clearcount system overview - colorado · 2019-05-04 · system overview document provides...

CLEAR BALLOT GROUP ClearDesign 1.0 System Overview Abstract: This document provides information about the functional and physical components of the ClearAccess system, including how components are structured and interfaced. © 2012-2015 Clear Ballot Group


Post on 15-Aug-2020


Page 1: ClearCount System Overview - Colorado · 2019-05-04 · System Overview document provides information about the functional and physical components of the ClearDesign system, how the


© 2012-2015 Clear Ballot Group

ClearDesign System Overview
ClearDesign Part Number: 100043-10001

Copyright © 2012-2015, Clear Ballot Group
All rights reserved.

This document contains proprietary and confidential information, consisting of trade secrets of a technical and/or commercial nature. The recipient may not share, copy, or reproduce its contents without express written permission from Clear Ballot Group.

Ballot Resolver, Clear Ballot, ClearDesign, ClearAudit, ClearVote.com, ClearData, ClearAccess, Image-to-Ballot Traceability, MatchPoint, ScanServer, ScanStation, “Speed, Accuracy and Transparency”, “Visual Verification”, “Visualization of Voter Intent”, and “Vote Visualization” are trademarks of Clear Ballot Group. ScandAll PRO is a trademark of FUJITSU LIMITED. All rights reserved. Other product and company names mentioned herein are the property of their respective owners.

Clear Ballot Group
71 Summer Street, Suite 3
Boston, MA 02110
(857) 250-4957
http://www.clearballot.com

Document history

Date | Description | Version | Authors
2015-05-02 | Initial version | 1.0 | Larry Moore

ClearDesign System Overview ii


Contents

1 Abstract
1.1 About this document
1.2 Scope of this document
1.3 Intended audience
2 System description
2.1 User Interface Design
2.2 Software Design
3 Operational environment of the system
3.1 Pre-election phase
3.2 Audit logging and reporting
4 COTS components in the ClearDesign system
4.1 COTS hardware
4.2 COTS software
4.3 COTS communications services
5 Interfaces among internal components
5.1 Physical interfaces among system components
5.2 Functional interfaces between components
5.3 Benchmark directory structure
5.4 Performance characteristics of each component
5.5 Ballot Layout and Generation Performance
6 Quality attributes
6.1 Safety
6.2 Security
6.3 Continuity of operation
6.4 Design constraints
6.5 Applicable standards
6.6 Compatibility


1 Abstract

This section defines the purpose of this document. It contains the following sections:

• About this document
• Scope of this document
• Intended audience

1.1 About this document

This System Overview document provides information about the functional and physical components of the ClearDesign system, how the components are structured, and the interfaces between them. It also reviews system performance characteristics. It corresponds to the VVSG Volume 2 Section 2.2 requirement for the Technical Data Package (TDP).

1.2 Scope of this document

This section provides summary information about the following aspects of the ClearDesign system:

• High level system description
• Functional components and subsystems
• Operational environment of the system
• System performance
• Quality attributes

1.3 Intended audience

This document is intended for voting system regulatory bodies and their delegated Voting Systems Test Laboratory, as part of the TDP required to certify the ClearDesign ballot design, layout and production system.

2 System description

ClearDesign is a multi-user interactive ballot design, layout, proofing and production system created by the Clear Ballot Group (Clear Ballot). As shown in Figure 2-1, ClearDesign is the ballot design component of the ClearVote product family.


Figure 2-1 ClearDesign configuration

The ClearDesign system consists of the following physical components (all of which are unmodified COTS hardware and are connected via closed, wired Ethernet connections):

• DesignServer: A laptop or desktop computer running the ClearDesign software and hosting its election database and the web server that serves its election reports. The DesignServer uses the Linux operating system (a configured version of which is installed with the ClearDesign software). The DesignServer is an appliance; all user access (including administration) is done through a DesignStation by a user with the proper credentials.

• DesignStation(s): One or more laptop/scanner pairs used to scan and tabulate ballots. The DesignStation™ computers use the Windows 8.1 Pro operating system.

• Router: Used to connect the DesignStations to the DesignServer using a wired, closed Ethernet. (Optionally, a switch may be added for situations requiring more DesignStations.)

All connections between devices in the ClearDesign system are private and wired. ClearDesign does not utilize wireless connectivity. Wireless capabilities present on any hardware used with the ClearDesign system must be disabled.

[Figure 2-1 labels: Hardware Configuration; ClearDesign: The ballot design component of ClearVote]


2.1 User Interface Design

The ClearDesign software was designed from the ground up to run in a modern browser. To a user of the Internet, ClearDesign will feel very familiar. All of the familiar ways of interacting with a browser will work in ClearDesign. For someone who already understands elections, the learning curve is short. The generic (i.e. non-election-specific) user interface elements utilize modern browser-based controls and are modeled after the familiar Windows Explorer user interface. Examples of these elements and their descriptions have been taken from http://en.wikipedia.org/wiki/Graphical_user_interface_elements. They include:

• Menus allow the user to execute commands by selecting from a list of choices. Menus are convenient because they show what commands are available within the software.

• Controls (or widgets) which are software components that a user interacts with through direct manipulation (click, touch, drag) to read or edit information. Common uses of widgets involve the display of collections of related items (e.g. list controls like dropdowns, combo boxes, etc.), initiation of actions and processes (via buttons and menus), navigation within the application (links, tabs and scrollbars, etc.) and to represent methods of manipulating data values (labels, check boxes, radio buttons, sliders, etc.)

• Tabs to allow the user to switch context quickly. In modern browsers, users can have multiple pages open at once and quickly move between them by clicking on the associated tabs.

In addition, there are interaction elements that will be familiar to anyone using browsers. Examples of these elements include:

• Cursor – an indicator used to show the position on a monitor that will respond to input from a text input (keyboard) or pointing device (mouse).

• Pointer – echoes the movement of the pointing device (mouse or touchpad). The pointer is the place where actions take place that are initiated through direct manipulation gestures such as click, touch and drag.

• Insertion Point – represents the point of the user interface where the focus is located. It represents the object that will be used as the default subject of user-initiated commands such as writing text, starting a selection or a copy-paste operation through the keyboard.

• Selection - A selection is a list of items on which user operations will take place. The user typically adds items to the list manually, although the computer may create a selection automatically.

• Adjustment Handle - A handle is an indicator of a starting point for a drag and drop operation. Usually the pointer shape changes when placed on the handle, showing an icon that represents the supported drag operation.

Shown on the next page are two screen shots. Figure 2-2 shows some of the UI elements that are made possible through a browser interface. Figure 2-3 shows how a user can customize the default ballot layout using drag and drop, as well as automatically remove line spacing to squeeze out a little more room and avoid printing another card.


Figure 2-2 User Interface Elements

Figure 2-3: User Interface Showing Direct Contest Manipulation of Contest


2.2 Software Design

The purpose of ClearDesign is to create, validate, produce and manage the informational elements that comprise an election. ClearDesign provides the tools, automated checking and reports to enable a jurisdiction to create ballots with a high degree of confidence that they will work as intended during the election. Figure 2-4 depicts the process of setting up ClearDesign to enable it to efficiently and accurately create an election.

Figure 2-4: ClearDesign Process Flow

Initial Setup & Data Entry – many of the items entered below are used to automatically populate menus, lists and drop-downs.

• Jurisdictional Data Entry includes localization of terminology (e.g., precincts vs election districts vs wards), enumeration of national languages, political parties, district categories, headers, commonly used graphical elements (e.g. county seal), and ballot layout styles (incl. party placement).

• Geographic Data Entry includes district listing, precinct and split listings and their relationship.

• Contest Templates includes the “Vote for”, contest type (candidate, measure, recall, etc.), cross-endorsement, assignment to a header, district assignment and rotation.

• Ballot Set Templates – refers to which ballot sets will be produced (e.g. federal only contests, sample ballots and different size ballots for accessible marking).

• Card Templates refers to the card height (5” – 22”), number of columns, front and back orientation (portrait or landscape) and the oval position (e.g., to the left or right of the candidate name).


Election Creation

• Election Definition refers to template selection, selection of contests to be included, entry of candidate names and measure text.

• Ballot Generation refers to the calculation of all ballot styles (i.e., based on the districts included in the current election, which contests go on which ballot style). Once the ballot styles are generated, the actual ballot text can be dynamically laid out and the ballots can be examined for their aesthetics. Small manual adjustments can be made to, for example, reposition contests (see figure 4-3) and to “squish” the .

• Ballot Proofing reports are produced and examined to ensure that the geographic relationships are correct, all contests have been placed, candidate names are correctly spelled, etc.

• Ballot Production is where the PDF files and ballot definition files are produced to send to the printer and to program the tabulator as well as the HTML files to enable the voter to vote and then print a ballot that can be tabulated.
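The ballot generation and proofing steps above, sketched as an added example (not Clear Ballot's code and not part of the original document): it computes which contests land on each split's ballot from district assignments, then runs two checks of the kind a proofing report supports (a contest that was never placed, a split whose ballot is empty). The data model, function names and the sample election are assumptions constructed for illustration.

```python
"""Ballot style generation and proofing checks (added illustration).

Assumed data model, not ClearDesign's: each split lists the districts it
lies in, and each contest is assigned to exactly one district.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Split:
    split_id: str
    precinct: str
    districts: frozenset


@dataclass(frozen=True)
class Contest:
    name: str
    district: str


def generate_ballot_styles(splits, contests):
    """Map split_id -> contest names (in entry order) for that split."""
    return {
        s.split_id: [c.name for c in contests if c.district in s.districts]
        for s in splits
    }


def proof_ballot_styles(contests, styles):
    """Return (kind, subject) findings that a proofing pass should flag."""
    findings = []
    placed = {name for names in styles.values() for name in names}
    for c in contests:
        if c.name not in placed:  # its district matches no split
            findings.append(("unplaced_contest", c.name))
    for split_id, names in styles.items():
        if not names:  # split has no districts, or none with contests
            findings.append(("empty_ballot", split_id))
    return findings


def splits_sharing_a_style(styles):
    """Group split ids whose ballots carry an identical contest list."""
    groups = defaultdict(list)
    for split_id, names in styles.items():
        groups[tuple(names)].append(split_id)
    return [ids for ids in groups.values() if len(ids) > 1]


# Constructed sample election; every name below is made up.
SPLITS = [
    Split("P1-A", "P1", frozenset({"County", "City-North", "School-1"})),
    Split("P1-B", "P1", frozenset({"County", "School-1"})),
    Split("P2-A", "P2", frozenset({"County", "School-2"})),
    Split("P2-B", "P2", frozenset({"County", "School-2"})),
    Split("P3-A", "P3", frozenset()),  # data-entry gap: no districts
]
CONTESTS = [
    Contest("County Commissioner", "County"),
    Contest("Mayor", "City-North"),
    Contest("School Board 1", "School-1"),
    Contest("School Board 2", "School-2"),
    Contest("Water Board", "Water-7"),  # district assigned to no split
]

if __name__ == "__main__":
    styles = generate_ballot_styles(SPLITS, CONTESTS)
    for split_id, names in styles.items():
        print(split_id, names)
    print(proof_ballot_styles(CONTESTS, styles))
    print(splits_sharing_a_style(styles))
```
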


3 Operational environment of the system

This section introduces the pre-election operational environment of the ClearDesign system. ClearDesign, as discussed above, is the ballot design component of ClearVote. Figure 3-1 shows the inputs and outputs between the various components of ClearVote.

ClearDesign inputs:
1) Election Definition

ClearDesign outputs:
2) Ballot proofing reports
3) PDF ballot styles
4) HTML Anywhere ballot marking files
5) Ballot Definition files (used to program the tabulators)

Figure 3-1 Inputs and outputs of ClearVote system

The HTML Anywhere ballot styles are encapsulations of the contest and candidate choices for a given ballot style along with the logic to indicate voter intent, prevent over voting and mark a ballot that can be immediately tabulated.


3.1 Pre-election phase

Figure 3-2 shows the operational environment of ClearDesign.

Figure 3-2 ClearDesign System Overview

The information below is keyed to the black circled numbers in Figure 3-2.

1. Election definition data entry is performed via manual entry or two methods of imports. One method is via Voter Registration import connectors which are custom programs that translate the fields from a state’s voter registration system into those of ClearDesign. The second method is via an import of the Ballot Definition Files produced by ClearAudit. This capability allows Clear Ballot to show a jurisdiction how ballots produced by their legacy voting system’s Election Management System would look in ClearDesign, how they would be marked in ClearAccess and how they would be tabulated in ClearCount.

2. Interactive ballot proofing is a critical step in creating an election. A library of reports is available for the ballot designer to determine visually, for example, that candidate names have been entered as intended, precincts have been correctly assigned to districts, contests appear on the correct ballot style, etc. Figure 3-3 shows the categorization and number of ClearDesign’s ballot proofing reports.

3. Ballot style production is done in a single step once the ballot designer has completed the proofing step. Two forms of ballots are produced simultaneously: the normal PDF files that are sent to the ballot printing company and HTML Anywhere files that can be loaded into a device capable of running a modern browser. When loaded into a browser, the Anywhere accessible ballot is displayed to enable in-person, accessible ballot marking. (See http://civicdesign.org/projects/anywhere-ballot/)

4. The Anywhere Ballot is a single HTML file that contains all of the data needed by a modern browser to display a single ballot style, allow voters (disabled or not) to select and verify their choices, mark and print one or more ballot cards on a low-cost laser printer. In operation, all ballot styles in the election are packaged as a single ZIP file that can be copied to a memory stick for installation on the ClearAccess ballot marking device (e.g. a PC or tablet computer). Once loaded, the device can be used directly in a vote center or configured to allow only certain ballot styles to be displayed at a particular polling location. See the ClearAccess Software Overview for a more complete explanation.

5. A ZIP file is produced by ClearDesign that encapsulates all of the files needed to program the ClearCount central count tabulator. ClearDesign can lay out ballots having different lengths in the same election. With this feature, 18” long ballots may be mailed to voters while 11” long ballots may be printed on demand at a polling or vote center using a low-cost laser printer. For 11” long ballots, it may take two ballot cards to display all the contests that appear on an 18” ballot. The benefit is that all ballots can be tabulated in the same way and a low-cost laser printer can be used in lieu of the expensive printer that is currently required to print an 18” two-sided ballot.

As referenced in item 2 above, this table categorizes over 70 ballot proofing reports.

Ballot Proofing Report Categories | # Reports
Languages | 2
Parties | 5
District Categories | 2
Districts | 4
Precincts/Splits | 5
Splits | 6
Contests | 9
Candidates | 2
Headers | 5
Ballot Sets | 2
Ballot Group Styles | 4
Ballot Groups | 4
Ballot Styles | 5
Ballots | 5
Card Styles | 5
Cards | 4
Layout Styles | 2
Logs | 1
Total number of Ballot Proofing Reports | 72

Figure 3-3 Ballot Proofing Report Categories


3.2 Audit logging and reporting

For additional information on logging in the ClearDesign System, including log-ins to the Linux operating system, see ClearDesign Election Administrator’s Guide and ClearDesign Installation and Preparation Guide.

4 COTS components in the ClearDesign system

This section introduces the COTS hardware, software, and communications services utilized in ClearDesign. For details on the COTS components used in the ClearDesign System, see ClearDesign Approved Parts List and ClearDesign Hardware Specification.

4.1 COTS hardware

All of the hardware used by the ClearDesign system is unmodified COTS.

4.2 COTS software

All third-party software included in ClearDesign is unmodified. All software (ClearDesign and third-party) is stored in the CBG source control management system, as described in the Configuration control procedures chapter of ClearDesign Configuration Management Plan.

4.3 COTS communications services

All hardware in a ClearDesign system is connected using a private wired Ethernet. Wireless connections are not supported. In order to distribute HTML files to ClearAccess, election officials may transfer the results to a flash memory drive. A printer may be connected to the DesignStation to print, for example, ballot proofing reports.


5 Interfaces among internal components

This section describes interfaces between the components in the ClearDesign system.

5.1 Physical interfaces among system components

ClearDesign utilizes the following physical interfaces between components:

• DesignServer computer to router: Ethernet CAT5 cable
• DesignStation computer to router: wired Ethernet CAT5 cable
• Printer to DesignServer: USB 2.0/3.0 cable
• Memory stick to DesignStation computer: USB 2.0/3.0

For details on hardware components, see ClearDesign Hardware Specification.

5.2 Functional interfaces between components

For details of the functional interfaces between components, see the Software overview and Interfaces sections of ClearDesign Software and Design Specification.

5.3 Benchmark directory structure

For the ClearDesign benchmark directory structure, see the Software Item Identification section of ClearDesign Software Design and Specification. This section contains performance information about the ClearDesign system.

5.4 Performance characteristics of each component

During data entry, ClearDesign performance can be characterized by its:

• Responsiveness to typical browser based actions such as text insertion, deletion, etc. There should be no noticeable delay in performing these types of browser actions.

• Speed of navigation between tabs and saving changes made is critical to ClearDesign’s usability. ClearDesign saves additions or modifications to the election definition as they are made (e.g. entry of geographic data or contest information). In general, ClearDesign’s tab-to-tab response time should be < 5 seconds.

After all data entry, ClearDesign performance can be divided into four areas:

• Ballot style generation – refers to the calculation of which contests should appear on which ballot styles.

• Ballot styles laid out – refers to the dynamic placement of contests and measures on ballot cards suitable for printing. If the

• PDF Card printing – refers to rendering all PDF files that will be sent to the ballot printing company.

• BDF Export - refers to the packaging (into a ZIP file) of all the data necessary to tabulate and report on the election.

5.5 Ballot Layout and Generation Performance

Ballot generation refers to the calculation of which contests should appear in which ballot styles. Ballot layout refers to the layout of each ballot style onto one or more cards of a designated size. Table 5-1 shows indicative performance on an election that had the following attributes:

Election Stats

Item | #
# Districts | 137
# Precincts | 132
# Splits | 295
# Contests | 90
Ballot dimensions | 8.5” x 18”

Performance | # | Time
# Ballot styles generated | 295 | 13
# Ballot styles laid out | 80 | 3:42
# PDF Cards printed | 590 | 4:51
BDF Export | | :10

Table 5-1 ClearDesign performance data

6 Quality attributes

ClearDesign ensures product quality in the following areas.

• Provisions for safety, security, privacy, and continuity of operation
• Design constraints
• Applicable standards
• Compatibility requirements

6.1 Safety

The ClearDesign system and recommended methodology do provide safety risks to operators, as confirmed by the ClearDesign Quality Assurance Program. All of the COTS hardware used in the system has been tested by a Nationally Recognized Testing Laboratory (NRTL) and is marked with a UL or other safety mark. ClearDesign addresses physical safety in its product documentation concerning setup, maintenance, and scanning. For details, see:

• Clear Design Election Preparation and Installation Guide
• ClearDesign System Maintenance Manual


6.2 Security

The ClearDesign system and recommended methodology ensure security through the following mechanisms:

• Access control
• Use of a closed network
• Security-minded administrative practices

For full details on ClearDesign security, see ClearDesign Security Specification. Because ClearDesign is a ballot generation system, there is no direct voter interaction. Voter privacy is not at issue. The ballots that ClearDesign produces contain no information that could be used to personally identify a voter. Therefore, the ClearDesign system does not include any special privacy measures.

6.3 Continuity of operation

ClearDesign runs on scalable, distributed hardware. To ensure continuity of operation, jurisdictions should ensure they have redundant hardware capacity. Backups should be taken periodically.

6.4 Design constraints

See the ClearDesign Software Specification.

6.5 Applicable standards

The ClearDesign software is run on unmodified COTS computers and scanners. Each piece of COTS hardware used in the ClearDesign system has an FCC Class B declaration of conformity and a CE Mark affixed to it.

• The FCC Class B Mark certifies that an electronic product’s electromagnetic interference falls under the limits set by the Federal Communications Commission of the United States in its Declaration of Conformity and Certification procedures of 1998

• The CE Mark (1993) indicates a product’s conformance to relevant European Union regulations.

CBG recommends that COTS equipment also bear a safety testing mark by an OSHA Nationally Recognized Testing Laboratory (NRTL), such as the Underwriters Laboratory UL mark.

6.6 Compatibility

The ClearDesign system produces Ballot Definition Files in text format that are compatible with ClearCount. It also produces HTML files that can be rendered on modern browsers. See the ClearDesign Software Specification for a listing of compatible browsers.
