Re: Trusted Persons

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Fri Apr 08 2005 - 19:58:33 CDT

On Apr 8, 2005, at 3:11 PM, Alan Dechert wrote:
> Suite yourself, David. I am concerned about the glossary from a
> strategic
> perspective. The high-priority terms for us are "OPEN VOTING SYSTEMS"
> and
> "SUMMARY PAPER BALLOT." If we can get these terms in there, it will
> be a
> coup for us strategically. On a strategy scale of one to ten, these
> are a
> ten while most of the other terms you have are low in importance
> strategically -- maybe a one or two.

Mostly I disagree on this. Open Voting System and SPB are pretty good
strategically. But I believe that even MORE important to advancing
OVC's purpose is getting some terms included that allow lawmakers to
clearly mandate *against* the faults of proprietary DREs. It's not
enough to have words for "the good stuff", we also need a standard way
to talk about what's bad about the bad stuff.

So in that regard, I believe the terms Anonymity and Covert Channel are
perhaps the most important ones of all. Also the clarification of
Privacy suggested by Joseph's paper with several coauthors. But
actually, the concept of Trust, or Trusted Person, is also *very*
helpful in discussing the flaws with some voting systems. In fact, I
think all of these are much more strategically important for the
glossary than Open Voting System is (VVPB is also crucial, the specific
subset SPB much less so).

I definitely insist on the use of Trust, which is clearly and well
established in security discourse. A fuzzy new concept like
"Authority" really misses the point of the precision of cryptology
work. That said, Ron Crane's recent revision that reflects the
specific sense used by Schneier and others is an improvement.

Attached is the full latest revision that incorporates (modest) changes
from several signers. Btw. No one who has expressed an interest in
signing has objected to the term Trusted Person. Only who I have
invited to sign, but have not indicated they wish to, have done so
(i.e. Alan & Arthur; Laird raised a related point on the misnomer
"Trusted Computing"--would you like to sign, Laird?). Ron Crane, Susan
Eustis, Joseph Hall, and I seem to be pretty strongly in favor of that
word, given its long history of precise use.

Btw. I'd like to get the signers nailed up pretty quickly here, and get
the comments submitted. If anyone else wishes to join, please let me
know (off-list), along with your full affiliations, title, contact
info, as you'd like them to read. And the few people with incomplete
extra information, please let me know how to describe you.

Yours, David...



Comments on Glossary for Voting Systems (DRAFT)

David Mertz, Ph.D.
   Technical Editor and Member, IEEE P-1622
   Chief Technology Officer, Open Voting Consortium
   Email: <>

Ronald E. Crane, J.D.
   Open Voting Consortium (OVC)
   Voting System Performance Rating (VSPR)
   Email: <>

Peter M. Zelechoski, CISSP, MBA-TM
   Chairman IEEE Voting Systems Electronic Data Interchange (SCC38 P1622)

David Webber

Jan Karrman

Joseph Lorenzo Hall
   Ph.D. Student, School of Information Management and Systems
   University of California at Berkeley
   Email: <>

Susan Eustis
   President, WinterGreen Research
   6 Raymond Street
   Lexington, MA 02421
   Tel: (781) 863-5078
   Cell: (617)852-7876

Peter Bohm
   Senior Software Engineer
   Hart Intercivic, 1650 Coal Creek Drive, Suite E
   Lafayette, CO 80026



We have had an opportunity to review the Election Assistance
Commission's Glossary for Voting Systems draft, and would like to
provide commentary on the draft.

Portions of the remarks concern the clarity and consistency of the
draft. For example, in certain cases, a term is used in one definition
but defined in an inconsistent manner elsewhere. In general, these
inconsistencies appear to reflect your efforts to integrate materials
from multiple sources, each using somewhat different terminology.

The most significant comments we provide here are suggestions for the
inclusion of several additional terms used in discussions of voting
systems. In support of the additional terms, and partially to support
our clarifications of existing terms, we suggest several additional
reference sources for inclusion in Appendix A.

The comments below have the form of proposed entries, with the list of
such entries containing both a subset of existing terms and our new
terms. Each entry is given as we believe it should read, and is often
followed by an explanation (indented) expanding on the motivation for
the entry. We do not recommend the explanation for inclusion in the
entry itself, but simply to provide context.

Signers of this commentary are listed with affiliations solely for
purposes of identification of their background and expertise. In no
case have the affiliated organizations formally endorsed these comments.


ABANDONED BALLOT: Ballot that the voter did not cast before leaving the
polling place. For DRE or mechnical voting machines failure to case a
ballot may reflect the absence of a performed finalization action in
interacting with the machine. See also Fled Voter.

   Explanation: the wording of the draft is grammatically awkward; no
   substantial content change is proposed.

ACCESSIBILITY: [...draft text...] See also Usability.

