Re: Could you check this for me?

From: Arthur Keller <arthur_at_kellers_dot_org>
Date: Tue May 10 2005 - 05:17:06 CDT

I met today with Cheryl Lilienstein, a local voting activist and
explained to her our architecture and concepts. This is what she
wrote back to me. Comments and corrections welcome. Some are

Best regards,

At 10:31 PM -0700 5/9/05, Cheryl Lilienstein wrote:
>Hi Arthur,
>Thanks for the meeting. I am sending this out to the California
>Election Protection Coalition within the next couple of days, and
>would appreciate your corrections. It was a lot to take in all at
>once, without notes. I also need info on why the closed system for
>info transfer should be trusted.
>Thanks for your help.
>First: NO DATA IS STORED in the machines that create votes, and the
>equipment used is commercially available, not proprietary.

We plan to use COTS (commercial-off-the-shelf) computer equipment to
the extent feasible. Software and data loaded onto the voting
machines comes from a CD, not from the hard drive. Once voting
starts, an electronic audit trail of votes is stored on the voting
machine in flash memory and written onto the CD (in random order).

>At the county, ballot information for every precinct is loaded onto
>a CD. This means that the same CD is used for all machines in a
>particular election, and all information

audit trail of votes cast

> that is collected from a particular machine is collected on that same CD.
>How do you know the CD is the right one? There is a process that is
>used to make the CD generate a particular set of identifyers: a CD
>that was not correct would generate an erroneous set of identifyers.
>The correct identifyer would be published in the newspaper. (What
>was this called, again?)

These are security hash codes.

>So: the ballot information and the information collected from the
>machine is all stored on a CD, not as "votes" but as a visual copy
>of the voter's ballot, which can be compared to the paper ballot.

Not a visual copy, but an audit trail: An electronic copy of the
ballot contents.

>When a voter goes to vote, she is given a token or a smart card to
>start the process. The ballot shows up on the screen, the voter
>votes, and an electronically generated paper ballot is printed out.
>The electronic information is stored on the CD IN THE FORM OF AN
>IMAGE OF THE PAPER BALLOT. The paper ballot is the ballot of record.

Technically, we have an electronic ballot printer that prints a paper
summary ballot.

>The electronic ballot is given a randomly generated ID number, which
>corresponds to the paper ballots's ID number. This is used later to
>verify that there is the same number of paper votes as electronic
>votes, or, it could identify which ballot is missing from the paper
>ballot tabulation, if necessary. Also, provisional ballots are cast
>with special identifier codes so they are accounted for but not
>tallied with the regular votes.

Actually, provisional ballots have ordinary ID numbers, but they are
placed in a provisional ballot envelope for later determination about
whether they should be counted. One possibility is that the privacy
folder is distinctive for provisional ballots.

Note that we may remove the ID numbers from the printed ballot (but
encoded in the bar code) for voter privacy reasons. This particular
item is still under discussion.

>The paper ballot is printed with a bar code, which represents the
>voter's selections. This can be verified with earphones that use a
>barcode reader to tell you how you voted.

Yes, that is called a ballot verification station, and allows a blind
or otherwise reading impaired individual to verify his or her vote.
Note that auditory verification is the method recommended by Ted
Selker of MIT for all voters.

>The paper ballot is placed in a folder so the precinct worker does
>not see the ballot, and the ballot is slipped into the ballot box.
>Provisional ballots are set aside to be counted later in the county.
>If a ballot gets spoiled, there is a visual record of it in the CD.
>Provisional and spoiled ballots are accounted for in the precinct

Spoiled ballots are so marked at the time. There is no mark of a
spoiled or provisional ballot on the electronic voting machine's CD.
However, the CD from the ballot reconciliation station identifies the
audit trail records corresponding to paper ballots, marks the ones
corresponding to spoiled ballots, and sequesters the records
corresponding to missing ballots (which are presumed to be
provisional ballots, and so should match in quantity the provisional

>At the end of the day, the ballot box is opened, shuffled to protect
>identity, the ballots are counted to make sure the same number of
>ballots exist as in the electronic vote tally.

Ballots printed should equal ballots cast plus ballots spoiled plus
provisional ballots.
Number of voters should equal ballots cast plus provisional ballots.

Both of those checks are made in the end-of-day tallying process.

>Then they are fed through a bar code reader, which is more accurate
>than optical scan,

more accurate than optical character recognition (OCR). I'm not
comparing bar codes to optical scan ballots.

> and was the same off the shelf bar code reader that was used by the
>voter to verify the vote before casting the ballot.

Actually the bar code interpretation software is the same (although
one speaks the vote and one tallies them). The hardware is different
because the ballot verification station uses a "stationary" scanner
on which you place the ballot, while the ballot reconciliation
station uses a sheet-fed scanner for a precinct's worth of ballots.

We envision alternative configurations for the ballot reconciliation
station, one that does all the scanning at the end of the day, and
one that scans the ballots into the ballot box as they are cast. In
the latter case, the ballot is immediately rejected if it has a

>The vote total is posted in the precinct.

By contest, by candidate or choice.

>The vote total and the CDs are transported to the county.

The discussion that follows is about optical scan processing of
ballots. There is a component that identifies the marks on the
ballot (which positions are marked). That component does not know
which marks are for which candidates. It simply knows the positions
of the potential marks on the ballot. The locations of the marks on
the ballot are given to another component that does know which marks
are for which candidate, and so it interprets them and creates an
electronic ballot image.

>The county verifies the precinct vote using a system that cannot
>tell what a vote cast means. This is an important issue. It "sees"
>the marks on the paper, and piles them up, without being able to
>distinguish which marks are for what race. The marks are interpreted
>by human eyes once the accumulation is complete.( I think I am not
>quite describing this correctly: please help)
>Records from the county are transmitted via a completely closed
>system to the SOS office, and CDs are made of incoming data.

There is a tabulating system that is NOT networked to the outside.
Every 10 minutes (on election night, less often afterwards) a CD or
DVD is written containing new results is written. The CD or DVD is
removed from the tabulating system and hand carried to the unofficial
web-based reporting system for incorporating into the results on the

>Those CDs are taken out of the secure machine, and loaded onto the
>open access site to report to the public on the progress of the
>election, so that updates are available. On this site you can verify
>that your precinct total is the same as what you see in the
>precinct. If it's not, you can call the newspaper.

You can drill down the website of the unofficial web-based reporting
system on a precinct-by-precinct basis.

>Provisional ballots and absentee ballots are counted at the county,
>and once totalled, added as "provisional" and "absentee" to the
>tally. Any provisional ballots rejected have a reason provided, that
>can be found by matching the random ID number with the random ID
>number the voter received. (Is this correct?)

Whether a provisional ballot is counted is from the serial number of
the provisional ballot envelope, A tab on the envelope with the same
number is handed to the voter as a receipt. The voter can look up
that number (not the ballot ID) on the website to determine whether a
provisional ballot was counted.

>The certification process would be relatively fast, ensuring enough
>time for recounts. This is an issue, since recounts have to be
>completed AFTER certification but before the deadline that the state
>has set up.

Actually, we want the initial count to happen quickly, since we can't
have a recount until after the initial count. In the case of a
Presidential election, we need the initial count and recounts (if
any) to occur before the state selection of electors for the
electoral college.

Best regards,

Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA  94303-4507
tel +1(650)424-0202, fax +1(650)424-0424
OVC discuss mailing lists
Send requests to subscribe or unsubscribe to
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
Received on Tue May 31 23:17:30 2005

This archive was generated by hypermail 2.1.8 : Tue May 31 2005 - 23:17:52 CDT