This document discusses a proposed pilot project to test remote voting kiosks in combat zones to allow overseas military and civilian voters to cast ballots electronically. It describes how previous pilots of remote voting kiosks in benign overseas environments were successful and evaluates expanding the concept to combat zones. The document outlines the objectives, components, costs, and anticipated benefits of the proposed combat zone kiosk pilot project.

1. Innovative Approaches for
UOCAVA Voting:
Remote Voting Kiosks
National Civic Summit
July 16, 2009
www.OperationBRAVO.org

2. What is a Remote Voting Kiosk?
• An “early voting center” overseas
• Operates as adjunct to pollsite system
• All ballot styles available
• Voters checked in with voter registration database
• Ballots cast electronically
• Votes transmitted and stored in central data center
2

3. Okaloosa Distance Balloting Pilot (ODBP)
Objective: Evaluate the effectiveness of remote voting
kiosks to improve overseas voting access
• Project conceived and conducted by the Supervisor of
Elections, Okaloosa County, Florida
• Authorized by Florida Administrative Rule 1S–2.030
Electronic Transmission of Absentee Ballots
• Based on Scytl Pnyx secure voting system, tailored to meet
Florida requirements
• System certified by Florida as adjunct to pollsite system
• Project managed by Operation BRAVO Foundation
3

4. Three Overseas “Early Voting Centers”
• Staffed voting kiosks set up in England, Germany, Japan
• Open for 10 days
• 94 voters participated, 93 ballots cast
• All 78 ballot styles available, 23 different styles voted
• Paper records produced for all electronic ballots cast
• Canvassing Board validated, decrypted, and tabulated
electronic ballots
• Kiosk officials set up and operated kiosk systems
• Elections staff administered central office system
4

5. UK Kiosk : Mildenhall, England
5

6. Kiosk Voting System Security Elements
• Voter identity and eligibility verified by kiosk officials
• Secure laptops used for voting
• Voting software verified by Florida Division of Elections
• Voted ballot signed by voter’s digital signature, then encrypted
with Canvassing Board key
• Encrypted ballot transmitted by secure communications to a
BS7799 certified Tier 3 secure data center for storage
• All system transactions logged in immutable system logs
• System performance validated by comparing manual count of all
races on 100% of paper records with electronic tabulation
6

7. Some Lessons Learned
• Kiosk components easy to deliver overseas by commercial
carrier
• Kiosk system easy for kiosk officials to set up and operate
with minimal training (< 8 hours)
• Only technical issue encountered was setting up network
connection in hotels where kiosks were located
• System easy for voters to use; would like to continue voting
this way; experienced greater sense of participation and
confidence that ballot would be counted
• Ability to verify system performance through paper record
audit provided high degree of trust in system integrity
7

8. Proposed Project for 2010: Combat Zone Kiosks
Objective : Assess feasibility of kiosk concept to enfranchise
military and civilian voters in combat zones
• Expand scope to 35 counties in 5 states ( 2-3000 voters)
• Establish shared kiosk sites in several combat zone
locations, e.g., Green Zone in Baghdad
• Staff with local personnel, e.g., Voting Assistance Officers
• Open 45 days before Election Day
8

9. Combat Zone Voting System
Shared Central
Data Center Kiosk Sites
Authentication
Voting Servers Terminal
Registration System
Kiosk
Secure VPN Workers
County Interface
Certification Authority
Voter
Network
Voting Terminal
Secure VPN
Secure VPN
Statewide Voter County Elections Offices
Registration Access Laptop Canvassing Server
Systems Interfaces
Canvassing Board
9

10. Why Try This Solution?
Other voting methods are not feasible in combat zones
• Postal mail will never be reliable or timely due to nature of the
environment
• FAX capability is non-existent
• Access to computers for personal e-mail is limited, especially
if a printer is needed
• Entire kiosk system can be shipped in, set up, and operated
by local personnel
• Only needs electricity and an Internet connection
10

