Appendix A

California Internet Voting Task Force

Technical Committee Recommendations

 

Table of Contents

10  Requirements for the Internet Voting Process

The following sections list detailed requirements for each step of the i-voting process, more or less in the order they occur from the perspective of a single voter.

 

  1. Request for Internet balloting

    Requirement: Voters must request i-voting in writing with an original signature; they must re-request for each new election, and must not request both an absentee ballot and i-voting in any one election.

    Voters who wish to vote via the Internet must request it in writing, with an original hand-written signature, in a manner and under rules essentially the same as for requesting an absentee ballot in California. The two requests could be on the same form, with a check box indicating which the voter wants. A signed, written request for i-voting is essential, because comparison with the signature on file with the county registrar of voters is the only test there is in the current system that the requestor is eligible to vote. If other forms of voter authentication, such as thumb print, driverís license number, or digital signature are ever added to the requirements for voter registration, then this requirement for hand signature on the request for i-voting, or even the requirement for the request itself, can be changed accordingly.

    It is absolutely essential that all signatures on requests for i-voting be checked against the signature in the registration file before issuing authorization for i-voting. Unlike absentee ballots, which will be accompanied by another original hand signature that can be checked before counting, Internet votes will have no hand signature; hence checking the signature on the request for i-voting is mandatory.

    In accordance with California absentee balloting procedures, voters should not be permitted to request i-voting permanently (with the exception of voters with medical need, or voters living in rural precincts where there are no polling places), for the same reason that they cannot normally request to vote by absentee ballot permanentlyóit is too easy for Internet ballot authorization to be issue automatically over and over, long after the voter has moved away or died. Furthermore, the procedures for requesting absentee ballots, or the countyís response, may change in the first few elections in which i-voting is tried, so widespread permanent i-voting authorization may become a burden to administer.

    Voters should not be issued both authorization for i-voting and an absentee ballot, even if they intend to use only one or the other. The verification that they have not double or triple voted (by also showing up at the polls) is too much of a clerical burden on election staffs.

     

  2. Authorization for Internet ballot

    Requirement: The authorization for Internet balloting can be in various forms depending on the design of the i-voting system as a whole. But any authorization must provide a way of linking the eventual vote cast using that registration to the registration record for that voter, so that it can be determined beyond a reasonable doubt that each Internet vote is associated with a registered voter in the proper district, and that at most one vote is counted for any voter, whether at the polls, or by absentee ballot, or by Internet voting.

    A countyís response to the request for an Internet ballot will normally be to issue an authorization for Internet balloting to the voter who requested it. The authorization will be some combination of cryptographic keys, or PINs, or both, possibly accompanied by voting software. The authorization may be handed to or mailed to the voter on computer readable media, or it may be emailed to the voter, or it may be made available password-protected by a randomly-generated password over the Web; different i-voting systems may differ on this point.

    The fact that a voter has been authorized for i-voting, and any security information associated with it, must be stored by the county for use in authenticating the ballot and preventing double voting later. It must be possible to cancel a voterís authorization in case of it is lost or compromised in some way.

     

  3. Loss of Internet ballot authorization

    Requirement: Any system must be able to handle the voterís loss of, or failure to use, authorization for Internet balloting.

    If a voter loses, or claims to lose, his/her Internet ballot authorization, or if that authorization for some reason fails to work to allow voting, then the voter can request a new Internet authorization, or an absentee ballot. Before either such request is granted, the old authorization must be canceled. The voter may instead just go to the polling place on election day and vote with a provisional ballot even if his authorization for i-voting has not yet been canceled by the county.

     

  4. Voter authenticates himself/herself

    Requirement: Voters should be provided with an authentication code from the county that is combined with a personal identification number (P.I.N.) that will allow the voter to authenticate him/herself for the I-voting system.

    No single interception of an "out-of-band" transmission should allow an individual to cast a fraudulent ballot. Voter authentication codes provided by the counties can be combined with a number or password requested by the voter to ensure that at least the same level of security that is achieved in the absentee ballot process is available for Internet ballot. In paper absentee ballots, the theft or interception of a blank ballot would not necessarily result in the successful voting of an illegal ballot because the voter is required to affix is or her signature to the exterior ballot envelope. That same level of security should be mirrored in Internet voting.

