Modern Voting Essentials The Tour >
More Security Enabled by Transparency and
Verifiability in the Registration and Voting Process
BACKGROUND
The story begins with work completed with the Institute of Electrical and Electronics Engineers (IEEE) and United States Patent and Trademark Office (USPTO). The registered USPTO MetaProject-3V[TM] service plan complements the ratified IEEE 2418.11[TM] e-Voting standard, by providing education and consulting services for more security in modern voting ecosystems.
The USPTO registers patents, trademarks, and service marks in the United States. The IEEE) is a worldwide professional organization "... dedicated to advancing technology for the benefit of humanity." The IEEE Standards Association (SA) develops guides, recommended practices, and standards based on a rigorous review process. That IEEE SA process has created over 1000 active standards including Wi-Fi and e-Voting, and formal views of IEEE are in their valued products and services.
Clarity
Modern voting enables more security than traditional methods with transparency and verifiability in the registration and voting process, while protecting the identity of anonymous voters. There are no secrets in modern voting. Secrets can hide malicious activity. Trust in modern voting is achieved with evidence of verified valid registrations and voting, and detection of suspicious activity for investigation. In contrast, security in traditional voting is typically achieved by questionable verification of signatures at a polling location or on mail-in ballot envelops, with little or no transparency or verifiability in the registration and voting process.
Genius of MetaProject-3V and e-Voting
"Meta" represents an ecosystem with many interconnected parts that can be tailored for worldwide applications. "Project" is a reference to the Project Authorization Request for e-Voting that was approved by IEEE SA in year 2022. "3V" is the application of Web 1 thru Web 3 security technologies to paper or electronic voting. Those security technologies include Web 1: a) Media Access Control (MAC) codes in every device that communicates over Wi-Fi, and b) email with to@system; Web 2: web browsing with https, and Web 3: a) distributed ledger technologies (DLT) with transparent ledgers of cryptocurrency transactions between wallets, and b) wallet addresses that do not reveal the identity of sender or receiver of that transaction. More details on the transparent ledger for modern voting is in the FRAMEWORK PDF above.
How it Works
Registrations. Security is based on registration of voting materials and voters, that enables transparency and verifiability in a modern voting process. Voting materials include at least ballot materials and voter ID card materials that have unique identification (UID), with NO record or cross-reference to the identity of the voter or how that person voted. Registration of voting materials is like a serial number on a dollar bill that can be used to detect counterfeits. Registration of voting materials is very different than registration of voters. Registration of voting materials is a unique way to verify valid data and detect suspicious activity, and to help keep registered voters and how they voted anonymous. More details on the registration process are in the REGISTRATION AUTHORITY PDF above.
Phase-In. Beginning with paper-based modern voting, simplified security codes can be used to represent marked ballot sources such as an original marked ballot (e.g., SCo), the ballot received at a collection location (e.g., SCr), and the ballot that was recorded for counting (e.g., SCc). A marked ballot collected for counting would be valid when the ballot is registered, not duplicated, security codes exist and are the same; and the ballot was marked by a registered voter that voted only one time. Otherwise, the ballot would be suspicious and investigated. Examples for use of security codes are in 4.c) below. More details are in the PHASE-IN PDF above. More details for the end game of phase-in, would be with transparent records on an electronic DLT with examples in the CHAIN OF CUSTODY PDF above.
Public and Private Databases. For verification in paper-based modern voting, UIDs are used to register voting materials. Examples would be a UID for each Voter ID cards and each ballot material, where the UID keeps voters and how they voted anonymous. Also there is no record or cross-reference between a Voter ID card and its UID, other than what each voter keeps with their private password and voting records. Valid transactions can be recorded in a public database, that could be a paper or electronic ledger, where voters and how they voted would be kept anonymous. Suspicious transactions can be recorded in a private database that is viewable by publicly selected voting and election officials for further investigation for errors or fraud.
Detection and Compliance. Hacking may not be preventable but modern voting provides detection methods to separate valid ballots that are counted from suspicious ballots and activity that is investigated. Also, to make sure the process operates in a proper way, a compliance process would certify the process for material and voter registrations, and how registered marked ballots are confirmed as valid for counting or suspicious for investigation. More on five security certification levels are in the Terms of Use below.
Points of Failure
Traditional voting systems can have points of failure that enable bad actors to rig elections. The purpose of modern voting is to detect and investigate those points of failure, with paper or electronic security methods that are transparent and verifiable.
Points of failure include at least: unqualified voters, fake ballots, duplicated ballots, deleted ballots, and unauthorized changed ballots. Other points of failure may also be identified, and the examples below can serve as a template on how to address those points of failure.
