Voting Integrity, Confidence and Empowerment
Election Day Procedure
Starting a voting session
At the start of the voting session, each of these operations is performed once:
- Start up voting machine. The judges of election set up and turn on the voting appliance. The appliance performs a self-test to validate the software that is running.
- Initialize cryptographic keys. All records generated by the VoiceVote system are certified with a digital signature. The digital signature is calculated using the Digital Signature Standard approved by the U.S. government, or another secure scheme for generating digital signatures. The Digital Signature Standard is already in widespread use for applications requiring high security.
The VoiceVote software automatically generates a pair of cryptographic keys: a verifying key and a signing key, which will be used to digitally sign ballots. A digital signature uses one key in the pair to sign a digital document, the other to verify the signature. At the same time that this second key verifies the signature, it also verifies that the signed document has not been altered.
The VoiceVote software immediately records the verifying key on its write-once storage medium. It uses the signing key throughout the session to sign each ballot that is cast. The signing key is never recorded on paper or on any other persistent storage medium. VoiceVote does not communicate the signing key or reveal it to any voter or to the voting authority. To safeguard its security, the VoiceVote voting appliance is not connected to any network. The signing key is discarded at the end of the voting session, rendering it impossible to forge signatures for this voting session.
- Create startup record. The VoiceVote appliance examines the electronic ballot storage device to make sure the session is starting with zero ballots cast. It creates a digitally signed electronic record along with digitally signed paper records ("zero tape") for the election authority and the poll watchers, attesting to the clean start of the election session.
The following procedure is repeated for each voter:
- Authorize a vote. An election judge authorizes the casting of a single vote on a VoiceVote voting appliance. The VoiceVote machine is locked until a vote is authorized. Each appliance publicly displays a constantly updated count of the number of votes cast, confirming that each voter casts one, and only one, vote and that this vote is recorded. This permits an ongoing comparison of the number of votes cast with the number of applications for ballots.
- Label the ballot. The VoiceVote voting appliance assigns a unique random identifier to the ballot. This identifier will be recorded on each representation of the ballot (paper or electronic). It does not compromise the anonymity of the voter because it is not based on any information about the voter.
- Mark the ballot. The voter proceeds to mark his or her ballot on the ATM-style input screen, with the opportunity to go back and change any choice until the ballot is actually cast. Overvotes are not permitted and the voter is warned of any undervotes before exiting any screen and once again before the voter confirms completion (casting) of the ballot.
- Digitally sign the ballot. When the voter has finished filling out the ballot, the VoiceVote machine calculates a unique digital signature for the ballot, based on the ballot's unique random identifier and the way the voter has marked the ballot. The digital signature attests that the vote was cast in a particular election session and has not been altered. The digital signature is integral to each representation of the ballot (paper or electronic).
- Create electronic and paper trails. The VoiceVote voting appliance generates an electronic record and two paper copies of the completed ballot. Each copy of the ballot contains both the unique identifier and the digital signature. One paper copy is retained by the voting authority, and can be used to conduct an election audit, if necessary. The other paper copy is given to the voter. Special VoiceVote features guard against use for vote buying. The electronic record is recorded on a write-once storage medium in a manner that makes it impossible to determine the order in which the votes were cast. Information that is recorded on a write-once storage medium cannot be erased or altered. An example is a write-once CD that is "burned."
At the end of each voting session each of these operations is performed once:
- Process absentee ballots. The judges of election process the absentee ballots, commingling the ballots from qualified absentee voters with the votes cast during the current election session.
- Produce session report. The VoiceVote software produces a summary report detailing all unique identifiers, the session verifying key, a tally for each candidate and/or question on the ballot, and the serial number and digital digest of the program source. The electronic copy of the report is stored on the write-once device and paper copies are produced for the election authority and poll watchers. All reports are digitally signed.
- Discard the signing key so no new digital signatures can be created for this session.
- Freeze the write-once device so no additional records may be written.
- Copy results to the reporting machine. Transfer the complete record of the voting session to a VoiceVote reporting appliance, where it is combined with reports from all the other voting machines in the polling place and transmitted to the central election authority.
- Return equipment. The voting appliances, with the write-once storage medium and all other read and/or write devices still locked inside, are returned to the central election authority. The central election authority will publish the entire set of ballots on the Internet so that they are available to the public at large. The set of verifying keys will be published along with the ballots. The complete set of ballots and verifying keys may be effectively and cheaply published using, for example, BitTorrent technology.
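
The key lifecycle this procedure describes (generate a session key pair, record the verifying key, sign each ballot over its random identifier and choices, discard the signing key, let anyone verify against the published key) is illustrated below. This is an added example, not VoiceVote code: it assumes ECDSA P-256 from the Node.js built-in crypto module as the signature scheme, a JSON serialization of the ballot, and an in-memory array standing in for the write-once medium, and all function names are hypothetical.

```javascript
// Added illustration, not VoiceVote code. Assumed scheme: ECDSA P-256 with SHA-256.
const nodeCrypto = require('crypto');

// Canonical bytes covered by the signature: ballot identifier plus sorted choices.
function ballotBytes(id, choices) {
  const sorted = Object.keys(choices).sort().map((k) => [k, choices[k]]);
  return Buffer.from(JSON.stringify([id, sorted]), 'utf8');
}

function startSession() {
  // The signing key lives only in this closure; it is never exported or stored.
  let { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const records = []; // stands in for the write-once medium (assumption)
  return {
    // Recorded at session start and later published with the ballots.
    verifyingKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    records,
    castBallot(choices) {
      if (!privateKey) throw new Error('session closed: signing key discarded');
      // Random identifier, not derived from any information about the voter.
      const id = nodeCrypto.randomBytes(16).toString('hex');
      const signature = nodeCrypto
        .sign('sha256', ballotBytes(id, choices), privateKey)
        .toString('base64');
      const record = { id, choices, signature };
      // Insert at a random position so storage order does not reveal casting order.
      records.splice(nodeCrypto.randomInt(records.length + 1), 0, record);
      return record;
    },
    closeSession() {
      // Drops the only reference to the signing key; a real appliance would
      // also have to erase the key material from memory.
      privateKey = null;
    },
  };
}

// Anyone holding the published verifying key can run this check.
function verifyBallot(record, verifyingKeyPem) {
  return nodeCrypto.verify(
    'sha256',
    ballotBytes(record.id, record.choices),
    nodeCrypto.createPublicKey(verifyingKeyPem),
    Buffer.from(record.signature, 'base64'));
}
```

A record whose choices or identifier are changed after signing fails `verifyBallot`, as does a genuine record checked against another session's verifying key.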