration. We 
just did it yesterday at the Exposition. It
is a simple interface. I am not going to go into details here. One hundred 
percent of the voters in Contra Costa, 307
people, liked it. Even two of them who said they would  never vote on the 
Internet because they wanted to use the paper,
they wanted to go to the precinct.

In the end, the votes are cast and sent to six different servers on the 
Internet. So we have a remote ballot box. Also,
the votes are stored locally, encrypted, and in other computers that may be 
networked in the same precinct. So we have
redundant copies of the votes. In the machine we demonstrated yesterday we 
had two disks in a RAID configuration with
redundant disks plus a memory card. So we have several different ways to 
store the ballots.

The voter now does a step that is not available with paper ballots or DREs 
[Direct Recording Electronic machines]. The
voter can take his DVC, go home and on the Internet he can verify in a voter 
list that his vote is actually there at the
remote ballot box to be counted. Adding voter verification so that the voter 
can verify his vote is there is an
important factor as well. If just 5% of the voters do verify, this helps 
protect the entire system.

There are several steps after this which I will omit for the sake of time. 
They are described in this issue of The Bell
newsletter [4]  which I will leave here, together with the main 16 
requirements [4] we think should cover the least
number of items that one must have in a voting system.

I would like to comment on one of the particular procedures used in the 
tallying. The votes are stored at the ballot
box, and when the time for tallying arrives at the end of the election, they 
are added without being decrypted. The
votes are only decrypted after they are added. This adds a second barrier to 
identifying the votes. There are also
checks and balances between the registration system where the voter received 
the DVC and the final vote. There is
verification whether that DVC was really issued. The DVC is a unique number 
issued to each voter and guaranteed by the
system. So we can verify without identifying the voter. We can create a 
unique audit trail for each voter.

In closing, I would just like to comment that the same system can be used 
without the plug, without the network, and can
become a DRE (touch screen). So in fact we have a system which can work as 
Internet voting in the precinct with two
parts local and one part remote, and also as a completely isolated system. 
This allows election officials and counties
to buy equipment which conforms to current regulations, but yet is Internet 
ready.

We also think that the issue that David Jefferson mentioned at the beginning 
of the other panel [on touch screen DRE] is
very important - the question of obsolescence, of changing. So we need to 
have extensible products that can be applied,
improved and upgraded. Thank you very much.

FINAL COMMENT, ABOUT TRUST: ...I'd like to briefly comment on what Peter 
Neumann said before he left regarding trust.
When we want to understand what trust is, trust is that which is essential to 
communication, but cannot be transferred
in the same channel. We always need a parallel channel. So the question is 
having redundancy. When we look at the trust
issue in voting, iti s simply not possible to rely on one thing, or two 
things. We need to rely on more than two so we
can decide which one is correct. In this sense, the whole question of whether 
the Internet is secure or not is simply
not defined. The Internet is a communication medium and whatever we do in 
terms of trust, it is something that must run
on parallel channels.

**************************
[1] Peter Neumann, testimony  before the California Assembly Elections & 
Reapportionment Committee on January 17, 2001,
John Longville, Chair, session on touch screen (DRE) voting systems: "...I 
have an additional constraint on it [a voter
approved paper ballot produced by a DRE machine] that  it  is behind 
reflective glass so that if you try to photograph
it with a little secret camera hidden in your tie so you can go out and sell 
your vote for a bottle of whiskey or
whatever it is, you will get a blank image. Now this may sound ridiculous 
from the point of view of trying to protect
the voter, but this problem of having a receipt in some way that verifies 
that what seems to be your vote actually was
recorded properly, is a fundamental issue."

[2] A demonstration of the Safevote system used in Contra Cost County in the 
November 2000 shadow Internet voting test
is available at http://www.safevote.com/demo2000/

[3] RAID is short for Redundant Array of Inexpensive Disks and is a method 
whereby information is spread across several
disks, using techniques such as disk striping (RAID level 0) and disk 
mirroring (RAID level 1) to achieve redundancy,
lower latency and/or higher bandwidth for reading and/or writing, and 
recoverability from hard-disk crashes.

[4] The Bell newsletter, ISSN 1530-048X, November 2000. Copy at 
http://www.thebell.net/archives/thebell1.7.pdf


=====================================================================
This message was distributed through the e-lection mailing list.
For info and archives see http://www.research.att.com/~lorrie/voting/
=====================================================================

More information about the Election-Methods mailing list