A. Unqualified Voters. Voting roles must be maintained to remove unqualified voters, or voters that have moved or died. Voting and election officials would apply laws and regulations to potential voters when they register to vote. Qualified voters would have a Voter ID card that includes a Unique IDentification (UID) that represents the card material and not the voter--so the voter remains anonymous in a public audit and database. Voters without a Voter ID card or a card with a missing or invalid UID, would be referred to officials for investigation for possible errors or fraud.
B. Fake Ballots. Every ballot must have a UID that represents the ballot material and not a voter or marked votes on the ballot. That UID would be coded to represent a unique voting event, time, location, type UID, and index, as described in the REGISTRATION AUTHORITY pdf above. When the UID on a ballot is missing or not correct for the event, that ballot is not usable or counted, and would be investigated by voting and election officials for possible errors or fraud.
C. Duplicated Ballots. Uncertified or unapproved methods of harvesting, collecting, or recording ballots for vote counts can result in duplicated ballots. Every ballot must have a UID that represents the ballot material and not the voter or how voted. That UID can be used and recorded only one time, and cannot be duplicated. Otherwise, all ballots that use the same UID would be suspicious, not counted, and investigated by voting and election officials for possible errors or fraud.
D. Deleted Ballots. Unintentional errors or intentional fraud at postal, collection, or recording locations can result in deleted ballots. The voter can check if their ballot was received using traditional methods, and if not received the voter can report their missing and possible deleted ballot to officials for investigation. Alternatively, if the voting data is recorded in a public database, each voter would have a unique and private method to check if their data is securely coded in that database. See 4.c) below for examples of valid and suspicious database records.
E. Unauthorized Changed Ballots. A public audit and database would include received and recorded ballots for counting, using security codes that represents and protects the contents of marked ballots. That public database can be checked by voters or secure automated processes for missing, valid, or suspicious contents, including unauthorized changed (or deleted or duplicated) ballots. When that occurs, voting and election officials would be alerted to investigate for possible errors or fraud. See 4.c) below for examples of suspicious database records.
Security Codes
Electronic security codes, such as Secure Hash Algorithms (SHA), are defined by governments or private entities. They are a fixed length string of characters that can represent variable length text, or contents of a letter, spreadsheet, or marked voting ballot. For paper based voting, simplified security codes such as SCx defined above and in examples below can also be used until modern electronic methods for voting are applied.
SCr could represent the received ballot, and SCc the ballot that was recorded for counting. When either of those codes is missing or not the same for a particular ballot, the marked ballot would be suspicious and reported to election officials for investigation. SCo, representing the original marked ballot, could also be available for cross checking when a most secure form of voting is used as described in 3.c) below.
Access to Records.
Records in a public audit and database would be coded in a way that keeps voters and how they voted anonymous. For example, UIDb can represent a marked ballot material and UIDc can represent a Voter ID card material. Security codes SCo, SCr, SCc can represent the contents of the original, received, and recorded for counting marked ballot, respectively.
The voter would be able to check the database using their UIDb and UIDc for their ballot material and Voter ID card material. If the ballot record is missing or the security codes do not match, the voter could report the suspicious activity to voting and election officials for investigation.
Automated processes could also audit the database records in real-time, and alert officials for any suspicious registration or voting activity in real-time when it occurs, and not days or months after voting completes.
Maintenance, Compliance, and Registrations
Proper maintenance of voter roles and voter ID can help identify qualified voters. However, having qualified voters is not enough to assure transparency and verifiability in a process where voters remain anonymous. That requires a public method for UID registrations for both voters and voting materials.
Compliance certified UIDs from a Registration Authority would enable evidence: a) to verify that each counted ballot was properly registered and not duplicated, deleted, or changed, b) was marked by qualified registered voter that voted only one time; c) detects suspicious voters or ballots for investigation, curing, and/or adjudication, and d) assures that qualified voters and how they voted remains anonymous .
Paper and electronic methods for voting can be effective in providing transparent and verifiable voting results. Electronic methods can be more efficient than paper methods for large voter populations with short intervals for voting.
Voting and election officials for a voting county, state, or area could best decide the appropriate choice(s) for voters. Paper methods, for example, could be most appropriate for a small town with limited Internet capability. For an area with a large voter population and short voting interval, an electronic method or a mix of paper and electronic methods for voting could be most appropriate.
With the choice of most security with an electronic method for voting as described in 3.c) below, detection of a suspicious marked ballot confirmed to be fraudulent, could also enable the capability to identify the source of that fraudulent ballot with a legal subpoena process.
Funding
Funding for voting and elections comes primarily from tax money, with possible contributions from stakeholder or private sources when that does not cause bias in outcomes. Voting and elections are as important as defense, education, health and welfare, and depending on election outcomes can determine how those areas are funded.
