diff --git a/files b/files index 0027ed0..c8ba9e2 160000 --- a/files +++ b/files @@ -1 +1 @@ -Subproject commit 0027ed006735c566a08acc8e2e540db3e6d5b4ce +Subproject commit c8ba9e2807b988626a07873979bad2887bad4bb3 diff --git a/pages/background.md b/pages/background.md index 2891bb9..3872578 100644 --- a/pages/background.md +++ b/pages/background.md @@ -251,6 +251,9 @@ sip-and-puff, etc. If the computer is COTS, it may also need a custom casing or shell to increase durability and assist with polling-place transport and setup. +For a Remote Accessible Vote By Mail system (required by 2020), the +hardware used would likely be the voter's personal computer and printer. + **2\. Central Ballot Scanner** A device responsible for high-speed, high-volume ballot scanning (e.g. for @@ -309,6 +312,12 @@ semi-automated fashion, including support for multiple languages. This is the software corresponding to the Accessible Ballot-Marking Device hardware component. +A Remote Accessible Vote By Mail system would likely rely on a reasonably +updated web browser rather than requiring installation of OS-specific +software installation. Text to speech capabilities could be either the +voter's own accessibility software or a web browser component provided +with the ballot. + **5\. Ballot Picture Interpreter** This is a software library responsible for interpreting digital ballot pictures. It @@ -551,7 +560,24 @@ useful for the project. [Demo/prototype implementation by Free & Fair][prime-iii-faf-repo]. -#### 3.4.4. Open Source Voting Organizations +#### 3.4.4. Other Open Source Voting Projects and Research + + * [Pvote][pvote], a model for an open source voting application where + sensitive software is minimized-- 460 lines of python code, audited + in a security review. + + * [VoteBox][votebox], a prototype electronic voting machine based on + COTS hardware. Several technical publications are available with + detailed descriptions of the system components. + + * [Low Error Voting Interface][levi], research paper of a voting machine + GUI designed to reduce user errors. Used by Prime-III. + + * [Making Voting Accessible: Designing Digital Ballot Marking for People with + Low Literacy and Mild Cognitive Disabilities][jets-0202] research + paper on voting machine user interface design for accessibility. + +#### 3.4.5. Open Source Voting Organizations * [OSET Foundation][oset-foundation] 501c umbrella nonprofit to support [Trust the Vote][trust-the-vote], site with actual software. \[Currently, mostly Ruby-On-Rails in ruby @@ -559,9 +585,14 @@ useful for the project. Useful diagrams of voting software architecture: ([PDF][oset-arch-pdf], [broken interactive HTML][oset-arch-html]), Simpler [diagram of modules][oset-modules]. + + Prototype of [VoteStream][trust-the-vote-votestream] election results display. * [Open Voting Consortium][open-voting-consortium] Inactive (since 2011) prior effort to develop open source software. Efforts moved to CAVO. + A demo implementation was created and + [technical paper][open-voting-consortium-usenix-paper] with a + detailed description of the system using COTS hardware. * [California Association of Voting Officials][cavo] (CAVO) Nonprofit organization to promote open source voting. Election officials @@ -572,7 +603,7 @@ useful for the project. Has links and information on voting equipment and usage across the US. -#### 3.4.5. Election Data Standards & Organizations +#### 3.4.6. Election Data Standards & Organizations * [Voluntary Voting System Guidelines][eac-vvsg] (VVSG). In January 2016, the [U.S. Election Assistance Commission][eac] (EAC) adopted a plan @@ -612,7 +643,20 @@ useful for the project. only used for poll lookup. [git][vip-repo] -#### 3.4.6. Additional Links +#### 3.4.7. California Election Laws and Regulations + + * [Advisories to County Election Officials][sos-advisories], announcements + from the California Secretary of State on new regulations, required + procedures, and notices on statewide propositions and elected offices. + Includes certifications of new equipment including remote accessible + vote by mail. + + * [Elections Officers Digest][sos-digest], an annotated summary of election + laws prepared for local election officials, with procedures, + responsibilites and definitions of terms. + Includes references to code sections. + +#### 3.4.8. Additional Links * [GitHub][github] * [Open Source Initiative][osi] (OSI) diff --git a/pages/glossary.md b/pages/glossary.md