Market
- global: any jurisdiction wanting to hold an election
- watchdog organizations: location independent.
- All languages contained on ballot
Key Differentiators
- Cheap, secure and easy to use
- Very low total cost of ownership
- Very low margin of error
- Votes on CD instead of paper
- more reliable, durable and less costly
Current Solutions ( proprietary, high margin )
- Incorporate Hardware and Programs
- Ballots encoded by their Programs
- Ballots counted by their Programs
- ( bundling )
Our Solution (open, low margin)
- Separated Hardware from Programs
- Separated Programs from Ballots
- Made Software Free
- Nothing Proprietary
How it works
- Voter inserts key and selects language
- Voter is prompted through ballots one Item at a time
- Voter is presented with a summary screen and asked for verification
- Vote record is written to CD
- Vote record is reread from CD and summary screen reshown
- If voter chooses to change something then
  - a nullification record is written to the CD
  - Voter recasts ballot
- Voter withdraws key from machine and returns it to poll worker
The Vote CD
- Blank CD is inserted in machine at boot
- CPU_ID and software signatures written to CD
- All records written as ASCII text
- Balloting log consists of Ballots and nullification records
- Any finalization records written when machine is shut down.
Hardware
- tablet pc with 2 CDs 1 SD and Audio I/O
- no data comm
- no hard drive
- Fast Chip not necessary
- small RAM OK
tablet computer
- no writable internal permanent storage
- no motherboard battery
- ROM (minimal BIOS)
- commodity chips
- CPU/RAM/AGP/Audio/IDE (pre-vetted by market)
- CD reader (only bootable device)
- CD writer (for recording votes)
- SD card reader for key
- No connectivity ports
- simple layout
- easily opened for tamper verification
- folding plastic privacy screens
- power supply
Software Development
- Open Source
- Internet project management
- (SourceForge.net)
- Existing open source components
- (Linux kernel, X11, Grub)
- Configuration Management ( reproducibility )
- CVS, subversion
Secretary of State
- Assembles, Certifies and Signs software bundle.
- Composes and signs state-wide ballots
- Makes software and ballots available for secure download
County Election Officer
- Pull Voting Software bundle from state
- pull state-wide ballots from state
- compose ballots for local jurisdictions
- compose voting machine boot CD
- allocate voting machines to precincts
- allocate voting machine keys to precincts
- assemble precinct package
precinct package
- voting machines
- voting machine keys
- boot CDs
- vote keys
- ( rest of stuff like voter lists ...)
Voting machine Boot CD
- digitally signed Voting Software
- digitally signed State Ballots
- digitally signed Ballots for local jurisdictions
- CPU_IDs of machines assigned to precinct
- key IDs of key SD cards assigned to the precinct
software (on bootable CD)
- boot loader with (kernel/ballot) signature and CPU_ID validation
- minimal linux kernel
- required device drivers only (touchScreen, CD, SD)
- globalized vote application (SourceForge.net managed project)
- i18n ballot XML schema and composition application (SourceForge.net project)
- includes all sample ballot and voter pamphlet materials
What's new
- BIOS: boot CD signature verification
- application: completely new SourceForge.net project
- boot loader with ballot, CPU_ID and kernel signature validation
Voting Software
- BIOS
  - CPU_ID && Boot Loader signature verification
- Boot Loader
  - Grub extended for software signature verification
- Linux Kernel
- X11
- Voting Application
Ballot XML
    <Ballot jurisdiction="Oakland City">
      <Item title="Measure A - Fire Bond" type="boolean" />
      <Item title="Office of Mayor" writein="yes">
        <Choice>Ignacio De La Funtes</Choice>
        <Choice>Ron Dellums</Choice>
      </Item>
    </Ballot>
- Choice Attributes: profession, current job
- Item Attributes: title, type: boolean | radio | multichoice
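A loader for the ballot format above that rejects malformed items and checks a voter's selection against an item. This is an added example, not code from the project. It assumes that an Item without a type is a radio item, that boolean items take the values yes/no, and that an empty selection is an undervote; the function names are hypothetical. It also assumes the ballot's signature was verified before parsing.

```python
import xml.etree.ElementTree as ET

ITEM_TYPES = {"boolean", "radio", "multichoice"}  # the page's Item type list

# The page's sample ballot, used here as test input.
SAMPLE_BALLOT = """\
<Ballot jurisdiction="Oakland City">
  <Item title="Measure A - Fire Bond" type="boolean" />
  <Item title="Office of Mayor" writein="yes">
    <Choice>Ignacio De La Funtes</Choice>
    <Choice>Ron Dellums</Choice>
  </Item>
</Ballot>
"""

def load_ballot(xml_text):
    """Parse a ballot into {title: item}; raise on invalid structure."""
    root = ET.fromstring(xml_text)
    if root.tag != "Ballot" or not root.get("jurisdiction"):
        raise ValueError("root must be <Ballot jurisdiction=...>")
    items = {}
    for el in root:
        title = el.get("title")
        if el.tag != "Item" or not title or title in items:
            raise ValueError("ballot children must be uniquely titled <Item>s")
        kind = el.get("type", "radio")  # assumption: untyped items are radio
        choices = [(c.text or "").strip() for c in el.findall("Choice")]
        writein = el.get("writein") == "yes"
        if kind not in ITEM_TYPES:
            raise ValueError(f"{title}: unknown type {kind!r}")
        if kind == "boolean" and (choices or writein):
            raise ValueError(f"{title}: boolean items take no choices")
        if kind != "boolean" and not (choices or writein):
            raise ValueError(f"{title}: no choices and no write-in")
        items[title] = {"type": kind, "choices": choices, "writein": writein}
    return items

def selection_ok(item, picks):
    """Check one selection (list of strings; empty list = undervote)."""
    if item["type"] == "boolean":
        return picks in ([], ["yes"], ["no"])  # assumption: yes/no values
    if len(set(picks)) != len(picks):
        return False                            # same choice picked twice
    if item["type"] == "radio" and len(picks) > 1:
        return False                            # overvote
    # Anything not on the printed list is a write-in: at most one, if enabled.
    extra = sum(1 for p in picks if p not in item["choices"])
    return extra == 0 or (item["writein"] and extra == 1)
```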
Software to make a boot CD
- Inputs:
- CPU_IDs of machines to be used at precinct
- kernel and election software
- ballots
- key card IDs
- Outputs:
- boot loader with the CPU_IDs it is valid for
- kernel and device drivers
- signed ballot software with X11 support libraries
- signed ballots
Security
- openness: anyone can audit all software
- commodity: all HW is pre-vetted by years of ubiquitous use
- boot CD digital signature verifiable by BIOS
- boot CDs pressed by local election authorities
- digitally signed authorized downloadable software (state level: article II)
- digitally signed jurisdiction ballots
- digitally signed CPU_ID set for this CD
- log CD header written at boot, closed at shutdown
- logs written to write-once media
- logs stamped with CPU_ID
- logs stamped with key
- key verifiable by bootCD software based on precinct's CPU_ID set
- log read after write allows voter to nullify and recast vote
- log vote and nullification records written directly to log
- log nullification record immediately follows vote
- log human readable on any computer with CD and text editor
- log is tamper resistant
- log is durable
- signed log files can be posted to internet
Vote counting and Ballot composition software
- Can be done using ASCII text editor
- Easy to write
- Easy to write audit programs
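An audit program of the kind described, as an added example that is not code from the project: it reads a vote log, checks the CPU_ID and key stamps against the precinct's sets, enforces that a nullification record immediately follows the vote it cancels, and tallies what remains. The page does not define the record layout, so the pipe-separated format, the record names (HEADER, VOTE, NULLIFY, FINAL) and the sample log are assumptions constructed for this example.

```python
from collections import Counter

# Constructed sample log. The page says only that records are ASCII text
# stamped with CPU_ID and key; this pipe-separated layout is an assumption.
SAMPLE_LOG = """\
HEADER|CPU-0001|sw-signature-placeholder
VOTE|CPU-0001|KEY-07|Measure A - Fire Bond=yes|Office of Mayor=Ron Dellums
VOTE|CPU-0001|KEY-07|Measure A - Fire Bond=no|Office of Mayor=Ron Dellums
NULLIFY|CPU-0001|KEY-07
VOTE|CPU-0001|KEY-07|Measure A - Fire Bond=yes|Office of Mayor=Ignacio De La Funtes
VOTE|CPU-0001|KEY-99|Measure A - Fire Bond=no
FINAL|CPU-0001
"""

def audit_log(text, precinct_cpus, precinct_keys):
    """Return (tally, findings); a NULLIFY cancels the record just before it."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("HEADER|"):
        return Counter(), ["line 1: missing HEADER record"]
    findings, ballots = [], []           # ballots: (passed_checks, choices)
    header_cpu = lines[0].split("|")[1]
    cpu_ok = header_cpu in precinct_cpus
    if not cpu_ok:
        findings.append(f"line 1: CPU_ID {header_cpu} not assigned to precinct")
    prev_kind = "HEADER"
    for n, line in enumerate(lines[1:], start=2):
        kind, *fields = line.split("|")
        stamp_ok = fields[:1] == [header_cpu]
        if not stamp_ok:
            findings.append(f"line {n}: CPU_ID stamp differs from header")
        if kind == "VOTE":
            key, choices = "".join(fields[1:2]), fields[2:]
            key_ok = key in precinct_keys
            if not key_ok:
                findings.append(f"line {n}: key {key!r} not assigned to precinct")
            ballots.append((cpu_ok and stamp_ok and key_ok, choices))
        elif kind == "NULLIFY":
            if prev_kind == "VOTE":
                ballots.pop()            # cancel the immediately preceding vote
            else:
                findings.append(f"line {n}: NULLIFY does not follow a VOTE")
        elif kind != "FINAL":
            findings.append(f"line {n}: unknown record type {kind!r}")
        prev_kind = kind
    tally = Counter(c for ok, choices in ballots if ok for c in choices)
    return tally, findings
```

Votes that fail a stamp check are reported in the findings and left out of the tally rather than silently dropped.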
Cost
- software FREE
- very light HW resource requirements
- can use lowest cost items at time of production
- 100s ballots per CD means reduced per ballot handling cost vs. paper
- reduced recount costs
- SD reader $5
- CD reader $5
- CD rw $5
- motherboard: $50 w/CPU (surplus)
- power supply: $20
- RAM: $5
- case: custom; $100k tooling, $.05/unit
- touch screen: ??