EDemocracy Pilot - OASIS



Office of the Deputy Prime Minister

e-Vote II

Solution Architecture

Author: Naz Mulla

Last Updated:

Document Ref: PS/ODPM/3027468/HLD/001

Version: Issue 1

Approvals:

|Keith Linfoot, Oracle Programme Manager | |

Document Control

Change Record


|Date |Author |Version |Change Reference |


|01-OCT-02 |Naz Mulla |Draft 1a |Initial Creation |

|10-OCT-02 |Naz Mulla |Draft 1b |Update |

|12-NOV-02 |Naz Mulla |Draft 1c |Update |

|15-FEB-03 |Naz Mulla |Draft 1d |Update |

|18-FEB-03 |Naz Mulla |Issue 1 |RCL093, RCL098 |

Reviewers

|Name |Position |


|Keith Linfoot |Oracle Programme Manager |

|John Abel |Oracle Technical Architect |

Distribution

|No |Name |Location |


|1 |Master Copy |Project Library |

|2 | | |

NOTE To Holders:

If you receive an electronic copy of this document and print it out, you should write your name on the front cover (for document control purposes).

If you receive a hard copy of this document, please write your name on the front cover (for document control purposes).

Contents

Document Control

1 Introduction

1.1 Purpose

1.2 Glossary Of Terms

1.3 Related Documents

2 e-Democracy Process Architecture

2.1 e-Democracy Election Context Model

2.2 Actors

2.3 Election Communication

2.4 Election Administration and Management

2.5 Vote Management

2.6 Electronic Election Count

2.7 Electronic Election Closure

3 Election Architectural Principles and Standards

3.1 Security

3.2 Anonymity

3.3 Accuracy

3.4 Integrity

3.5 System Audit

3.6 Accessibility

3.7 Data Retention

3.8 Election Mark-Up Language Standards (EML)

4 Solution Overview

4.1 Pre-Election Management

4.2 Vote Management

4.3 Front Office Management

4.4 Electronic Election Count and Audit

4.5 Post Election Reports

5 Pre-Election Management

5.1 Overview

5.2 Pre-Election Initial Data Capture

5.3 Event Management

5.4 Credential Management

5.5 Election Official Administration

5.6 Election Registers

5.7 Mark Registers (Postal)

6 Vote Management

6.1 Overview

6.2 Common Services

6.3 Internet, iDTV and Kiosk Channels

6.4 Postal and Paper Votes

6.5 Marked Registers

7 Front Office

8 Voter Support Centre

9 Electronic Count and Audit

9.1 Overview

9.2 Count Access

9.3 Count and Recount

9.4 Audit and Scrutiny

9.5 Reveal Vote

10 Post Election

10.1 Overview

10.2 Survey

10.3 Voting Patterns

1 Introduction

1.1 Purpose

Oracle and the BT Group have formed a consortium to deliver an e-Democracy Election Framework consisting of election services and a technical application for the spring 2003 UK Local Government Elections and subsequent elections within the public sector.

The purpose of this document is to detail the high-level solution architecture for the e-Vote Application from a business perspective. It highlights:

• The e-Democracy Process Architecture;

• The election principles and standards that must be adhered to;

• A high level overview of the e-Democracy Solution;

• A description of the major components of the e-Vote Application.

The non-software solution components (e.g. application support) are not detailed in this document.

The Technical Architecture for the e-Democracy Solution is detailed in the ‘e-Democracy Technical Architecture’ document, ref [1].

1.2 Glossary Of Terms

|Abbreviation/Term |Description |

|REV |Remote Electronic Voting – This is the term CESG use when referring to voting that takes place by electronic means from any location, e.g. Internet, IVR. |

|Voter Authenticity |Ensure voters identify themselves using an agreed method to be entitled to vote. |

|Voter Anonymity |Ensure votes are not associated with the voter’s identity unless warranted under UK election law. |

|Vote Confidentiality |Ensuring that the vote is secret. |

|Vote Integrity |Ensuring that each vote cast is recorded as intended. |

|Personation |The act of fraudulently voting in someone else’s name. |

|SMS |Short Message Service – The method by which short ‘text messages’ are communicated, primarily between mobiles. |

|PSTN |Public Service Telephone Network |

|EML |Election Markup Language – The name given to the XML standards developed by the OASIS XML interoperability consortium for the structured exchange of election data between hardware, software and service vendors. |

|Election Event |The name given to a group of election contests managed by an Election Authority and held over the same period. |

|Contest |The name given to a single election of a specific type, e.g. Parish, run by an Election Authority for a given geographic area. |

|VIN |A random key generated by the e-Democracy Solution that forms one element of an Authentication Method used by voters to verify their identity. |

|PCIN |Personal Candidate Identification Number – This is a randomly generated candidate number that is personal to a voter. |

1.3 Related Documents

|No. |Title |Reference Number |Date |

|1 |e-Democracy Technical Architecture |PS/ODPM/3027468/HLD/001 |Issue 1 |


2 e-Democracy Process Architecture

2.1 e-Democracy Election Context Model

This section provides an overview of the election processes in the context of the future e-Democracy Pilots. In England and Wales, over 21,000 people represent their communities by serving as Councillors on local authorities. Councillors are elected to represent geographical units called parishes, wards, etc. In traditional elections, citizens can vote in person at a designated polling station, by postal ballot or by proxy.

The following context model provides an overview of the e-Democracy election process in the context of supporting new electronic channels for citizens to cast their vote(s).

[pic]

Figure 1 – e-Democracy Context Model

2.2 Actors

Actors are the parties that participate, or have a vested interest, in an e-Election that supports electronic voting.

|Citizen |A person who is eligible to vote in an election contest sanctioned by the UK Government. |

|Candidate |A person who appears on a selection list on a ballot. They may or may not belong to a Political Party. |

|Political Party |A political organisation that nominates members to appear as candidates on a ballot. |

|Independent |A person who appears on a selection list on a ballot and does not belong to a Political Party. |

|Electoral Commission |A UK Government organisation responsible for communicating the electoral rules by which a ballot should be conducted. |

|Returning Officer |The Returning Officer, together with the Acting Returning Officer, is responsible for officially managing an Election within an Election Authority as directed by election law. |

|Presiding Officer |Responsible for managing the Polling Locations under rules specified by Parliament. |

|ODPM |Office Of the Deputy Prime Minister. |

|Government |The United Kingdom Government. |

|Election Authority |An electoral region governed by boundary rules managed by an elected authority. |

|Councillors |Current Council Members. |

|Independent Technical Authority |Responsible for the deletion, or validation of the deletion, of the e-Vote database after the elections have been completed. |

|Internal Print & Post Office |Responsible for print and delivery of Poll Cards and any other communication material. |

|External Print & Post Office |Responsible for print and delivery of Poll Cards and any other communication material. |

|Communication Department |Responsible for the communication campaign for the e-Democracy Pilot. |

|Election Officer |Responsible for managing the electoral register. |

|Help Desk |Responsible for answering calls from citizens over the election period. |

|Support Desk |Responsible for directing support staff questions during the election period. |

2.3 Election Communication

Election Communication covers all the activities and processes involved in running the communication campaign, disseminating electoral literature (including Poll Cards and Vote Credentials) to citizens to enable electronic voting, and post-election analysis.

2.3.1 Communication Consultancy

In the context of the e-Democracy Pilots, this entails a well-managed Communications Outreach Programme to ensure all of the stakeholders are aware of their role in the elections.

Objectives are to:

• Educate voters in the community venues they know and trust;

• Make the message relevant to specific target audiences, e.g. young voters, the elderly, working mothers, the socially excluded;

• Deploy innovative visual design and compelling tagline(s) to reinforce messages;

• Use creative, attention-grabbing incentives to generate attention and enthusiasm for the election;

• Engage local community leaders and other prominent figures to support the campaign, e.g. MPs, Councillors, Head Teachers, local religious leaders, leading local business people, radio stations and so on;

• Maintain the momentum and reinforce the value of voting by widely distributing the post-election results.

The above will be managed by BT together with the Local Authorities.

2.3.2 Postal Voting Administration

In the context of the e-Democracy Pilots, this entails the printing of Polling Cards, Postal Ballot Papers and Proxy Letters. The authentication information may be incorporated onto the Poll Cards, printed and disseminated to the electorate.

The above will be managed by BT together with the Local Authorities.

2.4 Election Administration and Management

Election Administration and Management is the planning, execution and monitoring of processes and activities pertaining to the ballot structure, candidate list, polling & count location management, voter registration management, support desk and the help desk.

2.4.1 Election Event and Candidate Management

This is the management of all statutory election processes and procedures including the notice of election, nomination management, election rules compliance etc. This is the sole responsibility of Election Authorities.

In the context of the e-Democracy Pilot, Election Event, Polling Location details, Presiding Officers, Count staff and Candidate Lists are to be loaded into the e-Vote database in preparation for electronic voting. Candidate information will be provided when the Returning Officer has confirmed nominations.

2.4.2 Voter Registration Management

Voter Registration Management is the planning and management of processes and activities pertaining to maintaining the electoral register. The provision of Electoral Register information is the responsibility of the Election Authorities.

Registration officers may arrange either to send forms to, or to call on every household in the constituency to obtain details of all occupants eligible to vote. The information is used to compile provisional lists. These lists are displayed in public places in order to give people the opportunity to check that their names are included or to object to inclusions. People who disagree with the final decision of the registration officer may appeal to the courts.

In the context of the e-Democracy Pilots, Election Authorities will provide Electoral Register files from their current Election Package(s) and any rules required to interpret these files. These will be consolidated into an Interim Electoral Register and then provided to the e-Vote team for loading into the e-Vote database in preparation for electronic voting.

Vote Credentials and additional authentication details will be generated by the e-Democracy Solution for each citizen; the e-Vote Team will communicate these back to the Election Administration for delivery to the Election Authorities.

2.4.3 Polling Location Management

Polling Location Management is the assessment, preparation, support and cleanup of Polling Locations.

2.4.4 Count Location Management

Count Location Management is the assessment, preparation, support and cleanup of the count location. This may entail the provision of hardware and software, accessed via the Internet, that will enable the Returning Officer to run the electronic count and audit reports.

2.4.5 Help Desk Management

This is the provision of a help desk service for the Election Authority.

2.4.6 Support Desk Management

This is the provision of a support desk service for the Internal Election Support team.

2.5 Vote Management

2.5.1 Postal/Paper Vote

This is the capture of individual or totals of Postal or Paper votes cast for an Election Contest over an election period.

2.5.2 Electronic Vote

Electronic Voting is the capture of citizens’ votes via the Web, Kiosk, iDTV, SMS or IVR channels.

2.6 Electronic Election Count

The Electronic Election Count is the production of reports that validate the integrity of the electronic vote and detail the number of citizens who voted electronically and the number of votes cast for each candidate in a Contest. The Returning Officer will be responsible for performing the electronic results count.

2.7 Electronic Election Closure

The Electronic Election Closure entails the processes to archive the e-Vote database, the communication of this archive to the Returning Officer and the deletion of all data relating to an Election Event. It is assumed that an Independent Technical Authority approved by ODPM will validate the deletion of the actual vote data.

3 Election Architectural Principles and Standards

This section contains the architectural principles and standards that will be followed in the design of the e-Democracy Solution. The word ‘principle’ has been used in many different contexts; here it applies to the election process and covers security, anonymity, accuracy, integrity, auditability, election management and data retention.

3.1 Security

Security can only be achieved through a combination of the technical implementation and administrative procedures. To provide security measures, the solution shall:

• Provide pre-election, vote management and post election components that are executable only in the intended manner and order, and only under the intended conditions;

• Provide access mechanisms that control and limit access to eligible voters;

• Provide access mechanisms that control and limit access to eligible officials; and

• Provide access mechanisms that control and limit access to critical components of the e-Democracy Solution to protect system integrity, confidentiality, and accountability.

3.2 Anonymity

To ensure anonymity of the voter and the result, the e-Democracy solution shall:

• Ensure that votes captured within the e-Democracy Solution cannot be tied to a voter, except by the Returning Officer;

• Ensure that the votes cannot be tied to candidates until the time of the count.

3.3 Accuracy

To ensure vote accuracy, the e-Democracy solution shall:

• Record the election events, candidate lists, and election lists as provided by election officials;

• Record the appropriate options for casting and recording votes;

• Record each vote precisely as indicated by the voter and be able to produce an accurate report of all votes cast; and

• Include control logic and data processing methods to demonstrate that the system has been designed for accuracy.

3.4 Integrity

To ensure system and data integrity, the e-Democracy solution shall:

• Protect against any attempt at improper data entry or retrieval;

• Record and report the date and time of normal and abnormal events; and

• Maintain a permanent record of all original audit data that cannot be modified or overridden.

3.5 System Audit

Election audit trails provide the supporting documentation for verifying the correctness of the election count. They represent a record of all system activity related to the election count, and are essential for public confidence in the accuracy of the count, for recounts, and for evidence in the event of election fraud. The timing and sequence of audit record entries is as important as the data contained in the record.

3.6 Accessibility

The principle is to meet the accessibility needs of a broad range of voters, some with disabilities. Efforts to meet the accessibility requirements shall not violate the privacy, secrecy and integrity demands. As part of the design, the capability to provide access to voters with a broad range of disabilities will be factored in. BT () are responsible for the specification of, and adherence to, the accessibility requirements.

3.7 Data Retention

UK election legislation requires that election administrators preserve ballot papers for 6 months. Because the purpose of this requirement is to assist the government in discharging its law enforcement responsibilities in connection with election crimes, its scope must be interpreted in keeping with that objective. The appropriate Local Authority must preserve all records that may be relevant to the detection and prosecution of election crimes for the 6-month retention period.

3.8 Election Mark-Up Language Standards (EML)

EML UK v1.0 is in a pre-production phase and enhancements and corrections will be required to support the May 2003 Local Government elections.

The design team will enhance the EML standard to provide the level of functionality required to support the May 2003 Local Government elections.

The following provides examples of amendments that Oracle are considering in order to illustrate our approach to this area:

CESG - Key Principle

‘The signalling of intent, by the voter, into the electronic environment should have no observable properties, and the voter should receive assurance that their vote was recorded as it was intended’.

The CESG recommended solution involves the use of Personal Candidate Identification Numbers (PCIN) and Response Identifiers (RID). Spoilt votes should also be cast using a PCIN and a Response Identifier.

The Cast Vote Response (EML 450) message does not allow multiple Response Identifiers (as required by the CESG solution) to be communicated back to the voter, as it does not have a repeating ‘ConfirmationReference’ element. There are two options for resolving this: (1) ‘fudge’ the EML by putting spaces between each response identifier, or (2) update the ‘ConfirmationReference’ element to be a repeating element. Oracle has opted for the more structured option, i.e. (2).

The Authentication Response (EML 430) message communicates PCINs to the gateways but does not have an explicit element for the PCIN of a spoilt vote. To adhere to the CESG solution, Oracle has implemented a ‘SpoiltOption’ element at the same level as the ‘Candidate’ element.

The Polling Information (EML 340) message does not contain elements that can communicate candidates and their associated PCINs and Response Identifiers to the Printer Service providers.

Additionally, some errors have been identified in the EML XSDs. An example is the Candidate List (EML 230) message, where the ‘any’ element below the ‘Contest’ element has been defined as mandatory. All ‘any’ elements should be defined as optional.

As security requirements for EML transportation have not been defined, Oracle will wrap the common service EML messages in a simple SOAP message that adds transport security features. For example, the EML is encrypted using a symmetric key, which in turn is encrypted using an asymmetric key, and this encrypted key is placed in the SOAP wrapper.

4 Solution Overview

This section provides an overview of the framework to support the UK Government’s drive to implement e-Democracy. The e-Vote Application design takes into account three approaches to electronic voting that may be requested by a Local Authority:

• Early Voting – where e-Voting ends a couple of days before traditional paper voting begins;

• Traditional Paper or Postal and e-Voting Overlap – where e-Voting and traditional paper voting overlap; and finally;

• Electronic Voting – where only e-Voting is available to the electorate.

[pic]

Figure 2 – e-Democracy Solution Overview

4.1 Pre-Election Management

4.1.1 Voter Central (Pre-Election Administration)

This component will manage all communication and transformation of election data required to support the execution of an election for a Local Authority into and out of a format (OASIS EML or EML-enhanced) required by the e-Vote Application.

4.1.2 Election Event Management

When a participating Local Authority publishes the notice of an election, details of the Election Event must be created within the e-Vote database. This entails setting up information e.g. event name, description, start date & time, end date & time, election, contests etc. required to support one or more election contests for a Local Authority.

4.1.3 Election List Management

The objective of this component is to capture a Local Authority’s Electoral Register and communicate the register to the e-Vote Team in preparation for the elections.

On completion of cleansing and transformation of the election lists pertaining to a particular Election Event, the electoral register containing eligible voters, proxy voters and disallowed reasons will be communicated to the e-Vote Application.

4.1.4 Candidate Management

The management of all statutory election processes and procedures concerning the notice of election, nomination management, election rules compliance etc. is the sole responsibility of the Local Authorities. On completion of nominations and acceptance of candidature, Election Administration will provide candidate information to the e-Vote Application.

4.1.5 Credential Management

Voter Identification Number (VIN) and Personal Identification Numbers (PIN) are numeric keys randomly generated by the e-Vote Application that will form the authentication information required by a citizen to identify themselves, and enable them to cast their vote for a specific Election Event. A number of Authentication Methods will be available for the Local Authorities in the future, but as a minimum will contain a VIN element e.g. VIN/PIN, VIN/Electoral Roll Number etc.

The component will generate Voter Credentials for an Election Event and assign them to the citizens associated with the Election Event.

Election Officials are required to perform specific tasks in the e-Vote Application (i.e. checking/marking the Election Register at a Polling Location, etc.). The authentication of Election Officials will consist of an Officer Identification Number (OID) and a personal password. Similar to a VIN an OID is a numeric key randomly generated by the e-Vote Application.

4.2 Vote Management

Citizens will be provided with a number of channels to cast their vote (e.g. iDTV, Internet and Kiosk). Additionally, the channels and timing selected by a particular Local Authority for an Election Event will influence the election rules applied for that Election Event. For example, citizens who have elected to vote by post will either not have a VIN generated for them or will have their VIN revoked, since once postal voting has been selected they cannot vote via any of the direct electronic channels.

4.3 Front Office Management

Local Authorities will be provided with a number of administration functions to support e-Voting. These include:

• Replacing credentials;

• Marking the Electoral Register;

• Revoking a VIN;

• Enabling a tender vote.

4.4 Electronic Election Count and Audit

The electronic count and audit is the production of reports containing the results of Contests, together with features that validate the integrity of each Contest.

4.5 Post Election Reports

Citizens may have completed surveys as part of casting their votes electronically. These will be stored in the e-Vote database. On completion of the Election Events, the Local Authorities can produce a CSV file containing the results of the surveys. An additional vote channel breakdown report will be available to the Local Authorities.

5 Pre-Election Management

5.1 Overview

The objective of Pre-Election Management is to set up the e-Vote Application in preparation for electronic voting, based on the type of Local Authority elections to be supported. The functions to set up the e-Vote Application include:

• Pre-Election Initial Data Capture – a set of pre-election message services to capture election event, candidate and election register information into the e-Vote database;

• Event Management – after the initial data capture, all changes to Local Authority data will be managed directly on the e-Vote Application;

• Credential Management – a set of voter credentials will be generated for all Local Authorities and then assigned to voters as part of the load process;

• Election Official Management – all officials that require access to the e-Vote Application must be created and credentials generated for them;

• Election Register – prior to the start of voting, Local Authorities will require access to their Electoral Registers;

• Mark Register (Postal) – prior to or during electronic voting, the receipt of postal votes must be recorded to prevent multiple voting.

5.2 Pre-Election Initial Data Capture

5.2.1 Overview

The e-Vote Application design is based on an open architecture containing a set of Pre-Election Services that will enable external vendors to develop pre-election specific solutions and communicate with the e-Vote database using standard and enhanced OASIS EML election messages.

will interact with the e-Vote Application through these messages generated from their Voter Central application. These applications must be connected to a secure network. The messages must be routed from Voter Central to the e-Vote Application for processing.

[pic]

Figure 3 – Message and Data Flow

must develop a gateway to act as the translator between the Local Authority information systems and the e-Voting Application. This gateway must use the following EML schemas when interfacing with the e-Vote Application:

• Election Event – 110;

• Logo – 930 (new);

• Candidate List – 230;

• Election Register – 330;

• Polling Information – 340.

These schemas are irrespective of the client device or ’s choice of technology.

5.2.2 Message Management

5.2.2.1 Incoming Messages from

All incoming messages must be placed by into the “landing” directory on a designated e-Vote Application Server. The messages must be sent with a Controller Message. This Controller Message details the messages that are included as part of the batch. The e-Vote Application will validate the message structure and content and create a report of any errors in an ‘outgoing’ directory to be retrieved by for inspection.

The load process will take an “all or nothing” approach to loading messages identified in the Controller message. If an error occurs at any point during the load, then all the messages identified in the Controller Message will be rejected.

5.2.2.2 Outgoing Messages to

All outgoing messages will be placed by Oracle into the “outgoing” directory to be retrieved by . The messages will be sent with a Controller Message. This details the information messages that are included as part of the batch.

5.2.2.3 Message Controller Module

A single Message Management control form module will manage all incoming and outgoing messages.

For incoming messages the Message Management module will:

• Validate the digital signatures sent within the Controller Message to verify the messages came from and have remained unaltered;

• Load the messages into a staging area of the database, verifying each message against its relevant schema at the same time;

• Process the data in the staging tables, moving the relevant data into the e-Vote database.

Throughout all of the above stages, error and audit logging will take place.

For the outgoing Polling Information (EML 340) message the Controller module will:

• Create a digital signature of the message to be included in the Controller Message;

• Place the message into the outgoing directory for retrieval by .

Throughout all of the above stages, error and audit logging will take place.
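An added example (not the project's own code) of the Controller Message handling described in the Message Management section above: the provider signs each EML file and lists the signatures in the controller message; the e-Vote side verifies every listed file, checks its root element as a stand-in for schema validation, and loads the batch only if every file passes. The Ed25519 signature scheme, the controller message layout, the file-name convention and the root element names are assumptions, and the landing directory is an in-memory map with constructed contents.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strings"
)

// ControllerMessage is an assumed layout for the Controller Message of the
// Message Management section: one entry per EML file in the batch, each
// carrying the provider's Ed25519 signature over that file's bytes (base64).
type ControllerMessage struct {
	BatchID string      `xml:"BatchId"`
	Files   []FileEntry `xml:"Files>File"`
}

type FileEntry struct {
	Name      string `xml:"Name"`
	Signature string `xml:"Signature"`
}

// expectedRoot maps the EML message number (file-name prefix, an assumed
// convention) to the root element the loader expects (assumed names).
var expectedRoot = map[string]string{
	"110": "ElectionEvent",
	"230": "CandidateList",
	"330": "ElectionList",
}

// Constructed landing-directory contents for the demo.
var sampleFiles = map[string][]byte{
	"110_event.xml":      []byte(`<ElectionEvent><EventName>May 2003 Local Elections</EventName></ElectionEvent>`),
	"230_candidates.xml": []byte(`<CandidateList><Candidate>Martin O'Neil</Candidate></CandidateList>`),
}

// SignBatch is the provider side: sign each file and list it in the controller message.
func SignBatch(priv ed25519.PrivateKey, batchID string, names []string, files map[string][]byte) ControllerMessage {
	ctrl := ControllerMessage{BatchID: batchID}
	for _, name := range names {
		sig := ed25519.Sign(priv, files[name])
		ctrl.Files = append(ctrl.Files, FileEntry{name, base64.StdEncoding.EncodeToString(sig)})
	}
	return ctrl
}

// rootElement returns the first start element, standing in for the schema check.
func rootElement(data []byte) (string, error) {
	dec := xml.NewDecoder(strings.NewReader(string(data)))
	for {
		tok, err := dec.Token()
		if err != nil {
			return "", err
		}
		if se, ok := tok.(xml.StartElement); ok {
			return se.Name.Local, nil
		}
	}
}

// LoadBatch is the e-Vote side: verify every listed file's signature and root
// element; any failure rejects the whole batch and returns the error report.
func LoadBatch(pub ed25519.PublicKey, ctrl ControllerMessage, landing map[string][]byte) (map[string][]byte, []string) {
	staged := map[string][]byte{}
	var report []string
	for _, f := range ctrl.Files {
		data, ok := landing[f.Name]
		if !ok {
			report = append(report, f.Name+": listed but missing from landing directory")
			continue
		}
		sig, err := base64.StdEncoding.DecodeString(f.Signature)
		if err != nil || !ed25519.Verify(pub, data, sig) {
			report = append(report, f.Name+": signature verification failed")
			continue
		}
		want := expectedRoot[strings.SplitN(f.Name, "_", 2)[0]]
		got, err := rootElement(data)
		if err != nil || want == "" || got != want {
			report = append(report, fmt.Sprintf("%s: expected root <%s>, got <%s>", f.Name, want, got))
			continue
		}
		staged[f.Name] = data
	}
	if len(report) > 0 {
		return nil, report // all or nothing: discard the staging area
	}
	return staged, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	names := []string{"110_event.xml", "230_candidates.xml"}
	ctrl := SignBatch(priv, "batch-1", names, sampleFiles)
	loaded, report := LoadBatch(pub, ctrl, sampleFiles)
	fmt.Println(len(loaded), "files loaded; report:", report)
}
```

Altering or omitting any listed file after signing makes LoadBatch return nil together with the error report, so nothing from that batch reaches the e-Vote database.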

5.2.3 Controller Message

All messages communicated to the e-Vote Application must be sent with a Controller Message. This details the EML messages that are included as part of the batch.

[pic]

5.2.4 Information Messages

The solution design recognises the importance of the ODPM objective to ensure that EML is employed as a ‘foundation stone’ to provide interoperability between the various participants within the e-Voting marketplace. A holistic approach has been taken in the design to ensure that the amendments identified to the EML UK 1.0 standard are kept to an absolute minimum and address specific issues, in order to provide the level of functionality required during the 2003 election.

The following information messages are supported by the Pre-Election Services.

5.2.4.1 Logo Message (930)

This message carries logos of particular political parties that are to be included on the ballot page, or Local Authority logos that are to be included on the screen-based channels.

5.2.4.2 Election Event Message (110)

This EML message is the starting point of the whole process and provides information about an election or set of elections. It contains information such as the event start and end date and time, a list of allowed voting channels, a list of languages, etc.

5.2.4.3 Candidate List Message (230)

This EML message is used for transferring candidate lists for specific contests. It has the election event name, contest name, optionally a contest description and then a list of candidates, each with a name and optional affiliation.

5.2.4.4 Election List Message (330)

This EML message is used for communicating the list of eligible voters, proxies or disallowed voters for a contest.

5.2.4.5 Polling Information Message (340)

This outgoing EML message is used for providing with details of the electorate and their voting credentials. It will contain all the information about the voter that may be included to print a polling card.

5.2.5 Digital Signatures

5.2.5.1 Incoming Message

Messages must be sent from ’s Voter Central Application containing details and a digital signature. The message has to be verified against its signature to ensure that the data has been sent from and not an unauthorised third party.

5.2.5.2 Outgoing Message Creation

The outgoing 340 EML message generated by the Polling Extract module contains highly confidential information concerning voter credentials and therefore needs to be handled with strict security procedures. The message must be digitally signed before being sent to the Pre-Election Service provider. It is assumed that the Pre-Election Service provider will physically transport the 340 EML message to the Printers.

5.2.6 Message Communication

must send sets of messages to their own specific “incoming” file directory on the e-Vote Application Server. The messages must be grouped, and the grouping must be defined within a “Control” message sent with the actual message data files.

5.2.7 Auditing and Error Handling

5.2.7.1 Incoming Message Errors

Errors will be detailed in a series of error reports that will be placed in the appropriate directory of the Pre-Election service provider. The Pre-Election Service provider will use the error reports to diagnose and fix the problems with the message. The provider must then re-send the set of message(s) as a new control set in the normal way.

5.3 Event Management

Once the initial data has been communicated to the e-Vote Application all updates to the data will occur via Web-forms. The purpose of Event Management is to setup a new Election Event or maintain the details of an Election Event previously created using an Election Event (110), Election Register (330) and Candidate List (230) message.

5.4 Credential Management

5.4.1 Overview

This component, under the secure trusted domain of the e-Vote Operations Team, is responsible for accepting voter data and transmitting credential data into and out of the e-Vote database.

[pic]

Figure 4 – Credential Management

1 Voter Credentials

The approach to authentication is based on the submission of a two-part Voter Credential (i.e. Voter Id – VIN and Password - PIN) by the citizen.

• Voter Identification Number (VIN) – a randomly generated number that is unique to each eligible voter in a given Election Event and forms one part of the voter’s credentials, which the citizen will use to authenticate themselves before casting their vote;

• Personal Identification Number (PIN) – a randomly generated number that is unique to each eligible voter in a given Election Event and forms the second part of the voter’s credentials, which the citizen will use to authenticate themselves before casting their vote.

The use of Voter Credentials for authentication preserves the anonymity of the voter whilst casting their vote.

The approach to security is based on the key CESG principle:

‘The signaling of intent, by the voter, into the electronic environment should have no observable properties, and the voter should receive assurance that their vote was recorded as it was intended’

2 Personal Option Identification Number (POIN)

These are randomly generated numbers for every candidate and eligible voter combination within an Election Event, giving each voter a personal candidate number for each candidate in the Election Event. The uniqueness extends across Contests, to avoid confusion if more than one Contest is being run. POINs may be the same for different voters, but the combination of VIN and POIN makes them unique.

3 Response Identifier (RID)

These are randomly generated numbers for every POIN and VIN combination within an Election Event, giving a citizen a unique response for each candidate in the Election Event.

A Simple Example

David O’Leary

VIN: 1234 5678 9123 4567

|Candidate      |Party    |POIN |Response Id |
|Martin O’Neil  |Celts    |1235 |1233567     |
|Terry Venables |WideBoys |6432 |647474      |
|Magic Johnson  |Amex     |4675 |636943      |
|Spoilt Ballot  |         |2343 |535794      |

Jon Smith

VIN: 1456 4554 5454 4347

|Candidate      |Party    |POIN |Response Id |
|Martin O’Neil  |Celts    |5678 |364313      |
|Terry Venables |WideBoys |5965 |468790      |
|Magic Johnson  |Amex     |4696 |555345      |
|Spoilt Ballot  |         |2532 |467688      |

As shown above, the POIN and Response Id are personal to each citizen. Using REV, the voter casts their vote with their personal VIN and POIN and is returned a Response Id personal to them. Because a given POIN value means something different on every voter’s card, an observer of a cast vote cannot tell from it which candidate was selected, and the Response Id cannot be used to modify or delete a vote that has been cast.

4 Alternative Responses

The Response Identifier (RID) is one form of response available to Local Authorities. The alternatives are (1) a general thank-you message or (2) a Receipt Id per Contest.

2 Voter Credential Generator

A set of voter credentials (VIN/PIN) will be generated prior to loading data from the Local Authority election events.

1 VIN & PIN Generator

[pic]

Figure 5 – Credential Management

VINs are globally unique for each voter and are sufficiently random to make it very difficult for somebody to guess a valid VIN. The key functions of the VIN/PIN Generator include:

• generate VIN/PIN for an Election Event - the operator will specify the number of VINs to generate;

• destroy VIN/PIN for an Election Event. – VIN/PIN may require destroying if too many have been generated for the Election Events being managed.

For May 2003 the numbers will be generated from random data encrypted using an asymmetric key.

3 Voter Credential Assignment

As part of loading the Electoral Register (EML 330) from ’s Voter Central application, the pre-generated voter credentials will be assigned to the Local Authority’s voters.

4 Personal Option Identification Number (POIN) Generator

POINs are unique for each voter and candidate combination and will be sufficiently random to make it very difficult for somebody to guess a valid POIN. These are generated after the candidate (EML 230) lists for Contests have been loaded into the e-Vote database.
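The credential scheme described above (VIN/PIN generation, one POIN per voter and option unique across Contests, one Response Id per VIN and POIN combination) and the worked example under Credential Management, as an added illustration. This is not code from the e-Vote Application: the two-Contest event, the voter names, the number lengths and the function names are assumptions, and a CSPRNG stands in for the document’s random data encrypted under an asymmetric key.

```python
import secrets

# Constructed election event: two Contests, each with candidate options and a
# spoilt-ballot option. Candidate ids (C1, M1, ...) are hypothetical.
CONTESTS = {
    "Ward A": ["C1", "C2", "C3", "SPOILT"],
    "Mayor":  ["M1", "M2", "SPOILT"],
}
VOTERS = ["David O'Leary", "Jon Smith"]


def random_digits(n, rng):
    """n-digit number as a zero-padded string. Assumption: a CSPRNG (or a seeded
    random.Random for reproducible runs) replaces the document's random data
    encrypted under an asymmetric key."""
    return "".join(str(rng.randrange(10)) for _ in range(n))


def generate_vin_pin(count, used_vins, rng, vin_len=16, pin_len=4):
    """Pre-generate VIN/PIN pairs. VINs must be globally unique across Election
    Events, so a collision with an already issued VIN is retried."""
    creds = []
    while len(creds) < count:
        vin = random_digits(vin_len, rng)
        if vin in used_vins:
            continue
        used_vins.add(vin)
        creds.append((vin, random_digits(pin_len, rng)))
    return creds


def generate_poins(contests, rng, poin_len=4):
    """One POIN per option for a single voter. Uniqueness is enforced across all
    Contests of the event so one number never denotes two options on one card."""
    poin_to_option = {}
    for contest, options in contests.items():
        for option in options:
            poin = random_digits(poin_len, rng)
            while poin in poin_to_option:
                poin = random_digits(poin_len, rng)
            poin_to_option[poin] = (contest, option)
    return poin_to_option


def generate_rids(poins, rng, rid_len=6):
    """One Response Id per (VIN, POIN) combination, distinct within the voter."""
    rids, seen = {}, set()
    for poin in poins:
        rid = random_digits(rid_len, rng)
        while rid in seen:
            rid = random_digits(rid_len, rng)
        seen.add(rid)
        rids[poin] = rid
    return rids


def build_polling_extract(voters, contests, rng=None):
    """Assemble what the enhanced EML 340 extract carries for each voter:
    VIN, PIN, POIN -> (Contest, option) and POIN -> Response Id."""
    if rng is None:
        rng = secrets.SystemRandom()
    used_vins = set()
    creds = generate_vin_pin(len(voters), used_vins, rng)
    extract = {}
    for name, (vin, pin) in zip(voters, creds):
        poins = generate_poins(contests, rng)
        extract[name] = {"vin": vin, "pin": pin, "poins": poins,
                         "rids": generate_rids(poins, rng)}
    return extract


def option_for(extract, vin, poin):
    """Resolve a submitted (VIN, POIN) to an option. A POIN on its own is not
    resolvable: the same POIN value may be printed on several voters' cards."""
    for record in extract.values():
        if record["vin"] == vin:
            return record["poins"].get(poin)
    return None


def check_extract(extract, contests):
    """Checks to run before the extract is signed and handed to the printer:
    unique VINs, one POIN and one RID per option for every voter, RIDs distinct
    within a voter."""
    n_options = sum(len(o) for o in contests.values())
    vins = [r["vin"] for r in extract.values()]
    if len(set(vins)) != len(vins):
        return False
    for r in extract.values():
        if len(r["poins"]) != n_options or len(r["rids"]) != n_options:
            return False
        if len(set(r["rids"].values())) != n_options:
            return False
    return True


if __name__ == "__main__":
    ext = build_polling_extract(VOTERS, CONTESTS)
    assert check_extract(ext, CONTESTS)
    for name, rec in ext.items():
        print(name, "VIN", rec["vin"], "PIN", rec["pin"])
        for poin, (contest, option) in rec["poins"].items():
            print("  ", contest, option, "POIN", poin, "RID", rec["rids"][poin])
```

The collision loops matter more than they look: with four-digit POINs a voter with many candidates across several Contests will hit duplicates, and a duplicate POIN on one card would be exactly the cross-Contest confusion the document rules out. Passing a seeded `random.Random` as `rng` reproduces a run for testing; production generation should keep the CSPRNG default.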

5 Polling Information Management

Once Voter credentials, POINs and response identifiers have been generated for an Election Event, the e-Vote Team will extract the information required by the Printer in an enhanced EML 340 format for communication to .

5 Election Official Administration

Election Officials require access to the e-Vote Application in order to perform privileged functions prior to and during the election (e.g. mark register, replace credentials). To maintain the security and integrity of actions performed on the e-Vote Application, the creation of Officer Credentials must be the responsibility of the Local Authority. The only credentials created by the e-Vote Team will be those of the Returning Officer, who will be forced to change their password the first time they log into the e-Vote Application. All other Officer Credentials will be created by the Returning Officer or a designated officer.

Election Official Administration will enable responsible officers (e.g. Returning Officer) to create new Election Officers, generate credentials for them, print credential details etc. for an Election Event.

Election Official Administration will perform the following actions:

1 Create Officers

In order to create a new officer the Responsible Officer will be able to select an officer role (e.g. Presiding Officer) and then enter a surname and forename for the new officer.

2 Generate Credentials

This will create a new Officer Id and Password for all selected Officials that do not already have credentials. All officers will be forced to change their password the first time they log into the system. Passwords will be stored encrypted in the e-Vote database so that internal administrators (e.g. Database Administrators) cannot view them.

3 Print Credentials

This will print credentials for all Officials that have been selected. The password will only be printed if the password has not been changed.

4 Reset Password

If an Election Official perceives that the security of their password has been compromised or if they have forgotten their password, the Responsible Officer can reset the password.

5 Block/UnBlock

If the Responsible Officer wishes to stop an Official from logging into the e-Vote Application they can block the credential of an Official.

[pic]

Figure 6 - Election Official Management

6 Election Registers

This component can be used pre-election, during the election, or even after voting has been completed and is responsible for printing the Election Register. The Election Register that is printed is based on various parameters passed by the Election Registration or Returning Officer.

• Election – Valid Elections within the Election Event;

• Contest – Valid Contests within the Election;

• Polling Station – Valid Polling Station for the Election Event;

• Register Type – This can be:

• Unmarked – Does not include the ‘Vote’ status of the elector, i.e. whether they have voted or not;

• Marked – Includes ‘Vote’ status of elector i.e. indicate if elector has voted. The Marked option is only available to the Returning Officer.

• Blocked Type – Only include in the register electors of a particular block type;

• As At date – Can only be used when the Register Type is ‘Marked’, and will only show votes marked on or before the given date and time.

[pic]

Figure 7 – Election Register Management

[pic]

Figure 8 – Election Register

7 Mark Registers (Postal)

For those Local Authorities (LAs) that do not require pre-registration for postal voting, this component enables the LA to mark the electronic register on receipt of the Postal Vote from the voter, thereby preventing multiple voting across the electronic and postal channels.

6 Vote Management

1 Overview

The Vote Management design is based on a Remote Electronic Voting (REV) architecture where voting can take place by electronic means from any location via any electronic channel (e.g. Internet, iDTV). Vote Management includes:

• A set of common services available to all channels providing voter authentication, ballot information, vote casting and survey completion functions against the e-Vote Application;

• Configuration modules for screen based channels;

• A set of channels whose user interface is primarily based on information stored in the e-Vote database;

• A set of Election Administration functions.

2 Common Services

All channels will communicate with the e-Vote Application through EML messages generated from their preferred client devices and gateways. These devices will be connected to a public network, e.g. the Internet or the Public Switched Telephone Network (PSTN), via a service provider. The messages will be routed from the service providers to the e-Vote Application for processing. The following common services will be available to all channels to interact with the e-Vote Application:

1 Authentication

This component is responsible for validating a voter’s credentials based on the Authentication Method chosen by the Local Authority and, if successful, returning the ballot details containing the valid POINs unique to the voter for a given Contest. The channel sends an Authentication Message (EML 420); once received, the e-Vote Application validates the authenticity of the message and returns success or failure in an Authentication Reply Message (EML 430). On success the reply contains the ballot information the channel needs to display the ballot details relevant to the voter.

2 Cast Vote

This component is responsible for authenticating the voter’s credentials and, if valid, generating a Response Id for the VIN and POIN combination submitted. The VIN and POIN are validated against the valid POINs stored against the voter in the e-Vote database. If valid, the VIN and POIN are stored in the e-Vote database and the Response Id is communicated back to the voter as confirmation that the vote has been accepted and stored correctly. The citizen’s virtual ballot paper is also marked as completed. The channel sends a Cast Vote Message (EML 440); the e-Vote Application validates the authenticity of the message and returns a Confirmation Message (EML 450) indicating success or failure.
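The Authentication (EML 420/430) and Cast Vote (EML 440/450) exchange described above, with both sides’ messages, as an added example. It is not the e-Vote Application’s code and not the EML schemas: the messages are plain dictionaries, the credential store holds one voter with values in the style of the document’s worked example, and the receipt format and function names are assumptions.

```python
# Constructed credential store for one voter (values hypothetical). In the
# e-Vote Application this is the database populated by the credential
# generators; here it is an in-memory dict.
STORE = {
    "1234567891234567": {
        "pin": "9876",
        # POIN -> (Contest, option) for this voter only
        "options": {
            "1235": ("Ward A", "Martin O'Neil"),
            "6432": ("Ward A", "Terry Venables"),
            "4675": ("Ward A", "Magic Johnson"),
            "2343": ("Ward A", "Spoilt Ballot"),
        },
        # POIN -> Response Id, personal to this voter
        "rids": {"1235": "1233567", "6432": "647474",
                 "4675": "636943", "2343": "535794"},
        "completed": set(),   # Contests on the virtual ballot already marked done
        "blocked": False,     # set when a replacement or tender credential is issued
    },
}
STORED_VOTES = []             # accepted (VIN, POIN) records; the Count tallies these


def _authenticate(vin, pin):
    """Credential check shared by both services; blocked credentials fail."""
    rec = STORE.get(vin)
    if rec is None or rec["blocked"] or rec["pin"] != pin:
        return None
    return rec


def authentication_message(msg):
    """EML 420 in, EML 430 out. On success the reply carries, for each Contest
    not yet completed, the (option, POIN) pairs the channel renders as the
    ballot. On failure nothing about the voter is disclosed."""
    rec = _authenticate(msg["vin"], msg["pin"])
    if rec is None:
        return {"type": 430, "status": "failure"}
    ballot = {}
    for poin, (contest, option) in rec["options"].items():
        if contest not in rec["completed"]:
            ballot.setdefault(contest, []).append({"option": option, "poin": poin})
    return {"type": 430, "status": "success", "ballot": ballot}


def cast_vote_message(msg, response_mode="rid"):
    """EML 440 in, EML 450 out. Re-authenticates, checks the POIN is one of the
    voter's own for a Contest not yet completed, stores (VIN, POIN), marks the
    Contest complete and returns whichever response the Local Authority chose:
    the personal Response Id, a general thank-you, or a Receipt Id per Contest."""
    rec = _authenticate(msg["vin"], msg["pin"])
    if rec is None:
        return {"type": 450, "status": "failure", "reason": "authentication"}
    entry = rec["options"].get(msg["poin"])
    if entry is None:
        return {"type": 450, "status": "failure", "reason": "invalid POIN"}
    contest, _option = entry
    if contest in rec["completed"]:
        return {"type": 450, "status": "failure", "reason": "contest already voted"}
    # Only the VIN and POIN are stored; the candidate is resolved at the Count.
    STORED_VOTES.append((msg["vin"], msg["poin"]))
    rec["completed"].add(contest)
    reply = {"type": 450, "status": "success"}
    if response_mode == "rid":
        reply["response_id"] = rec["rids"][msg["poin"]]
    elif response_mode == "receipt":
        # Hypothetical receipt format: Contest name plus a per-Contest sequence.
        reply["receipt_id"] = f"{contest}-{sum(1 for _ in STORED_VOTES)}"
    else:
        reply["message"] = "Thank you, your vote has been received."
    return reply


if __name__ == "__main__":
    vin, pin = "1234567891234567", "9876"
    print(authentication_message({"type": 420, "vin": vin, "pin": pin}))
    print(cast_vote_message({"type": 440, "vin": vin, "pin": pin, "poin": "6432"}))
    # Second attempt on the same Contest is rejected: the ballot is marked done.
    print(cast_vote_message({"type": 440, "vin": vin, "pin": pin, "poin": "1235"}))
    print(authentication_message({"type": 420, "vin": vin, "pin": pin}))
```

Two points worth noting in the exchange: the cast-vote service repeats the credential check rather than trusting the earlier 430 reply, and a failed 450 never says whether the VIN exists, only that authentication failed, so the reply cannot be used to enumerate valid VINs.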

3 Survey

This component is responsible for authenticating the voter’s credentials, and if valid accepting the results of the optional survey that the Local Authority has selected for their Election Event. The receipt of the result will be performed by transmitting an XML Survey Message (910).

3 Internet, iDTV and Kiosk Channels

The e-Vote Application design is based on an open architecture containing a set of common services that will enable external vendors to develop channel-specific solutions and communicate with the e-Vote database using agreed interpretations and implementations of the OASIS EML election messages.

The following channels will be made available by Oracle as part of the e-Vote Application:

• Internet;

• Polling Station – Kiosk/Lightweight PC;

• Interactive Digital TV.

The design of the screen based channels is a template-based architecture where boilerplate text on the election web pages is refreshed at runtime from data set up against Election Event in the e-Vote database.

The main components of the design include:

• Maintenance Screens for standard and Election Event boilerplate text;

• A series of mandatory and optional template Web Pages that form the Web Site for an Election Event;

• EML Messages that will be used to authenticate voter(s), cast their vote(s) and record the details of a survey – See Common Services.

1 Channel Configuration

A special feature of the e-Vote Application is to allow Local Authorities to ask voters questions pertaining to their voting experience. These can be specific to the Local Authority and can be different for each electronic channel.

This component will enable the internal e-Vote Team to set questions pertaining to the survey.

Note: for the Internet and Kiosk channels, the maximum number of questions is 8.

[pic]

Figure 9 – Survey Management

The e-Voting screen based channel interfaces (internet, iDTV and Kiosk) are based on a scalable design to satisfy the requirements to deliver multiple screen based channel interfaces to multiple Local Authorities in a relatively short time period.

Each channel (internet, kiosk and iDTV) has its own set of templates consisting of template pages, items (text) on a page, default item values and Local Authority item values, which vary by channel, language and election event. During the pre-election period, forms will be used to store template item text and image details in the e-Vote database according to channel, language and Local Authority.

[pic]

Figure 10 – Channel Configuration

Prior to voting the default and configured items will be extracted from the e-Vote database and provided to a JSP for use at runtime. This extracted information will dynamically populate the JSP with data at runtime according to the voter’s preferred language.

This is illustrated in the following diagram:

[pic]

Figure 11 – Channel Runtime Overview

2 Election Information Portal (EIP) and voting flow

The Screen Based Voting Channels consist of two main components:

• Election Information Portal;

• Voting Application.

The Election Information Portals (EIP) will exist for all screen-based channels and will be the entry point into the e-Voting Application for all the Local Authorities.

The EIP will integrate with the e-Voting Application by communicating the election event and language as set up within the e-Voting Application. BT will provide the EIP for all the screen-based channels.

3 Internet Channel

This design will enable the Internet Channel to be rapidly configured in preparation for an Election. Once an Election Event has been created and the ‘Internet’ has been identified as a chosen channel, the configuration of the Web Site for the Election Event can begin. Information such as event description, event date etc. will be defaulted from information entered against the Election Event and other information will be defaulted as standard e.g. Exit button. The Internet pages that form part of the Web Site design include:

• Login Page;

• Legal Message Page;

• Contest (optional);

• Candidate Page;

• Verification Page;

• Confirmation Page;

• Survey Page (optional);

[pic]

Figure 12 – EIP and Internet, iDTV and Kiosk voting flow

4 Polling Station Channel – Kiosk/Light Weight PC’s

Similar to the Internet design the Polling Station Channel design is based on a template-based Election Web Site architecture where boilerplate text is refreshed at runtime from data set up against an Election Event within the e-Vote database.

5 Interactive Television (iDTV)

Similar to the Internet design the Interactive Television Channel design is based on a template-based Election Web Site architecture where boilerplate text is refreshed at runtime from data set up against an Election Event within the e-Vote database.

4 Postal and Paper Votes

The Postal and Paper Channel enables the totals counted manually at the Count Location to be recorded in the e-Vote database using a Postal/Paper data entry screen.

Once all the Postal/Paper Ballot Papers have been received and counted, the totals can be entered for inclusion in the overall count. The component will allow the following:

• Record Ballot Totals for each candidate in a given Contest;

• Record spoilt vote totals for a given Contest by reason;

• Correct previously entered totals, giving the reason for the correction.

5 Marked Registers

The ability to print a ‘marked’ register during the voting period is only available to the Returning Officer and is audited when a request is made. The Returning Officer will only be allowed to output an Electronic Electoral Register from the e-Vote database that relates to their Election Event.

The following information will be printed on the Electoral Register Report:

For a given Contest

• Polling Station;

• Polling District;

• Electoral Roll Number;

• Name & Address Details;

• Status i.e. Absent Voter, Disallowed, Vote Complete etc.

7 Front Office

Local Authorities at the front office (i.e. Polling Stations) will be given access to the following functions depending on the type of election event being conducted by the Local Authority:

• Change Password;

• Voter Credential Management; and/or

• Mark Election Register.

Local Authorities that will be running only electronic voting at Polling Stations will not require the ‘Mark Election Register’ option.

1 Change Password Screen

The first time an Election Official attempts to log in they are directed to this screen to change their password. The Official can also change their password at any other time.

[pic]

Figure 13 – Change Password Screen

2 Voter Credential Management

A citizen must still be permitted to vote under UK electoral law if they are on the Electoral Register and can prove their identity to the Presiding Officer. The purpose of Voter Credential Management is to issue a citizen with new voting credentials if they have misplaced or forgotten them, or to issue tender credentials where personation may have taken place. Requests for new credentials can be made either at a Polling Station or in person at the Council Offices.

The issuing of new credentials is a very privileged function and has the potential of being misused, therefore the Local Authority can determine whether they require one or two officers to be authenticated prior to issuing new credentials.

There are two types of credentials that can be issued:

• Replacement Credentials;

• Tender Credential.

[pic]

Figure 14 – Voter Credential Management

1 Replacement Credentials

This enables the Official to issue a replacement credential for the citizen. It is only available if the citizen still has Contests which have not been completed and does not have a blocked status. All existing credentials associated with the citizen will be blocked, including the credentials of the Proxy.

2 Tender Credentials

This enables the Official to issue a tender credential for the citizen. It is only available if the citizen does not have a blocked status. All existing credentials associated with the citizen will be blocked, including those of an associated Proxy.

3 Mark Register

For Local Authorities that are running traditional paper based and electronic channels over the same period there must be the mechanism to mark the electoral register (i.e. destroy the electronic voting credentials), if the citizen wishes to cast their vote over the traditional paper based channel.

[pic]

Figure 15 – Mark Register

1 Mark Register (Normal)

This enables the Official to mark the register for all of the citizen’s outstanding Contests. It is only available if the citizen still has Contests which have not been completed and does not have a blocked status. All existing credentials associated with the citizen (including their proxy) will be blocked.

2 Mark Register (Tender)

This enables the Official to mark the register as having issued a Tender Ballot for the citizen. It is only available if the citizen does not have a blocked status. All existing credentials (including proxy) associated with the citizen will be blocked.

8 Voter Support Centre

As part of the support for Local Authorities, a BT Call Centre will receive calls from citizens and either answer them, if they relate to the e-Election, or redirect them to the Local Authority. During the voting period, queries as to whether an elector’s vote has been received successfully must be answered.

This component will provide the Help Desk Official with a function to determine whether a citizen’s vote has been received, without knowing the identity of the voter. The Help Desk Official must select the Election Event and the Electoral Roll Number/Voter Reference Number of the caller.

[pic]

Figure 16 – Contest Status

The Help Desk Official will then be able to inform the citizen whether their vote has been received successfully.

Additionally, all interaction between the voter and the e-Vote Application will be available to the Help Desk Official as well as functionality to record the interaction with the voter.

9 Electronic Count and Audit

1 Overview

This section covers the approach to performing the Electronic Count and verifying the integrity of the Count. This is the process whereby votes cast electronically and/or manually in a particular Election Contest are tallied and reported by the Returning Officer.

The primary objectives of the electronic count and audit component are to:

• transfer individual votes into the Electronic Count according to the rules of the Election; and

• establish and prove the validity of the Election, consistent with the rules under which the Election was conceived. This is critical to retaining trust in the Electronic Count, and thus the integrity of the Election.

One of the key principles of voting is a set of “rules and conditions” which form the basis of the trust and integrity of the Election.

The key rules are generally accepted to be:

• Only eligible voters can influence a Count;

• All eligible voters are given equal influence to affect the Count;

• The Count accurately reflects the intentions of the voters.

The first two rules are satisfied by the use of a cryptographic voting protocol (i.e. voter and other credentials generated by the e-Vote Application) and communicated to the eligible voters by the Local Authority. The voter interacts with the e-Vote Application via an electronic channel to record their intent on the Contest. The voter reviews the electronic ballot for correctness, and makes their selection(s). The completed ballot is digitally signed and encrypted at the channel gateway to preserve privacy in transit to the e-Vote Application. The third rule is discussed below.

2 Count Access

Access to an Election Count is only available to the Returning Officer of a Local Authority via the entry of valid Returning Officer credentials. The Count Module will be available to the Returning Officer over the Internet in SSL mode. The Returning Officer will not be able to initiate a count for any Contests within an Election Event until voting for the Election Event has been closed.

3 Count and Recount

The Count component is responsible for performing the actual count or re-count under the secure trusted domain of the Returning Officer responsible for the Election Event. Once the Returning Officer has been authenticated, he/she will be able to select a Contest and begin the count. The count can be broken into four logical stages:

• Increment Count;

• Perform Count against system generated candidate numbers;

• Reveal the Candidate Number; and

• Publish the results.

1 Count Management

The first initiation of a Count against an Election Contest will be given a Count Number of 1. Any subsequent counts performed for that Contest, known as re-counts, will increment the Count Number by 1. All votes included in a count/re-count will have an audit record created and associated with the Count Number. These will be used to print the results of an old Electronic Count.

2 Tally

This component is responsible for counting the electronic votes accepted via the various e-Channels. For each authenticated vote the VIN and POIN are stored encrypted in the e-Vote database. For each vote in the Contest selected by the Returning Officer, the encrypted POIN maps onto a specific Candidate Id in that Contest and the count for that Candidate Id is incremented by 1. Spoilt Reason Ids are incremented in the same way when a spoilt vote is identified.

Note that a re-count is initiated by re-running the Count for a particular Contest. If no amendment to the votes has been made the results will be the same. If amendments have been made after the initial count (e.g. inclusion of a previously excluded Tender Vote or correction of a clerical error), the re-count totals may differ.

The next step incorporates the paper and postal vote totals into the electronic count and de-anonymises the candidates, thus revealing the results of the Contest.

3 Publisher

This component has the responsibility of displaying the results for printing by the Returning Officer.

4 Audit and Scrutiny

Count Integrity is the process whereby the validity of a Count is verified (i.e. prove that all votes counted were from votes cast using the approved Voter Credentials and that manually entered totals were accurately recorded and counted).

1 Vote Authentication

An electronic vote is captured by receipt of a valid EML 440 Cast Vote message containing the citizen’s voter credentials together with a vote seal. To prove that no votes have been lost by the e-Vote database, Seal Logs containing the digital signatures of the Cast Vote messages (EML 440) from the various channels will be loaded into the e-Vote Application and compared against the seals held in the e-Vote database.
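The Count and Recount procedure (Count Number increment, tally against system-generated candidate numbers with spoilt reasons and manually entered postal totals, reveal, publish, audit record per counted vote) together with the seal-log reconciliation just described, as an added example. This is not the e-Vote Application’s count module: the stored votes, seals, candidate numbers and channel logs are constructed data, the seal is a placeholder string rather than a real message signature, and the stored POIN is not actually encrypted here.

```python
from collections import Counter

# Constructed data, all hypothetical. The Count works against system-generated
# candidate numbers (K1, K2, ...) and only reveals names in the final stage.
CANDIDATE_NUMBERS = {
    "Ward A": {"K1": "Martin O'Neil", "K2": "Terry Venables", "K3": "Magic Johnson"},
}
# VIN -> POIN -> (Contest, candidate number or SPOILT)
POIN_MAP = {
    "VIN-A": {"1235": ("Ward A", "K1"), "2343": ("Ward A", "SPOILT")},
    "VIN-B": {"5678": ("Ward A", "K1"), "5965": ("Ward A", "K2")},
    "VIN-C": {"7710": ("Ward A", "K3"), "7711": ("Ward A", "SPOILT")},
}
# Accepted votes as stored: (VIN, POIN, seal). The seal stands for the digital
# signature of the EML 440 Cast Vote message.
STORED_VOTES = [
    ("VIN-A", "1235", "seal-001"),
    ("VIN-B", "5965", "seal-002"),
    ("VIN-C", "7711", "seal-003"),
]
# Seal Logs delivered by the channel gateways. seal-004 was logged by the
# internet gateway but never reached the database.
CHANNEL_SEAL_LOGS = {
    "internet": ["seal-001", "seal-002", "seal-004"],
    "kiosk": ["seal-003"],
}


class Count:
    """Count Numbers, audit records and the four stages of a count."""

    def __init__(self):
        self.count_numbers = {}   # Contest -> last Count Number issued
        self.audit = []           # (Contest, Count Number, seal) per counted vote

    def run(self, contest, votes, poin_map, postal_totals=None, postal_spoilt=None):
        # Stage 1: increment the Count Number (1 for the first count, +1 per re-count).
        number = self.count_numbers.get(contest, 0) + 1
        self.count_numbers[contest] = number
        # Stage 2: tally against candidate numbers only; names stay hidden.
        by_number, spoilt = Counter(), Counter()
        for vin, poin, seal in votes:
            c, target = poin_map[vin][poin]
            if c != contest:
                continue
            if target == "SPOILT":
                spoilt["electronic spoilt ballot"] += 1
            else:
                by_number[target] += 1
            self.audit.append((contest, number, seal))
        # Manually entered postal/paper totals, per candidate number and per spoilt reason.
        for target, n in (postal_totals or {}).items():
            by_number[target] += n
        for reason, n in (postal_spoilt or {}).items():
            spoilt[reason] += n
        # Stages 3 and 4: reveal the candidate behind each number and publish.
        results = {name: by_number.get(k, 0)
                   for k, name in CANDIDATE_NUMBERS[contest].items()}
        return {"contest": contest, "count_number": number,
                "results": results, "spoilt": dict(spoilt)}


def reconcile_seals(stored_votes, seal_logs):
    """Compare the gateways' Seal Logs with the seals in the database. A seal a
    gateway logged that is absent from the database is a potentially lost vote;
    a seal in the database that no gateway logged is a vote of unexplained origin."""
    in_db = {seal for _, _, seal in stored_votes}
    logged = {s for log in seal_logs.values() for s in log}
    return {"lost": sorted(logged - in_db), "unlogged": sorted(in_db - logged)}


if __name__ == "__main__":
    count = Count()
    print(count.run("Ward A", STORED_VOTES, POIN_MAP,
                    postal_totals={"K2": 3}, postal_spoilt={"unmarked": 1}))
    print(count.run("Ward A", STORED_VOTES, POIN_MAP,
                    postal_totals={"K2": 3}, postal_spoilt={"unmarked": 1}))
    print(reconcile_seals(STORED_VOTES, CHANNEL_SEAL_LOGS))
```

Running the count twice with unchanged input yields Count Numbers 1 and 2 with identical results, which is what a scrutineer expects of a re-count; the reconciliation reports `seal-004` as lost, the case the Seal Log comparison exists to catch.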

The following diagram shows the high level view of the process flow for the e-Counting component.

[pic]

Figure 17 – Count and Audit process flow

In summary, the e-Count component of the e-Vote Application tallies and reports on the votes cast electronically and/or manually in a particular Election Contest. Features include:

• Access to the Election Count module is restricted by the Returning Officer’s credentials;

• All access and actions on the Count Module are fully audited;

• The Returning Officer can only initiate the Election Count for Contests which he/she is responsible for managing;

• The Election Count can only be instigated by the Returning Officer once the voting end date and time have been reached;

• Once the Count has been instigated, the Contest counter is incremented by 1. Any subsequent execution of the Count will increment the counter by 1, to provide an audit trail of counts and related actions performed;

• An audit record is written for every vote that is decrypted and included in a Count to permit scrutiny.

5 Reveal Vote

Under UK Electoral Law, a judge can order a Returning Officer to find a citizen’s ballot paper to prove that their vote was counted in a specific Contest. This functionality will only be available to the Returning Officer. As part of the Reveal Vote functionality the Returning Officer will be able to generate two separate reports which together contain the voter’s details and the selection made by the voter. The following details will be displayed in the resulting reports:

Voter Report

• Returning Officer Name;

• Date & Time;

• Reason for revealing details of the vote;

• Election Event details;

• Election details;

• Contest details;

• Voter details (including VIN and Electoral Roll Number);

Vote Report

• VIN and Electoral Roll Number;

• The Candidate(s)/Option(s) selected;

• Details of the vote(s), i.e. channel, date & time the vote was made, type of vote etc.

The execution of the Reveal Vote function will result in the creation of an audit record in the e-Vote database.

10 Post Election

1 Overview

At the end of the Election Event, Local Authorities will analyse the success of the electronic election. This section covers the approach to providing the Local Authority with the results of the survey that formed part of the Election Event and the voting patterns across the various channels. This includes:

• Count for the options selected on the Election Survey questionnaire;

• A CSV file containing the election survey results;

• Channel Voting Patterns.

2 Survey

The following enables the Returning Officer to produce the results of the survey. The surveys that can be selected are those that are associated with the Election Event or the Event Channels. Note that channels can have their own surveys.

The Returning Officer must select an Election Event and Survey for which they wish to generate a report or a CSV file.

[pic]

Figure 18 – Survey

1 Survey Report

[pic]

Figure 19 – Survey Report

3 Voting Patterns

The following enables the Returning Officer to produce the channel voting patterns for an Election Event. The Returning Officer must select an Election Event.

[pic]

Figure 20 – Voting Patterns

[pic]

Figure 21 – Voting Patterns Report