ENABLEMENT
Going forward, the social transformation to modern voting includes:
Unique Identities
1. Unique IDentities (UID) for registered voting materials, equipment, and facilities. UID for ballot materials, for example, would be similar to unique serial numbers on paper money that enables counterfeit detection, address keys on billions of cryptocurrency wallets that are like banks, and unique Media Access Control (MAC) codes that enables Wi-Fi in worldwide devices that communicate.
Unique identities that are essential for finance and communications, are also essential to verify qualified voters and valid ballots for vote counts, and detect suspicious registration and voting activity for investigation.
Features
2. More Security begins with evidence of who, when, and what had custody of ballots, and is enhanced with verification of valid ballots for vote counts and detection of suspicious voting activity.
a) Chain of Custody includes evidence of custody of ballots from creation, to
registration, to distribution, to marking, to collection, to received, to
recorded for counting, and to final disposition.
b) Verification of valid vote counts is performed with evidence that counts
were based on registered ballots that had a valid source and were not
duplicated, and were marked by qualified registered voters that voted only
one time.
c) Detection of suspicious voting activity occurs when voting materials or
voters are not properly registered; a valid registered ballot is not marked by
a qualified registered voter; a registered voter marks a ballot that is not
properly registered; a registered ballot is changed, deleted or duplicated
after being marked by a registered voter and without the voter's
authorization; a registered voter marks more than one ballot and votes
more than one time; there are missing links in the chain of custody of a
ballot from creation to final disposition; or an audit cannot be reproduced
when the same group of time-stamped valid ballots are re-counted.
Suspicious ballots are investigated and not counted unless cured or
adjudicated as valid.
3. More Choices and Efficiency for voters would be specified by voting and election officials that provide a secure process as in 1 and 2 above. At registration, a voter would choose how to vote from what is available. That choice could include voting with a paper or electronic method; at a polling place, home, work, travel, or military location; and with good, better, or most security as described below.
a) Good Security improves on traditional anonymous voting with a paper
ballot. This default method provides evidence, with a manual or electronic
process, that each counted ballot was registered and not duplicated and
was marked by a qualified registered voter that voted only one time.
Otherwise, the ballot is suspicious and investigated as in 2.c) above.
b) Better Security is anonymous voting with a paper ballot as in 3.a) above
with electronic authentication. The voter with a computer or smartphone, or
other official secure electronic process, can authenticate with a secure code
(i.e., SHA-384 or better) representing a marked registered ballot that was
received and then recorded for counting, are the same and were not
deleted, changed, or duplicated. Otherwise, the ballot is suspicious and
investigated as in 2.c) above.
c) Most Security is pseudo-anonymous voting and authentication with an
efficient electronic method. A marked registered ballot is counted when the
voter (or security process) authenticates that coded forms of the original
marked, received, and recorded ballot are the same and were not changed,
deleted, or duplicated. Otherwise, the ballot is suspicious and investigated
as in 2.c) above.
4. Databases that provide public records of valid results and private records of suspicious activity as follows:
a) Public Database with valid results including cured or adjudicated
unintentional errors, with data available to the public after voting has
completed.
b) Private Database with suspicious activity such as possible invalid
registrations, ballots, or other suspicious voting materials, equipment, or
facilities; possible fraud forwarded to authorities, or data archived for
continued investigation.
c) Examples for 3.a-c) above, are provided for public and private databases
that does not reveal voter identity or how they voted. Each record content
includes coded data, with examples for the first record in the public
database:
Database Index (A001), Type Security a, Ballot UID (B12), Voter ID
Card UID (C34); Original Ballot security code (SCo=blank unless Type
Security c, Received Ballot security code (SCr=ABC: from postal mail or
collection box), Recorded Ballot security code (SCc=ABC: for counting);
and Authentication (Valid: by voter or process).
Also included in each record, but not shown in the examples below are
Voting Event ID, Date, Time, and Location codes; and suspicious examples
when any of the Event, Date, Time, or Location code is/are not correct.
Public Database: (Authenticated valid ballots for vote counting)
A001,a,B12,C34;___,ABC,ABC;Valid (one ballot, one voter, voter authenticated)
A002,b,B74,C89;___,DEF,DEF;Valid (one ballot, one voter, process authenticated)
A003,c,B23,C56;___,LMN,LMN;Valid (one ballot, one voter, process authenticated)
A004,c,B34,C67;PQR,PQR,PQR;Valid (one ballot, one voter, voter authenticated).
. . .