index cdc9b0c..aad827d 100644 --- a/pages/glossary.md +++ b/pages/glossary.md @@ -4,8 +4,12 @@ * **agile**. [TODO] +* **ballot**. [TODO] + * **ballot on-demand**. [TODO] +* **ballot type**. [TODO] + * **cast-vote record (CVR)**. [TODO] * **central ballot scanner**. [TODO] @@ -57,10 +61,19 @@ * **outstack**. [TODO] +* **paper cast vote record**. an auditable document that corresponds to the + selection made on the voter’s ballot and lists the contests on the ballot and + the voter’s selections for those contests. A paper cast vote record is not a ballot. + * **precinct ballot scanner**. [TODO] * **remake**. [TODO] +* **remote accessible vote by mail system**. + Software or electronic system that allows a voter with + disabilities or a military or overseas voter to print a ballot + (_paper cast vote record_) at home and return by mail. + * **risk-limiting audit (RLA)**. [TODO] * **software**. [TODO] @@ -76,3 +89,10 @@ * **software stack**. [TODO] * **stack**. See ”software stack.” + +* **statement of vote**. [TODO] + +* **voter verified paper audit trail**. a _paper cast vote record_ containing a + copy of each of the voter’s selections that allows each voter to confirm his + or her selections before the voter casts his or her ballot for systems that + do not contain a paper ballot. diff --git a/pages/recommendations.md b/pages/recommendations.md index 3e74c74..31e4f8c 100644 --- a/pages/recommendations.md +++ b/pages/recommendations.md @@ -73,6 +73,8 @@ most of these components): 3. Ballot Picture Interpreter (Software) 4. Central Ballot Scanner (Hardware & Software) 5. Ballot Layout Analyzer (Software) +6. Ballot Batch Management (Software) +7. Audit Support (Software) Choosing the above as first components seems to mirror the approach that Los Angeles County is taking in its VSAP project. In particular, Los Angeles @@ -175,7 +177,9 @@ different components, so it is natural to start working on it first. * Even in the absence of deployed open source hardware components, it could be used by members of the public to “check” the scanning done by the interim -system, provided the digital ballot pictures are made public. +system, provided the digital ballot pictures are made public. The visually impaired +could use a ballot picture interpreter on their computer with a speech synthesis +application to validate/check a home printed or marked ballot. * The open source software OpenCount might go a long way towards implementing this component. @@ -266,6 +270,9 @@ elections. * tables for the Election Certification letter (e.g. in PDF format), +* computer-readable equivalent to the Statement of Vote (e.g. in spreadsheet (xls), +delimited text (tsv), and NIST-SP1500-100 (xml) formats), + * HTML pages for the Department website, and * Possibly also reports to facilitate the public observation and carrying out @@ -285,7 +292,9 @@ prototyping and testing. **Description.** This is a software-only component responsible for aggregating vote data and generating election results in a machine-readable format. This -includes running the RCV algorithm to generate round-by-round results. +includes running the RCV algorithm to generate round-by-round results. Normally +votes have subtotals reported by consolidated precinct, and may separate +election-day precinct voting and vote-by-mail ballot subtotals. **Interfaces / data formats.** Needs to accept as input: @@ -313,9 +322,16 @@ prototyping and testing. digital ballot pictures, namely by generating a cast vote record (CVR) given a digital picture of a ballot. The component must support ballots from “third-parties” (e.g. the interim voting system) to support incremental roll-outs like pilot -and hybrid rollouts. The open source software OpenCount developed at UC +and hybrid rollouts, or to support home-printed "remote accessible vote by mail" +ballots. The open source software OpenCount developed at UC Berkeley could be a foundation for this. +The picture interpreter should be able to identify and remove the base +printing and watermarks so any remaining extraneous marks can be identified. +The presence of a significant amount of extraneous marks might require +that ballot be identified for adjudication. Likewise, marks clearly not +present or not fully marked must be identified for adjudication. + **Applicability.