Page 36 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida ( (z-lib.org (1)
P. 36
E. Gerck
28
selections in Braille, as may be used to communicate the voters selections to the
voter, for verification and authentication.
The witness device (230) makes an image record of the data evidencing the
voting event, such as the pixel data or other verifiable data record of the portion
of computer memory used for generating the ballot and corresponding selections
for each voter. Thus, the witness provides an efficient representation of voting
selections without parsing or interpreting the data. The witness module (230)
can be further seen as a means for taking a snapshot or image of pixel data
or other literal data in a selected portion of computer memory as such data
would represent, at the time of confirmation, the ballot and selections made
by each voter. An important aspect of the witness (230) is when it does not
interpret or effect any change in the voting data, also when any transformations
in the memory data recorded by the witness are independent of content. The
witness is applied in an example to generate an event record of the ballot and
voter’s selections, as evidence of the act of voting. Witness (230) thereby provides
transparency to the voter while ensuring reliability and accuracy of outcome as
intended by the voter (230). The witness further protects the system against
virus or attacks intended to change the data.
The witness device (230) approaches an ideal communication channel, with a
very simple code that can be verified to have zero loss, no viruses and no bugs;
however, absence of errors is not required (see Sections 8.3 and 2). The witness
(230) can thus make a video image, audio image or other snapshot of the specific
portion of computer memory used to generate the voting interface and the voter’s
selections at the point of authentication by the voter. Witness (230) also can be
adapted with a means for sending a verification of the voter’s selections back
to the voter (200) via a communication link and printer for providing the voter
with a voting receipt directly from the witness, that the voter can see but not
touch; the voting receipt should then be cut, for random storage purposes, and
dropped in a paper ballot box (not shown in the diagram).
The data corresponding to the authenticated vote by voter (200) is stored
in cartridge B and sent to the results module (232), which could be located at
a precinct. The memory image data from computer (220) may also be stored
in cartridge (B) to provide independent verification of the voting result. The
witness may be open to public scrutiny without having any effect on the data.
Computer (204), such as a DRE voting system, also records the voters selec-
tions from input device (202) and upon authentication by the voter, stores the
selections in cartridge A and sends a signal representative of the voter’s selec-
tions to the result (232). The results form cartridge A and from cartridge B are
stored for tallying at the results module (232), which is a reader object that may
be multiply provided by the EO and stakeholders.
The different witnesses and readers provide a means for auditing the accuracy
and reliability of various input data streams. In the event of a discrepancy, the
results are collected by a difference resolution module (234) and provided for
comparison against records of votes stored in cartridge B, representative of the
one or more cartridges attached to the witness.
