Remotegrity Frequently Asked Questions
From Scantegrity Wiki
This is the frequently asked questions page for the remote extension that is being developed to be compatible with Scantegrity. The main feature of this system is that it is an add-on to the regular absentee voting process. See below for more details, and if you have further questions, please submit them on the Talk page.
What is Remotegrity?
Remotegrity is an absentee voting system with the following distinctive properties:
- It uses both the physical (postal system, hand delivery/pick-up) and internet channels. The postal system delivers the ballots, and the voter uses the internet to send in his or her vote. A voter may choose to use only the postal system. Voters may not choose to use only the internet.
- Voters do not directly enter candidate names while voting. They instead enter numbers that correspond to candidates. The number assigned to a given candidate is chosen at random, separately for each ballot, so the same candidate has different numbers on different voters' ballots. This prevents the voter's computer, and any server on the internet, from learning how the voter voted or from changing the vote to one for another candidate.
- Voters can independently verify the tally. They are not required to trust the voting system or election authorities. This is a stronger property than that provided by regular polling-place voting systems, where voters do not know if the paper or electronic votes were correctly counted.
In more technical terms, it is a hybrid, coded-voting, end-to-end-independently-verifiable, remote voting system. Most importantly, it is a system that is designed to allow the voter to detect irregularities if they are occurring, so that the voter may then send his or her ballot by the postal system or vote in person.
Is Remotegrity the same thing as Scantegrity?
No. Remotegrity is an absentee voting system, while Scantegrity is a polling-place voting system. Polling-place systems are generally more secure. Remotegrity uses Scantegrity ballots, but can be used with ballots of some other types of cryptographic voting systems too. The two research teams have members in common. There are also new members in the Remotegrity team, in particular the Remotegrity lead is Dr. Filip Zagorski, who is a post-doctoral scientist at The George Washington University.
How does a voter vote online using Remotegrity?
An absentee voter receives a package with a paper ballot and some authentication codes. The ballot associates each candidate with a confirmation number. (See the picture below for a sample ballot in a ranked-voting election, where voters rank candidates -- here, each ranked choice of a candidate has a different confirmation number).
The confirmation numbers do not reveal information about the candidate. In order to enter his or her vote online, the voter enters the confirmation number instead of the candidate name. He or she also enters the ballot number (not shown in the picture) and an authentication code known as a one-use or one-time password. To understand how the voter obtains authentication codes, see the next question.
Some hours later, the voter goes to another website, known as the Absentee Vote Bulletin Board, preferably (though not necessarily) from a different computer, and checks that the confirmation number(s) are correctly listed there. If the voter had entered an invalid confirmation number, one that does not correspond to any candidate on the ballot whose number was entered, this will be noted on the website at this point.
If the confirmation numbers are correctly recorded as the voter intended on the Absentee Vote Bulletin Board, he or she enters another authentication code to lock them in. The voter is now done.
The voter is encouraged to visit the Absentee Vote Bulletin Board often, until the election result is announced, to check that his or her locked-in confirmation number is still present on the website.
How does a voter obtain the one-use password and lock-in code?
In addition to the ballot, which is in a sealed envelope, the voter gets two additional envelopes in the absentee voter package. One of the two additional envelopes has a number of silver-grey scratch-off fields on its front (see picture).
To obtain a one-use or one-time password, or a lock-in code, the voter scratches off a field when instructed to.
The third envelope is a return envelope that the voter will use to return the marked ballot by mail if he or she chooses to.
What if I start voting and then find that it is too confusing or that I don't like it or am uncomfortable with using the Internet?
You can send in your paper ballot by mail at any time, as long as you send it in with the envelope with silver-grey scratch-offs. A paper ballot, when returned with valid authentication codes, overrides all previous votes cast using that set of authentication codes. If you lose your ballot or the envelope with silver-grey scratch-offs, you may request another package or vote in person, either as an early voter or on Election Day. Voting in person overrules all previously-cast votes.
I don't like using the internet, and have difficulty trusting it. How will I vote if I want to return my vote through the postal system?
If you wish to return your vote by mail or hand delivery, you would proceed as usual. You would:
- Mark the paper ballot as you would a normal optical scan ballot (instructions are typically included in the package and on the ballot)
- Put the marked ballot in the scratch-off envelope
- Seal the scratch-off envelope
- Sign a statement on the back of the scratch-off envelope saying that you will not vote in person at the polling location
- Put the sealed scratch-off envelope containing your marked ballot into the return envelope and seal that
- Mail the sealed return envelope, or hand deliver it to the jurisdiction.
- Note that your ballot has to be accompanied by the envelope with the silver-grey scratch-off codes, and you have to sign the back of this envelope.
Why are there so many numbers and codes?
The purpose of the confirmation numbers is to prevent the voter's computer from knowing how the voter voted.
The purpose of the one-use or one-time password is to ensure that only valid voters vote and to allow a single voter to modify her vote if the website does not have the correct numbers.
The purpose of the lock-in code is to allow the voter to communicate to all observers, through the bulletin board, that her confirmation numbers are correctly recorded.
What happens if I enter one of the numbers or codes incorrectly?
The website where you enter your codes does not know what the correct codes or numbers are. The codes do, however, carry enough built-in redundancy that the website can detect if:
- you made a single error in a confirmation number,
- you transposed two digits, or
- you made more errors than that in the longer one-use password or lock-in code.
The website will warn you if it detects one of the above errors.
Also, when you lock-in your confirmation number a few hours later, the Absentee Vote Bulletin Board will tell you if any of your numbers are wrong. The numbers are checked every few hours by a computer that is not on the internet and that knows what the correct codes and confirmation numbers are, though not what candidate they represent.
Why do you use scratch-off?
The condition of the scratch-off fields indicates what actions a voter has performed.
- For example, if election officials receive a ballot with an unscratched envelope, they know the voter did not attempt to vote online.
- For another example, if a voter receives an envelope on which a field has already been scratched off or otherwise damaged, he or she knows that someone may have attempted to vote on his or her behalf.
There are other more subtle security-related reasons for these fields, which are helpful to protect both the voter and the integrity of the count.
How do I know that the website did not change my numbers after I locked-in?
Voters and other observers are encouraged to closely monitor the Absentee Vote Bulletin Board. In fact, the system is not secure if the Bulletin Board is not watched often and at random times during the day.
- A voter may visit the Absentee Vote Bulletin Board any number of times and from any number of computers to see that his or her confirmation numbers are still there, as well as to see if the Board is preserving the numbers of other voters.
- In addition to eyeballing numbers on the Bulletin Board, voters and observers may also wish to perform electronic checks which can prove that there are errors if there are any.
- We have written a Chrome browser app that voters and others can use to check the Bulletin Board at any time and note that older information is still correctly posted.
- In addition to checking the numbers, the apps can also check cryptographic digital signatures made on an offline server that uses a private key that is never stored or used on an online computer.
- Voters and others can also write their own apps for this purpose, including smartphone apps (we are also working on one).
- Remotegrity itself will be performing checks every time new data is uploaded to the website, as well as at other times.
- Libraries, schools, public interest groups and city officials can take paper print-outs of the Bulletin Board at any time and post them in public places to check that it continues to keep older data correctly, and to check that the digital signatures on the numbers have not changed either.
We encourage all public interest organizations interested in the verifiability of the voting process to participate in watching the Bulletin Board.
How do I know that the website understood which candidate I voted for? That is, how do I know that the confirmation number was not misprinted on my ballot?
We intend to ask multiple public interest organizations to participate in ballot audits, in which ballots are chosen at random and the confirmation numbers printed on them are checked. An audited ballot cannot be used to vote, because the correspondence between candidates and confirmation numbers for that ballot is made public. However, because the audited ballots are chosen at random, finding no errors in them gives high confidence that the ballots actually used contain few or no errors.
How do I know that my vote was counted correctly?
The Scantegrity voting system is used on election day by voters voting at the polling place, as well as by early voters who vote in person. The confirmation numbers obtained by both Scantegrity and Remotegrity are posted on a combined Election Bulletin Board, and all numbers are processed to obtain a single tally.
- Voters may check that the confirmation numbers from the Absentee Vote Bulletin Board are among those on the Election Bulletin Board.
- The voting system makes public, on the Election Bulletin Board, a digital audit trail. Anyone who wishes may write code to check the audit trail.
- In 2009, the City of Takoma Park ran a municipal election using the Scantegrity voting system, and, on the city's request, two cryptographers checked the audit trail, confirming the correctness of the tally.
Remotegrity is not so much a voting system as it is a mechanism for securely sending confirmation numbers to election authorities. Voters can check that their confirmation numbers arrived intact, and can send in the paper ballot if they notice any problems. The paper ballot, when sent in with the authentication codes, overrides any other confirmation numbers sent by the voter.
Why are you proposing that voters use the internet to vote?
We are not proposing that voters use the internet to vote. Absentee voters may return their votes via mail or the internet.
We understand that each voter decides whether to vote absentee or not based on his or her unique abilities and constraints. Similarly, of those voting absentee, some voters are not comfortable with the internet, while others are curious to know if their votes were received by the jurisdiction and counted correctly. Remotegrity enables interested absentee voters to check if their votes were correctly included in the tally.
Some of us were involved in the use of the Scantegrity voting system by the City of Takoma Park in 2009. Then, for the first time in election history, voters voting at the polling location were able to independently verify the outcome of a secret-ballot public election. Absentee voters did not, however, have the ability to verify in the 2009 election. Remotegrity would level the field by enabling absentee voters to verify their votes too.
But isn't internet voting known to be very insecure? For example, the DC pilot internet voting system was hacked into in little over a day. Why would Remotegrity be any different?
Internet voting is a very general term. The DC internet voting system was not a hybrid system, and used only the internet to both deliver ballots and collect votes. A virus on the voter's computer could hence tell how a voter voted and could change the vote. Further, a virus or the voter herself could enter a computer command instead of a vote. Finally, a voter had no way of confirming that the vote made it to the election computer as intended, and whether it was also included in the tally.
With Remotegrity, voters enter confirmation numbers from their ballots instead of candidate names. The confirmation numbers are generated by a computer that is never online, and are wiped off that computer once the ballots are printed. They are re-generated from scratch, jointly by election officials, to compute the tally.
- Hence no computer on the Internet, including the voter's computer, can tell what the vote was, unless it has access to the information on the voter's ballot.
- Additionally, no computer can modify the vote to one for another candidate as it would need access to the voter's ballot to know what the valid confirmation number would be.
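As an added example (not the projects' own ballot-generation code, which the page does not describe), here is one way confirmation numbers can be assigned so that they are random per ballot, reveal nothing to the online server, and can be regenerated to compute the tally. The assumption is that each number is derived from a secret seed with a keyed hash; the seed is what the officials would hold jointly, and the machine that holds it stays offline. The online server stores only ballot numbers and codes; the tally step regenerates every ballot's table and maps codes back to candidates, reporting codes that match nothing (the invalid-number case the text mentions). For a ranked contest the same function works with choices such as "Alice/rank1", so each rank of each candidate gets its own number, as on the ballot described earlier.

```python
import hashlib
import hmac
from collections import Counter

CANDIDATES = ["Alice", "Bob", "Carol"]   # constructed sample contest

def ballot_table(seed: bytes, ballot_id: int, choices=CANDIDATES, digits: int = 6) -> dict:
    """Map each choice on one ballot to a confirmation number.

    Assumed derivation (not the project's): a keyed hash of (ballot, choice) under a
    secret seed, so the same table can be regenerated later from the seed alone. A
    counter is bumped on the rare collision so every choice on a ballot gets a distinct
    number; regeneration repeats the same steps and lands on the same numbers.
    """
    table, used = {}, set()
    for choice in choices:
        attempt = 0
        while True:
            msg = f"{ballot_id}|{choice}|{attempt}".encode()
            tag = hmac.new(seed, msg, hashlib.sha256).digest()
            code = str(int.from_bytes(tag[:8], "big") % 10 ** digits).zfill(digits)
            if code not in used:
                break
            attempt += 1
        used.add(code)
        table[choice] = code
    return table

class OnlineVoteServer:
    """The internet-facing server: stores (ballot id, code) only, never a candidate name,
    and has no seed, so it cannot tell valid codes from invalid ones."""
    def __init__(self, digits: int = 6):
        self.digits = digits
        self.received = {}            # ballot_id -> most recently submitted code

    def submit(self, ballot_id: int, code: str) -> None:
        # Syntactic check only: a confirmation number, not a command or candidate name.
        if not (code.isdigit() and len(code) == self.digits):
            raise ValueError("not a confirmation number")
        self.received[ballot_id] = code

def tally(seed: bytes, received: dict, choices=CANDIDATES):
    """Offline: regenerate each ballot's table from the seed and map codes back to choices.
    Returns (counts, ballot ids whose code matched nothing and would be reported invalid)."""
    counts, invalid = Counter(), []
    for ballot_id, code in sorted(received.items()):
        inverse = {c: choice for choice, c in ballot_table(seed, ballot_id, choices).items()}
        if code in inverse:
            counts[inverse[code]] += 1
        else:
            invalid.append(ballot_id)
    return counts, invalid

def demo(seed: bytes = b"constructed demo seed, not a real election key"):
    """Four constructed ballots: three valid submissions and one mistyped code."""
    server = OnlineVoteServer()
    tables = {b: ballot_table(seed, b) for b in (1, 2, 3, 4)}   # what gets printed
    server.submit(1, tables[1]["Alice"])      # voters type numbers, not names
    server.submit(2, tables[2]["Alice"])
    server.submit(3, tables[3]["Bob"])
    wrong = next(c for c in ("000000", "000001") if c not in tables[4].values())
    server.submit(4, wrong)                   # not on ballot 4 at all
    counts, invalid = tally(seed, server.received)
    return tables, dict(server.received), counts, invalid
```

Note what each party holds: the printed ballot has the candidate-to-number mapping, the online server has only ballot numbers and codes, and only the offline seed-holder can turn the codes back into candidates. That separation is the property the three bullet points above rely on.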
We will be maintaining two independent online servers, each with multiple mirrors. That is, we will back up both the website that accepts confirmation numbers and the bulletin board that displays them, using multiple computers holding the same data, allowing us to recover if data is lost on a single computer. Additionally:
- Our website server will check that the confirmation numbers entered are indeed confirmation numbers and not computer commands.
- Our bulletin board server will inform voters if the confirmation number they turned in was invalid when they try to lock in.
- An offline server will sign data obtained from the website every few hours. It will also sign data from the Bulletin Board (that is, it will sign newly-locked-in votes) at the same time. The signed data will be posted on the Bulletin Board. When new data is posted, the old data is checked for consistency.
- A hacker who breaks into either of the Remotegrity servers cannot tell how voters voted (because there are only confirmation numbers on the servers).
- If the hacker tries to change the numbers on the website before they are locked-in, the voter will notice this while locking-in.
- If the hacker tries to change these after they are locked-in, the numbers will change on the Bulletin Board as well, and this will be noticed by those watching the Bulletin Board. It will also be noticed during the consistency check performed when new data is posted.
Finally, Remotegrity provides maximum transparency while maintaining ballot secrecy, and thus also protects voters against attempts by insiders to change vote counts. All the information sent by the voter to the election server is made available on the Bulletin Board and can be followed by any observer, either by visual comparison or using software. Independent observers, cryptographers and programmers can use their own software, or software written by Remotegrity, to verify that the tally is correctly computed from the confirmation numbers.
What can go wrong with Remotegrity, and how will you protect against it?
We provide a summary here. A more detailed listing of possible attacks and the corresponding countermeasures is given at the end of this FAQ.
- An outside attacker can try to perform a denial of service attack by repeatedly deleting confirmation numbers or lock-ins -- whether on the voter's computer itself, on the website, or on the Bulletin Board -- even if a voter tries to resend confirmation numbers. An inside attacker can also attempt to change confirmation numbers.
The voter will notice that his or her confirmation number is missing when he or she tries to lock in. If the lock-in itself is deleted, he or she will notice on a later visit to the Bulletin Board. If the correct confirmation number or lock-in was ever on the Bulletin Board, it would have been signed by the offline server, so observers would also detect that it had changed, and the voter would have proof that there was a problem. Similarly, if a voter finds that his or her ballot is already locked-in before he or she has voted, the unscratched fields on the scratch-off envelope provide proof of this (an attacker who locked in ahead of the voter would have had to guess correctly which lock-in field the voter would scratch off, if the voter scratched one at all).
If the voter is not able to correct the problem by resending confirmation numbers, he or she may send in the vote using postal mail or vote in person, which are the only options in traditional absentee voting in any case.
- A race condition between the Bulletin Board and observers can arise, where the Bulletin Board tries to change a confirmation number immediately after it is locked-in.
A change to a confirmation number will be noticed by observers, and the change can be proven using the digital signatures. In the very unlikely coincidence that the voter locked in the number immediately after it was posted and before any observer viewed it, the voter would still notice if he or she checked the Bulletin Board at any time after locking in. The voter would not be able to prove there was a problem, but could vote in person or by postal mail.
- Someone can trash all the servers online and offline, close to the deadline, so that all electronic information is lost and voters do not have the time to replace it.
The offline server prints out all the information it signs, so that a paper copy of the Bulletin Board as of the last signing exists. Only information provided by voters in the last cycle before the servers were trashed would be lost.
The printed information can be used to count votes in the same manner that paper ballots are currently used. Any observers or voters who have previously checked the Bulletin Board can check the final one, reconstructed from the final paper printout, for consistency.
- A computer virus on all computers can present false information to voters even if they check from multiple computers.
In this case, voters are not able to detect if their votes were deleted or changed. Remotegrity requires the assumption that at least some voters and observers have access to at least one honest computer that presents the Bulletin Board as it is.
I hope all this new-fangled stuff will not affect my ability to vote as I usually do: absentee, by mail.
The process for the absentee voter who uses the postal system or hand delivery to return the marked ballot is identical to that with other voting systems. You would ignore the confirmation numbers on the ballot and the scratch-off fields on the envelope; other than that, you would fill out your ballot and return it as usual.
What will the absentee voter receive in the mail?
Absentee voters receive a package containing:
- A ballot in a sealed envelope
- An envelope with a set of scratch-off fields on its front.
- A return envelope
The ballot is much like an optical scan ballot, except that a confirmation number is associated with each oval. The confirmation numbers are chosen randomly per candidate per ballot, so someone who knows a confirmation number cannot tell which candidate it stands for without seeing the ballot. For those familiar with the Scantegrity voting system, these are Scantegrity confirmation numbers.
The Scratch-Off Envelope
The scratch-off envelope carries a set of authentication codes on its front, each under its own scratch-off field. These codes enable the following:
- Election servers can determine that a vote comes from a valid voter who hasn't voted earlier in the election.
- A voter can change his or her confirmation numbers if the website does not display them as he or she intended.
- The codes are under scratch-off fields so that a voter would know if someone had already tried to vote on his or her behalf.
- There are also some additional security properties enabled by the use of scratch-offs.
The Return Envelope
This is the envelope meant for returning the ballot to the election officials for those who wish to use postal or hand delivery to turn in marked ballots.
How do I send my vote through the internet?
If you wish to use the internet to communicate your vote to election officials, you go to a website which gives you step-by-step instructions on the process. You may choose to abandon this process at any time and simply return the ballot by mail or in person. A paper ballot, when returned with valid authentication codes, overrides all previous votes cast using that set of authentication codes. If you lose your ballot or authentication codes, you may request another package or vote on site. Voting in person, either as an early voter or at the polling location, overrules all previously-cast votes.
How do you ensure that my vote is secret?
Your vote is never revealed to a computer on the internet. The confirmation numbers are generated to print ballots but thereafter all information is wiped off the computer generating the numbers. The numbers are re-generated in order to compute the tally, and again wiped off.
Further, your ballot arrives in a sealed envelope so that the election official sending you the package does not see the numbers on your ballot.
Similarly, the election official cannot see the authentication codes that are also under scratch-off.
If you return your ballot by the mail, election officials follow a time-honored procedure for separating the ballot from any information that identifies you before the ballots are counted.
What happens if someone changes or deletes information on the website server?
The entity trying to change or delete information on the website server could be an outsider who does not know confirmation numbers or authentication codes and hacks into the online website server(s), or an insider who knows valid confirmation numbers.
- If voters check confirmation numbers while locking-in, changes -- including deletions -- will be detected. The voter can then re-enter the correct confirmation number.
- Because the offline computer digitally signs all confirmation numbers before they are posted on the Bulletin Board, any observers watching the Bulletin Board will also notice changes, and anyone checking the digital signatures will be able to prove the changes have occurred.
- Remotegrity itself will be checking the bulletin board and its digital signatures frequently from a distributed set of clients. The records of the offline machine are compared with the bulletin board every time a new batch is signed. This will also detect the absence/change of a confirmation number.
- If the problem persists in spite of the voter re-entering confirmation numbers, the voter experiences a denial of service and has to vote in person or by using the postal service.
What happens if an insider who knows valid confirmation numbers changes those coming from mailed-in paper ballots?
This attack can be uncovered only by a manual count, and only if a secure chain of custody is maintained. This reflects the fact that voters returning paper ballots do not have the ability to verify the election outcome.
What happens if a virus on the voter's computer prevents a voter from casting a vote by repeatedly modifying the confirmation number or not sending it in?
To avoid this possibility, voters should not use the same computer if they need to modify their confirmation numbers. If, however, they do not have the option to use another computer, and/or notice that their confirmation numbers are being changed often, they should mail-in the ballot or vote in person.
If such a virus is present on many/all of the computers a voter can use, this would be a distributed denial of service attack.
In this case, the voter's options are reduced to those of a typical absentee voter who does not have the internet option.
Can something like a race condition affect the voter's ability to verify?
A race condition-like scenario arises when the Bulletin Board presents the correct confirmation number to the voter, who then locks in. The Bulletin Board then changes the confirmation number, or drops the record of the lock-in, effectively changing or deleting the vote.
If the voter never comes back to the bulletin board, she will not detect the absence/change of the confirmation number and/or lock-in.
This problem, however, can be detected by the following:
- Anyone using an app that checks digital signatures will notice the deletion or change of a confirmation number, but not that of a lock-in. This is because everything on the Bulletin Board is signed in chronological order: a confirmation number is posted, and therefore signed, before the voter locks it in, so a later change breaks the signature. The lock-in, on the other hand, would only be signed in the next batch; if it is dropped before that batch is signed, no signature ever covered it.
- Remotegrity itself will be checking the bulletin board and its digital signatures frequently from a distributed set of clients.
- The records of the offline machine are compared with the bulletin board every time a new batch is signed. This will also detect the absence/change of a confirmation number but not the (deleted/changed) fact of a lock-in.
- The offline machine could recreate the correct record of the confirmation number, but it would not know if there was a lock-in or not.
If the Bulletin Board itself modifies the information, voters who are constantly checking the bulletin board will notice the changes in their own numbers or lock-in only. Voters who make an electronic copy, with valid digital signatures, of the bulletin board immediately before locking-in are able to prove there was a problem with a lost or modified confirmation number. They are not, however, able to prove there was a problem if the lock-in is lost.
If voters notice problems after their votes are locked-in, their only recourse is to vote using the postal system or to vote in person.
Recall that the bulletin board can also change confirmation numbers in non-remote voting systems such as Scantegrity; however, a manual count of the paper record of Scantegrity would reveal the problem if the secure chain of custody is maintained.
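To make the race condition above concrete, and the signature and consistency checks described under "How do I know that the website did not change my numbers after I locked-in?", here is an added example (not Remotegrity's code; the page names neither its signature scheme nor its batch format, so both are assumptions). The offline signer signs one batch per cycle with a pre-published one-time Lamport key (hash-based, so it runs with the standard library alone), each batch naming the hash of the previous one, and keeps its own copy of what it signed, the role the paper printout plays. The observer checks re-verify every signature and chain link, and compare a saved snapshot with the current board. Editing a signed confirmation number breaks the signature, the snapshot prefix and the offline record; dropping a lock-in before it is ever signed breaks nothing, which is exactly the gap the text describes.

```python
import hashlib
import json
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Lamport one-time signatures: hash-based, standard library only. They stand in for
# the offline server's real (unnamed) scheme; one key pair is used per signed batch.
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))

def canonical(batch: dict) -> bytes:
    return json.dumps(batch, sort_keys=True, separators=(",", ":")).encode()

GENESIS = b"\x00" * 32

class OfflineSigner:
    """Air-gapped signer: keys published ahead of time, one per signing cycle, plus a
    private record of every batch it signed (the role the paper printout plays)."""
    def __init__(self, cycles: int):
        self._keys = [lamport_keygen() for _ in range(cycles)]
        self.public_keys = [pk for _, pk in self._keys]
        self.record = []

    def sign_batch(self, entries: list) -> dict:
        cycle = len(self.record)
        prev = H(canonical(self.record[-1])) if self.record else GENESIS
        batch = {"cycle": cycle, "prev": prev.hex(), "entries": entries}
        sig = lamport_sign(self._keys[cycle][0], canonical(batch))
        self.record.append(json.loads(canonical(batch)))      # private copy
        return {"batch": batch, "sig": [s.hex() for s in sig]}

def verify_board(board: list, public_keys: list):
    """Observer check: each batch carries a valid signature and chains to its predecessor."""
    prev = GENESIS
    for i, signed in enumerate(board):
        batch = signed["batch"]
        if batch["cycle"] != i or bytes.fromhex(batch["prev"]) != prev:
            return False, f"chain broken at batch {i}"
        sig = [bytes.fromhex(s) for s in signed["sig"]]
        if not lamport_verify(public_keys[i], canonical(batch), sig):
            return False, f"bad signature on batch {i}"
        prev = H(canonical(batch))
    return True, "ok"

def still_contains(snapshot: list, board: list) -> bool:
    """An observer who saved an earlier copy checks it is still a prefix of the board."""
    return len(snapshot) <= len(board) and all(
        canonical(a["batch"]) == canonical(b["batch"]) for a, b in zip(snapshot, board))

def offline_consistency(signer: OfflineSigner, board: list) -> bool:
    """The offline machine's own check before it signs the next batch."""
    return [s["batch"] for s in board] == signer.record

def scenario() -> dict:
    """Constructed walk-through; every ballot number and code is sample data."""
    signer = OfflineSigner(cycles=3)
    board = [signer.sign_batch([{"ballot": 1042, "code": "572481"}])]   # cycle 0
    snapshot = json.loads(json.dumps(board))                             # observer's copy
    out = {"honest_board_verifies": verify_board(board, signer.public_keys)[0]}

    # Attack 1: a posted (hence already signed) confirmation number is edited on the board.
    edited = json.loads(json.dumps(board))
    edited[0]["batch"]["entries"][0]["code"] = "572482"
    out["edited_code_verifies"] = verify_board(edited, signer.public_keys)[0]
    out["snapshot_still_prefix"] = still_contains(snapshot, edited)
    out["offline_record_matches_edit"] = offline_consistency(signer, edited)

    # Attack 2 (the race): the voter locks in after seeing cycle 0, and the board drops
    # the lock-in before cycle 1 is signed. No signature ever covered it, so nothing breaks.
    lock_in = {"ballot": 1042, "lock_in": True}
    dropped = board + [signer.sign_batch([])]
    out["dropped_lockin_verifies"] = verify_board(dropped, signer.public_keys)[0]
    out["lockin_on_board"] = any(lock_in in s["batch"]["entries"] for s in dropped)

    # Contrast: once the lock-in has been signed (cycle 2), deleting it is provable.
    later = json.loads(json.dumps(dropped + [signer.sign_batch([lock_in])]))
    later[2]["batch"]["entries"] = []
    out["deleted_signed_lockin_verifies"] = verify_board(later, signer.public_keys)[0]
    return out
```

Only the voter, returning to the board later, can notice the dropped lock-in in attack 2, and even then without proof; that is why the text sends such a voter back to the postal system or the polling place rather than to the signatures.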
What happens if an insider, who knows valid authentication codes and valid confirmation numbers, changes or deletes information on the Bulletin Board?
This attack too can be uncovered by a voter who checks the Bulletin Board constantly, though again the absentee voter would not have proof of a deleted lock-in. He or she might have proof if the system locked in a confirmation number before he or she did so, because he or she might then scratch off a different lock-in field than the one the insider used. Similarly, if the system attempts to vote on behalf of the voter before the voter does so, the voter can show an unscratched field, or a different scratched-off one-use password.
A voter who notices the above problem can vote in person or by postal mail.
What happens if a last-minute trashing of all online servers and all electronic records, including the offline server, leads to the loss of all votes cast electronically?
In this scenario there are no paper ballots to recover the votes from, and it is too late for voters to send ballots by mail or to vote in person.
The system keeps a paper record of all confirmation numbers and lock-ins as they are cast, and/or the corresponding paper ballots, except for those entered in the last signing cycle. The system can recover from these records, which are equivalent to paper ballots: an honest offline server together with a secure chain of custody of the paper print-outs is equivalent to a secure chain of custody of ballots.
Notice, however, that if there is not sufficient time for voters to check these, the system can cheat, but this is no worse than the current absentee voting system which relies on postal mail and does not provide voters with the ability to verify.
What happens if a virus on all computers ensures all voters see the confirmation numbers they entered on the website, while the bulletin board actually bears other numbers?
This would prevent voters from knowing that their votes were changed or deleted. Remotegrity does not protect against an attack of this scale. It requires that most voters have access to at least one trustworthy computer that displays the Bulletin Board honestly.