** This component can possibly be used in the following components: @@ -335,10 +351,16 @@ card for each ballot type, etc.). * the digital ballot pictures themselves. +* batch header/footer pages and/or box label codes + Needs to output for each ballot: * a cast vote record (CVR) of the markings on the ballot. +* a report of extraneous or ambiguous marks requiring adjudication, + with a data file referencing the CVR, ballot picture, and contest + selections. + **Sub-components.** This component can possibly have the following sub-component: * a “contest-unaware” interpreter that accepts a digital picture of a ballot @@ -408,7 +430,7 @@ not be completely automated, but rather will be semi-automated. * the “election definition” data (e.g. contests, candidates, districts, etc.). -* the digital ballot pictures. +* the digital ballot pictures (scanned images or PDF) Needs to output for each ballot type: @@ -426,6 +448,130 @@ interim voting system. _[Section added: Dec. 14, 2017 meeting.]_ +##### 5.2.3.6. Ballot Batch Management (Software) + +**Complexity:** Low + +**Description.** This is a software component that allows boxes of ballots +to be organized into batches for scanning and auditing. Labels may be +printed to be attached to ballot boxes collected, transported, and stored. +Batches of ballots might include a scannable header page, marking the +beginning of a batch of ballots, and a scannable footer page, marking the +end of the batch. The header/footer pages mark the consolidated precinct +and other information identifying the ballot batch, and might also include +signatures from poll workers, and digital audit information, e.g. +IDs, temporary digital signatures and keys, starting and ending hash chain +codes from a precinct scanner. An additional header/footer page might be +created to wrap and identify outstacked ballots. + +The batch management system would be used to: + +* create box labels and header/footer pages, + +* provide a database of batch IDs with associated precinct and grouping + IDs, + +* provide a means to scan box labels and log departure/arrival of ballot boxes + transported or stored/retrieved, + +* provide the input to the ballot picture interpreter identifying the + batch being processed, and associated information (e.g. precinct ID), + +* organize scan batches to associate CVR (Cast Vote Record) data + with ballot box storage ID and location, and + +* track progress of scanning, adjudication, and auditing of ballot batches. + +**Interfaces / data formats.** Needs to accept as input: + +* a definition of precincts, precinct consolidation, and ballot type + by precinct, used to organize batch collections. + +* bar code scans of box labels used for tracking + +* scans of batch header/footer pages + +Needs to output: + +* data files with batch IDs and associated precinct/group information + +* printable labels and header/footer pages + +* data with batch scan/audit status and transport logs + +**Other outcomes / deliverables.** The required input and output data and +formats should be spelled out. + +**Possible dependencies / pre-requisites.** Batch management procedures +need to be defined so batch IDs can be included with the Ballot Picture +Interpreter output CVRs and used with the Vote Totaler. + +##### 5.2.3.7. Audit Support (Software) + +**Complexity:** Medium + +**Description.** This is a software component that manges an audit +process that includes a manual count. A precinct-based audit might +be performed, where all ballots in ramdomly selected precincts are +hand-counted, or a RLA (Risk Limiting Audit) might be performed, +where a randomly selected set of ballots among all precincts are +selected for a hand-count. The number of ballot selected in an +RLA is based on a statistical formula depending on the closeness of +votes between top contenders. + +Audit support software could include the following: + +* Save or generate random number seeds or precinct selections. + +* For an RLA, a public high-quality random number generator is used to randomly + select ballots to be pulled. + +* For ballots selected by order within a batch (does not have a printed + and sorted ID), a scanner might be used to sheet feed ballots, stopping + where a ballot needs to be pulled. + +* If the order in a stored ballot batch does not match the order on stored + CVRs (cast vote records) and no ballot IDs are available, a new central scan + and picture image analysis might be required. + +* Retrieve the CVRs for selected ballots and pass them to the vote totaler + +* Enter hand-count results and compare totals with the official precinct + totals or the totaled CVR selection. + +**Interfaces / data formats.