National Civic Summit - Operation BRAVO Foundation - Carol Paquette and Pat Hollarn


  1. 1. Innovative Approaches for UOCAVA Voting: Remote Voting Kiosks National Civic Summit July 16, 2009
  2. 2. What is a Remote Voting Kiosk? • An “early voting center” overseas • Operates as adjunct to pollsite system • All ballot styles available • Voters checked in with voter registration database • Ballots cast electronically • Votes transmitted and stored in central data center 2
  3. 3. Okaloosa Distance Balloting Pilot (ODBP) Objective: Evaluate the effectiveness of remote voting kiosks to improve overseas voting access • Project conceived and conducted by the Supervisor of Elections, Okaloosa County, Florida • Authorized by Florida Administrative Rule 1S–2.030 Electronic Transmission of Absentee Ballots • Based on Scytl Pnyx secure voting system, tailored to meet Florida requirements • System certified by Florida as adjunct to pollsite system • Project managed by Operation BRAVO Foundation 3
  4. 4. Three Overseas “Early Voting Centers” • Staffed voting kiosks set up in England, Germany, Japan • Open for 10 days • 94 voters participated, 93 ballots cast • All 78 ballot styles available, 23 different styles voted • Paper records produced for all electronic ballots cast • Canvassing Board validated, decrypted, and tabulated electronic ballots • Kiosk officials set up and operated kiosk systems • Elections staff administered central office system 4
  5. 5. UK Kiosk : Mildenhall, England 5
  6. 6. Kiosk Voting System Security Elements • Voter identity and eligibility verified by kiosk officials • Secure laptops used for voting • Voting software verified by Florida Division of Elections • Voted ballot signed by voter’s digital signature, then encrypted with Canvassing Board key • Encrypted ballot transmitted by secure communications to a BS7799 certified Tier 3 secure data center for storage • All system transactions logged in immutable system logs • System performance validated by comparing manual count of all races on 100% of paper records with electronic tabulation 6
  7. 7. Some Lessons Learned • Kiosk components easy to deliver overseas by commercial carrier • Kiosk system easy for kiosk officials to set up and operate with minimal training (< 8 hours) • Only technical issue encountered was setting up network connection in hotels where kiosks were located • System easy for voters to use; would like to continue voting this way; experienced greater sense of participation and confidence that ballot would be counted • Ability to verify system performance through paper record audit provided high degree of trust in system integrity 7
  8. 8. Proposed Project for 2010: Combat Zone Kiosks Objective : Assess feasibility of kiosk concept to enfranchise military and civilian voters in combat zones • Expand scope to 35 counties in 5 states ( 2-3000 voters) • Establish shared kiosk sites in several combat zone locations, e.g., Green Zone in Baghdad • Staff with local personnel, e.g., Voting Assistance Officers • Open 45 days before Election Day 8
  9. 9. Combat Zone Voting System Shared Central Data Center Kiosk Sites Authentication Voting Servers Terminal Registration System Kiosk Secure VPN Workers County Interface Certification Authority Voter Network Voting Terminal Secure VPN Secure VPN Statewide Voter County Elections Offices Registration Access Laptop Canvassing Server Systems Interfaces Canvassing Board 9
  10. 10. Why Try This Solution? Other voting methods are not feasible in combat zones • Postal mail will never be reliable or timely due to nature of the environment • FAX capability is non-existent • Access to computers for personal e-mail is limited, especially if a printer is needed • Entire kiosk system can be shipped in, set up, and operated by local personnel • Only needs electricity and an Internet connection 10
  11. 11. Logical Follow-on to Previous UOCAVA Projects • ODBP demonstrated practical feasibility and effectiveness in benign overseas environments • ODBP established an easy and scalable method to provide voters with digital signatures • Single county proof of concept is capable of expansion to multiple jurisdictions • Security and auditability of system acceptable to e-voting critics • Voting Over the Internet and SERVE showed feasibility of multiple jurisdictions sharing a common system while keeping each election office’s data separate and private 11