11. Logical Follow-on to Previous UOCAVA Projects
• ODBP demonstrated practical feasibility and effectiveness in
benign overseas environments
• ODBP established an easy and scalable method to provide
voters with digital signatures
• Single county proof of concept is capable of expansion to
multiple jurisdictions
• Security and auditability of system acceptable to e-voting
critics
• Voting Over the Internet and SERVE showed feasibility of
multiple jurisdictions sharing a common system while keeping
each election office’s data separate and private
11

12. Project Overview
• Establish Pilot Management Board with representatives from
participating jurisdictions
• Operation BRAVO Foundation (OBF) provides daily project management
under policy direction of Pilot Management Board
• Scytl adapts features of Okaloosa kiosk system for other jurisdictions as
needed
• Scytl develops interfaces for local election management systems and
statewide voter registration databases
• OBF, Scytl, and Pilot Management Board revise Okaloosa training
materials and system operation manuals for other jurisdictions as
needed
• Test and certify combat kiosk pilot system
• Open kiosks for voting on September 18, 2010
12

13. Preliminary Cost Estimate
• Scoping assumption: 5 states, 35 counties
• Cost: $4 to 5 million
• Includes:
– Requirements analysis to identify any system modifications
– Tailoring of existing system for new jurisdictions
– System testing and certification
– Software licenses
– System implementation
– Project management
– Project evaluation
13

14. Why Participate?
• Be a leader in enabling voting rights for military and overseas
citizens
• Develop specifications for a repeatable secure UOCAVA solution
• Help define standards for remote voting for UOCAVA voters
• Help define voting system data interchange requirements
• Share costs among participating jurisdictions, federal agencies,
foundations
14

15. How Does Kiosk Integrate With Local Systems?
entication System
1 County
uthentication Laptop
Smartcard Reader KIOSK
VRD
B
VOTING
PC
Voter PC
LEO
Tabulation
Server
rinter/Scanner Central
Server
LEO/State Election
VRDB Management
Interface Wizard
Server System
PKI
Existing local system
Kiosk system components LEO = Local Election Ofice
15

16. Frequently Asked Questions (FAQs)
1. How is voter’s identity and eligibility to vote determined?
A. Kiosk worker checks voter ID and looks up voter in voter registration database to determine
eligibility to vote. Voter signature on printed Voter’s Certificate verified against stored signature
to ensure that the same person.
2. How is the correct ballot style matched to each voter?
A. All ballot styles are configured in the voting system. When a voter is authenticated by the poll
worker, the ballot style is coded in a smartcard that gives access to the voting laptop, which
will show the appropriate races to the voter
3. How does local election official know which voters submitted which ballots?
– Each ballot, once encrypted, is digitally signed by the voter; therefore, the system knows which
ballots correspond to each county. Of course, this signature is stripped off when each local
election authority decrypts the ballot, thus ensuring voters’ privacy.
16

17. FAQs (Continued)
1. How is the secrecy of the voter’s ballot choices protected?
A. Two main complementary measures ensure voters’ privacy: encryption of the ballot using a
digital envelope, and a one-way mixing process. Only each election official will be able to
decrypt the ballots addressed to such county in a process that breaks the correlation between
voters and ballots.
2. How do the voted ballots get to the local election office for tabulation?
A. The voting system will have a special interface per county where local election officials will be
able to process the encrypted ballots and obtain the decrypted ones for tabulation
3. Can the voter independently verify their ballot choices before submitting their
voted ballot?
A. The voting laptop prints a paper record for the voter to compare to the electronic summary
screen. On-screen verification is available too.
17

18. FAQs (Continued)
1. How can the electronic results be audited?
A. A sample (or all) of the paper records can be hand counted and the results compared with
the electronic tabulation. In addition, each paper record can be compared to its
corresponding electronic record through a randomly generated common code on each
2. How will this system affect the local election office workload?
A. It depends on how much manual intervention is required to extract the election definition
and ballot style data from the local election management system and import it into the
kiosk voting system. Once these data have been transferred and verified, the kiosk system
operates automatically. The kiosk voting system is relatively easy to set up and initialize;
this work can be done by an elections IT support person with a small amount of training.
The kiosk system provides a tabulation report of voting results. Depending on how local
tabulation reports are prepared, the kiosk tabulation data may have to be manually entered
into those reports
18