  5. Voter brings Internet ballot to screen

    Requirement: The screen on which the user views the ballot must be capable of rendering an image of the ballot in any of the languages and orthographies required by law for paper ballots.

    Today, federal law requires some California counties to print ballots in English, Spanish, Tagalog, Vietnamese, Japanese, and Chinese. Counties can add to this list; Los Angeles County, for example, includes Korean.

     

    Requirement: No contest, either for an office or a proposition, should be split across two screen pages.

    If there are six candidates for an office, then all six should be visible on a single screen page in order not to disadvantage candidates at the bottom of the list. For systems employing voting devices having displays other that those used for PCs, this puts a constraint on how small the screen should be.

     

    Requirements: The application used for voting should not display or play any advertising or commercial or logos of any kind, whether public service, commercial, or political.

    Web browsers and similar programs are capable of displaying text, graphic, audio, animation, and video advertising. Many times the ads are inserted by the providers of a Web site; sometimes they are added by another "framing" site; still other times they are inserted by the Internet service provider. To be consistent with the principle behind the law that there should be no advertising or campaigning within a certain radius of the polling place, we recommend that there should be no advertising in the "window" that contains the voterís ballot, or popped up as a result of retrieving the ballot. The ballot must not have the appearance of being "sponsored by" any person or organization. This requirement may have no simple technical solution, and may thus have to be backed up by law.

    However, this does not mean that voters cannot have political information and advertising in other independent windows at the same time they are viewing the ballot. Just as people are permitted to take any material they wish into the voting booth, there is no reason why they should not be able to visit other web sites, including political sites, while voting (as long as other security requirements are met, e.g. no ActiveX controls, JavaScript scripts, Java Applets, etc.).

     

    Requirement: Multi-page ballots should be easily navigable by voters, with no way to get lost or leave the balloting process except deliberately.

    If the ballot is in the form of a Web page it should contain no hyperlinks to other sites, which would be distracting, and might cause voters to get lost while voting.

  6. Voter makes choices

    Requirement: Over-voting (voting for more candidates than permitted for a single office) must be prevented.

    The voter should be notified, as soon as the he or she attempts to vote for too many candidates, and no ballot with over-voting should be transmitted to the server. This service to voters is similar to that provided in some other voting systems, e.g. mechanical voting machines and some mark-sense balloting systems.

     

    Requirement: Voters should be able to point and click to make their voting selections, or type a write-in name. They should be able to navigate back and forth within the ballot to change selections freely until the moment when they click the final button that irrevocably transmits their ballot.

    A smooth, easily understandable, navigable, and fairly platform-independent human interface is vital to voter acceptance.

     

    Requirement: Needs of voters with disabilities or impairments should be accommodated.

    It should be possible for an audio version of the ballot to be read by the computer to the sight-impaired, and the position of the screen and keyboard/mouse (or other input device), should accommodate wheelchair-bound voters.

    Requirement: Voters should be able to type write-in candidatesí names in any language or orthography required by law for paper ballots.

    Internet voting should be as accessible to non-English speakers as it is to English speakers, just as is true for paper ballots.

     

    Requirement: The actual contents of the voterís votes on the client computer should be kept only in volatile memory, if possible, so that it will be automatically erased in the event of a power failure or rebooting. Votes should not be written to long-term storage on the client machine or for any reason, even in encrypted form.

    A voterís vote should not be stored in a file on the client machine, even a temporary file, and it should not be paged out to secondary storage as a result of virtual memory. It also must not find its way into any log, cache, index, cookie, or any other long-term record. And since the encryption key(s) used in encrypting the vote may be stored in or near the voterís computer, this extends even to encrypted votes.