   Explanation: Accessibility is a specific subset of usability concerns,
   and the relationship should be emphasized.

ANONYMITY: Preventing the disclosure of the identity of the voter
associated with a Cast Ballot. Neither the individual identity nor the
aggregate characteristics of voters may be associated with Cast Ballots,
except those characteristics mandated by law. For example, an election
authority might be permitted to disclose the aggregate votes of
party-unaffiliated voters, but will be prohibited from dislosing the
aggregates of only blind voters. See also Confidentiality, Privacy.
Association: Security
Source: No Attribution

AUDIT TRAIL FOR DRE: Paper printout of both votes cast, and all other
actions performed on the system, by Direct Record Electronic Voting
Systems, which election officials may use to crosscheck electronically
tabulated totals.

   Explanation: The term DRE was expanded in a fashion inconsistent with
   its definition elsewhere. Multiple usages of the same acronym exist
   elections discussions, but this glossary should choose a consistent

BALLOT INSTRUCTIONS: Text and graphics describing the procedure for
voting a ballot.

BALLOT MEASURE: Legislation pertaining to the adoption of laws,
statutes, resolutions, and/or amendments to state constitutions that
appear on the ballot for approval or rejection.

   Explanation: Particularly at a municipal or county level, some ballot
   measures are neither laws nor amendments. Adding statutes and
   resolutions seems inclusive.

BALLOT SCANNER: Device used to read the data from a paper Ballot.

   Explanation: Marksense is only one of numerous technologies used, or
   potentially used, for electronic recognition of ballots. OCR, barcode
   scanners, or other data encoding are possible and used. For example,
   see which states: "marksense
   technology is only one of several methods for recognizing marks on
   paper through optical reading techniques."

COUNTED BALLOT: A Cast Ballot whose selections have been added to the
respective totals for each Contest.

   Explanation: The definition of Contest includes items not listed in
   the draft definition of Counted Ballot, such as referenda,
   propositions, etc. A uniform reference to Contest, defined elsewhere,
   assures uniformity. Phrasing generally clarified.

COVERT CHANNEL: A communications channel that transfers information
using a method not documented in the formal description of a protocol or
document format. For example, a Ballot Image or Audit Trail may disclose
information that would violate Anonymity and/or Confidentiality, through
either design error or malice.
Association: Security, Software Engineering
Source: OVC

CRYPTOGRAPHY: [draft text, but delete the final "or" and the period at
the end, and add:] , or establish their authenticity.

CUMULATIVE VOTING: Practice where voters are permitted to cast multiple
votes distributed among multiple candidates. Voters are not limited to
giving exactly one vote to each candidate. Instead, voters may cast
multiple votes on one or more candidates, limited by the total votes
they are assigned.

   Explanation: While the most common cumulative method may give voters a
   number of votes equal to the number of candidates, such a relationship
   is not defining of cumulative voting. A particular system within the
   definition might give voters exactly 10 votes to distribute, or 1/2
   the number of the candidates, or 2x the number of candidates, etc.

DIRECTLY VERIFIABLE: Voting system that allows the voter to verify at
least one representation of his or her ballot with his/her own senses,
not using any software or hardware intermediary. Examples of directly
verifiable voting systems include Voter Verifiable Paper Ballots and
Marksense ballots. A DRE cannot be directly verifiable, since it by
definition relies on an Electronic Voting Machine as an intermediary.
See also Indirectly Verifiable.
Association: Voting, Security
Source: OASIS, OVC, IEEE 1583

DRE DISPLAY: Part of the DRE that displays the Ballot Format.

   Explanation: Just adjusting the definition to use the term Ballot
   Format rather than the undefined term 'electronic record'.

E-VOTING: [...] , but may be misleading as it suggests remote access via
a computer network or the Internet [...]

   Explanation: "Implies" is too strong. Strictly speaking, the 'e' in
   names derives from 'electronic' and is only indirectly associated with

ELECTION MARKUP LANGUAGE (EML): Open public specification developed by
OASIS for XML structures and process procedures for election management
by computer systems. Adopted by the European Council of Ministers as
preferred approach to electronic voting. See also Ballot Image, Ballot
Form, Ballot Format.
Association: Voting, Standardization, Software Engineering
Source: OASIS, IEEE 1622

Association: Voting
Source: OVC, EML

   Explanation: The term EBI is widely used to refer to sense (1) of the
   Ballot Image definition.

ELECTRONIC BALLOT PRINTER (EBP): Device that prints Voter Verified Paper
Ballots with selected vote choices for tabulation by a separate Ballot

   Explanation: Describing an EBP as "DRE-like" is highly misleading.
   The main contrast among electronic voting machines is between DREs and
   EBPs. The word "fully" is awkward and superfluous.