  12. 12. Project Overview • Establish Pilot Management Board with representatives from participating jurisdictions • Operation BRAVO Foundation (OBF) provides daily project management under policy direction of Pilot Management Board • Scytl adapts features of Okaloosa kiosk system for other jurisdictions as needed • Scytl develops interfaces for local election management systems and statewide voter registration databases • OBF, Scytl, and Pilot Management Board revise Okaloosa training materials and system operation manuals for other jurisdictions as needed • Test and certify combat kiosk pilot system • Open kiosks for voting on September 18, 2010 12
  13. 13. Preliminary Cost Estimate • Scoping assumption: 5 states, 35 counties • Cost: $4 to 5 million • Includes: – Requirements analysis to identify any system modifications – Tailoring of existing system for new jurisdictions – System testing and certification – Software licenses – System implementation – Project management – Project evaluation 13
  14. 14. Why Participate? • Be a leader in enabling voting rights for military and overseas citizens • Develop specifications for a repeatable secure UOCAVA solution • Help define standards for remote voting for UOCAVA voters • Help define voting system data interchange requirements • Share costs among participating jurisdictions, federal agencies, foundations 14
  15. 15. How Does Kiosk Integrate With Local Systems? entication System 1 County uthentication Laptop Smartcard Reader KIOSK VRD B VOTING PC Voter PC LEO Tabulation Server rinter/Scanner Central Server LEO/State Election VRDB Management Interface Wizard Server System PKI Existing local system Kiosk system components LEO = Local Election Ofice 15
  16. 16. Frequently Asked Questions (FAQs) 1. How is voter’s identity and eligibility to vote determined? A. Kiosk worker checks voter ID and looks up voter in voter registration database to determine eligibility to vote. Voter signature on printed Voter’s Certificate verified against stored signature to ensure that the same person. 2. How is the correct ballot style matched to each voter? A. All ballot styles are configured in the voting system. When a voter is authenticated by the poll worker, the ballot style is coded in a smartcard that gives access to the voting laptop, which will show the appropriate races to the voter 3. How does local election official know which voters submitted which ballots? – Each ballot, once encrypted, is digitally signed by the voter; therefore, the system knows which ballots correspond to each county. Of course, this signature is stripped off when each local election authority decrypts the ballot, thus ensuring voters’ privacy. 16
  17. 17. FAQs (Continued) 1. How is the secrecy of the voter’s ballot choices protected? A. Two main complementary measures ensure voters’ privacy: encryption of the ballot using a digital envelope, and a one-way mixing process. Only each election official will be able to decrypt the ballots addressed to such county in a process that breaks the correlation between voters and ballots. 2. How do the voted ballots get to the local election office for tabulation? A. The voting system will have a special interface per county where local election officials will be able to process the encrypted ballots and obtain the decrypted ones for tabulation 3. Can the voter independently verify their ballot choices before submitting their voted ballot? A. The voting laptop prints a paper record for the voter to compare to the electronic summary screen. On-screen verification is available too. 17
  18. 18. FAQs (Continued) 1. How can the electronic results be audited? A. A sample (or all) of the paper records can be hand counted and the results compared with the electronic tabulation. In addition, each paper record can be compared to its corresponding electronic record through a randomly generated common code on each 2. How will this system affect the local election office workload? A. It depends on how much manual intervention is required to extract the election definition and ballot style data from the local election management system and import it into the kiosk voting system. Once these data have been transferred and verified, the kiosk system operates automatically. The kiosk voting system is relatively easy to set up and initialize; this work can be done by an elections IT support person with a small amount of training. The kiosk system provides a tabulation report of voting results. Depending on how local tabulation reports are prepared, the kiosk tabulation data may have to be manually entered into those reports 18
  19. 19. FAQs (Continued) 1. How will the system be tested? A. The Election Assistance Commission has begun work on defining a process for the testing and certification of pilot voting systems. Some states have their own system testing and certification process 2. Will the ballots be time-stamped to show they were cast before the deadline? A. Each ballot contains a time-stamp that clearly points out the time the ballot was cast. 11. Wouldn’t it be easier to send ballots to voters by email? A. Although some States allow it under certain circumstances, email voting has several serious shortcomings due to the lack of security measures. For instance, voters’ privacy can not be assured, and ballot integrity is complex to achieve in an scenario with dozens of voters all over the world. 19