     

  7. Voter casts ballot

     

    Requirement: No vote must be transmitted before the voter clicks on a next-to-final button labeled, for example, "Send Ballot". After clicking, the voter must be told that sending the ballot is irrevocable and must be asked to confirm his or her intention to send the ballot by clicking a "Confirm" button. If the voter does not then click the "Confirm" button, he or she should be able to return to the ballot to continue voting; but if he or she does, then voting is complete.

    It is important that the voter not accidentally send the ballot prematurely, because there can be no way to retrieve it, complete it, or vote again, and the voter would then be at least partially disenfranchised.

     

    Requirement: Immediately after the ballot is sent to the vote server, and without waiting for feedback from the server, or immediately after the voter clicks on the "cancel" button, all record of the vote must be deliberately erased from the voterís computer.

    Any choices the voter made should first be erased from the screen. Also, the voterís choices are presumably held unencrypted in the computerís RAM, and would remain so indefinitely unless the voting application deliberately zeroís them. (Memory deallocation is not sufficient.) If the voter walks away from the computer after voting, it must be infeasible for someone else to walk up to it and apply any software tool to recover the votes. If feedback from the vote server indicates that the vote was not accepted, and the voter wants to try again to vote by Internet, he or she must start over.

     

  8. Ballot transmitted to vote server

    Requirement: The ballot, along with a timestamp, voterís identification, precinct, and any other appropriate information, must be transmitted to the vote server in encrypted form to protect the privacy and integrity of the information.

    It must be infeasible for anyone who taps the communication links between the voterís computer and the vote server to read the ballot, or any of the associated information, or to tamper with any of it in a way that might go undetected. It must also be infeasible to inject a duplicate of the encrypted ballot and have that counted as an additional vote.

     

  9. Vote server receives ballot

    Requirement: The ballot transaction is atomic. A ballot must be either wholly accepted, or wholly not accepted, by the vote server. There must be no middle ground.

    If it is accepted, the voter should not be able to vote again; if it is not accepted (including the case of not being received), the voter is permitted to vote again, either by Internet or at the polls by provisional ballot.

    Requirement: The vote server that receives a ballot should immediately check it to ensure that it is formatted correctly. If it is, the vote server should immediately store the ballot, still encrypted, on a permanent medium (e.g. a CD-R disk) so that any subsequent power or equipment failure will not lose the ballot.

    If the check of the ballot fails, the voter should be notified and given advice about what to do, i.e. try again, or give up and vote at the polls. In either case, valid or not, the vote server should store the vote permanently and redundantly for later decryption and canvass. The encrypted ballot, valid or not, may be considered part of the audit trail in case a recount is called for, or the election is challenged in court.

     

    Requirement: If the vote servers are managed by contractors, rather than by election officials, then no keys or other tools for decrypting ballots should reside on the vote servers or be available to the contractors.

    All such keys must remain strictly in the hands of election officials.

     

  10. Vote server sends feedback to voterís screen

    Requirement: Within a few seconds of receiving the ballot, the vote server should attempt to notify the voter of whether or not the vote was successfully accepted.

    When the voter is finished, i.e. any time after hitting the "confirm" or "cancel" button (even if feedback from the server has not arrived) then the voter and should be able to just walk away without "closing" or "shutting down" anything, and still be guaranteed the privacy of the vote. If the vote was not accepted, then the voter may start over, or may vote by provisional ballot at the polls.

     

    Requirement: If no feedback comes back to the voterís computer within a reasonable time, for any reason, then the voter is entitled to assume that the vote was not accepted, and may try again to vote by Internet, or may vote by provisional ballot at the polls.

    There are many reasons why the feedback might not arrive at the voterís computer. Computer failures, software crashes, or communication failures, either at the vote server, or at the client, or in the Internet infrastructure in between, are all capable of preventing the ballot from being delivered to the vote server, or preventing the feedback from being delivered back to the voter. Most of these cases are completely out of control of the voter, and are all indistinguishable from his point of view. In particular, the voter cannot tell, in the absence of feedback, whether the vote was rejected for some reason, or was accepted but the feedback was lost. So the voter should be entitled to vote again.