ELECTRONIC VOTE CAPTURE SYSTEM (EVCS): Election system than encompasses
DREs as well as EBPs when the latter are combined with a Ballot Scanner.

   Explanation: The term ABP is not used in the draft. Since Ballot
   Scanner is defined elsewhere the dependent clause explaining its
   meaning is superfluous or misleading. Several concepts other than
   VVP* are equally or more closely associated with EVCS.

ELECTRONIC VOTER INTERFACE: Subsystem within a DRE or EBP which
communicates ballot information to a voter [...]

   Explanation: An EBP uses the same range of communication means as a
   DRE. The extra noun phrase 'voting system' is redundant.

ERROR CORRECTION CODE: A coding system that uses a partially redundant
representation of data to detect and/or correct certain kinds of errors
in data transmission or storage.

   Explanation: "Parity bits" is only a limited subset of ECC.

FIRMWARE: Software that provides basic system operations, often (but not
exclusively) related to the operation or control of hardware devices.
Firmware might, but need not be, contained in a read-only memory (ROM)
device, and it might be alterable during ordinary system operations.

   Explanation: The previous definition was too narrow and emphasized
   something that is often incorrect. Firmware is often loaded or
   loadable from mass-storage devices, such as BIOS updates for PCs.
   Firmware need not be contained in ROM, and might, depending upon the
   system's design, be alterable at runtime.

FREE SOFTWARE: Software which individuals, including voters and and
voting officials, have the freedom to examine and modify, and to
redistribute either with or without modifications, either commercially
or noncommercially, either gratis or charging a nominal distribution
Association: Security, Software Engineering
Source: no attribution

   Explanation: This concept is based on the Free Software Definition of
   the Free Software Foundation,

HASH: [Replace the first sentence with:] An algorithm that maps a bit
string of arbitrary length to another bit string, usually shorter and
of fixed length.

   Explanation: Hashes are not necessarily fixed-length (e.g. ).

INFORMATION SECURITY: [...] See also Crytography.

NONVOLATILE MEMORY: [delete "Static RAM" from the list of "example of
nonvolatile memory" and replace with "Flash RAM"]

   Explanation: Unlike dynamic RAM (DRAM), static RAM (SRAM) retains its
   contents without periodic refresh cycles. However, both forms of RAM
   lose their contents when disconnected from power. Flash RAM is
   nonvolatile, and has replaced ROMs, EPROMs, and EEPROMs in many
   (most?) applications.

OPEN VOTING SYSTEM: A Voting System in which every Component is
available to the general public under non-restrictive licensing terms or
is in the public domain. For hardware components an Open Voting System
relies entirely on COTS devices. See also Free Software, COTS.
Association: Security, Standardization, Software Engineering
Source: OVC

   Explanation: This term is in wide use since Irwin Mann's paper at

PAPER RECORD: [Eliminate this term]

   Explanation: The term paper record is used loosely for many different
   and incompatible types of documents within an election system. No
   single definition is predominant, and defining this term simply
   muddies the several terms that refer to varieties of paper records.

PRIVACY: The degree of protection that a voting system provides a voter
against attempts to learn how said voter voted. A voting system is said
to provide perfect privacy if it is impossible to improve a guess of how
a voter voted through information obtained through the election
technology and poll place process/procedures. See also Anonymity.

RANKED ORDER VOTING: Practice that allows voters to rank candidates in
a contest in order of choice: 1, 2, 3 and so on. Tabulation of ranked
votes may be done by any of several methods, depending on jurisdictional
rules. Well known tabulation methods include: Instant Runoff Voting
(IRV) in which votes are reassigned over rounds of tabulation, until a
majority is reached; Condorcet in which a total order is treated as a
set of pairwise preferences between candidates; Borda in which different
ranks are worth different numbers of "points." Ranked order voting is
also sometimes referred to as preferences, preferential voting, or
choice voting.
Association: voting
Source: VSS, IEEE 1583, IEEE 1622

   Explanation: Unfortunately, the draft version was just plain dead
   wrong. IRV is perhaps the most widely used and advocated tabulation
   method in the US. But the concept of ranked order pertains to how a
   ballot is voted; how it is tabulated is an independent concept. The
   American Mathematical Society has a nice web page on this issue:

all votes cast by a single voter that is created by scanning a Voter
Verified Paper Ballot. A REBI may be compared to its corresponding EBI
in the course of a Canvas and/or Audit.
Association: Voting, Security
Source: OVC

SECURITY ANALYSIS: An inquiry into the existence of security flaws in a
voting system. Includes an analysis of the system's software, firmware,
and hardware, as well as the procedures surrounding their production,
deployment, and use. Security analysis may discover flaws and means of
tampering invisible to testing, such as Trojan Horses programmed to
operate only during an election, or only when a specified signal is
broadcast via electromagnetic means such as WIMAX or power-line
Association: Security