  20. 20. FAQs (Continued) 12. My state requires matching the voter’s signature on the absentee ballot with the signature on file to verify that the ballot was returned by an eligible voter. How will the kiosk system do this? A. This is done in two steps with the kiosk system. First, each voter is personally identified and checked against the voter registration database by the kiosk worker. In Florida, the voter is required to sign a printed Voter’s Certificate, and this signature is compared to the one on file. Secondly, as part of election set-up activities, each potential kiosk voter is assigned a unique digital signature that is linked to his voter ID code in the voter registration database. When the voter is checked in at the kiosk the voter registration database encodes the ballot style ID, the voter ID, and the digital signature PIN in a bar code on the Voter’s Certificate. This bar code is scanned to record this data on the smartcard used to activate the voting session. The voter’s digital signature is downloaded to the voting laptop along with the correct ballot style. When the voter submits their voted ballot, the system automatically applies the voter’s digital signature that ties the ballot to that particular voter’s identity. This linking is broken after the Canvassing Board reconciles the absentee voter list and is ready to download the ballots for decryption and tabulation. 20
  21. 21. FAQs (Continued) 13. How does a county configure its ballot styles on the kiosk-based voting system? A. It will depend on the number of participating counties and the EMS used by them, but two approaches are considered: (1) a ballot editor, where each ballot will be defined; (2) integration with the EMS to import the ballot definitions configured by election officials • What is the cost per vote for kiosk voting? A. In very simple terms, the cost per vote for any type of voting system is determined by the number of voters who use the system over its expected life cycle. The Okaloosa project was intentionally small scale as a technology proof of concept. It incurred development, documentation, and testing costs for a one time use that normally would be amortized over thousands of elections. The combat kiosk project is intended to include many more jurisdictions and thousands of voters. It will also re-use much of the development and other work done for the Okaloosa project. This project will provide a much better basis for projecting the cost per vote for kiosk voting when implemented as a standard voting method. 21
  22. 22. FAQs (Continued) 1. Why is Scytl the provider of the voting technology? – The Okaloosa Distance Balloting Pilot team conducted a market survey of potential vendors to provide the voting system for that project. Scytl was selected because they had a mature, proven remote electronic voting system that had been used for a number of public elections in several countries. This system includes a number of advanced, patented security features such as immutable chaining logs that allow comprehensive system performance auditing. Scytl also had the engineering design and development staff to implement the system enhancements necessary to comply with Florida legal and administrative rules and to interface the system to the Okaloosa local election management and voter registration systems. The system has been tested and certified by the State of Florida, and an independent team of experts has reviewed the system software. Since the combat kiosk project is a further expansion of the Okaloosa project, it reduces both cost and risk to remain with the same provider. Should any jurisdictions decide to implement remote kiosks as a regular voting channel in the future, they can use the specifications developed by these projects in their vendor solicitation. 22
  23. 23. Operation BRAVO Foundation • Non-profit 501(c)(3) organization • Established to foster exploration and development of practical and reproducible electronic solutions to improve overseas voting process • Partners with state and local governments, other organizations, to conduct demonstration projects • Provides project planning, budgeting, and management; functional requirements analysis; governmental coordination; legal and regulatory compliance assessment; and project evaluation 23
  24. 24. Contact Information Carol Paquette 703 532 0524 Pat Hollarn 850 585 7768 24