Private Database: (Suspicious ballots for investigation, votes not counted)
Y001,a,B47,C92;___,KLM,RST;Suspicious (ballot changed)
Y002,a,B47,C22;___,STU,LMO;Suspicious (one ballot, two voters)
Y003,a,S39,C47;___,GHI,GHI;Suspicious (invalid ballot UID)
Y004,a,B92,C14;___,___,YZA;Suspicious (no received ballot)
Y005,b,B18,K27;___,MNO,MNO;Suspicious (invalid Voter ID card UID)
Y006,b,B62,K27;___,NOP,NOP;Suspicious (two ballots, one voter)
Y007,b,A58,D71;___,QXY,ZAB;Suspicious (invalid ballot and Voter ID card UIDs)
Y008,b,B72,C64;___,STU,___;Suspicious (no recorded ballot)
Y009,c,B89,C12;EFG,EFG,XBZ;Suspicious (recorded ballot changed)
Y010,c,E27,C29;BCD,BCD,BCD;Suspicious (invalid ballot UID)
Y011,c,B75,Q38;FGH,FGH,FGH;Suspicious (invalid Voter ID card UID)
Y012,c,B45,C78;GHI,GHI,___;Suspicious (no recorded ballot)
Y013,c,B15,C34;JKL,JKL,JKL;Suspicious (duplicated ballot)
Y014,c,B15,C34;JKL,JKL,JKL;Suspicious (duplicated ballot).
. . .
5. Transparency and Verifiability in modern voting ecosystems are enabled with the above four steps. An example of recorded activity for 4.a) above, describes how valid ballots are counted and becomes a permanent, transparent and verifiable record, similar to confirmed transactions on a Blockchain or equivalent explorer.
a) For the Public Database record A001 and ballot B12, there would be an
associated Comma-Separated Values (CSV) record of ballot vote content
along with a counter for each candidate (CA1, ..., CAm) and proposition
(PR1, ..., PRn) on that ballot.
b) For each candidate and proposition in real-time and thereafter, vote counts
are updated only when valid registered ballots are recorded for counting. A
compliance process would certify that ballots that have been counted and
would be tagged as such. Related vote counts cannot be changed
except for a new valid registered ballot (with associated CSV and security
codes} with candidate and proposition votes that have not yet been
counted.
c) To observe those vote counts, associated counter IDs for CAx, x = 1, ..., m
and PRy, y = 1, ..., n are used to view what is on a transparent ledger.
d) What's different from the traditional voting process (that shows total vote
counts without sources) is the permanent and transparent record of total
vote counts along with verifiable ballot sources as in 2.b) and 4.c) above,
and 5.e) below.
e) The original paper or electronic ballots and related summary and code data
can be preserved as long as required by applicable laws and regulations,
with a default of indefinite archival storage.
Ecosystem
6. Real-time Audits for verification of valid and suspicious voting activity.
7. Process Tailoring for voting in worldwide countries or administrative sub-
divisions such as states or counties in the USA or equivalent areas in other
countries .
8. e-Voting Alliance would be patterned after the Wi-Fi Alliance that supports
governments and stakeholders who fund, plan, build, test, operate, administer, and maintain deployed systems, and provide:
a) Proofs-of-concept, compliance certifications, chain of custody of
materials, and payment records.
b) Registration of voting materials, equipment, facilities, and support
personnel.
c) Voting data including Ievent D, date, time, location, number of registered
voters, and possible voting choices.
d) Phase-in that could begin with a secure paper manual process and
continue to a long-term process with choices for voting that includes
efficient electronic methods.
e) For each voting event, transparent records that includes the source of vote
counts for each candidate and proposition.
9. Roadmap for phase-in of above capabilities, and governance of ongoing
enhancements with efficient, effective, user friendly, proven sources and methods, and quantum or post-quantum technologies.
Support
10. Support and Services. For educational support or technological consulting services, provide requirements and schedules to:
John Wnuk, Co-Founder and CTO,
Terms of Use
Terms of Use are specified on pages 3-6 of the ratified IEEE 2418.11 standard. Beyond that standard, Terms of Use would be specified in separate contract(s) with an e-Voting Alliance, SJW SmarTech Consulting, LLC, or equivalent.
The MetaProject-3V website is provided to help plan, build, test, certify, deploy, operate, administer, and maintain ecosystems that comply with the e-Voting standard. It is a personal interpretation of one way to implement e-Voting, and is not part of that standard. In that interpretation, voting security (votsec) would have five certification levels as defined below:
1. Most Security as in 3.c) above.
2. Better Security as in 3.b) above.
3. Good Security as in 3.a) above.
4. Phase-In Security as in the PDF above.
5. Traditional Security, without registration of voting materials, as would
typically exist in the reader's home voting area.