Voting Security Requirements

Ka-Ping Yee, last updated 2006-12-29

This outline list breaks down high-level desiderata for an election into progressively more detailed requirements. At each level, the refinement of an item into sub-items represents both a logical requirement (all the sub-items must be true in order to make the parent item true) and a design choice (our chosen method for upholding the parent item is to uphold the sub-items). Each sub-item at the most detailed level is classified according to how it can be upheld: for example, is it enforced by software, a human being, or something else?

Breaking down requirements in this way clarifies where responsibilities lie. Laying out a requirement tree surfaces our assumptions, helps us ensure that all the bases are covered, and enables us to identify when a particular part of the election system has failed to meet a security commitment.

Here are definitions for a few terms used in the text below:

ability class
In order to make any sort of verifiable claim about meeting the accessibility needs of voters with disabilities, there has to be a definition of what needs the election must meet. Here this definition is assumed to consist of a list of ability classes, where each class is a profile of voter abilities (for example, "voters that have normal vision" would be an ability class). The election system lives up to its claimed accessibility standard if it enfranchises voters of every claimed ability class.
option
An option is something voters can choose in a contest, such as a candidate for a position or a choice in a referendum.
selection state
At any given moment during a voting session, the selection state is the set of selections that will be recorded if the voter takes the shortest possible sequence of actions to cast the ballot.
voting session
In-person voting is assumed to take place in discrete voting sessions in which a single voter interacts with a single ballot. A session ends when the ballot is either cast or discarded.

The categories of responsibility for upholding requirements are as follows:

The second level is intended to provide an implementation-independent elaboration of the top-level requirements; further levels of detail are implementation-specific.

    1. One voter, one vote: Each authorized voter can cast exactly one ballot containing the contests for which that voter is authorized to vote.
      1. Only authorized voters are allowed to cast ballots.
        1. Ballots may be cast only within voting sessions.
        2. Only authorized voters are allowed to begin voting sessions.
      2. Each voter is presented with a ballot containing the correct set of contests for which that voter is authorized to vote.
        1. For each voter, there exists a ballot definition containing the exact set of contests for which they are authorized to vote.
        2. For each voting session, the correct ballot definition is loaded and present in the machine for the voter using it.
        3. For each voting session, the correct ballot definition is selected and activated for the voter using it.
      3. Each authorized voter has the opportunity to cast a ballot.
        1. Each voter has access to a polling location they can use.
        2. Each voter can begin a voting session in a reasonable time.
          1. For each voter-ability class, enough voting equipment that meets their accessibility needs is made available for the number of such voters expected at each polling location.
          2. The voting equipment does not become unavailable.
            1. The voting hardware does not break down.
            2. The voting software is always ready to start a new session if signaled to do so.
          3. The voting procedure does not require excessive time.
        3. Each voting session provides the opportunity to cast a ballot.
          1. The voting session terminates only after casting a ballot.
            1. The voting software does not abort during a voting session.
            2. The voting software does not become unresponsive during a voting session.
          2. There always exists a sequence of user actions that leads to casting a ballot.
          3. The sequence of actions necessary to cast a ballot is always made apparent to the voter.
      4. No voter may cast more than one ballot.
        1. No voting session allows more than one ballot to be cast.
          1. Casting a ballot terminates the voting session.
        2. Each voter is allowed at most one voting session in which a ballot was cast.
          1. Only pollworkers can cause a new voting session to begin.
          2. At the end of a voting session, it is always apparent whether or not a ballot was cast.
            1. Casting a ballot causes a specific screen to appear.
            2. The completion screen only appears when a ballot is cast.
            3. No other display states resemble the completion screen.
            4. The completion screen stays on the display until the machine begins a new voting session.
          3. The pollworkers allow each voter at most one voting session that resulted in the display of the completion screen.
    2. Fairness: The election is not biased toward any voters or options.
      1. All voters are equitably franchised.
        1. All voters have equitable access to their polling places.
        2. All voters have equitable access to voting machines.
        3. All voters have equitable opportunity to begin voting sessions.
        4. All voting sessions that vote on a particular contest yield a uniform likelihood of a voting error in that contest.
          1. All ballot designs that contain a particular contest yield a uniform likelihood of a voting error in that contest.
          2. All voting sessions with the same ballot definition yield the same deterministic interaction behaviour.
      2. All options have equitable opportunity to receive votes.
        1. For each contest, all the options are presented in the same style on each ballot and across all ballots.
        2. For each contest, the voters are presented with ballots that yield a uniform distribution of biases in favour of every option.
        3. Within each contest, for each option, the voters that intend to vote for that option are presented with ballots that yield a uniform distribution of voting errors in favour of every other option.
    3. Cast as intended: Each cast ballot corresponds to its voter's intent.
      1. The voting instructions, contests, and options presented to the voter are complete and accurate.
        1. For each ballot definition, all the correct contests and options are present in the ballot and accurately represented.
        2. For each ballot definition, all options are clearly associated with the contest to which they belong.
        3. For each ballot definition and each contest, the means of making selections and the range of allowable selection states is correctly made apparent to the voter.
        4. The machine displays all instructions, contests, and options exactly as specified in the ballot definition.
        5. At any point in the session before casting, all contests and options are reachable through some sequence of user actions.
        6. Before the ballot can be cast, the voter must be presented with the opportunity to vote in every contest.
      2. Navigation within the ballot takes place in a way that matches the voter's intentions.
        1. Navigation within the ballot occurs only when the voter takes an explicit navigation action or together with an accurate notification perceivable to all voter-ability classes.
          1. Every user action that the ballot definition specifies as causing a navigation transition is described or implied to do so in the display presented to the voter.
          2. Every navigation transition that is specified to occur spontaneously in the ballot definition is accompanied by the specification of a notification perceivable to all voter-ability classes that accurately describes the transition.
          3. Navigation transitions can occur during a voting session only by a user action that the ballot definition specifies to cause the transition, or according to a specification of a spontaneous transition in the ballot definition.
        2. Any user action that is described or implied as navigating within the ballot has exactly the expected effect and no other effect.
          1. Every user action that is described or implied to navigate somewhere within the ballot is indeed specified in the ballot definition to cause the expected transition and no other transition.
          2. Any user action that is specified in the ballot definition to cause a particular navigation transition actually causes that transition and no other transition. (Examples of transitions would include navigating among pages showing instructions, contests, options, parts of contests, or multiple contests.)
      3. A particular selection state is achievable if and only if that selection state is valid to cast.
          Assumption: the only constraint on a castable ballot is a maximum number of selections per contest.
        1. The ballot definition specifies the correct maximum number of selections for each contest.
        2. In each contest, the selection state never exceeds the maximum number of allowed selections specified in the ballot definition.
        3. In each contest, the selection state can come to have any combination of options containing up to the maximum specified in the ballot definition.
      4. The selection state is empty at the start of every voting session.
      5. Changes to the selection state match the voter's intentions.
        1. The selection state can change only by an explicit user action that is described or implied to change the selection state.
          1. Every user action that the ballot definition specifies as changing the selection state is described or implied to do so in the display presented to the voter.
          2. The selection state can change during a voting session only by a user action that the ballot definition specifies will change the selection state.
        2. Any user action that is described or implied as having an effect on the selection state indeed has exactly the expected effect and no other effect, unless the change would yield a set of selections that is invalid to cast, in which case it has no effect.
          1. Every user action that is described or implied to change the selection state in the display presented to the voter is indeed specified in the ballot definition to cause that change and no other change.
          2. Any user action that is specified in the ballot definition to cause a change to the selection state actually causes that change and no other change, unless the change would yield a set of selections that is invalid to cast, in which case it has no effect on the selection state. (Examples of such actions include selecting, deselecting, toggling, and radio-selecting individual options; clearing a contest and clearing all contests; and setting all selections according to a predetermined configuration such as a straight-ticket ballot.)
      6. The voter receives accurate feedback on the selection state.
        1. Each option has a selected appearance and an unselected appearance.
        2. The selected appearances are similar in a way that makes them recognizably selected and distinct from unselected options.
        3. Wherever information about selected options is displayed, it is clearly associated with the correct contest.
        4. Wherever options are displayed for selection, any options that are in the current selection state have their selected appearance, and those that are not have their unselected appearance.
        5. Wherever options are displayed for review, any options that are in the current selection state are displayed, and no options that are not in the current selection state are displayed.
      7. The voter has adequate opportunity to review selections and correct mistakes before casting the ballot.
        1. For every contest, a review of that contest's selection state is always presented after the last time the selection state changes and before the ballot is cast.
        2. The voter is always notified of any undervoted contests after the last time the selection state in a contest changes and before the ballot is cast.
        3. The voter has the option to change the selections in any contest at any time during a session before casting the ballot.
      8. The action of casting the ballot matches the user's intention to cast.
        1. The ballot can be cast only by an explicit user action that is described or implied to cast the ballot.
          1. Every user action that causes a transition to the last page is described or implied to cast the ballot in the display presented to the voter.
          2. The ballot can be cast only by a transition to the last page of the ballot definition.
        2. Any user action that is described or implied as casting the ballot indeed casts the ballot.
          1. Every user action that is described or implied to cast the ballot in the display presented to the voter is specified in the ballot definition to cause a transition to the last page.
          2. A transition to the last page of the ballot definition always causes the ballot to be cast.
    4. Counted as cast: The resulting totals correctly reflect ballots cast.
      1. The selections made on the ballots are published anonymously so that anyone can verify the count.
      2. The selections on the ballots are not altered or lost between the time they are cast and the time they are published.
      3. Every published selection corresponds to a ballot cast in an authorized voting session.
    5. Privacy: The system does not expose how any particular voter voted. (Not yet elaborated. Mention: determinism, anonymous storage.)
    6. Anti-coercion: Voters are unable to reliably expose how they voted. (Not yet elaborated.)
    7. Verifiability: The public can ascertain the fairness of voting procedures and the correctness of the ballots counted. (Not yet elaborated.)
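Several of the leaf requirements above (1.3.3.2, 1.4.1.1, 3.3.2, 3.3.3, 3.4, 3.5.2.2 and 3.7.3) are invariants over the states a voting session can reach, which makes them checkable by exhaustive exploration rather than by inspection. The following is an added example of that, written for this page; it is not code from the page or from Pvote or any other voting system. It models a constructed ballot definition as a small deterministic state machine (pages with explicit navigation actions, one frozenset of selected options per contest, a per-contest maximum as the only castability constraint, and "cast" meaning a transition to the last page), explores every reachable state, and turns each requirement into a predicate over that state space. The ballot-definition layout, the action names and the requirement labels used as dictionary keys are assumptions made for the example.

```python
# Added example (not from this page or from Pvote): exhaustive state-space
# check of a toy ballot definition against the requirement tree above.
# The definition layout, action names and labels are assumptions.
from collections import deque
from itertools import combinations, product

# Constructed ballot definition: two contests, a review page, then the
# completion page. A page records which contest it shows (None for review and
# completion) and the explicit navigation actions it offers; there are no
# spontaneous transitions (3.2.1).
BALLOT = {
    "contests": [
        {"options": ("A", "B", "C"), "max": 1},   # vote for one
        {"options": ("D", "E", "F"), "max": 2},   # vote for up to two
    ],
    "pages": [
        {"contest": 0, "nav": {"next": 1}},
        {"contest": 1, "nav": {"prev": 0, "next": 2}},
        {"contest": None, "nav": {"prev": 1, "cast": 3}},  # review page
        {"contest": None, "nav": {}},                       # completion page
    ],
}
# Same ballot with "prev" dropped from the review page: once the voter reaches
# review there is no way back to any contest, which violates 3.7.3.
BROKEN = {"contests": BALLOT["contests"],
          "pages": BALLOT["pages"][:2] + [{"contest": None, "nav": {"cast": 3}}]
                   + BALLOT["pages"][3:]}

# A session state is (page index, selection state); the selection state is one
# frozenset of chosen options per contest.
def initial(ballot):
    return (0, tuple(frozenset() for _ in ballot["contests"]))  # 3.4: empty at start

def is_cast(ballot, state):
    return state[0] == len(ballot["pages"]) - 1  # 3.8: cast iff on the last page

def actions(ballot, state):
    """Explicit user actions available in this state (navigation and option toggles)."""
    if is_cast(ballot, state):
        return ()                                   # 1.4.1.1: casting ends the session
    page = ballot["pages"][state[0]]
    acts = [("nav", a) for a in page["nav"]]
    if page["contest"] is not None:
        acts += [("toggle", o) for o in ballot["contests"][page["contest"]]["options"]]
    return tuple(acts)

def step(ballot, state, action):
    """Deterministic transition (2.1.4.2): same state and action, same result."""
    page_idx, sel = state
    page = ballot["pages"][page_idx]
    kind, arg = action
    if kind == "nav":
        return (page["nav"][arg], sel)
    c = page["contest"]
    new = sel[c] ^ {arg}                            # toggle one option in this contest
    if len(new) > ballot["contests"][c]["max"]:
        return state                                # 3.5.2.2: invalid change has no effect
    return (page_idx, sel[:c] + (new,) + sel[c + 1:])

def reachable(ballot):
    """Every state reachable from the initial state, mapped to its set of successors."""
    graph, queue = {}, deque([initial(ballot)])
    while queue:
        s = queue.popleft()
        if s not in graph:
            graph[s] = {step(ballot, s, a) for a in actions(ballot, s)}
            queue.extend(graph[s])
    return graph

def closure(graph, start):
    """States reachable from start within an already-explored graph."""
    seen, queue = set(), deque([start])
    while queue:
        s = queue.popleft()
        if s not in seen:
            seen.add(s)
            queue.extend(graph[s])
    return seen

def check(ballot):
    """Map each requirement label to whether every reachable state upholds it."""
    graph = reachable(ballot)
    contests = ballot["contests"]
    live = [s for s in graph if not is_cast(ballot, s)]
    # Every selection state the definition says is valid to cast (3.3).
    valid = product(*[[frozenset(k) for n in range(c["max"] + 1)
                       for k in combinations(c["options"], n)] for c in contests])
    seen_sel = {s[1] for s in graph}
    return {
        "3.3.2 never exceeds max": all(len(s[1][i]) <= c["max"]
                                       for s in graph for i, c in enumerate(contests)),
        "3.3.3 every valid state reachable": all(v in seen_sel for v in valid),
        "1.3.3.2 cast always reachable": all(any(is_cast(ballot, t) for t in closure(graph, s))
                                             for s in live),
        "3.7.3 any contest editable before cast": all(
            any(ballot["pages"][t[0]]["contest"] == i for t in closure(graph, s))
            for s in live for i in range(len(contests))),
        "1.4.1.1 cast ends session": all(not graph[s] for s in graph if is_cast(ballot, s)),
    }

if __name__ == "__main__":
    for name, ballot in (("well-formed", BALLOT), ("no way back from review", BROKEN)):
        print(name)
        for label, ok in check(ballot).items():
            print("  ", "PASS" if ok else "FAIL", label)
```

Run as a script, the well-formed definition passes every check, while the variant without a "prev" action on the review page fails only 3.7.3: from the review page a voter can still reach the completion page (1.3.3.2 holds) and every valid selection state is still reachable (3.3.3 holds), but no contest can be revisited. That distinction is the point of stating each leaf as a separate predicate: a design can satisfy the reachability requirements while quietly failing the correction requirement, and an exhaustive check over a small definition finds it without relying on a tester happening to try that path. For a real ballot definition the state space grows with the product of per-contest selection states, so the same approach would be applied per contest or with a symbolic representation rather than by enumeration.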