    If the vote in fact did arrive and was accepted, but the feedback was lost, then the fact that the voter votes a second time, either by Internet or by provisional ballot, must be detected, and the second (and subsequent) ballots excluded from the canvass. Double voting, in this case, should not be held against the voter. Since the two ballots need not agree in all contests, there needs to be a strict rule about which one takes precedence, and the choosing the first one is the most reasonable; choosing the second one would be tantamount to allowing the voter to change his or her vote.

     

  11. Voter can ask for confirmation that he/she voted

    Requirement: There must be a mechanism that voters can use to determine the status of their vote, i.e. whether or not it has been accepted and authenticated.

    Voters should also be able to authenticate themselves online and then query whether or not their vote has been accepted and authenticated. The original feedback a voter receives only indicates, if positive, that their vote was accepted, i.e. stored securely. But, depending on the voting protocols, it may be that the vote is authenticated only later.

    In order for voters to be confident that their Internet vote will be counted in the election, and that they do not have to vote again, there must be a mechanism for voters to query whether their ballot was accepted and authenticated. They may want to check that it was accepted in case the acceptance feedback did not get to them for some reason when they tried to vote. And they may want to know that it was later authenticated so that they need not go to the polls to cast a provisional ballot.

    Note that this requirement goes slightly beyond what is possible for current absentee ballots.

    Requirement: After the voter has sent the ballot to the vote server, there must be no way for anyone, even the voter, to determine how he or she voted in any contest. In particular, there must be no way that a voter can prove to a third party how he or she voted.

    Because of the danger that voters might be coerced or paid to vote a certain way, it is important that voters have no way of proving after the fact how they voted, even voluntarily.

    Of course, it is possible that someone might be watching over the shoulder of a voter while he or she is filling out an Internet ballot, and no technical requirement can prevent that. But such a possibility applies also to someone filling out a paper absentee ballot as well, so i-voting is no less private.

     

  12. Votes transmitted from vote server to canvassing machines

    Requirement: Internet Voting systems must be capable of accurately tabulating the results and integrating the results with the countyís primary voting system.

  13. Authentication of votes and separation from voter identification

    Requirement: The county election system must be able to verify the authenticity of a ballot before the votes on the ballot are viewed or counted.

    Similar to a paper absentee ballot, Internet ballots should be verified for authenticity before the authenticating information is stripped from the ballot. The verification of the authenticity of the ballot should ensure the true source of the message. This must ensure that an electronic ballot really is from the person it claims to come from, and not just from someone trying to electronically impersonate that person.

    As in the paper absentee ballot process, once the ballot is separated from the authenticating information on the envelope, the ballot must be incapable of being traced to the voter who cast it.

    The voted ballots are decrypted and counted after the authenticating information is reviewed and removed from the ballot.

  14. Canvassing of votes

    Requirement: The Internet voting system must be capable of accurately tabulating the results of all ballots cast. The canvass should only be conducted after the close of polls on election day.

  15. Maintenance of auditing information

    Requirement: Decrypted ballots must retained in a secure format to allow for subsequent auditing and recount procedures.

  16. Human security

    Requirement: In accord with the rules for handling absentee ballots, no single election official should be able to delete, change, forge, or violate the privacy of Internet ballots.

    Election officials are bound by rules and procedures governing the handling of ballots that are designed to ensure that the privacy of votes is respected, that no ballot is lost or unaccounted for, and that no single employee can change, forge, or destroy a ballot. Absentee ballots, for example, are always handled in the presence of at least two employees. Ballot envelopes are face down so that the signature on the ballot envelope is not visible when the ballot is separated from the envelope. And all absentee ballots mailed out are coded and accounted for, even if they are not returned by the voter.

    Analogous procedures are also necessary for "handling" Internet ballots. Internet ballots will be held in files and operated upon by software tools for validation, for separating voter identification from votes, and for canvassing. Any i-voting system must have security mechanisms in place that guarantee at that at least 2 employees should concur whenever any critical operation regarding the processing of Internet ballots takes place, i.e. the passwords or cryptographic keys of at least 2 employees are required to operate on votes.