** Needs to accept as input: + +* the “election definition” data (e.g. contests, candidates, districts, etc.). + +* a definition of batches with precincts, precinct consolidation, and ballot type. + +* results of the vote totaler. + +* random number seed + +* Cast Vote Records (for an RLA) + +* Hand-count results + +Needs to output: + +* for an RLA, the randomly selected ballots with either ID or sequence in + a batch. + +* comparison of hand counts and machine counts + +* scanner controls if used to pull RLA selected ballots + +**Other outcomes / deliverables.** The required input and output data and +formats should be spelled out. + +**Possible dependencies / pre-requisites.** If an RLA audit is performed +and stored ballots might not match ordered CVRs, then the central ballot +scan and picture interpreter would be required to perform an electronic +recount of all ballots and generate matching CVRs. If the picture interpreter +can run at the speed of the scanner, regenerating CVRs (for an electronic +recount) adds no extra cost. + #### 5.2.4. Deployment Strategies The components listed above can be deployed and used in conjunction with a @@ -442,7 +588,6 @@ results of an election run with the interim system. It would only require taking in the non-aggregated numeric results from the interim system, and then feeding the aggregate results into the results reporter. - ##### 5.2.4.1. Central Ballot Scanner Phases For the central ballot scanner, there are a number of options for diff --git a/reference-links.md b/reference-links.md index 14ce3be..3be909d 100644 --- a/reference-links.md +++ b/reference-links.md @@ -34,12 +34,14 @@ [github]: https://github.com/ [ict-plan-2008]: files/SF_ICT_Plan_2018-22.pdf [ieee-1622]: http://grouper.ieee.org/groups/1622/ +[jets-0202]: https://pdfs.semanticscholar.org/30c0/9a87a67516ce91a339d7059ff6a211872e41.pdf [la-vsap-application-tally]: files/la-vsap/LA_Application_VSAP_Tally_1.0_2017-09-19.pdf [la-vsap-rfi]: files/la-vsap/LA_RFI_20170524.pdf [la-vsap-rfp-phase-1]: files/la-vsap/LA_RFP_20170918.pdf [la-vsap]: http://vsap.lavote.net/ [lafco-report]: files/LAFCo_Report_Open_Source_Voting.pdf [lafco]: http://sfgov.org/lafco/ +[levi]: https://dspace.mit.edu/handle/1721.1/96560 [mayor-budget-press-release]: http://sfmayor.org/article/mayor-lee-signs-citys-balanced-budget-fiscal-years-2016-17-2017-18 [nist-itl]: https://www.nist.gov/itl/voting [nist-voting]: http://collaborate.nist.gov/voting/bin/view/Voting/WebHome @@ -48,6 +50,7 @@ [open-count]: https://github.com/FreeAndFair/OpenCount [open-rla-repo]: https://github.com/FreeAndFair/OpenRLA [open-voting-consortium]: http://www.openvotingconsortium.org +[open-voting-consortium-usenix-paper]: http://gnosis.cx/publish/voting/electronic-voting-machine.pdf [oset-arch-html]: https://trustthevote.org/our-work/framework/ [oset-arch-pdf]: http://www.dubberly.com/wp-content/uploads/2014/09/TTV_Framework_Book.pdf [oset-foundation]: http://www.osetfoundation.org/ @@ -60,6 +63,7 @@ [prime-iii-repo]: https://github.com/HXRL/Prime-III [prime-iii]: http://www.primevotingsystem.com/ [proposed-budget-2016]: files/SF_Mayor_Proposed_Budget_2016-18.pdf +[pvote]: http://pvote.org/ [rfp-business-case-pdf]: files/SF_Business_Case_RFP_FINAL.pdf [sf-digital-services]: https://digitalservices.sfgov.org/ [sf-digital-services-strategy]: files/SF_DigitalServiceStrategy.pdf @@ -68,6 +72,8 @@ [slalom-contract-appendix-a]: files/slalom/contract/Business_Case_Appendix_A.pdf [slalom-contract-appendix-b]: files/slalom/contract/Business_Case_Appendix_B.pdf [slalom-contract]: files/slalom/contract/Business_Case_Contract.pdf +[sos-advisories]: http://www.sos.ca.gov/elections/advisories-county-elections-officials/ +[sos-digest]: http://www.sos.ca.gov/elections/publications-and-resources/elections-officers-digest-2018/ [slalom-rfp-response]: files/slalom/REG_RFP_2017-01_Slalom_Response.pdf [star-vote-entity]: files/star-vote/STAR-Vote_Statement_of_Intent.pdf [star-vote-final-press-release]: http://www.traviscountyclerk.org/eclerk/Content.do?code=star-vote-a-change-of-plans @@ -79,5 +85,6 @@ [verified-voting-foundation]: https://www.verifiedvoting.org/ [vip-project]: https://votinginfoproject.org/ [vip-repo]: https://github.com/votinginfoproject +[votebox]: http://votebox.cs.rice.edu/ [vstf-report]: files/VSTF_Report.pdf [vstf]: http://sfgov.org/ccsfgsa/voting-systems-task-force