SECURITY AUDIT: See Security Analysis

STANDALONE BALLOT VERIFICATION STATION: Machine that provides assistance
to voters who are visually impaired, who have difficulty reading
English, or in other cases where voters have difficulty correctly
verifying a Voter Verified Paper Ballot. In contrast to an
Electronically-Assisted Ballot Marker, a Standalone Ballot Verification
Station is a distinct component from an Electronic Ballot Printer, and
may be produced by an separate "second source" vendor.
Association: Voting, Human Factors, Security
Source: OVC

SUMMARY PAPER BALLOT (SPB): A type of VVPB in which only affirmative
voting preferences are contained on a human-readable ballot. For
example, a SPB might contain the name of a voter's preferred candidate,
but omit the names of non-preferred candidates for typographic and
handling convenience
Association: Voting
Source: OVC.

TOUCH SCREEN VOTING MACHINE: Machine that displays ballot choices on a
video screen, and that permits a voter to make her selections by
touching designated locations on that screen.

   Explanation: The voting machine itself does not necessarily tabulate
   the votes. It may, in some DREs. But it does not in any EBP. The
   voting machine does not necessarily tabulate even in a DRE: the
   machine might simply record an electronic record of individual votes,
   which is then tabulated by some other machine or some other software.

TROJAN HORSE: Refers to the existence of hidden content within a system
or its software.  Such content is frequently associated with the
execution of undocumented or surreptitious functions.  In a voting
context, it is a piece of software intended (a) to alter, or to permit
the alteration of, the outcome of any election; or (b) to release, or to
permit the release of, non-public data concerning an election to a
person not authorized to receive it. A Trojan Horse may alter the
outcome of an election by modifying the presentation of information to
the voter; by changing, adding, or deleting votes; by making it
difficult or impossible to vote; or by any other means tending to
achieve the desired outcome. A Trojan Horse may release non-public
information concerning an election via networks, wireless devices,
encoded printouts, or otherwise. See also Covert Channel, Security
Association: Security

TRUSTED LOGIC VOTING (TLV): An Open Voting System approach and
infrastructure that combines procedural needs, such as those detailed by
the OASIS EML work and adopted by the European Council of Ministers,
with a mathematical logic-based approach to ensure voting process
integrity and underpinning. Association: Security Source: OASIS EML TC

TRUSTED PERSON/ENTITY: A person or entity whose assertions we accept as
true, and whose acts we accept as correct, for some purpose or set of
purposes. This term does not imply that trust is warranted, only that a
system's security or correctness is contingent upon a trusted person or
entity exercising her or its powers truthfully and correctly. In the
context of Voting Systems, a vendor may be a trusted entity, since,
unless the system is subject to total public verification, we trust that
the vendor has not incorporated a Trojan Horse into it. A person or
entity may be trusted to perform one function (e.g. the creation of a
ballot form) but remain untrusted for others (e.g. the modification of a
voting system's software).
Association: Security

UNTRUSTED PERSON/ENTITY: Any person or entity who is not a Trusted
Association: Security


   Explanation: The acronym VVPAT is both widely used, and used in the
   definition of DRE-VVPAT and VVPAT-Ballot Box. Its sense is covered in
   the entry for VVAR.

VOTER VERIFIED PAPER BALLOT (VVPB): A human-readable Voted Ballot
produced with the aid of an Electronic Ballot Printer. In contrast to a
Voter Verified Audit Record which is generally treated as a secondary
safeguard against failures in electronic records, a VVPB is considered
the Fundamental Representation. See also Voted Ballot, Voter Verified
Audit Record, Electronic Ballot Printer.
Association: Voting
Source: OVC

VOTING MACHINE: Mechanical, electro-mechanical, or electrical equipment
used for the recording and tabulation of votes. See also Voting System.

   Explanation: For consistency with several other definitions,
   "electro-mechanical" should not be excluded. Also, recording is not
   necessarily "direct" (as in an EBP), so that word should be dropped.


IEEE 1622
   IEEE P1622 Voting Systems Electronic Data Interchange

   Organization for the Advancement of Structured Information
   Standards, Election and Voter Services TC. Producer of Election Markup
   Language (EML).

   Open Voting Consortium [CA 501(c)6]

mertz@ | The specter of free information is haunting the `Net! All the
gnosis | powers of IP- and crypto-tyranny have entered into an unholy
.cx | alliance...ideas have nothing to lose but their chains. Unite
       | against "intellectual property" and anti-privacy regimes!

OVC discuss mailing lists
Send requests to subscribe or unsubscribe to
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Sat Apr 30 23:17:04 2005

This archive was generated by hypermail 2.1.8 : Sat Apr 30 2005 - 23:17:22 CDT