19. FAQs (Continued)
1. How will the system be tested?
A. The Election Assistance Commission has begun work on defining a process for the testing
and certification of pilot voting systems. Some states have their own system testing and
certification process
2. Will the ballots be time-stamped to show they were cast before the
deadline?
A. Each ballot contains a time-stamp that clearly points out the time the ballot was cast.
11. Wouldn’t it be easier to send ballots to voters by email?
A. Although some States allow it under certain circumstances, email voting has several
serious shortcomings due to the lack of security measures. For instance, voters’ privacy
can not be assured, and ballot integrity is complex to achieve in an scenario with dozens
of voters all over the world.
19

20. FAQs (Continued)
12. My state requires matching the voter’s signature on the absentee ballot with
the signature on file to verify that the ballot was returned by an eligible
voter. How will the kiosk system do this?
A. This is done in two steps with the kiosk system. First, each voter is personally identified
and checked against the voter registration database by the kiosk worker. In Florida, the
voter is required to sign a printed Voter’s Certificate, and this signature is compared to the
one on file. Secondly, as part of election set-up activities, each potential kiosk voter is
assigned a unique digital signature that is linked to his voter ID code in the voter
registration database. When the voter is checked in at the kiosk the voter registration
database encodes the ballot style ID, the voter ID, and the digital signature PIN in a bar
code on the Voter’s Certificate. This bar code is scanned to record this data on the
smartcard used to activate the voting session. The voter’s digital signature is downloaded
to the voting laptop along with the correct ballot style. When the voter submits their voted
ballot, the system automatically applies the voter’s digital signature that ties the ballot to
that particular voter’s identity. This linking is broken after the Canvassing Board reconciles
the absentee voter list and is ready to download the ballots for decryption and tabulation.
20

21. FAQs (Continued)
13. How does a county configure its ballot styles on the kiosk-based voting
system?
A. It will depend on the number of participating counties and the EMS used by them, but two
approaches are considered: (1) a ballot editor, where each ballot will be defined; (2)
integration with the EMS to import the ballot definitions configured by election officials
• What is the cost per vote for kiosk voting?
A. In very simple terms, the cost per vote for any type of voting system is determined by the
number of voters who use the system over its expected life cycle. The Okaloosa project
was intentionally small scale as a technology proof of concept. It incurred development,
documentation, and testing costs for a one time use that normally would be amortized
over thousands of elections. The combat kiosk project is intended to include many more
jurisdictions and thousands of voters. It will also re-use much of the development and
other work done for the Okaloosa project. This project will provide a much better basis for
projecting the cost per vote for kiosk voting when implemented as a standard voting
method.
21

22. FAQs (Continued)
1. Why is Scytl the provider of the voting technology?
– The Okaloosa Distance Balloting Pilot team conducted a market survey of potential
vendors to provide the voting system for that project. Scytl was selected because they
had a mature, proven remote electronic voting system that had been used for a number of
public elections in several countries. This system includes a number of advanced,
patented security features such as immutable chaining logs that allow comprehensive
system performance auditing. Scytl also had the engineering design and development
staff to implement the system enhancements necessary to comply with Florida legal and
administrative rules and to interface the system to the Okaloosa local election
management and voter registration systems. The system has been tested and certified by
the State of Florida, and an independent team of experts has reviewed the system
software. Since the combat kiosk project is a further expansion of the Okaloosa project, it
reduces both cost and risk to remain with the same provider. Should any jurisdictions
decide to implement remote kiosks as a regular voting channel in the future, they can use
the specifications developed by these projects in their vendor solicitation.
22

23. Operation BRAVO Foundation
• Non-profit 501(c)(3) organization
• Established to foster exploration and development of
practical and reproducible electronic solutions to improve
overseas voting process
• Partners with state and local governments, other
organizations, to conduct demonstration projects
• Provides project planning, budgeting, and management;
functional requirements analysis; governmental coordination;
legal and regulatory compliance assessment; and project
evaluation
23

24. Contact Information
Carol Paquette
Carol.Paquette@operationbravo.org
703 532 0524
Pat Hollarn
Pat.Hollarn@operationbravo.org
850 585 7768
24