Is There an Effective Method in Place to Assure the Accuracy of Ballot Definition Files?
General Reference (not clearly pro or con)
The National Academy of Sciences 2005 report “Asking the Right Questions About Electronic Voting,” included the following description:
“Ballot definition is the process through which the ballot presented to the voter is laid out. It involves aspects such as the font size, graphics, placement and formatting of items, translation into other languages and so on…
Each jurisdiction has different ballot requirements. Even within the same jurisdiction, a number of different ballots may be involved. Ballot design directly affects the ability of voters to understand the issues, recall their decisions, and actually carry out their intentions.” (2005)
The Government Accountability Office (GAO) 2005 report titled “Elections: Federal Efforts to Improve Security and Reliability of Electronic Voting Systems Are Under Way, But Key Activities Need to be Completed,” stated:
“Ballot definition files tell the voting machine software how to display ballot information on the screen, interpret a voter’s touches on a button or screen, and record and tally those selections as votes.
Local jurisdictions can program these files before each election or outsource their programming to a vendor. For touchscreens, ballot information can be displayed in color and can incorporate pictures of the candidates.” (2005)
Aviel Rubin, PhD, Technical Director of the Johns Hopkins University Information Security Institute, included the following description of ballot definition in his paper “Analysis of an Electronic Voting System” (Johns Hopkins University Information Security Institute Technical Paper TR-2003-19, July 23, 2003):
“Before an election takes place…election officials must specify the political offices and issues to be decided by the voters along with the candidates and their party affiliations. Variations on the ballot can be presented to voters based on their party affiliations. We call this data a ‘ballot definition’…The ballot definitions may be distributed [to each electronic voting machine] using removable media, such as floppy disks or storage cards, or over a local network, the Internet, or a dial-up connection…
The ‘ballot definition’ for each election contains everything from background color of the screen and information about the candidates and issues on the ballot to the username and password to use when reporting the results.” (July 23, 2003)
Ellen Theisen, CEO of the Vote-PAD Company, wrote a 2005 paper titled “Ballot Definition Files: No Review Is Provided for a Key Component of Voting System Software,” which stated:
“Ballot definition data is constructed for each specific election and contains all the details about that election…
The ballot definition data is loaded onto all DREs, as well as the machine that performs the final tally…On a DRE, the content of the [ballot definition] file determines the ballot that is displayed on the screen for each voter; it also determines how the completed vote is recorded in the vote database…The tally software uses the ballot data as a ‘key’ when it interprets the content of the vote database and calculates the final tallies…
The ballot definition data is as critical to the operation of the system as the underlying software.” (2005)
Cathy Cox, the Georgia Secretary of State, released a document titled “Multilevel Equipment Testing Program Designed to Assure Accuracy and Reliability to Touch Screen Voting System,” available on the Georgia Secretary of State’s website (accessed Apr. 5, 2006), which stated:
“‘Logic and Accuracy’ testing assures that all candidates and questions for each ballot style in each precinct [ballot definitions] are properly loaded onto the system. Sample votes are cast on the equipment and these totals are verified. Logic and Accuracy differs from [other] rounds of examination because the testing is specific to the exact ballot that will be displayed in a specific precinct on election day.” (Apr. 5, 2006)
Dana DeBeauvoir, Travis County (Texas) Clerk, submitted a paper titled “Prevention of Attack, Not Detection After the Fact: A Note on Risk Assessment and Risk Mitigation” in conjunction with her public testimony before the U.S. Election Assistance Commission on May 5, 2004, which stated:
“Logic and Accuracy (L&A) testing proofs the ballot and proves that the system is properly adding votes to each candidate in the same quantity as the votes were manually entered. The system result is compared to a known set of data and must match.
There is a risk that inadvertently or deliberately a candidate would be left off the ballot or be assigned to the wrong precinct(s). Logic and Accuracy testing confirms that each candidate appears in the proper precinct, including split precincts, and does not appear in precincts outside that candidate’s jurisdiction. L&A testing is the most important tool in confirming that the ballot is correct.” (May 5, 2004)
Sequoia, a manufacturer of electronic voting machines, released a paper on its website on July 30, 2003 titled “Sequoia Discusses Safeguards of Electronic Voting” in response to the Aviel Rubin et al. paper “Analysis of an Electronic Voting System.” The Sequoia article stated:
“The Johns Hopkins researchers argue that if the [ballot definition] can be accessed by Internet connectivity or modem access…the system can be manipulated. The pre-election programming of Sequoia’s AVC Edge [a model of electronic voting machine] is conducted at the election headquarters and secured inside the physical hardware of the machine before it is sent to a polling place.
The AVC Edge also stores all election data, including ballot definition, in redundant memory. The accuracy and content of these redundantly stored files is validated at power-up and again after every single vote is cast. If there is ever a discrepancy, the machine will halt operation.” (July 30, 2003)
Diebold Election Systems, Inc. released a paper titled “Checks and Balances in Elections Equipment and Procedures Prevent Alleged Fraud Scenarios” on July 30, 2003 on its website as a direct response to the Aviel Rubin et al. paper “Analysis of an Electronic Voting System.” The Diebold article stated:
“Rubin et al. allege that ‘by simply changing the order of the candidates as they appear in the ballot definition, the results file will change accordingly. However, the candidate information itself is not stored in the results file.’
This is incorrect. Changing the order of the candidates in the ballot definition would result in a change in the order of the results as well. Candidates would simply be listed in the wrong order on the ballot. It does not matter that the candidates are not stored in the results file. In reality, it is the very fact that the candidate keys are not stored with the results that makes the system immune to such tampering.” (July 30, 2003)
Barbara Simons, PhD, Computer Scientist and Former President of the Association for Computing Machinery (ACM), wrote in her paper “Electronic Voting Systems: The Good, the Bad, and the Stupid,” ACM Queue, Oct. 2004:
“Although critical to elections, BDFs [ballot definition files] are never independently inspected by an ITA [Independent Testing Authorities]. While properly conducted pre-election testing should uncover errors in BDFs, such testing is not routine in many jurisdictions, where state laws merely require that the tests include casting at least one vote for each candidate in each race on the ballot, using each ballot style in use in the jurisdiction.
When errors in BDFs do occur – leading, for example, to votes for one candidate being credited to a different candidate – they can be detected with optical scan voting systems, because anomalous computer-reported results can be discovered through manual recounts of paper ballots. With paperless DREs, however, there is no way to perform such a recount.” (Oct. 2004)
Ellen Theisen, CEO of the Vote-PAD Company, stated in her 2005 paper “Ballot Definition Files: No Review Is Provided for a Key Component of Voting System Software”:
“The ballot definition file is not subject to any certification other than whatever Logic and Accuracy (L&A) testing a jurisdiction chooses to do. Since L&A tests are performed in a different operating mode than actual elections, the ballot data is never subjected to a true field test before the election…
If an error, intentional or accidental, went undetected, the election outcome could easily be both incorrect and uncontested…With so many documented cases of ballot data errors on optical scan machines, it is unreasonable to believe they have not occurred on DREs, yet none have been documented. This is not surprising, since there would be no way to detect a ballot data error without paper ballots.
In response to the warnings of computer experts, many election officials have claimed that their security procedures guard against vulnerabilities. However, security procedures do not guard against the possibility of flawed ballot definition data. Furthermore, since the software underlying the ballot data is a trade secret of the vendor, there is no way for election officials to know precisely how the ballot data is being used.” (2005)
Aviel Rubin, PhD, Technical Director of the Johns Hopkins University Information Security Institute, wrote in his paper “Analysis of an Electronic Voting System” (Johns Hopkins University Information Security Institute Technical Paper TR-2003-19, July 23, 2003):
“If the voting terminals download the ballot definition over a network connection, then an adversary could tamper with the ballot definition file en-route from the back-end server to the voting terminal…[T]he adversary need not be an election insider; the adversary could, for example, be someone working at the local ISP [Internet service provider]. If the adversary knows the structure of the ballot definition, then the adversary can intercept and modify the ballot definition while it is being transmitted. Even if the adversary does not know the precise structure of the ballot definition, many of the fields inside are easy to identify and change, including the candidates’ names, which appear as plain…text.
Because no cryptographic techniques are in place to guard the integrity of the ballot definition file, an attacker could add, remove, or change issues on the ballot, and thereby confuse the result of the election.
More subtle attacks are also possible. By simply changing the order of the candidates as they appear in the ballot definition, the results file will change accordingly. However, the candidate information itself is not stored in the results file, which merely tracks that candidate 1 got so many votes and candidate 2 got so many other votes. If an attacker reordered the candidates on the ballot definition, voters would unwittingly cast their ballots for the wrong candidate.” (July 23, 2003)
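The integrity gap discussed in the statements above can be illustrated with a short added example (not code from any of the quoted papers or vendors). It models a results file that stores only per-position counts and shows how a keyed integrity check on the ballot definition lets a terminal refuse a definition whose candidate order no longer matches the one officials sealed. The JSON layout, the key, and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data; the layout is hypothetical, not any vendor's format.
KEY = b"constructed-demo-key"  # assumption: provisioned out of band by officials
BALLOT = {"race": "Mayor", "candidates": ["Alice Adams", "Bob Baker"]}


def seal(definition, key):
    """HMAC-SHA256 over a canonical encoding; candidate order is part of the input."""
    blob = json.dumps(definition, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def cast(definition, choices):
    """Terminal: record only per-position counts, with no candidate names."""
    counts = [0] * len(definition["candidates"])
    for name in choices:
        counts[definition["candidates"].index(name)] += 1
    return counts


def tally(definition, counts):
    """Back end: interpret positions using its own copy of the definition."""
    return dict(zip(definition["candidates"], counts))


def run_election(terminal_def, tag, choices, check):
    """Terminal optionally verifies its definition before accepting any votes."""
    if check and not hmac.compare_digest(seal(terminal_def, KEY), tag):
        raise ValueError("ballot definition failed integrity check")
    return tally(BALLOT, cast(terminal_def, choices))


def reordered(definition):
    """A copy of the definition whose candidate order differs from the sealed one."""
    return dict(definition, candidates=definition["candidates"][::-1])


if __name__ == "__main__":
    tag = seal(BALLOT, KEY)
    voters = ["Alice Adams"] * 3 + ["Bob Baker"]
    print(run_election(BALLOT, tag, voters, check=True))
    print(run_election(reordered(BALLOT), tag, voters, check=False))
```

A shared-key MAC only helps if the key is kept out of the ballot definition itself and off the distribution channel; it does not replace Logic and Accuracy testing or a paper record, which address errors made before the definition is sealed.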