Skip to: Site menu | Main content

Election Day Procedure

Election Day Procedure

Starting a voting session

At the start of the voting session each of these operations are performed once:
  • Start up voting machine. The judges of election set up and turn on the voting appliance. The appliance performs a self test to validate the software that is running.
  • Initialize cryptographic keys. All records generated by the VoiceVote system are certified with a digital signature. The digital signature is calculated using the Digital Signature Standard approved by the U.S. government, or other secure scheme for generating digital signatures. The Digital Signature Standard is already in widespread use for applications requiring high security.

    The VoiceVote software automatically generates a pair of cryptographic keys: a verifying key and a signing key, which will be used to digitally sign ballots. A digital signature uses one key in the pair to sign a digital document, the other to verify the signature. At the same time that this second key verifies the signature, it also verifies that the signed document has not been altered.

    The VoiceVote software immediately records the verifying key on its write once storage medium. It uses the signing key throughout the session to sign each ballot that is cast. The signing key is never recorded on paper or on any other persistent storage medium. VoiceVote does not communicate the signing key or reveal it to any voter or to the voting authority. To safeguard its security, the VoiceVote voting appliance is not connected to any network. The signing key is discarded at the end of the voting session, rendering it impossible to forge signatures for this voting session.
  • Create startup record. The VoiceVote appliance examines the electronic ballot storage device to make sure the session is starting with zero ballots cast. It creates a digitally signed electronic record along with digitally signed paper records ("zero tape") for the election authority and the poll watchers, attesting to the clean start of the election session.
Casting a vote

The following procedure is repeated for each voter:
  • Authorize a vote. An election judge authorizes the casting of a single vote on a VoiceVote voting appliance. The VoiceVote machine is locked until a vote is authorized. Each appliance publicly displays a constantly updated count of the number of votes cast, confirming that each voter casts one, and only one, vote and that this vote is recorded. This permits an ongoing comparison of the number of votes cast with the number of applications for ballots.
  • Label the ballot. The VoiceVote voting appliance assigns a unique random identifier to the ballot. This identifier will be recorded on each representation of the ballot (paper or electronic). It does not compromise the anonymity of the voter because it is not based on any information about the voter.
  • Mark the ballot. The voter proceeds to mark his or her ballot on the ATM style input screen, with the opportunity to go back and change any choice until the ballot is actually cast. Overvotes are not permitted and the voter is warned of any undervotes before exiting any screen and once again before the voter confirms completion (casting) of the ballot.
  • Digitally sign the ballot. When the voter has finished filling out the ballot, the VoiceVote machine calculates a unique digital signature for the ballot, based on the ballot's unique random identifier and the way the voter has marked the ballot. The digital signature attests that the vote was cast in a particular election session and has not been altered. The digital signature is integral to each representation of the ballot (paper or electronic).
  • Create electronic and paper trails. The VoiceVote voting appliance generates an electronic record and two paper copies of the completed ballot. Each copy of the ballot contains both the unique identifier and the digital signature. One paper copy is retained by the voting authority, and can be used to conduct an election audit, if necessary. The other paper copy is given to the voter. Special VoiceVote features guard against use for vote buying. The electronic record is recorded on a write once storage medium in a manner that makes it impossible to determine the order in which the votes were cast. Information that is recorded on a write once storage medium cannot be erased or altered. An example is a write-once CD that is "burned."
Ending a Voting Session

At the end of each voting session each of these operations is performed once:
  • Process absentee ballots. The judges of election process the absentee ballots, commingling the ballots from qualified absentee voters with the votes cast during the current election session.
  • Produce session report. The VoiceVote software produces a summary report detailing all unique identifiers, the session verifying key, a tally for each candidate and/or question on the ballot and the serial number and digital digest of the program source. The electronic copy of the report is stored on the write once device and paper copies are produced for the election authority and poll watchers. All reports are digitally signed.
  • Discard the signing key so no new digital signatures can be created for this session.
  • Freeze the write once device so no additional records may be written.
  • Copy results to the reporting machine. Transfer the complete record of the voting session to a VoiceVote reporting appliance, where it is combined with reports from all the other voting machines in the polling place and transmitted to the central election authority.
  • Return equipment. The voting appliances, with the write-once storage medium and all other read and/or write devices still locked inside, are returned to the central election authority. The central election authority will publish the entire set of ballots on the Internet so that they are available to the public at large. The set of verifying keys will be published along with the ballots. The complete set of ballots and verifying keys may be effectively and cheaply published using, for example, BitTorrent technology.
Previous   Next