
Office of the Deputy Prime Minister

e-Vote II Solution Architecture

Author: Naz Mulla

Last Updated:

Document Ref: PS/ODPM/3027468/HLD/001

Version: Issue 1

Approvals:

Keith Linfoot, Oracle Programme Manager

Office of the Deputy Prime Minister PS/ODPM/3027468/HLD/001 e-vote II - Solution Architecture 18/2/2003

Document Control

Change Record


Date       Author     Version   Change Reference
01-OCT-02  Naz Mulla  Draft 1a  Initial Creation
10-OCT-02  Naz Mulla  Draft 1b  Update
12-NOV-02  Naz Mulla  Draft 1c  Update
15-FEB-03  Naz Mulla  Draft 1d  Update
18-FEB-03  Naz Mulla  Issue 1   RCL093, RCL098

Reviewers

Name Position

Keith Linfoot Oracle Programme Manager

John Abel Oracle Technical Architect

Distribution

No Name Location

1 Master Copy Project Library

NOTE To Holders:

If you receive an electronic copy of this document and print it out, you should write your name on the front cover (for document control purposes).

If you receive a hard copy of this document, please write your name on the front cover (for document control purposes).

File Ref: document.doc Copyright © 2003, Oracle Corporation. All rights reserved.

Introduction 1


Contents

Document Control i

1 Introduction 4
1.1 Purpose 4
1.2 Glossary Of Terms 4
1.3 Related Documents 5

2 e-Democracy Process Architecture 6
2.1 e-Democracy Election Context Model 6
2.2 Actors 6
2.3 Election Communication 7
2.4 Election Administration and Management 8
2.5 Vote Management 9
2.6 Electronic Election Count 9
2.7 Electronic Election Closure 9

3 Election Architectural Principles and Standards 10
3.1 Security 10
3.2 Anonymity 10
3.3 Accuracy 10
3.4 Integrity 10
3.5 System Audit 10
3.6 Accessibility 11
3.7 Data Retention 11
3.8 Election Mark-Up Language Standards (EML) 11

4 Solution Overview 13
4.1 Pre-Election Management 13
4.2 Vote Management 14
4.3 Front Office Management 14
4.4 Electronic Election Count and Audit 14
4.5 Post Election Reports 15

5 Pre-Election Management 16
5.1 Overview 16
5.2 Pre-Election Initial Data Capture 16
5.3 Event Management 20
5.4 Credential Management 20
5.5 Election Official Administration 23
5.6 Election Registers 24
5.7 Mark Registers (Postal) 26

6 Vote Management 27
6.1 Overview 27
6.2 Common Services 27
6.3 Internet, iDTV and Kiosk Channels 28
6.4 Postal and Paper Votes 33
6.5 Marked Registers 33

7 Front Office 34

8 Voter Support Centre 37

9 Electronic Count and Audit 38
9.1 Overview 38
9.2 Count Access 38
9.3 Count and Recount 38
9.4 Audit and Scrutiny 40
9.5 Reveal Vote 41

10 Post Election 42
10.1 Overview 42
10.2 Survey 42
10.3 Voting Patterns 44


1 Introduction

1.1 Purpose

Oracle, Election.com and the BT Group, have formed a consortium to deliver an e-Democracy Election Framework consisting of election services and a technical application for the spring 2003 UK Local Government Elections and subsequent elections within the public sector.

The purpose of this document is to detail the high-level solution architecture for the e-Vote Application from a business perspective, it highlights:

· The e-Democracy Process Architecture;

· The election principles and standards that must be adhered to;

· A high level overview of the e-Democracy Solution;

· A description of the major components of the e-Vote Application.

The non-software solution components i.e. application support etc. are not detailed in this document.

The Technical Architecture for the e-Democracy Solution is detailed in ‘e-Democracy Technical Architecture’ document ref [1].

1.2 Glossary Of Terms

Abbreviation/Term Description

REV Remote Electronic Voting – This is the term CESG use when referring to voting that takes place by electronic means from any location e.g. Internet, IVR.

Voter Authenticity Ensure voters identify themselves using an agreed method to be entitled to vote.

Voter Anonymity Ensure votes are not associated with the voter’s identity unless warranted under UK election law.

Vote Confidentiality Ensuring that the vote is secret.

Vote Integrity Ensuring that each vote cast is recorded as intended.

Personation The act of fraudulently voting in someone else’s name.


SMS Short Message Service – The method by which short ‘text messages’ are communicated primarily between mobiles.

PSTN Public Service Telephone Network

EML Election Markup Language – The name given to the XML standards developed by the OASIS XML interoperability consortium for the structured exchange of election data between hardware, software and service vendors.

Election Event The name given to a group of election contests managed by an Election Authority held over the same period.

Contest The name given to a single election of a specific type e.g. Parish, run by an Election Authority for a given geographic area.

VIN A random key generated by the e-Democracy Solution that forms one element of an Authentication Method used by voters to verify their identity.

PCIN Personal Candidate Identification Number – This is a randomly generated candidate number that is personal to a voter.

1.3 Related Documents

No. Title Reference Number Date

1 e-Democracy Technical Architecture PS/ODPM/3027468/HLD/001 Issue 1


2 e-Democracy Process Architecture

2.1 e-Democracy Election Context Model

This section provides an overview of the election processes in the context of the future e-Democracy Pilots. In England and Wales, over 21,000 people represent their communities by serving as Councillors on local authorities. Councillors are elected to represent geographical units called parishes, wards, etc. In traditional elections, citizens can vote in person at a designated polling station, by postal ballot or by proxy.

The following context model provides an overview of the e-Democracy election process in the context of supporting new electronic channels for citizens to cast their vote(s).

Figure 1 – e-Democracy Context Model

2.2 Actors

Actors are parties participating, or that have a vested interest, in the e-Election that will support electronic voting.

Citizen A person who is eligible to vote in an election contest sanctioned by the UK Government.

Candidate A person who appears on a selection list on a ballot. They may or may not belong to a Political Party.


Political Party A political organisation that nominates members to appear as candidates on a ballot.

Independent A person who appears on a selection list on a ballot and does not belong to a Political Party.

Electoral Commission

A UK Government organisation responsible for communicating electoral rules by which a ballot should be conducted.

Returning Officer

The Returning Officer together with the Acting Returning Officer is responsible for officially managing an Election within an Election Authority as directed by election law.

Presiding Officer

Responsible for managing the Polling Locations under rules specified by Parliament.

ODPM Office Of the Deputy Prime Minister.

Government The United Kingdom Government.

Election Authority An electoral region governed by boundary rules managed by an elected authority.

Councillors Current Council Members.

Independent Technical Authority Responsible for the deletion, or validation of the deletion, of the e-Vote database after the elections have been completed.

Internal Print & Post Office

Responsible for print and delivery of Poll Cards and any other communication material.

External Print & Post Office

Responsible for print and delivery of Poll Cards and any other communication material.

Communication Department

Responsible for the communication campaign for the e-Democracy Pilot.

Election Officer Responsible for managing the electoral register.

Help Desk Responsible for answering calls from citizens over the election period.

Support Desk Responsible for directing support staff questions during the election period.

2.3 Election Communication

Election Communication pertains to all the activities and processes involved in running the communication campaign, disseminating all electoral literature including Poll Cards and Vote Credentials to citizens to enable electronic voting and post election analysis.

2.3.1 Communication Consultancy

In the context of the e-Democracy Pilots, this entails a well-managed Communications Outreach Programme to ensure all of the stakeholders are aware of their role in the elections.

Objectives are to:

· Educate voters in the community venues they know and trust;

· Make the message relevant to specific target audiences, i.e. young voters, the elderly, working mothers, the socially excluded;


· Deploy innovative visual design and compelling tagline(s) to reinforce messages;

· Use creative, attention-grabbing incentives to generate attention and enthusiasm for the election;

· Engage local community leaders and other prominent figures to support the campaign i.e. MPs, Councillors, Head Teachers, local religious leaders, leading local business people, radio stations and so on;

· Maintain the momentum and reinforce the value of voting by widely distributing the post-election results.

The above will be managed by BT together with the Local Authorities.

2.3.2 Postal Voting Administration

In the context of the e-Democracy Pilots, this entails the printing of Polling Cards, Postal Ballot Papers and Proxy Letters. The authentication information may be incorporated onto the Poll Cards, printed and disseminated to the electorate.

The above will be managed by BT together with the Local Authorities.

2.4 Election Administration and Management

Election Administration and Management is the planning, execution and monitoring of processes and activities pertaining to the ballot structure, candidate list, polling & count location management, voter registration management, support desk and the help desk.

2.4.1 Election Event and Candidate Management

This is the management of all statutory election processes and procedures including the notice of election, nomination management, election rules compliance etc. This is the sole responsibility of Election Authorities.

In the context of the e-Democracy Pilot, Election Event, Polling Location details, Presiding Officers, Count staff and Candidate Lists are to be loaded into the e-Vote database in preparation for electronic voting. Candidate information will be provided when the Returning Officer has confirmed nominations.

2.4.2 Voter Registration Management

Voter Registration Management is the planning and management of processes and activities pertaining to maintaining the electoral register. The provision of Electoral Register information is the responsibility of the Election Authorities.

Registration officers may arrange either to send forms to, or to call on every household in the constituency to obtain details of all occupants eligible to vote. The information is used to compile provisional lists. These lists are displayed in public places in order to give people the opportunity to check that their names are included or to object to inclusions. People who disagree with the final decision of the registration officer may appeal to the courts.

In the context of the e-Democracy Pilots, Election Authorities will provide Electoral Register files from their current Election Package(s) and any rules required to interpret these files. These will be consolidated in an Interim Electoral Register and then provided to the e-Vote team for loading into the e-Vote database in preparation for electronic voting.

Vote Credentials and additional authentication details will be generated by the e-Democracy Solution for each citizen; the e-Vote Team will communicate these back to the Election Administration for delivery to the Election Authorities.

2.4.3 Polling Location Management

Polling Location Management is the assessment, preparation, support and cleanup of Polling Locations.

2.4.4 Count Location Management

Count Location Management is the assessment, preparation, support and cleanup of count locations. This may entail the provision of hardware and software accessed via the Internet that will enable the Returning Officer to run the electronic count and audit reports.

2.4.5 Help Desk Management

This is the provision of a help desk service for the Election Authority.

2.4.6 Support Desk Management

This is the provision of a support desk service for the Internal Election Support team.

2.5 Vote Management

2.5.1 Postal/Paper Vote

This is the capture of individual or total Postal or Paper votes cast for an Election Contest over an election period.

2.5.2 Electronic Vote

Electronic Voting is the capturing of citizens’ votes via the Web, Kiosk, iDTV, SMS or IVR Channels.

2.6 Electronic Election Count

The Electronic Election Count is the production of reports, which validate the integrity of the electronic vote, detail the number of citizens that voted electronically and the number of votes cast for candidates in a Contest. The Returning Officer will be responsible for performing the electronic results count.

2.7 Electronic Election Closure

The Electronic Election Closure entails the processes to archive the e-Vote database, the communication of this archive to the Returning Officer and the deletion of all data relating to an Election Event. It is assumed that an Independent Technical Authority approved by ODPM will validate the deletion of the actual vote data.


3 Election Architectural Principles and Standards

This section contains the architectural principles and standards that will be followed in the design of the e-Democracy Solution. The word ‘principle’ has been used in many different contexts; here it applies to the election process and covers security, anonymity, accuracy, integrity, auditability, election management, and data retention.

3.1 Security

Security can only be achieved through a combination of the technical implementation and administrative procedures. To provide security measures, the solution shall:

· Provide pre-election, vote management and post election components that are executable only in the intended manner and order, and only under the intended conditions;

· Provide access mechanisms that control and limit access to eligible voters;

· Provide access mechanisms that control and limit access to eligible officials; and

· Provide access mechanisms that control and limit access to critical components of the e-Democracy Solution to protect system integrity, confidentiality, and accountability.

3.2 Anonymity

To ensure anonymity of the voter and the result, the e-Democracy solution shall:

· Ensure that votes captured within the e-Democracy Solution cannot be tied to a voter unless by the Returning Officer;

· Ensure that the votes cannot be tied to candidates until the time of the count.

3.3 Accuracy

To ensure vote accuracy, the e-Democracy solution shall:

· Record the election events, candidate lists, and election lists as provided by election officials;

· Record the appropriate options for casting and recording votes;

· Record each vote precisely as indicated by the voter and be able to produce an accurate report of all votes cast; and

· Include control logic and data processing methods to demonstrate that the system has been designed for accuracy.

3.4 Integrity

To ensure system and data integrity, the e-Democracy solution shall:

· Protect against any attempt at improper data entry or retrieval;


· Record and report the date and time of normal and abnormal events; and

· Maintain a permanent record of all original audit data that cannot be modified or overridden.

3.5 System Audit

Election audit trails provide the supporting documentation for verifying the correctness of the election count. They represent a record of all system activity related to the election count, and are essential for public confidence in the accuracy of the count, for recounts, and for evidence in the event of election fraud. The timing and sequence of audit record entries is as important as the data contained in the record.

3.6 Accessibility

The principle is to meet the accessibility needs of a broad range of voters, some with disabilities. Efforts to meet the accessibility requirements shall not violate the privacy, secrecy, and integrity demands. As part of the design, the capability to provide access to voters with a broad range of disabilities will be factored. BT (election.com) are responsible for the specification and adherence to accessibility.

3.7 Data Retention

UK election legislation requires that election administrators preserve ballot papers for 6 months. Because the purpose of this requirement is to assist the government in discharging its law enforcement responsibilities in connection with election crimes, its scope must be interpreted in keeping with that objective. The appropriate Local Authority must preserve all records that may be relevant to the detection and prosecution of election crimes for the 6-month retention period.

3.8 Election Mark-Up Language Standards (EML)

EML UK v1.0 is in a pre-production phase and enhancements and corrections will be required to support the May 2003 Local Government elections.

The design team will enhance the EML standard to provide the level of functionality required to support the May 2003 Local Government elections.

The following provides examples of amendments that Oracle are considering in order to illustrate our approach to this area:

CESG - Key Principle

‘The signalling of intent, by the voter, into the electronic environment should have no observable properties, and the voter should receive assurance that their vote was recorded as it was intended’.

The CESG recommended solution involves the use of Personal Candidate Identification Numbers (PCIN) and Response Identifiers (RID). Spoilt votes should also be cast by using a PCIN and a Response Identifier.


The Cast Vote Response (EML 450) message does not allow for multiple Response Identifiers (as required by the CESG solution) to be communicated back to the voter, as it does not have a repeating ‘ConfirmationReference’ element. There are two options for resolving this: (1) ‘fudge’ the EML and put spaces between each response identifier, or (2) update the ‘ConfirmationReference’ element to be a repeating element. Oracle have opted for the more structured option, i.e. (2).

The Authentication Response (EML 430) message communicates PCINs to the gateways but does not have an explicit element for the PCIN of a spoilt vote. To adhere to the CESG solution, Oracle has implemented a ‘SpoiltOption’ element at the same level as the ‘Candidate’ element.

The Polling Information (EML 340) message does not contain elements that can communicate candidates and their associated PCINs and Response Identifiers to the Printer Service providers.

Additionally, some errors have been identified with the EML XSDs. An example of this is the Candidate List (EML 230) message, where the ‘any’ element below the ‘Contest’ element has been defined as ‘mandatory’. All ‘any’ elements should be defined as optional.

As security requirements for EML transportation have not been defined, Oracle will wrap the common service EML messages in a simple SOAP message that carries the transport security features. For example, the EML is encrypted using a symmetric key, which in turn is encrypted using an asymmetric key, and this encrypted key is placed in the SOAP wrapper.
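The transport wrapper just described, together with the repeating ‘ConfirmationReference’ of option (2) above, as an added example written for this page rather than taken from the document or from Oracle's implementation: a Cast Vote Response carrying two Response Identifiers is encrypted under a fresh AES-256-GCM key, that key is wrapped with the receiver's RSA-OAEP public key, both travel in a SOAP envelope, and the receiver unwraps them. The element names WrappedKey, Nonce and EncryptedEML, the choice of AES-GCM and RSA-OAEP, and the RID values are assumptions the document does not fix.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"fmt"
)

// CastVoteResponse stands in for EML 450 with ConfirmationReference made repeating (option 2).
type CastVoteResponse struct {
	ConfirmationReference []string `xml:"ConfirmationReference"`
}

// B64 carries raw bytes as base64 text inside the XML.
type B64 []byte

func (b B64) MarshalText() ([]byte, error) { return []byte(base64.StdEncoding.EncodeToString(b)), nil }
func (b *B64) UnmarshalText(t []byte) (err error) { *b, err = base64.StdEncoding.DecodeString(string(t)); return }

// Envelope is a minimal SOAP 1.1 envelope: wrapped per-message key in the Header, encrypted EML in the Body.
type Envelope struct {
	XMLName xml.Name `xml:"http://schemas.xmlsoap.org/soap/envelope/ Envelope"`
	Header  struct {
		WrappedKey B64 `xml:"WrappedKey"` // AES key encrypted with RSA-OAEP (assumed name)
		Nonce      B64 `xml:"Nonce"`      // AES-GCM nonce (assumed name)
	} `xml:"Header"`
	Body struct {
		EncryptedEML B64 `xml:"EncryptedEML"` // AES-GCM ciphertext plus tag (assumed name)
	} `xml:"Body"`
}

var receiverKey, _ = rsa.GenerateKey(rand.Reader, 2048) // e-Vote side's key pair, made once for this demo

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap encrypts eml under a fresh AES-256-GCM key and wraps that key with RSA-OAEP.
// GCM detects alteration in transit; proving who sent it would need a signature.
func Wrap(pub *rsa.PublicKey, eml []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	env := &Envelope{}
	env.Header.WrappedKey, env.Header.Nonce = wrapped, nonce
	env.Body.EncryptedEML = gcm.Seal(nil, nonce, eml, nil)
	return env, nil
}

// Unwrap reverses Wrap; any tampering with key, nonce or ciphertext fails here.
func Unwrap(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.Header.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(env.Header.Nonce) != gcm.NonceSize() { // gcm.Open would panic on this
		return nil, fmt.Errorf("bad nonce length %d", len(env.Header.Nonce))
	}
	return gcm.Open(nil, env.Header.Nonce, env.Body.EncryptedEML, nil)
}

// Exchange sends a Cast Vote Response carrying refs through the envelope as serialised
// XML and returns the EML the receiver recovers; tamper flips one ciphertext bit in transit.
func Exchange(refs []string, tamper bool) ([]byte, error) {
	eml, _ := xml.Marshal(CastVoteResponse{ConfirmationReference: refs})
	env, err := Wrap(&receiverKey.PublicKey, eml)
	if err != nil {
		return nil, err
	}
	wire, _ := xml.Marshal(env) // the bytes that would cross the network
	var got Envelope
	if err := xml.Unmarshal(wire, &got); err != nil {
		return nil, err
	}
	if tamper {
		got.Body.EncryptedEML[0] ^= 1
	}
	return Unwrap(receiverKey, &got)
}
```

A flipped ciphertext bit or a shortened nonce is rejected rather than decrypted, which is the integrity property the document's plain "encrypted using a symmetric key" wording does not itself promise.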


4 Solution Overview

This section provides an overview of the framework to support the UK Government’s drive for implementing e-Democracy. The e-Vote Application design takes into account three approaches to electronic voting that may be requested by a Local Authority:

· Early Voting – where e-Voting ends a couple of days before traditional paper voting begins;

· Traditional Paper or Postal and e-Voting Overlap – where e-Voting and traditional paper voting overlap; and

· Electronic Voting – where only e-Voting is available to the electorate.

Figure 2 – e-Democracy Solution Overview

4.1 Pre-Election Management

4.1.1 Voter Central (Pre-Election Administration)

This component will manage all communication and transformation of election data required to support the execution of an election for a Local Authority into and out of a format (OASIS EML or EML-enhanced) required by the e-Vote Application.


4.1.2 Election Event Management

When a participating Local Authority publishes the notice of an election, details of the Election Event must be created within the e-Vote database. This entails setting up information e.g. event name, description, start date & time, end date & time, election, contests etc. required to support one or more election contests for a Local Authority.

4.1.3 Election List Management

The objective of this component is to capture a Local Authority’s Electoral Register and communicate the register to the e-Vote Team in preparation for the elections.

On completion of cleansing and transformation of the election lists pertaining to a particular Election Event, the electoral register containing eligible voters, proxy voters and disallowed reasons will be communicated to the e-Vote Application.

4.1.4 Candidate Management

The management of all statutory election processes and procedures concerning the notice of election, nomination management, election rules compliance etc. is the sole responsibility of the Local Authorities. On completion of nominations and acceptance of candidature, Election Administration will provide candidate information to the e-Vote Application.

4.1.5 Credential Management

Voter Identification Numbers (VIN) and Personal Identification Numbers (PIN) are numeric keys randomly generated by the e-Vote Application that will form the authentication information required by a citizen to identify themselves, and enable them to cast their vote for a specific Election Event. A number of Authentication Methods will be available for the Local Authorities in the future, but as a minimum each will contain a VIN element e.g. VIN/PIN, VIN/Electoral Roll Number etc.

The component will generate Voter Credentials for an Election Event and assign them to the citizens associated with the Election Event.

Election Officials are required to perform specific tasks in the e-Vote Application (i.e. checking/marking the Election Register at a Polling Location, etc.). The authentication of Election Officials will consist of an Officer Identification Number (OID) and a personal password. Similar to a VIN an OID is a numeric key randomly generated by the e-Vote Application.

4.2 Vote Management

Citizens will be provided with a number of channels to cast their vote (e.g. iDTV, Internet and Kiosk). Additionally, the channels and timing selected by a particular Local Authority for an Election Event will influence election rules applied for that Election Event. For example, citizens that have elected to vote by post will either not have a VIN generated for them or will have their VIN revoked as once this method has been selected they will not be able to vote via any of the direct electronic channels.

4.3 Front Office Management

Local Authorities will be provided with a number of administration functions to support e-Voting. These include:


· Replacing credentials;

· Marking the Electoral Register;

· Revoking a VIN;

· Enabling a tender vote.

4.4 Electronic Election Count and Audit

The electronic count and audit is the production of reports containing the results of Contests, and features which validate the integrity of the Contest.

4.5 Post Election Reports

Citizens may have completed surveys as part of casting their votes electronically. These will be stored in the e-Vote database. On completion of the Election Events, the Local Authorities can produce a CSV file containing the results of the surveys. An additional vote channel breakdown report will be available to the Local Authorities.


5 Pre-Election Management

5.1 Overview

The objective of Pre-Election Management is to set up the e-Vote Application in preparation for electronic voting, based on the type of Local Authority elections to be supported. The functions to set up the e-Vote Application include:

· Pre-Election Initial Data Capture - a set of pre-election message services to capture election event, candidate and election register information into the e-Vote database;

· Event Management – after the initial data capture, all changes to Local Authority data will be managed directly on the e-Vote Application;

· Credential Management – a set of voter credentials will be generated for all Local Authorities and then assigned to voters as part of the load process;

· Election Official Management – all officials that require access to the e-Vote Application must be created and credentials generated for them;

· Election Register – prior to the start of voting, Local Authorities will require access to their Electoral Registers;

· Mark Register (Postal) – prior to or during electronic voting, the receipt of postal votes must be recorded to prevent multiple voting.

5.2 Pre-Election Initial Data Capture

5.2.1 Overview

The e-Vote Application design is based on an open architecture containing a set of Pre-Election Services that will enable external vendors to develop pre-election specific solutions and communicate with the e-Vote database using standard and enhanced OASIS EML election messages.

election.com will interact with the e-Vote Application through these messages generated from their Voter Central application. These applications must be connected to a secure network. The messages must be routed from Voter Central to the e-Vote Application for processing.

Figure 3 – Message and Data Flow


election.com must develop a gateway to act as the translator between the Local Authority information systems and the e-Voting Application. This gateway must use the following EML schemas when interfacing with the e-Vote Application:

· Election Event – 110;
· Logo – 930 (new);
· Candidate List – 230;
· Election Register – 330;
· Polling Information – 340.

These schemas are irrespective of the client device or election.com’s choice of technology.

5.2.2 Message Management

5.2.2.1 Incoming Messages from Election.com

All incoming messages must be placed by election.com into the “landing” directory on a designated e-Vote Application Server. The messages must be sent with a Controller Message. This Controller Message details the messages that are included as part of the batch. The e-Vote Application will validate the message structure and content and create a report of any errors in an ‘outgoing’ directory to be retrieved by election.com for inspection.

The load process will take an “all or nothing” approach to loading messages identified in the Controller message. If an error occurs at any point during the load, then all the messages identified in the Controller Message will be rejected.

5.2.2.2 Outgoing Messages to Election.com

All outgoing messages will be placed by Oracle into the “outgoing” directory to be retrieved by election.com. The messages will be sent with a Controller Message. This details the information messages that are included as part of the batch.

5.2.2.3 Message Controller Module

A single Message Management control form module will manage all incoming and outgoing messages.

For incoming messages the Message Management module will:

· Validate the digital signatures sent within the Controller Message to verify the messages came from election.com and have remained unaltered;

· Load the message into a staging area of the database. This process will simultaneously verify each message against its relevant schema;

· Process the data in the stage tables of the database. This will move some of the data into the e-Vote database.

Throughout all of the above stages, error and audit logging will take place.
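The following Go program is an added example written for this page, not code from the e-Vote Application or from Oracle. It models the incoming Controller Message check of 5.2.2.1 and 5.2.2.3 with the "all or nothing" rule: every listed file has its signature verified against the provider's public key and its root element compared with the schema number it claims, and nothing is staged unless every file passes. The Ed25519 signature scheme, the hex encoding, the shape of the controller entries and the root element names are assumptions of the example; the page does not specify the signature algorithm or the EML element names.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/xml"
	"fmt"
)

// expectedRoot maps the EML schema numbers the gateway may send (5.2.1) to the
// root element each message must carry. The element names are assumptions made
// for this example, not the EML UK 1.0 schema definitions.
var expectedRoot = map[int]string{
	110: "ElectionEvent",
	230: "CandidateList",
	330: "ElectionList",
	930: "Logo",
}

// Entry is one line of the Controller Message: the file in the landing
// directory, the schema it claims to follow, and the provider's signature.
type Entry struct {
	File      string
	Schema    int
	Signature string // hex-encoded Ed25519 signature over the file bytes (assumed)
}

// Batch is a Controller Message plus the files it refers to.
type Batch struct {
	Controller []Entry
	Files      map[string][]byte
}

// Result is the error report written back to the "outgoing" directory.
type Result struct {
	Accepted bool
	Staged   []string // files moved to the staging area; empty unless Accepted
	Errors   []string // one line per problem found, for the provider to fix
}

// rootElement returns the local name of the document's root element, or an
// error if the bytes are not well-formed XML up to that point.
func rootElement(doc []byte) (string, error) {
	dec := xml.NewDecoder(bytes.NewReader(doc))
	for {
		tok, err := dec.Token()
		if err != nil {
			return "", err
		}
		if se, ok := tok.(xml.StartElement); ok {
			return se.Name.Local, nil
		}
	}
}

// ProcessBatch applies the "all or nothing" rule of 5.2.2.1: every listed
// message is signature-checked and schema-checked, and nothing is staged
// unless all of them pass. All errors are collected in one pass.
func ProcessBatch(b Batch, providerKey ed25519.PublicKey) Result {
	var res Result
	var staged []string
	for _, e := range b.Controller {
		body, ok := b.Files[e.File]
		if !ok {
			res.Errors = append(res.Errors, e.File+": listed in Controller Message but not in landing directory")
			continue
		}
		sig, err := hex.DecodeString(e.Signature)
		if err != nil || !ed25519.Verify(providerKey, body, sig) {
			res.Errors = append(res.Errors, e.File+": signature does not verify")
			continue
		}
		root, err := rootElement(body)
		if err != nil {
			res.Errors = append(res.Errors, e.File+": not well-formed XML: "+err.Error())
			continue
		}
		if want := expectedRoot[e.Schema]; root != want {
			res.Errors = append(res.Errors, fmt.Sprintf("%s: root element %q does not match schema %d", e.File, root, e.Schema))
			continue
		}
		staged = append(staged, e.File)
	}
	if len(res.Errors) == 0 {
		res.Accepted = true
		res.Staged = staged
	}
	return res
}

// SampleBatch builds a constructed three-message batch signed with a fresh
// provider key and returns it with the public key the e-Vote side would hold.
func SampleBatch() (Batch, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	files := map[string][]byte{ // constructed message bodies
		"event.xml":      []byte(`<ElectionEvent><Name>Constructed pilot event</Name></ElectionEvent>`),
		"candidates.xml": []byte(`<CandidateList><Contest>Ward A</Contest></CandidateList>`),
		"register.xml":   []byte(`<ElectionList><Voter>Jon Smith</Voter></ElectionList>`),
	}
	ctrl := []Entry{{File: "event.xml", Schema: 110}, {File: "candidates.xml", Schema: 230}, {File: "register.xml", Schema: 330}}
	for i := range ctrl {
		ctrl[i].Signature = hex.EncodeToString(ed25519.Sign(priv, files[ctrl[i].File]))
	}
	return Batch{Controller: ctrl, Files: files}, pub
}

func main() {
	b, pub := SampleBatch()
	fmt.Printf("clean batch:    %+v\n", ProcessBatch(b, pub))
	// Alter one file after signing: the whole batch must be rejected.
	b.Files["register.xml"] = []byte(`<ElectionList><Voter>Altered</Voter></ElectionList>`)
	fmt.Printf("tampered batch: %+v\n", ProcessBatch(b, pub))
}
```

The report is assembled for every file before anything is staged, so the provider receives all of the problems in one round trip rather than one per re-submission, and a batch with a single altered or mis-labelled file stages nothing.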

For the outgoing Polling Information (EML 340) message the Controller module will:

· Create a digital signature of the message to be included in the Controller Message;

· Place the message into the outgoing directory for retrieval by election.com.

Throughout all of the above stages, error and audit logging will take place.

5.2.3 Controller Message

All messages communicated to the e-Vote Application must be sent with a Controller Message. This details the EML messages that are included as part of the batch.

5.2.4 Information Messages

The solution design recognises the importance of the ODPM objective to ensure that EML is employed as a ‘foundation stone’ to provide interoperability between the various participants within the e-Voting marketplace. A holistic approach has been taken in the design to ensure that amendments identified to the EML UK 1.0 standard are kept to an absolute minimum and address specific issues, in order to provide the level of functionality required during the 2003 election.

The following information messages have been detailed as being supported by Pre-Election Services.

5.2.4.1 Logo Message (930)

This message carries logos pertaining to particular political parties that are to be included on the ballot page, or Local Authority logos that are to be included on the screen-based channels.

5.2.4.2 Election Event Message (110)

This EML message is the starting point of the whole process and is used for providing information about an election or set of elections. It contains information such as the event start and end date and time, a list of allowed voting channels, and a list of the languages.

5.2.4.3 Candidate List Message (230)

This EML message is used for transferring candidate lists for specific contests. It has the election event name, contest name, optionally a contest description and then a list of candidates, each with a name and optional affiliation.

5.2.4.4 Election List Message (330)

This EML message is used for communicating the list of eligible voters, proxies or disallowed voters for a contest.


5.2.4.5 Polling Information Message (340)

This outgoing EML message is used for providing election.com with details of the electorate and their voting credentials. It will contain all the information about the voter that may be included to print a polling card.

5.2.5 Digital Signatures

5.2.5.1 Incoming Message

Messages must be sent from election.com’s Voter Central Application containing details and a digital signature. The message has to be verified against its signature to ensure that the data has been sent from election.com and not an unauthorised third party.

5.2.5.2 Outgoing Message Creation

The outgoing 340 EML message generated by the Polling Extract module contains highly confidential information concerning voter credentials and therefore needs to be handled with strict security procedures. The message must be digitally signed before being sent to the Pre-Election Service provider. It is assumed that the Pre-Election Service provider will physically transport the 340 EML message to the Printers.

5.2.6 Message Communication

election.com must send sets of messages to their own specific “incoming” file directory on the e-Vote Application Server. The messages must be grouped, and the grouping must be defined within a “Control” message sent with the actual message data files.

5.2.7 Auditing and Error Handling

5.2.7.1 Incoming Message Errors

Errors will be detailed in a series of error reports that will be placed in the appropriate directory of the Pre-Election service provider. The Pre-Election Service provider will use the error reports to diagnose and fix the problems with the message. The provider must then re-send the set of message(s) as a new control set in the normal way.


5.3 Event Management

Once the initial data has been communicated to the e-Vote Application, all updates to the data will occur via Web-forms. The purpose of Event Management is to set up a new Election Event or maintain the details of an Election Event previously created using an Election Event (110), Election Register (330) and Candidate List (230) message.

5.4 Credential Management

5.4.1 Overview

This component, under the secure trusted domain of the e-Vote Operations Team, is responsible for accepting voter data and transmitting credential data into and out of the e-Vote database.

Figure 4 – Credential Management


5.4.1.1 Voter Credentials

The approach to authentication is based on the submission of a two-part Voter Credential (i.e. Voter Id – VIN and Password - PIN) by the citizen.

· Voter Identification Number (VIN) – a randomly generated number that is unique to each eligible voter in a given Election Event and forms one part of a voter’s credentials, which will be used by the citizen to authenticate themselves before casting their vote;

· Personal Identification Number (PIN) – a randomly generated number that is unique to each eligible voter in a given Election Event and forms the second part of a voter’s credentials, which will be used by the citizen to authenticate themselves before casting their vote.

The use of Voter Credentials for authentication provides anonymity of the voter whilst casting their vote.

The approach to security is based on the key CESG principle:

‘The signaling of intent, by the voter, into the electronic environment should have no observable properties, and the voter should receive assurance that their vote was recorded as it was intended’

5.4.1.2 Personal Option Identification Number (POIN)

These are randomly generated numbers for every candidate and eligible voter combination within an Election Event, thus giving a voter a unique personal candidate number for each candidate in an Election Event. Note that the uniqueness extends across Contests, to avoid confusion if more than one Contest is being run. POINs may be the same for different voters, but the combination of VIN and POIN will make them unique.

5.4.1.3 Response Identifier (RID)

These are randomly generated numbers for every POIN and VIN combination within an Election Event, thus giving a citizen a unique response for each candidate in an Election Event.

A Simple Example

David O’Leary
VIN: 1234 5678 9123 4567

Candidate        Party     PCIN   Response Id
Martin O’Neil    Celts     1235   1233567
Terry Venables   WideBoys  6432   647474
Magic Johnson    Amex      4675   636943
Spoilt Ballot              2343   535794

Jon Smith
VIN: 1456 4554 5454 4347

Candidate        Party     PCIN   Response Id
Martin O’Neil    Celts     5678   364313
Terry Venables   WideBoys  5965   468790
Magic Johnson    Amex      4696   555345
Spoilt Ballot              2532   467688

As shown above, the POINs and Response Ids are personal to each citizen. Using REV, the voter will cast their vote using their personal VIN and POIN and will be returned a Response Id personal to them. This will make it impossible to identify who is being voted for, or to modify or delete a vote that has been cast.

5.4.1.4 Alternative Responses

The Response Identifier (RID) is one form of response available to the Local Authorities. Alternative forms of response are (1) a general thank you message or (2) a Receipt Id per Contest.

5.4.2 Voter Credential Generator

A set of voter credentials (VIN/PIN) will be generated prior to loading data from the Local Authority election events.

5.4.2.1 VIN & PIN Generator

Figure 5 – Credential Management

VINs are globally unique for each voter and are sufficiently random to make it very difficult for somebody to guess a valid VIN. The key functions of the VIN/PIN Generator include:

· generate VIN/PIN for an Election Event - the operator will specify the number of VINs to generate;

· destroy VIN/PIN for an Election Event – VIN/PIN may require destroying if too many have been generated for the Election Events being managed.

The type of number generation that will be used for May 2003 is random data which is encrypted using an asymmetric key.
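As an added example for 5.4.1.1 to 5.4.2.1, and not the e-Vote Team's own generator, the following Go program produces the three credential layers from the operating system's CSPRNG: a pool of globally unique VIN/PIN pairs, then for one voter a POIN per option that is unique across every Contest on that voter's ballot, and a Response Id per POIN. The digit lengths (16-digit VIN, 4-digit PIN and POIN, 6-digit Response Id), the Contest names and the "Spoilt Ballot" option are assumptions modelled on the document's simple example; the page's own scheme of random data encrypted under an asymmetric key is not reproduced here.

```go
package main

import (
	"crypto/rand"
	"fmt"
)

// Ballot holds one voter's credentials for an Election Event: the VIN/PIN
// pair, a POIN for every Contest/candidate option and a Response Id per POIN.
type Ballot struct {
	VIN, PIN string
	POIN     map[string]string // "Contest/Option" -> POIN
	RID      map[string]string // POIN -> Response Id
}

// randomDigits returns n decimal digits from the OS CSPRNG. Bytes 250..255 are
// discarded so every digit is equally likely; a plain b%10 would make digits
// 0..5 slightly more frequent and hand a guesser a small edge.
func randomDigits(n int) string {
	out := make([]byte, 0, n)
	var b [1]byte
	for len(out) < n {
		if _, err := rand.Read(b[:]); err != nil {
			panic(err)
		}
		if b[0] < 250 {
			out = append(out, '0'+b[0]%10)
		}
	}
	return string(out)
}

// GenerateCredentials is the VIN/PIN Generator of 5.4.2.1: the operator asks
// for a count and receives that many globally unique VIN/PIN pairs.
func GenerateCredentials(count, vinLen, pinLen int) []*Ballot {
	seen := make(map[string]bool, count)
	pool := make([]*Ballot, 0, count)
	for len(pool) < count {
		vin := randomDigits(vinLen)
		if seen[vin] { // vanishingly rare at 16 digits, but uniqueness is a hard requirement
			continue
		}
		seen[vin] = true
		pool = append(pool, &Ballot{VIN: vin, PIN: randomDigits(pinLen),
			POIN: map[string]string{}, RID: map[string]string{}})
	}
	return pool
}

// AssignPOINs is the POIN Generator of 5.4.4 for one voter: every candidate in
// every Contest (plus a Spoilt Ballot option, as in the document's example)
// receives a POIN unique across the whole ballot, and each POIN a Response Id
// (5.4.1.3). POINs may repeat between voters; VIN plus POIN is what is unique.
func AssignPOINs(b *Ballot, contests map[string][]string, poinLen, ridLen int) {
	used := map[string]bool{}
	for contest, cands := range contests {
		options := append(append([]string{}, cands...), "Spoilt Ballot")
		for _, c := range options {
			poin := randomDigits(poinLen)
			for used[poin] { // redraw on a clash within this ballot
				poin = randomDigits(poinLen)
			}
			used[poin] = true
			b.POIN[contest+"/"+c] = poin
			b.RID[poin] = randomDigits(ridLen)
		}
	}
}

// Distinct reports whether every POIN on the ballot differs, the property that
// lets the e-Vote Application recover the chosen option from VIN and POIN alone.
func (b *Ballot) Distinct() bool {
	seen := map[string]bool{}
	for _, p := range b.POIN {
		if seen[p] {
			return false
		}
		seen[p] = true
	}
	return true
}

func main() {
	contests := map[string][]string{ // constructed, modelled on the document's example
		"Ward A": {"Martin O'Neil", "Terry Venables", "Magic Johnson"},
		"Ward B": {"Candidate X", "Candidate Y"},
	}
	for _, b := range GenerateCredentials(2, 16, 4) {
		AssignPOINs(b, contests, 4, 6)
		fmt.Printf("VIN %s PIN %s\n", b.VIN, b.PIN)
		for option, poin := range b.POIN {
			fmt.Printf("  %-28s POIN %s  Response Id %s\n", option, poin, b.RID[poin])
		}
	}
}
```

The pool is generated before any register is loaded, matching the order in 5.4.2 and 5.4.3, and the per-ballot uniqueness check in AssignPOINs is what implements the "uniqueness goes across Contests" requirement of 5.4.1.2.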

5.4.3 Voter Credential Assignment

As part of loading the Electoral Register (EML 330) from election.com’s Voter Central application, the pre-generated voter credentials will be assigned to the Local Authorities’ voters.


5.4.4 Personal Option Identification Number (POIN) Generator

POINs are unique for each voter and candidate combination and will be sufficiently random to make it very difficult for somebody to guess a valid POIN. These are generated after the candidate (EML 230) lists for Contests have been loaded into the e-Vote database.

5.4.5 Polling Information Management

Once Voter credentials, POINs and response identifiers have been generated for an Election Event, the e-Vote Team will extract the information required by the Printer in an enhanced EML 340 format for communication to election.com.

5.5 Election Official Administration

Election Officials require access to the e-Vote Application in order to perform secure functions prior to and during the election (e.g. mark register, replace credentials etc). In order to maintain the security and integrity of actions performed on the e-Vote Application, the approach to Officer Credential creation must be the responsibility of the Local Authority. The only credentials created by the e-Vote Team will be that of the Returning Officer. They will be forced to change their password the first time they attempt to log into the e-Vote Application. All the other Officer Credentials will be created by the Returning Officer or designated officer.

Election Official Administration will enable responsible officers (e.g. Returning Officer) to create new Election Officers, generate credentials for them, print credential details etc. for an Election Event.

Election Official Administration will perform the following actions:

5.5.1 Create Officers

In order to create a new officer the Responsible Officer will be able to select an officer role (e.g. Presiding Officer) and then enter a surname and forename for the new officer.

5.5.2 Generate Credentials

This will create a new Officer Id and Password for all Officials that have been selected and do not have credentials already created. All officers will be forced to change their password the first time that they log into the system. Passwords will be stored encrypted in the e-Vote database to prevent internal administrators (e.g. Database Administrators) from viewing the passwords.

5.5.3 Print Credentials

This will print credentials for all Officials that have been selected. The password will only be printed if the password has not been changed.

5.5.4 Reset Password

If an Election Official perceives that the security of their password has been compromised, or if they have forgotten their password, the Responsible Officer can reset the password.


5.5.5 Block/Unblock

If the Responsible Officer wishes to stop an Official from logging into the e-Vote Application they can block the credential of an Official.
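As an added example written for this page (not Oracle's Forms implementation), the following Go program walks through the Election Official credential lifecycle of 5.5.1 to 5.5.3 and 7.1.1: generate an Officer Id and temporary password, store a salted PBKDF2 hash for login checks, keep the initial password encrypted under AES-GCM only until it is changed so that Print Credentials can still produce it, and force a change at first login. The page says only that passwords are stored encrypted so that Database Administrators cannot read them; the split into a hash for verification plus a ciphertext under a key held outside the database, the password lengths, the work factor and the Officer Id format are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
)

// Officer holds a salted PBKDF2 hash for login checks and, until the first
// change, an AES-GCM ciphertext of the initial password for Print Credentials.
type Officer struct {
	Role, Name    string
	Salt, Hash    []byte
	InitialCipher []byte // nonce || ciphertext; nil once the password is changed
	MustChange    bool
}

var (
	officers   = map[string]*Officer{}
	kek        = randomBytes(32) // held by the Operations Team, not stored with the data (assumption)
	iterations = 10000           // PBKDF2 work factor (assumption)
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// pbkdf2 is PBKDF2-HMAC-SHA256 for one 32-byte block (RFC 8018), written inline because older Go lacks it.
func pbkdf2(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // salt || INT(1)
	u := prf.Sum(nil)
	out := append([]byte{}, u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

func aead() cipher.AEAD {
	block, _ := aes.NewCipher(kek) // kek is 32 bytes, so neither call can fail
	g, _ := cipher.NewGCM(block)
	return g
}

// CreateOfficer covers 5.5.1 and 5.5.2: a new Officer Id and a temporary
// password stored as hash plus ciphertext, flagged for change at first login.
func CreateOfficer(role, name string) string {
	id := "OFF-" + hex.EncodeToString(randomBytes(4))
	pw, salt, g := []byte(hex.EncodeToString(randomBytes(6))), randomBytes(16), aead()
	nonce := randomBytes(g.NonceSize())
	officers[id] = &Officer{Role: role, Name: name, Salt: salt, MustChange: true,
		Hash: pbkdf2(pw, salt, iterations), InitialCipher: g.Seal(nonce, nonce, pw, nil)}
	return id
}

// PrintCredentials (5.5.3) returns the password only while it is unchanged.
func PrintCredentials(id string) (string, bool) {
	o := officers[id]
	if o == nil || o.InitialCipher == nil {
		return "", false
	}
	g := aead()
	pw, err := g.Open(nil, o.InitialCipher[:g.NonceSize()], o.InitialCipher[g.NonceSize():], nil)
	return string(pw), err == nil
}

// Login compares in constant time and reports whether the officer must be
// sent to the Change Password screen (7.1.1) before doing anything else.
func Login(id, pw string) (ok, mustChange bool) {
	o := officers[id]
	if o == nil || subtle.ConstantTimeCompare(pbkdf2([]byte(pw), o.Salt, iterations), o.Hash) != 1 {
		return false, false
	}
	return true, o.MustChange
}

// ChangePassword stores a fresh salt and hash and destroys the printable copy.
func ChangePassword(id, oldPw, newPw string) bool {
	if ok, _ := Login(id, oldPw); !ok {
		return false
	}
	o := officers[id]
	o.Salt = randomBytes(16)
	o.Hash = pbkdf2([]byte(newPw), o.Salt, iterations)
	o.InitialCipher, o.MustChange = nil, false
	return true
}
```

Once ChangePassword runs, the database holds nothing from which the password can be recovered, and PrintCredentials refuses, which is the behaviour 5.5.3 asks for. Reset Password (5.5.4) would be CreateOfficer's temporary-password step applied to an existing record, and Block (5.5.5) a flag checked in Login; both are left out to keep the example short.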

Figure 6 - Election Official Management

5.6 Election Registers

This component can be used pre-election, during the election, or even after voting has been completed and is responsible for printing the Election Register. The Election Register that is printed is based on various parameters passed by the Election Registration or Returning Officer.

· Election – Valid Elections within the Election Event;
· Contest – Valid Contests within the Election;
·Polling Station – Valid Polling Station for the Election Event;
· Register Type – This can be:
  · Un Marked – Does not include ‘Vote’ status of elector, i.e. whether they have voted or not;
  · Marked – Includes ‘Vote’ status of elector, i.e. indicates if the elector has voted. The Marked option is only available to the Returning Officer.
· Blocked Type – Only include in the register electors of a particular block type;
· As At date – This can only be used when the Register Type is ‘Marked’ and will only show marked votes made on or before the as at date and time.


Figure 7 – Election Register Management

Figure 8 – Election Register

5.7 Mark Registers (Postal)

For those Local Authorities (LA) that do not require pre-registration for postal voting, this component will enable the LA to mark the electronic register on receipt of the Postal Vote from the voter, therefore preventing multiple voting from electronic and postal channels.


6 Vote Management

6.1 Overview

The Vote Management design is based on a Remote Electronic Voting (REV) architecture where voting can take place by electronic means from any location via any electronic channel (e.g. Internet, iDTV). Vote Management includes:

· A set of common services available to all channels providing voter authentication, ballot information, vote casting and survey completion functions against the e-Vote Application;

· Configuration modules for screen based channels;

· A set of channels whose user interface is primarily based on information stored in the e-Vote database;

· A set of Election Administration functions.

6.2 Common Services

All channels will communicate with the e-Vote Application through EML messages generated from their preferred client devices and gateways. These devices will be connected to a public network, e.g. the Internet or the Public Switched Telephone Network (PSTN), via a service provider. The messages will be routed from the service providers to the e-Vote Application for processing. The following common services will be available to all channels to interact with the e-Vote Application:

6.2.1 Authentication

This component is responsible for validating a voter’s credentials based on the Authentication Method chosen by the Local Authority and, if successful, returning the ballot details containing the valid POINs unique to the voter for a given Contest. This is performed by transmitting an Authentication Message (EML 420). Once received, the e-Vote Application will validate the authenticity of the message and return a success or failure by transmitting the Authentication Reply Message (EML 430). If returning a success, the message will contain ballot information for the channel to display the ballot details relevant to the Voter.

6.2.2 Cast Vote

This component is responsible for authenticating the voter’s credentials and, if valid, generating a Response Id for each VIN and POIN combination. The VIN and POIN will be validated against the valid POINs stored against the Voter in the e-Vote database. If valid, the resulting VIN and POIN will be stored in the e-Vote database and the Response Id communicated back to the voter as confirmation that the vote has been accepted and stored correctly. The citizen’s virtual ballot paper will also be marked as having been completed. This will be performed by transmitting a Cast Vote Message (EML 440). The e-Vote Application will validate the authenticity of the message and return a Confirmation Message (EML 450) indicating success or failure.

6.2.3 Survey

This component is responsible for authenticating the voter’s credentials and, if valid, accepting the results of the optional survey that the Local Authority has selected for their Election Event. The receipt of the result will be performed by transmitting an XML Survey Message (910).
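The following Go program is an added example, not the e-Vote Application's code, of the Authentication and Cast Vote checks in 6.2.1 and 6.2.2 over an in-memory stand-in for the e-Vote database: the VIN/PIN pair must match and must not be blocked, the POIN must be one stored for that voter and Contest, a Contest whose virtual ballot paper is already complete cannot be voted again, and only the VIN/POIN pair is stored while the pre-generated Response Id is returned. The VIN, POINs and Response Ids are those of David O’Leary in the document's simple example; the PIN, the Contest name "Ward A" and the error values are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// VoterRecord is what the e-Vote database holds for one VIN in an Election
// Event: the PIN, the POIN table, the Response Id for each POIN, and status.
type VoterRecord struct {
	PIN       string
	Blocked   bool                         // set by Mark Register or credential replacement (7.1.x)
	POINs     map[string]map[string]string // Contest -> POIN -> option it stands for
	RIDs      map[string]string            // POIN -> Response Id
	Completed map[string]bool              // Contest -> virtual ballot paper marked complete
}

// CastRecord is the stored VIN/POIN pair of 6.2.2; no option name is kept
// with it, which is what keeps the stored vote unreadable on its own.
type CastRecord struct{ VIN, Contest, POIN string }

// Store is an in-memory stand-in for the e-Vote database.
type Store struct {
	Voters map[string]*VoterRecord
	Votes  []CastRecord
}

var (
	ErrAuth      = errors.New("authentication failed")
	ErrBlocked   = errors.New("credentials are blocked")
	ErrBadPOIN   = errors.New("POIN is not valid for this voter and Contest")
	ErrCompleted = errors.New("ballot for this Contest has already been completed")
)

// Authenticate is the EML 420/430 exchange: the VIN/PIN pair must match and
// must not be blocked. Unknown VIN and wrong PIN return the same error so the
// reply does not reveal which VINs exist. It returns the Contests still open.
func (s *Store) Authenticate(vin, pin string) ([]string, error) {
	v, ok := s.Voters[vin]
	if !ok || v.PIN != pin {
		return nil, ErrAuth
	}
	if v.Blocked {
		return nil, ErrBlocked
	}
	var open []string
	for contest := range v.POINs {
		if !v.Completed[contest] {
			open = append(open, contest)
		}
	}
	return open, nil
}

// CastVote is the EML 440/450 exchange. The POIN is checked against the POINs
// stored for this voter and Contest; on success the VIN/POIN pair is stored,
// the Contest is marked complete and the voter's own Response Id is returned.
func (s *Store) CastVote(vin, pin, contest, poin string) (string, error) {
	if _, err := s.Authenticate(vin, pin); err != nil {
		return "", err
	}
	v := s.Voters[vin]
	if v.Completed[contest] {
		return "", ErrCompleted // one completed ballot per Contest per voter
	}
	if _, ok := v.POINs[contest][poin]; !ok {
		return "", ErrBadPOIN
	}
	s.Votes = append(s.Votes, CastRecord{VIN: vin, Contest: contest, POIN: poin})
	if v.Completed == nil {
		v.Completed = map[string]bool{}
	}
	v.Completed[contest] = true
	return v.RIDs[poin], nil
}

// SampleStore builds a constructed store for the first voter of the document's
// simple example; the PIN and the Contest name are invented for the example.
func SampleStore() *Store {
	return &Store{Voters: map[string]*VoterRecord{
		"1234567891234567": {
			PIN: "2468",
			POINs: map[string]map[string]string{"Ward A": {
				"1235": "Martin O'Neil", "6432": "Terry Venables", "4675": "Magic Johnson", "2343": "Spoilt Ballot"}},
			RIDs:      map[string]string{"1235": "1233567", "6432": "647474", "4675": "636943", "2343": "535794"},
			Completed: map[string]bool{},
		},
	}}
}

func main() {
	s := SampleStore()
	rid, err := s.CastVote("1234567891234567", "2468", "Ward A", "6432")
	fmt.Println("first cast: ", rid, err)
	_, err = s.CastVote("1234567891234567", "2468", "Ward A", "1235")
	fmt.Println("second cast:", err)
	_, err = s.CastVote("1234567891234567", "0000", "Ward A", "1235")
	fmt.Println("wrong PIN:  ", err)
}
```

Because the Completed flag is set in the same step that stores the VIN/POIN pair, a second Cast Vote message for the same Contest is refused before its POIN is even looked at, which is the "marked as having been completed" behaviour of 6.2.2; blocking the record (7.1.2 and 7.1.3) shuts the same door from the Authentication step.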

6.3 Internet, iDTV and Kiosk Channels

The e-Vote Application design is based on an open architecture containing a set of common services that will enable external vendors to develop channel specific solutions and communicate with the e-Vote database using agreed interpretations and implementations of the OASIS EML election messages.

The following channels will be made available by Oracle as part of the e-Vote Application:

· Internet;
· Polling Station – Kiosk/Lightweight PC;
· Interactive Digital TV.

The design of the screen based channels is a template-based architecture where boilerplate text on the election web pages is refreshed at runtime from data set up against Election Event in the e-Vote database.

The main components of the design include:

· Maintenance Screens for standard and Election Event boilerplate text;
· A series of mandatory and optional template Web Pages that form the Web Site for an Election Event;
· EML Messages that will be used to authenticate voter(s), cast their vote(s) and record the details of a survey – see Common Services.

6.3.1 Channel Configuration

A special feature of the e-Vote Application is to allow Local Authorities to ask voters questions pertaining to their voting experience. These can be specific to the Local Authority and can be different for each electronic channel.

This component will enable the internal e-Vote Team to set questions pertaining to the survey.


Note: For the Internet and Kiosk channels, the maximum number of questions is 8.

Figure 9 – Survey Management

The e-Voting screen based channel interfaces (internet, iDTV and Kiosk) are based on a scalable design to satisfy the requirements to deliver multiple screen based channel interfaces to multiple Local Authorities in a relatively short time period.

Each channel (internet, kiosk and iDTV) has its own set of templates consisting of template pages, items (text) on a page, default item values and Local Authority item values, which vary by channel, language and election event. During the pre-election period, forms will be used to store template item text and image details in the e-Vote database according to channel, language and Local Authority.


Figure 10 – Channel Configuration


Prior to voting the default and configured items will be extracted from the e-Vote database and provided to a JSP for use at runtime. This extracted information will dynamically populate the JSP with data at runtime according to the voter’s preferred language.

This is illustrated in the following diagram:

Figure 11 – Channel Runtime Overview

6.3.2 Election Information Portal (EIP) and Voting Flow

The Screen Based Voting Channels consist of two main components:

· Election Information Portal;
· Voting Application.

The Election Information Portals (EIP) will exist for all screen-based channels and will be the entry point into the e-Voting Application for all the Local Authorities.


The EIP will integrate with the e-Voting Application by communicating the election event and language as set up within the e-Voting Application. BT will provide the EIP for all the screen-based channels.

6.3.3 Internet Channel

This design will enable the Internet Channel to be rapidly configured in preparation for an Election. Once an Election Event has been created and the ‘Internet’ has been identified as a chosen channel, the configuration of the Web Site for the Election Event can begin. Information such as event description, event date etc. will be defaulted from information entered against the Election Event, and other information will be defaulted as standard, e.g. the Exit button. The Internet pages that form part of the Web Site design include:

· Login Page;
· Legal Message Page;
· Contest (optional);
· Candidate Page;
· Verification Page;
· Confirmation Page;
· Survey Page (optional).


Figure 12 – EIP and Internet, iDTV and Kiosk voting flow

6.3.4 Polling Station Channel – Kiosk/Light Weight PCs

Similar to the Internet design, the Polling Station Channel design is based on a template-based Election Web Site architecture where boilerplate text is refreshed at runtime from data set up against an Election Event within the e-Vote database.

6.3.5 Interactive Television (iDTV)

Similar to the Internet design, the Interactive Television Channel design is based on a template-based Election Web Site architecture where boilerplate text is refreshed at runtime from data set up against an Election Event within the e-Vote database.


6.4 Postal and Paper Votes

The Postal and Paper Channel will enable the totals counted manually at the Count Location to be recorded into the e-Vote database using a Postal/Paper data entry screen.

Once all the Postal/Paper Ballot Papers have been received and counted, the totals can be entered for inclusion in the overall count. The component will allow the following:

· Record Ballot Totals for each candidate in a given Contest;
· Record spoilt vote totals for a given Contest by reason;
· Correct previously entered totals, giving the reason for the correction.

6.5 Marked Registers

The ability to print a ‘marked’ register during the voting period is only available to the Returning Officer and is audited when a request is made. The Returning Officer will only be allowed to output an Electronic Electoral Register from the e-Vote database that relates to their Election Event.

The following information will be printed on the Electoral Register Report:

For a given Contest:

· Polling Station;
· Polling District;
· Electoral Roll Number;
· Name & Address Details;
· Status, i.e. Absent Voter, Disallowed, Vote Complete etc.


7 Front Office

Local Authorities at the front office (i.e. Polling Stations) will be given access to the following functions depending on the type of election event being conducted by the Local Authority:

· Change Password;
· Voter Credential Management; and/or
· Mark Election Register.

Local Authorities that will be running only electronic voting at Polling Stations will not require the ‘Mark Election Register’ option.

7.1.1 Change Password Screen

The first time an Election Official attempts to log in they are directed to this screen to change their password. The Official can also change their password at any other time.

Figure 13 – Change Password Screen

7.1.2 Voter Credential Management

A citizen must still be permitted to vote under UK electoral law if they are on the Electoral Register and can prove their identity to the Presiding Officer. The purpose of Voter Credential Management is to issue a citizen with new voting credentials if they have misplaced or forgotten them, or to issue tender credentials if personation may have taken place. Requests for new credentials can be made either at a Polling Station or in person at the Council Offices.

The issuing of new credentials is a very privileged function and has the potential of being misused, therefore the Local Authority can determine whether they require one or two officers to be authenticated prior to issuing new credentials.


There are two types of credentials that can be issued:

· Replacement Credentials;
· Tender Credentials.

Figure 14 – Voter Credential Management

7.1.2.1 Replacement Credentials

This enables the Official to issue a replacement credential for the citizen. This is only available if the citizen still has Contests which have not been completed and does not have a blocked status. All existing credentials associated with the citizen will be blocked, including the credentials of the Proxy.

7.1.2.2 Tender Credentials

This enables the Official to issue a tender credential for the citizen. This is only available if the citizen does not have a blocked status associated with them. All existing credentials associated with the citizen will be blocked including the credentials of an associated Proxy.

7.1.3 Mark Register

For Local Authorities that are running traditional paper based and electronic channels over the same period there must be a mechanism to mark the electoral register (i.e. destroy the electronic voting credentials) if the citizen wishes to cast their vote over the traditional paper based channel.


Figure 15 – Mark Register

7.1.3.1 Mark Register (Normal)

This enables the Official to mark the register for all the outstanding Contests and is only available if the citizen still has Contests which have not been completed and does not have a blocked status. All existing credentials associated with the citizen (including their proxy) will be blocked.

7.1.3.2 Mark Register (Tender)

This enables the Official to mark the register as having issued a Tender Ballot for the citizen and is only available if the citizen does not have a blocked status associated with them. All existing credentials (including proxy) associated with the citizen will be blocked.


8 Voter Support Centre

As part of the support for Local Authorities, a BT Call Centre will receive calls from citizens and either answer them if related to the e-Election or re-direct them to Local Authorities. During the voting period, queries regarding whether an elector’s vote has been received successfully must be answered.

This component will provide the Help Desk Official with a function to determine if a citizen’s vote has been received without knowing the identity of the voter. The Help Desk Official must select an Election Event and the Electoral Roll Number/Voter Reference Number of the caller.

Figure 16 – Contest Status

The Help Desk Official will then be able to inform the citizen whether their vote has been received successfully.

Additionally, all interaction between the voter and the e-Vote Application will be available to the Help Desk Official as well as functionality to record the interaction with the voter.


9 Electronic Count and Audit

9.1 Overview

This section covers the approach to performing the Electronic Count and verifying the integrity of the Count. This is the process where votes cast electronically and/or manually in a particular Election Contest are tallied and reported by the Returning Officer.

The primary objectives of the electronic count and audit component are:

· To transfer individual votes into the Electronic Count according to the rules of the Election, and
· To establish and prove the validity of the Election, consistent with the rules under which the Election was conceived. This is critical to retaining the ‘trust’ of the Electronic Count, and thus the integrity of the Election.

One of the key principles of voting is a set of “rules and conditions” which form the basis of the trust and integrity of the Election.

The key rules are generally accepted to be:

· Only eligible voters can influence a Count;
· All eligible voters are given equal influence to affect the Count;
· The Count accurately reflects the intentions voters expressed.

The first two rules are satisfied by the use of a cryptographic voting protocol: voter and other credentials are generated by the e-Vote Application and communicated to the eligible voters by the Local Authority. The voter interacts with the e-Vote Application via an electronic channel to record their intent on the Contest. The voter reviews the electronic ballot for correctness and makes their selection(s). The completed ballot is digitally signed and encrypted at the channel gateway to preserve privacy in transit to the e-Vote Application. The third rule is discussed below.

9.2 Count Access

Access to an Election Count is only available to the Returning Officer of a Local Authority via the entry of valid Returning Officer credentials. The Count Module will be available to the Returning Officer over the Internet in SSL mode. The Returning Officer will not be able to initiate a count for any Contests within an Election Event until voting for the Election Event has been closed.

9.3 Count and Recount

The Count component is responsible for performing the actual count or re-count under the secure trusted domain of the Returning Officer responsible for the Election Event. Once the Returning Officer has been authenticated, he/she will be able to select a Contest and begin the count. The count can be broken into four logical stages:

· Increment Count;
· Perform Count against system generated candidate numbers;
· Reveal the Candidate Number; and
· Publish the results.

9.3.1 Count Management

The first initiation of a Count against an Election Contest will be given a Count Number of 1. Any subsequent counts performed for that Contest, known as re-counts, will increment the Count Number by 1. All votes included in a count/re-count will have an audit record created and associated with the Count Number. These will be used to print the results of an old Electronic Count.

9.3.2 Tally

This component is responsible for counting the electronic votes accepted via the various e-Channels. The VIN and POIN will have been stored encrypted in the e-Vote database for each authenticated vote. For each vote pertaining to a Contest selected by the Returning Officer, the encrypted POIN will map onto a specific candidate id in that Contest, and the count for that Candidate Id will be incremented by 1. It should be noted that the count for a Spoilt Reason id will likewise be incremented if a spoilt vote is identified.

Note that a re-count is initiated by re-running the Count for a particular Contest. If no amendment to the votes has been made, the results will be the same. If amendments have been made after the initial count (e.g. inclusion of a previously excluded Tender Vote or correction of a clerical error), then the re-count totals may differ.

The next step is to incorporate the paper and postal vote totals into the electronic count and de-anonymise the candidates, thus revealing the results of the Contest.

9.3.3 Publisher

This component has the responsibility of displaying the results for printing by the Returning Officer.
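The Count Management and Tally stages described in 9.3.1 and 9.3.2, as an added illustration that is not part of the e-Vote Application or this document: a per-Contest Count Number, one audit record per vote per count, and a re-count after a previously excluded Tender Vote is admitted. Decryption of the POIN is simulated by a lookup table, and all votes, candidate numbers and officer names are constructed.

```python
from collections import Counter

# Constructed lookup standing in for decryption of the POIN: an encrypted POIN
# token maps to a system-generated candidate number or, for a spoilt vote,
# to a Spoilt Reason id.
POIN_TO_CANDIDATE = {"enc-poin-A": 101, "enc-poin-B": 102}
SPOILT_REASON = {"enc-poin-X": "overvote", "enc-poin-Z": "blank"}

class ContestCount:
    """Count Number and audit trail for a single Election Contest."""

    def __init__(self, contest_id):
        self.contest_id = contest_id
        self.count_number = 0   # first Count becomes 1, each re-count adds 1
        self.audit = []         # one audit record per vote per count

    def run_count(self, votes, returning_officer):
        """Tally every vote admitted to this count and audit each one."""
        self.count_number += 1
        candidates, spoilt = Counter(), Counter()
        for vote in votes:
            if vote.get("excluded"):        # e.g. a Tender Vote not yet admitted
                continue
            poin = vote["encrypted_poin"]
            if poin in POIN_TO_CANDIDATE:
                candidates[POIN_TO_CANDIDATE[poin]] += 1
                outcome = f"candidate {POIN_TO_CANDIDATE[poin]}"
            else:
                reason = SPOILT_REASON.get(poin, "unmapped")
                spoilt[reason] += 1
                outcome = f"spoilt: {reason}"
            self.audit.append({"count_number": self.count_number, "vin": vote["vin"],
                               "outcome": outcome, "officer": returning_officer})
        return self.count_number, dict(candidates), dict(spoilt)

def demo():
    votes = [  # constructed: stored VIN and encrypted POIN per accepted vote
        {"vin": "VIN-1", "encrypted_poin": "enc-poin-A"},
        {"vin": "VIN-2", "encrypted_poin": "enc-poin-B"},
        {"vin": "VIN-3", "encrypted_poin": "enc-poin-A"},
        {"vin": "VIN-4", "encrypted_poin": "enc-poin-X"},
        {"vin": "VIN-5", "encrypted_poin": "enc-poin-B", "excluded": True},
    ]
    cc = ContestCount("contest-7")
    first = cc.run_count(votes, "RO-1")     # Count Number 1
    votes[4]["excluded"] = False            # amendment made after the first count
    recount = cc.run_count(votes, "RO-1")   # Count Number 2; totals now differ
    return first, recount, cc.audit
```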


9.4 Audit and Scrutiny

Count Integrity is the process whereby the validity of a Count is verified (i.e. prove that all votes counted were from votes cast using the approved Voter Credentials and that manually entered totals were accurately recorded and counted).

9.4.1 Vote Authentication

An electronic vote is captured via the receipt of a valid EML 440 cast vote message containing the citizen's voter credentials together with a vote seal. In order to prove that no votes have been lost by the e-Vote database, Seal Logs containing the digital signatures of the cast vote messages (EML 440) from the various channels will be loaded into the e-Vote Application. These logs will be compared against the seals in the e-Vote database to ensure that no votes were lost.
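The Seal Log comparison described above, as an added example that is not the e-Vote Application's own code: channel Seal Logs are reconciled against the seals stored in the database, reporting votes that were logged but never stored, stored votes that no channel logged, and stored messages that no longer match their own seal. The seal is assumed here to be a SHA-256 digest standing in for the gateway's digital signature, and the EML 440-style messages and channel names are constructed.

```python
import hashlib

def seal_of(message: bytes) -> str:
    """Seal of a cast vote message. Assumption for this example: a SHA-256
    digest stands in for the channel gateway's digital signature."""
    return hashlib.sha256(message).hexdigest()

def reconcile(channel_seal_logs, db_votes):
    """Compare channel Seal Logs with the seals held in the e-Vote database.

    channel_seal_logs: {channel name: [seal, ...]} as loaded from the gateways.
    db_votes: [{"seal": str, "message": bytes}, ...] as stored per accepted vote.
    """
    logged = {s for seals in channel_seal_logs.values() for s in seals}
    stored = {v["seal"]: v["message"] for v in db_votes}
    return {
        # logged by a channel but absent from the database: a lost vote
        "lost": sorted(logged - stored.keys()),
        # in the database but logged by no channel: needs explanation
        "unlogged": sorted(stored.keys() - logged),
        # stored message no longer matches its own seal: integrity failure
        "altered": sorted(s for s, m in stored.items() if seal_of(m) != s),
    }

def demo():
    # Constructed EML 440-style messages; real ones are full XML documents.
    m1 = b"<CastVote><VIN>VIN-1</VIN><POIN>enc-poin-A</POIN></CastVote>"
    m2 = b"<CastVote><VIN>VIN-2</VIN><POIN>enc-poin-B</POIN></CastVote>"
    m3 = b"<CastVote><VIN>VIN-3</VIN><POIN>enc-poin-A</POIN></CastVote>"
    m4 = b"<CastVote><VIN>VIN-4</VIN><POIN>enc-poin-B</POIN></CastVote>"
    logs = {"internet": [seal_of(m1), seal_of(m2)],
            "telephone": [seal_of(m3)]}                 # m3 never reached the DB
    db = [{"seal": seal_of(m1), "message": m1},
          {"seal": seal_of(m2), "message": m2 + b" "},  # stored message altered
          {"seal": seal_of(m4), "message": m4}]         # stored but in no Seal Log
    report = reconcile(logs, db)
    report["clean"] = not (report["lost"] or report["unlogged"] or report["altered"])
    return report, (seal_of(m2), seal_of(m3), seal_of(m4))
```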

The following diagram shows the high level view of the process flow for the e-Counting component.

Figure 17 – Count and Audit process flow

In summary, the e-Count component of the e-Vote Application tallies and reports on the votes cast electronically and/or manually in a particular Election Contest. Features include:

· Access to the Election Count module is restricted by the Returning Officer's credentials;

· All access and actions on the Count Module are fully audited;


· The Returning Officer can only initiate the Election Count for Contests which he/she is responsible for managing;

· The Election Count can only be instigated by the Returning Officer once the voting end date and time have been reached;

· Once the Count has been instigated, the Contest counter is incremented by 1. Any subsequent execution of the Count will increment the counter by 1, to provide an audit trail of counts and related actions performed;

· An audit record is written for every vote that is decrypted and included in a Count to permit scrutiny.

9.5 Reveal Vote

Under UK Electoral Law, a judge can order a Returning Officer to find a citizen's ballot paper to prove that their vote was counted in a specific Contest. This functionality will only be available to the Returning Officer. As part of the Reveal Vote functionality, the Returning Officer will be able to generate two separate reports which together contain the details of the voter and the selection made by the voter. The following details will be displayed in the resulting reports:

Voter Report

· Returning Officer Name;
· Date & Time;
· Reason for revealing details of the vote;
· Election Event details;
· Election details;
· Contest details;
· Voter details (including VIN and Electoral Roll Number).

Vote Report

· VIN and Electoral Roll Number;
· The Candidate(s)/Option(s) selected;
· Details of the vote(s), i.e. channel, date & time the vote was made, type of vote, etc.

The execution of the Reveal Vote function will result in the creation of an audit record in the e-Vote database.


10 Post Election

10.1 Overview

At the end of the Election Event, Local Authorities will analyse the success of the electronic election. This section covers the approach to providing the Local Authority with the results of the survey that formed part of the Election Event and with the voting patterns across the various channels. This includes:

· Count for the options selected on the Election Survey questionnaire;
· A CSV file containing the election survey results;
· Channel Voting Patterns.

10.2 Survey

The following enables the Returning Officer to produce the results of the survey. The surveys that can be selected are those that are associated with the Election Event or the Event Channels. Note that channels can have their own surveys.

The Returning Officer must select an Election Event and Survey for which they wish to generate a report or a CSV file.

Figure 18 – Survey


10.2.1 Survey Report

Figure 19 – Survey Report


10.3 Voting Patterns

The following enables the Returning Officer to produce the channel voting patterns for an Election Event. The Returning Officer must select an Election Event.

Figure 20 – Voting Patterns

Figure 21 – Voting Patterns Report
