Road to Freedom
Part Three
The Voting System

Regardless of which system we use, the typical election involves registration, validation, collection, and tallying. These functions should fulfill the following criteria satisfactorily:

(1) Eligibility and Authentication – Only registered voters should be able to vote.
(2) Uniqueness – No voter should be able to vote more than once.
(3) Accuracy – Election systems should record the votes correctly.
(4) Integrity – Votes should not be able to be modified, forged, or deleted without detection.
(5) Verifiability and Auditability – It should be possible to verify that all votes have been correctly accounted for in the final election tally, and there should be reliable and demonstrably authentic election records.
(6) Reliability – Election systems should work effectively without loss of any votes, even in the face of numerous failures, including failures of voting machines or total loss of phone connection and/or Internet communications.
(7) Security and Non-Coercion of the Voter – No one should be able to prove how they voted so as to prevent vote selling and coercion.
(8) Flexibility – Election equipment should allow for a variety of ballot question formats (e.g. write-in candidates, survey questions, multiple languages), be compatible with a variety of standard platforms and technologies, and be accessible to people with disabilities.
(9) Convenience – Voters should be able to cast votes quickly with minimal equipment or skills.
(10) The Ability to be Certified – Voters should be able to cast votes quickly with minimal equipment or skills.
(11) Transparency – Voters should be able to possess a general knowledge and understanding of the voting process.
(12) Cost Effectiveness – Election systems should be affordable and efficient.
For the purpose of The Center for True Democracy, we will focus on the two most recent technological innovations applicable to the voting process – telephone voting systems and Internet voting systems. The reasons that we are doing this are, one, we are a public service corporation that does not have access to the voting machinery and administrative processes of the local, county, and state governments; and, two, we are convinced, based on our research, that a well-designed and administered telephone voting system is as good as, if not better than, the present voting systems used in most elections in fulfilling the criteria that we have established for the model voting system. To a lesser degree, we are convinced that an Internet voting system would also fulfill most of the criteria for the model voting system, but it has security problems that we feel we can correct by a significant modification of how votes will be verified.

In this proposal we will look at the telephone voting system and the Internet voting system from two perspectives. First, we will look at the systems from the perspective of the voter and explain how the systems work and how they fulfill the criteria of eligibility, authentication, uniqueness, integrity, and flexibility. Second, we will look at the systems from the perspective of their security and how they fulfill the criteria of accuracy, verifiability, auditability, reliability, transparency, and secrecy.

The Telephone Voting System

How does it work?

Registration

Registration will be done much as it has been done in the past through registration campaigns where qualified voters can register at easily accessible public registration tables or through door-to-door and sidewalk solicitation. In every instance the registrant will have to verify his or her name and address and qualifications to vote. When they register, the voter automatically becomes a member of The Center.
Even though updating and purging registration rolls could be done by phone or Internet once the voter is registered, purely electronic or telephone voter registration would be dangerous because it might enable a third party to fraudulently register a large number of people using publicly available “phonebook” databases.

Personal Identification Number (PIN) and Password

The member/registrant will be sent by mail his or her personal identification number (PIN). Upon receipt of the PIN, the voter will call The Center to verify receipt. At that time the registrant will enter his or her personal password into the system.

The Voting Period

So as to lessen the burden on the phone lines and give every voter easy access to the voting process, voting will be conducted for twenty days.

Free and Easy Access

The voter will be given a toll-free number to call from any phone, anywhere, anytime. This is particularly helpful to the elderly and the handicapped; but it makes voting far more accessible for everyone and eliminates the need for an absentee ballot altogether.

What Happens When the Voter Calls the Toll-Free Number of The Center?

When the voter calls the toll-free number to vote on an initiative, referendum, or recall, the voice response system (VRS) identifies itself and asks which language the caller wishes to proceed with in order to vote. The voice response system will then ask for the caller’s personal identification number and password. So as to protect the system against attempts to jam it, the caller will only get three tries at entering the voter’s PIN and password. When the voter enters his or her PIN and password, the system will review the residence of the caller and determine which initiatives, referendums, or recalls the caller qualifies for, based on the data received by The Center at the time of the voter’s registration.
When the system has determined which initiatives, referendums, or recalls the voter qualifies for, the voice response system will then provide the caller with a menu of initiatives, referendums, and recalls available to the caller. So as to inform the voter and limit the time that the voter is online and thereby reduce the number of phone lines needed, the voter will be sent a ballot worksheet with a pamphlet stating the purpose of the initiative, referendum, or recall with arguments for and against it written by the supporters and main opposition of the proposition. If the voter has not filled out the worksheet, the caller can request a full explanation of each option. The caller may then select all or some or none of the options. With each selection the caller can request an explanation, a repeat of the instructions, or a return to the menu. Once the caller votes, the computer will summarize the selections for the caller’s confirmation and final submission.

Summary

As you can see from the reading, the system is very easy to use, and the voter should be very familiar with how the system works. He or she uses similar systems every day in calling most large institutions (e.g. government offices, corporate offices, insurance companies, utilities, and educational institutions). In addition, not only is it easy to use, it is far more convenient and accessible compared to commonly used systems of voting, especially for people with heavy workloads and/or children, the elderly, and the disabled. Having looked at the system and how it works for the voter, let us now look at the system from the standpoint of security and how it fulfills the criteria of accuracy, verifiability, auditability, reliability, transparency, and secrecy.

How secure is the telephone voting system?

The telephone voting system, unlike an Internet voting system, only accepts touchtone, pulses, or dials, not computer language.
The twelve tones cannot be used to break into the system any more than a twelve-tone ATM can be used to break into a bank system. With a fifteen-digit personal identification number the odds of a computer or person guessing the ID or PIN for a specific person would be 1 to 100,000. To compound the difficulty, after three tries, the system would hang up and refuse a call from the same number. To prevent jamming the system there will be a time limit on how long a caller can take to complete the initial steps of signing a petition or voting. The system will also have an automatic number recognition feature to avoid repeating calls and jamming.

To protect the secrecy of the vote and prevent coercion and the sale of votes, the voter will be able to vote from any phone and change his or her vote at any time before the close of the polls. The part of the computer system that identifies the voter will be distinct and separate from the part of the system that records votes. The votes will be recorded on an unalterable storage medium; therefore, once the ballot is cast, it cannot be altered except by the voter and cannot be traced to the voter. The system will have an open architecture that can be inspected by any qualified technician to ensure that the system has not been tampered with.

The voting process, the tabulation of votes, and the auditing and testing of the system will be monitored and supervised by a Board of Trustees. The Board of Trustees will consist of five persons selected by a vote of the popular assembly for that political unit of The Center for True Democracy. The representatives of the popular assembly will have been elected through a proportional representation election process so as to represent the widest scope of interests and ensure a multiparty supervision of the voting process. Each member of the Board of Trustees will have an equal vote, and each will have a personal code key, and none can enter the system without all the members being present.
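
The login limits described in this section (three tries per call, refusal of further calls from the same number, a time limit on the opening steps) are worked through below as an added Python example that is not part of the proposal. The class and function names, the 120-second limit and the review threshold are assumptions, and the per-PIN review list goes beyond the text: it catches failures spread across many caller numbers, which blocking by number alone does not.

```python
import hashlib
import hmac
import os

MAX_TRIES = 3            # from the proposal: three tries per call
LOGIN_TIME_LIMIT = 120   # seconds; assumed, the proposal names no figure
PIN_ALERT_NUMBERS = 3    # assumed threshold for the added per-PIN check


def hash_password(password, salt):
    # Store only a salted, slow hash of the password, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGate:
    """Hypothetical front end of the voice response system (names are assumed)."""

    def __init__(self):
        self.voters = {}              # PIN -> (salt, password hash)
        self.blocked_numbers = set()  # caller numbers refused after three failures
        self.failed_by_pin = {}       # PIN -> caller numbers that failed against it

    def register(self, pin, password):
        salt = os.urandom(16)
        self.voters[pin] = (salt, hash_password(password, salt))

    def credentials_ok(self, pin, password):
        # Unknown PINs go through the same hash and comparison as known ones.
        salt, stored = self.voters.get(pin, (b"\x00" * 16, b""))
        return hmac.compare_digest(hash_password(password, salt), stored)

    def handle_call(self, caller_number, attempts):
        """attempts: (seconds since the call was answered, PIN, password) tuples.
        Returns 'accepted', 'refused', 'timeout', 'hung_up' or 'abandoned'."""
        if caller_number in self.blocked_numbers:
            return "refused"
        for tries, (elapsed, pin, password) in enumerate(attempts, start=1):
            if elapsed > LOGIN_TIME_LIMIT:
                return "timeout"
            if self.credentials_ok(pin, password):
                return "accepted"
            self.failed_by_pin.setdefault(pin, set()).add(caller_number)
            if tries == MAX_TRIES:
                self.blocked_numbers.add(caller_number)
                return "hung_up"
        return "abandoned"  # caller hung up before using all three tries

    def pins_to_review(self):
        # Added check: one PIN failing from many numbers never trips the per-number block.
        return sorted(pin for pin, numbers in self.failed_by_pin.items()
                      if len(numbers) >= PIN_ALERT_NUMBERS)


def run_constructed_calls():
    """Constructed call log; the PIN, password and 555-01xx numbers are made up."""
    gate = LoginGate()
    pin = "402917365518204"
    gate.register(pin, "4821")
    results = [
        gate.handle_call("555-0100", [(10, pin, "4812"), (25, pin, "4821")]),
        gate.handle_call("555-0199", [(5, pin, "0000"), (9, pin, "0001"), (14, pin, "0002")]),
        gate.handle_call("555-0199", [(5, pin, "4821")]),
        gate.handle_call("555-0101", [(300, pin, "4821")]),
    ]
    before = gate.pins_to_review()
    for number in ("555-0141", "555-0142", "555-0143"):
        results.append(gate.handle_call(number, [(5, pin, "1111"), (9, pin, "2222")]))
    return results, before, gate.pins_to_review()


if __name__ == "__main__":
    print(run_constructed_calls())
```

The third constructed call shows the cost of blocking by number: once a number is refused, a caller with the right PIN and password is turned away from that phone as well and has to call from another.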
No system is perfect and all systems are open to abuse. Every system is a compromise between secrecy versus accountability and the ability to audit the system; but we are convinced that a telephone voting system fulfills the criteria of a model voting system as well as, if not better than, most; and it is more cost efficient and the best choice for an organization like our own with limited resources and limited access to public institutional election processes and data resources. This being said, let us now look at the Internet voting system that we are proposing and see how it works in conjunction with a telephone voting system to create an easily accessible, leading edge, voting process that is both secure and efficient.

The Internet Voting System

How does it work?

Registration

Registration will be done much as it has been done in the past through registration campaigns where qualified voters can register at easily accessible public registration tables or through door-to-door and sidewalk solicitation. In every instance the registrant will have to verify his or her name and address and qualifications to vote. Even though updating and purging registration rolls could be done by phone or Internet once the voter is registered, purely electronic or telephone voter registration would be dangerous because it might enable a third party to fraudulently register a large number of people using publicly available “phonebook” databases. If we were to allow Internet, telephone, and mail-in registration, the registration would have to be followed up by a face-to-face visit to the home of the registrant to confirm identity.

Personal Identification Number (PIN) and Password

The member/registrant will be sent by mail his or her personal identification number (PIN) and password.
The Internet voters will be given this password so that they can vote by telephone if they change their mind about voting by Internet or their Internet connection becomes dysfunctional for one reason or another. For Internet voting they will make up their own password when they vote so that they can verify their vote with the Vote Checker. Upon receipt of the PIN and password, the voter will go to The Center’s Internet site, link to the registration page, enter his or her PIN, confirm his or her initial registration information, and then enter his or her own individual password that they make up for Internet voting when they submit their vote. When the voting is completed and the votes have been tabulated, this password and the voter’s PIN can be used to verify with the Vote Checker that their vote had been properly recorded.

The Voting Period

So as to lessen the burden on the phone lines, avoid denial of service attacks, and give every voter easy access to the voting process, voting will be conducted for twenty days.

Free and Easy Access

The voter can link to the voting site from their own personal computer or computers available at public institutions such as libraries and schools. We could also set up kiosks in easily accessible public areas such as malls. The easy access of Internet voting is particularly helpful to the elderly and the handicapped, but it is also very popular with young voters and eliminates the need for an absentee ballot altogether.

What Happens When the Voter Links to The Center’s Internet Site?

When the voters link to The Center for True Democracy’s Internet site, they will first be asked to indicate in what language they wish to read. Once they have selected the language, the voter will be able to access a ballot worksheet and a pamphlet stating the purpose of the initiatives, referendums, or recalls with arguments for and against the proposition written by the supporters and main opposition.
The pamphlet will aid in informing the voter; and the ballot worksheet will help economize on time and clarify the voting process. In addition, everyone will have access to the following:

(1) a complete draft of the proposition or propositions proposed as initiatives, referendums, or recalls,
(2) on-line resources of articles, essays, research papers, and books on the initiative, referendum, and recall process as well as articles, essays, research papers, and books on the main issues involved in the propositions and topics that concern the voters, and
(3) forums and chat-rooms in which the main issues involved in the propositions and topics that concern the voters will be discussed and debated by the population at large.

When the voter is ready to vote, the voter will link to the Vote Here page and enter his or her PIN and password. The system will review the residence of the voter and determine what initiative, referendum, or recall the voter qualifies for and will then present the voter with the options available to the voter. In the type of system that we are considering, the server software serves an applet to the voter’s computer, and the voter can work on his or her ballot on or off-line and complete it at the voter’s convenience. The voter can vote on each or some or none of the propositions; or at any time, the voter can return to the menu for further instructions.

Once the voter makes his or her selections, the system will summarize the voter’s choices and request that the voter confirm the accuracy of the vote. If the voter finds an error, the voter will be able to correct it before the voter finalizes his or her choices. If the voter is off-line, he or she must go back on-line and enter a personal password (ID), like “vote”, before he or she submits his or her vote. When the voter submits his or her vote, the vote will be recorded, and the voter will receive a receipt with his or her PIN.
When the ballot initiative is over, the voter can then go to the Voting Checker on our site, enter his or her ID and confirm whether or not his or her vote was tabulated correctly.

Summary

In many ways Internet voting systems are very similar to telephone voting systems; but in significant ways Internet voting systems have characteristics and qualities that put them in a class by themselves. By putting the voter in the midst of all the links to information and educational resources, discussion groups, and debate forums for the public at large, Internet voting systems create a synergy that connects the voter to the local, state, and national voting process and discourse in a way that no other voting process is capable of doing for the citizen lawmaker. However, Internet voting systems have vulnerabilities that are unique to them, especially when we look at the security of the system. Therefore, we will now look at the Internet voting system from the standpoint of security and how it fulfills the criteria of accuracy, verifiability, auditability, reliability, transparency, and secrecy.

How secure is the Internet voting system?

There are three vulnerable points in an Internet voting system: the home computer, the communications pathways, and the server. Let us look at each point in turn and analyze the potential problems of an Internet voting system and then look at how the type of system that we are considering will secure us against these vulnerabilities.

The Home Computer

The client or home computer is the most vulnerable. The home computer can be penetrated by the use of a delivery system that can send a Trojan horse or a remote control program that can spy on the vote, prevent voters from casting a vote, or change the vote. What makes these attacks so dangerous is that they cannot be detected by security mechanisms such as Secure Sockets Layer and Secure Hypertext Transfer Protocol.
These types of security mechanisms work above the level of the home computer and protect the communication pathways. Antivirus and firewall software are also unlikely to be effective against a Trojan horse or a remote control program because they look for known signatures of malicious programs or known signs of unauthorized intrusions, whereas these kinds of attacks come from unknown sources; or they modify programs and alter the system so as to cause the system to falsely authorize the changes and disable the virus protections. These attacks can come from input media such as floppy or CD-ROM drives, downloads, e-mail, or by exploiting existing bugs and security flaws in such programs as Internet browsers. These attacks can occur without the active participation of the operator of the computer. They can occur through the unintentional download from the Internet of device drivers, plug-ins, and applications or ActiveX controls associated with the pages the operator of the computer visits. Even the simple viewing of a message in the preview screen or an e-mail could trigger the execution of an attachment. Once the Trojan horse has penetrated the system, it can be activated at any time, either by remote control or a timer mechanism or through detecting certain events on the computer.

Basically, we can reduce these kinds of attacks to two kinds of viruses that we need to worry about. The first is where the virus doesn’t care if it gets discovered. These viruses are most likely to be designed to cause voter disenfranchisement. They break the voter’s machine or try to point the voter’s computer to a fake site. The second type of virus is the covert operation that attempts to change the voter’s vote or subtly invalidate it if the voter does not vote the right way. The covert virus is a greater risk to the integrity of the voting process than the visible virus that doesn’t care if it is discovered.
The visible virus is easily detected, and the long voting period (twenty days) makes it difficult for this type of virus to disrupt the voting process. The second form of virus, the covert virus, is not as big a threat as it seems. It is very difficult to write and deploy the covert virus because of technical and time constraints and the fact that if any voter anywhere discovers it, the game is up.

There are two additional safeguards against an attack by this type of virus. One, the applet that the server software serves to the home computer can run off-line. The applet renders the ballot and determines what ballots the voter qualifies for. If the voter is off-line while they are voting, it eliminates the most likely and most dangerous form of attack, the remote live observer/manipulator. Two, the server and applet software that runs the voting system are made up new for every voting cycle, which means that the intruder has twenty days to come up with the virus that can attack the applet and can be applied to each of several JVMs and each of many possible browser versions; and, at the same time, it has to propagate undetected by the thousands of honeypot machines waiting to catch the virus.

Communication Pathways

The communication pathway between the home computer and The Center’s main computer can also be compromised by a denial of service attack, which involves the use of one or more computers to interrupt communications between the home computer and server by flooding the target with more requests than it can handle. A refinement of this sort of attack is a distributed denial of service in which software programs called daemons are installed in many computers without the knowledge of the owner of the home computer; and it can be activated by the means referred to earlier in the discussion of Trojan horses. Once activated the daemon can access the bandwidth of many computers and flood the communications pathways.
We minimize the vulnerability of the system to being flooded with more traffic than the server can handle by a long voting period of 20 days; and, if for some reason the Internet pathways are jammed, all the voter would have to do is pick up the phone and dial the toll-free number of the voting center and cast his or her vote by phone.

The Server and Election Administration

Viruses and Trojan horses can attack the mainframe computer in the same way that they attack the home computer, and the voting administrators or any person responsible for supervising the vote may try to corrupt the system or collude with one another to manipulate the vote; but of all the points at which the system could be attacked, The Center’s mainframe computer is the least vulnerable. We only need to look at the amount of Internet commerce being conducted today to see that Secure Sockets Layer and Secure Hypertext Transfer Protocol, along with encryption programs used for credit card transactions and stock and bank transactions, provide a secure means for transacting business on the Internet.

However, there is one important difference between Internet commerce and voting on the Internet. In Internet commerce the parties to the transaction can identify one another and confirm the accuracy of the transaction. When we vote, we are accustomed to having our identity kept secret. Given the fact that studies have shown that 60% of the voters don’t care if their vote is secret or not, we have decided that the way around the security problems of an Internet voting system is to create a means by which the voter and his or her vote can be identified for the purposes of auditing the vote for accuracy and authenticity. The Voting Checker that we discussed earlier accomplishes this. The voter’s vote remains encrypted and secret at all points, unless the voter finds that there is an error in the tabulation.
Then the voter can alert the administrators of the ballot initiative, and the administrators can audit the vote and compare the ballot number to the voter’s receipt.

As for the possibility of corruption within the voting administration or by any person responsible for supervising the vote, we have many safeguards. First of all, the type of system that we are considering is not a black box system with proprietary coding. The server and applet software that controls and operates the vote are both open architecture and can be audited. In addition, the password the voter uses to access the Voting Checker remains in the applet on the voter’s home computer, and there is no way the server can access it and fake the results or the recording of how the voter voted in the election.

Finally, and most importantly, to secure the integrity of the administration of the voting process, a five-member Board of Trustees will supervise our voting process. The members of the board will be elected by a popular assembly of our members who were elected through a proportional representation system of voting. Much like a proxy vote, each representative will represent as many votes as they received. The five members of the Board of Trustees will also be elected through a proportional representation system of voting; but, unlike the representatives to the popular assembly, their vote on the board will not represent the number of members who voted for them. Each member will have one vote and any single member of the board can call for an audit. We are convinced that, in this way, we can ensure the broadest representation of all parties involved and thereby secure a fair, accurate, and honest election.

In conclusion, we are convinced that with the system that we are proposing, the benefits of an Internet voting system outweigh its limitations.
In addition, at the same time that we are benefiting from the synergy of Internet voting, its convenience and accessibility to the aged and handicapped, its appeal to the young voter, and its capacity to reduce the cost of slow mail, we can also advance the technology and function as a laboratory for freedom and democracy.

Copyright Marcello Tino 2000I
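
The Voting Checker idea from the Internet voting section (a password that stays on the voter's computer, a receipt, and a later check that the recorded vote is the one cast) is sketched below as an added Python example that is not part of the proposal and not the system it describes. It assumes a keyed tag (HMAC with a PBKDF2-derived key) and a random ballot number on the receipt in place of the PIN; all function and class names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets
from collections import Counter

KDF_ROUNDS = 200_000  # assumed work factor; slows guessing of the voter's password


def ballot_tag(password, ballot_number, choices):
    # The key is derived from the password, which never leaves the voter's computer.
    key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              ballot_number.encode(), KDF_ROUNDS)
    message = json.dumps({"ballot": ballot_number, "choices": choices},
                         sort_keys=True).encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def cast_ballot(password, choices):
    """Applet side: returns (submission sent to the server, receipt kept by the voter)."""
    ballot_number = secrets.token_hex(8)  # random, carries no voter identity
    submission = {"ballot": ballot_number, "choices": dict(choices),
                  "tag": ballot_tag(password, ballot_number, choices)}
    return submission, ballot_number


class TallyServer:
    """Hypothetical vote store: sees ballot numbers, choices and tags, never passwords."""

    def __init__(self):
        self.records = {}

    def accept(self, submission):
        self.records[submission["ballot"]] = {"choices": dict(submission["choices"]),
                                              "tag": submission["tag"]}

    def publish(self):
        # Published after the polls close so every voter can run the checker.
        return {b: {"choices": dict(r["choices"]), "tag": r["tag"]}
                for b, r in self.records.items()}


def tally(published):
    # Anyone can recount from the published table.
    counts = Counter()
    for record in published.values():
        for proposition, choice in record["choices"].items():
            counts[(proposition, choice)] += 1
    return counts


def check_vote(published, receipt, password):
    """Vote Checker, run by the voter: returns ('ok', choices), ('missing', None)
    or ('mismatch', None)."""
    record = published.get(receipt)
    if record is None:
        return ("missing", None)
    expected = ballot_tag(password, receipt, record["choices"])
    if hmac.compare_digest(expected, record["tag"]):
        return ("ok", record["choices"])
    return ("mismatch", None)
```

Because the key comes from a human-chosen password, a published tag can be tested offline against guessed passwords; the iteration count only slows that, so the scheme depends on voters choosing long passphrases.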
How much will it cost us to set up, maintain, and operate our Internet and telephone voting system?

Part Four The Center for True Democracy (607)273-3644 19 Baker Hill Road Townhouse Number Eight Freeville, New York 13068 mtino@twcny.rr.com