Public Comment

[comment-form@oasis-open.org]

Comment from: david@drrw.info

Review of EML 4.0 draft

Line 331 - figure 2A - typo - Resluts - Results

Line 332 - figure 2B - this is a useful diagram -in that it documents the components of the process - but it does not show the exact flows, control of artifacts and separations needed to ensure a trusted election process.

This also relates to figure 2F - line 437. Again - since the paper and eVoting systems are separate - there is no method to independently verify the eVotes.  Unfortunately this leaves any pure play eVote system open to any number of insider manipulations.  A secure voting process combining and requiring both paper and eVotes together can address this.

Figures 2G and 2H would then show the reconcilation process - matching paper ballots to eVotes and reconciling with electoral roll counts by district to ensure counts match available number of voters.  Paper ballots can be scanned to obtain independent count totals.

Line 533 - Data requirements.  Some mention here should also be made of media and storage requirements.  For example write-once and read-only techniques should be used throughout to ensure that digital information is preserved as best as can be.  Notice firmware in reader and writer devices is vulnerable to tampering.  Humans are unable to directly verify content on digital media, nor know if a device is only reading or also writing to a media format that it contains.

Transfer and handling of digital media and its information therefore requires strict handling guidelines.

Line 612 under security relate to this.  Notice that during an eVoting process a voter has no way of verifying if the voting options displayed to them by the DRM device actually are sent to the balloting process, or are recorded differently.  This is why paper ballot verification is essential.  Line 623 alludes to this - but does not formally state it.

And the reason that voting cannot be made all-electronic like eBanking, eCommerce, and such is that fundamentally there are three key differences and factors at work here:
 
1) Voting must be anonymous yet verifiable
2) Electronic media content cannot be directly verified by humans
3) Entitlement is based on access and not individually reconcilable, so trust has to be around fair and visible open access with clearly understood safeguards, not technology gimmicks.

A general comment would be that the EML 4.0 does an excellent job of defining voting practice externally - eg facing the voter and election officials.  Where it lacks currently is internally facing to ensure the operations performed by the solution providers are equally trustable.  It also does not highlight the need for combined evote and paper ballots to ensure this integrity - and enable a broader access to voting.

Some additional areas then would be the use of XML to configure the voting process itself - defining the inter-process exchanges - such as between the eVoting device and the ballot printing device.  And for the printing and displaying devices - multi-lingual formatting scripts to ensure fair presentation of the candidate and election choices.

Of course not all votes are anonymous - however developing a trusted process for the toughest scenarios allows use for less constrained scenarios, but not the reverse.

I believe devloping a more formal trusted voting process definition is needed as a next step, and then showing where EML provides XML formats and scripts at all the crucial points in that process.  Cornerstone exchanges should be identified - and this can then lead to certification and conformance tests so that solution providers can verify that their components meet these requirements.

Thanks, DW