RE: What is Data Model FOR?

From: Mark Winegar <mwinegar_at_mtmc_dot_edu>
Date: Thu Apr 29 2004 - 10:32:14 CDT

Doug,

Better accuracy is often achieved by eliminating the humor error factor.

In both scenarios discussed below there are opportunities for the human
error factor to contaminate the canvassing. We can improve the whole
process by having two distinct canvassing processes; one based on the
voter's computer input and the other based on paper ballots. I believe
the comparison of these distinct data sets will help detect, and
prevent, tampering.

Mark Winegar

-----Original Message-----
From: Douglas W. Jones [mailto:jones@cs.uiowa.edu]
Sent: Thursday, April 29, 2004 10:23 AM
To: voting-project@lists.sonic.net
Subject: Re: [voting-project] What is Data Model FOR?

On Apr 29, 2004, at 12:40 AM, dr-jekyll@att.net wrote:

> Does "vote aggregation" mean vote totals? The Data Model I submitted

> does have a place for accumulating vote totals. For the Ballot
> Questions, there is a Yes_Ctr and a No_Ctr. The Candidate For Office
> has Vote_Ctr.

The general term we ought to use is canvassing. The canvassing process
computes the overall vote totals. For a simple yes-no vote, canvassing
involves adding up the number of yes and no votes.

This is simple until you think about doing it jurisdiction wide, and
think about defending against all possible attacks by both insiders and
outsiders intent on corrupting the canvass. Also, you have to defend
against clerical error, which generally is as dangerous as deliberate
attack.

So, here's the canvassing model that is emerging as the best bet for DRE
and optical mark-sense systems, which suggests that it is also a good
bet for us:

    At each precinct, a precinct-level canvass is conducted, reporting:
      a The number of ballots counted
      b The number of votes for each candidate or position on an issue
      c The number of undervotes for each race
      d The number of overvotes for each race (always zero for DRE)
      e The number of voters who signed in to vote at this precinct
      f The number of provisional ballots distributed at this precinct

      All this information should be printed at the time the polls are
      closed, and posted in public at the precinct. Observers and
      precinct officials can verify that a+f = e, and that, for each
      race, b+c+d = a -- and if these don't come out equal, something is
      wrong and ought to be investigated. Some causes of problems
aren't
      disasters (the fleeing voter who takes his ballot home instead of
      voting it is a classic), but discrepancies should be very small.

      Note that item e is computed by people, outside the computer
system,
      and is therefore a significant check on the computer system.

   The ballot images from each precinct (electronic records of all
ballots
   cast) are transmitted electronically (internet, sneakernet, packet
radio,
   the technology used is not an issue) to the central canvassing
center,
   usually a county office.

   A precinct official telephones a person at the canvassing center and
reports
   at minimum, items a, e and f, but reading down the whole list of
numbers
   is wise. Items a, e and f should be read back and confirmed over the

phone.
   This phone conversation should be conducted loudly and in public, so
   witnesses at each end can take notes if they wish to confirm what was
   said.

   The physical ballots (if any), paper records and electronic records
   from the precinct are sealed in a ox, together with a copy of the
   printout that was posted on the at the precinct, are delivered by two
   election judges, representing opposing parties, to the canvassing
   center. The sealed box, envelope or whatever should never leave
their
   joint custody. (This delivery constitutes the sneakernet delivery
path
   mentioned above.)

   At the canvassing center, the box is unsealed and, after the
electronic
   records have been entered into the computer system used for
canvassing,
   the totals for that precinct are compared with the totals delivered
on
   paper from the precinct.

   Electronic delivery of precinct totals to the canvassing center is
   highly resistant to clerical errors such as transposition of digits
or
   numbers, but the omission of a file (for example, a PCMCIA card or a
   CDR disk) is a common clerical error too. The hand delivered records
   allow inspection of the electronic record to see that is is all
there,
   with no omitted machines and that all votes are accounted for, and
that
   nothing has changed since the data was reported from the precinct.

   All provisional ballots are delivered to the board that oversees
their
   certification. Once certified, they are tablulated and included in
the
   canvass. Similarly, absentee ballot tabulations for the precinct are
   certified and tabulated. Sums for provisional and absentee ballots
   should be maintained separately from the official ballot count, so
that
   they do not obscure the accounting.

   At the canvassing center, once the data from the precinct has been
checked,
   it may be incorporated into totals for the entire jurisdiction of
that
   canvassing center.

   If there is a hierarchy of canvassing centers, communication from the
   regional canvassing center to higher canvassing centers follows the
same
   model as outlined here. Once the canvass for the regional center is
   completed, totals are posted in public at that center prior to
transmission
   to a higher center, and any electronic transmission should be
protected by
   redundant transmission, for example, by voice and paper, to protect
   the integrity of the data.

> Regarding Data Models, they are not just for relational databases.

Right. Note that this is one of the most glaring failures of the
Compuware
report for the State of Ohio. They set a criterion for the voting
system,
that the data model of any database in the system be clearly documented,
and then, on determining that the system used binary files with no
database
management software, as such, they claimed that the criterion was
inapplicable.
In fact, the lack of a database management system made the criterion
all the
more relevant because the use of ad-hoc roll-your-own databases
generally
obscures the data model and makes it all the more crucial to carefully
investigate the data model and see if it is well thought out.

                Doug Jones
                jones@cs.uiowa.edu
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Fri Apr 30 23:17:22 2004

This archive was generated by hypermail 2.1.8 : Fri Apr 30 2004 - 23:17:29 CDT