Verification interface

Actors

Requirements

1. The executive must know that the results are correct.
2. The voter must know that the vote is properly counted.

Basic design

The admin reports all votes and results via public interfaces. Each report is backed by a specific snapshot that is named in the report. For example, see:

• http://reluk.ca:8080/v/w/Votespace?p=G!p!sandbox

The admin posts snapshots of voting data via public interfaces. Each snapshot includes copies of all the votes that were received, plus any results that were derived from those votes. For example, see:

• http://reluk.ca/system/host/obsidian/home/v/votorola/out/votrace
• http://reluk.ca/system/host/obsidian/home/v/votorola/in/vomir
• http://reluk.ca/system/host/obsidian/home/v/votorola/out/vocount

Each watchdog works from:

RV.	Reported votes spot copied (partial data) from admin's public interface. Verified against SVR.
RR.	Reported results copied from admin's public interface. Verified against SVR.
SVR.	Snapshot of votes and results copied from admin's public interface. Verified against AV.
AV.	Actual votes, an independently verified sub-sample of RV. Verified against the memory of the voter and that of her co-voters, candidate and own voters.
CV.	Complaints of vote tampering. Tested against RV and SVR. Recorded and analyzed statistically vs. normal voting data, known vote buyers and statistically implicated sellers, and equivalent data gathered from other vote-servers. Plaintiffs could be added to RV/AV checks. If any subsequent complaints are proven to be fraudulent, then the overall fraud rate might be estimated. But this part is rather fuzzy, yet.

Proposed rationalization

The verification architecture may alternatively be rationalized as follows.¹ A main site with (1) a count engine, reading from (2) a mirror database of translated image votes, reading from remote vote-servers and from (by null translation) a local vote-server (same vote form as the local mirror uses). It produces timestamped series of counts, and of the configuration parameters on which each count is based.

A count verification site with (1) the same design of count engine, reading from (2) a mirror database of translated image vote, reading from the same remote vote-servers as the main site and from (by null translation) the main site's local vote-server. The count verification site delays configuration-sensitive actions (such as counts) to ensure it has the same configuration as the main site for each timestamped action (e.g. the same remote source vote-servers for each count). It verifies only counts, not input data such as votes. It does this by producing counts at the same timestamps as the main site, each of which matches.

Vote verification facilities. These are not yet specified, except a personal vote verification facility which consists in comparing one's vote as locally recorded (voter's own record) on the voting client vs. the image on the count verification site. A match here guarantees that the vote was indeed counted as recorded on the client.

Notes

1.	From Christian Weilbach's ideas. Worked up together with Michael Allan into a rough design sketch, April 2013.