How will this voting app work?

The system our grantees are developing works as a digital version of paper absentee voting. Instead of receiving a ballot by mail, eligible voters can download the voting app from their app store. When they open the app, voters must enter some personally identifiable information (which will vary from state to state), generally including their name, year of birth, address, and other PII such as a driver's license number or, in some cases, the last four digits of their Social Security number. That information is matched to the voter's registration record to determine the voter's eligibility to vote in the election and which ballot the voter should receive. This process is similar to the procedures used at polling places when voting in person or when requesting a mail ballot.

Voters will then mark their ballot on their device. Voters with disabilities can use their own assistive technology to read and mark their ballot. When finished voting, voters must follow other requirements for mail absentee voting, including signing an affidavit attesting to their identity and providing a photo of an acceptable ID, where required.

Their completed ballot packet, including the voted digital ballot and signed affidavit, may be printed and sent back to the election office by mail, in person, or at a dropbox. Or the voter can choose to return the ballot digitally from their phone. With digital ballot return, the ballot packet is encrypted and transmitted to a digital ballot box where it is stored under double seal until it is time to print the ballot for tabulation. All digital ballots will be printed onto scannable paper ballots and tabulated with all other absentee ballots cast in the election.


How is this different?

The system is based on the requirements for digital absentee voting identified by the U.S. Vote Foundation, including transparency, usability, and end-to-end verifiability. The documentation and use of open-source software form a key part of the universal verification of the online voting system and give security experts and other developers the opportunity to scrutinize the code and help mitigate potential threats.

Unlike other digital voting solutions, our system will offer end-to-end verification so that voters can verify their votes are recorded as cast, and the public can verify all ballots are tallied as recorded.

What is End-to-End Verification?

End-to-end verification (E2E-V) is a collection of techniques for replicating and, in some cases, exceeding the evidence available to voters casting a ballot in person. With E2E-V, voters and the public do not need to trust blindly that the election system will count their ballots correctly. E2E-V enables individual voters to verify their ballots are cast as intended by verifying their vote choices are recorded and sealed correctly. It also enables members of the public to verify the results are tallied as cast by independently verifying that every recorded vote is included in the tally. For more on how end-to-end verification works in this system, check out our one-page explainer.

How are mobile votes tabulated?

All digital ballots will be printed onto scannable paper ballots and tabulated following the same procedures used for all other absentee ballots.

What is the digital ballot box?

The digital ballot box is the digital storage box containing ballots cast by voters using digital absentee voting. It is a digital version of a traditional ballot box. In a traditional ballot box, ballots are secured in envelopes and stored under lock and key, and the ballot box can only be opened by election officials following chain of custody procedures. The ballots in the digital ballot box are sealed in a digital version of a secrecy envelope and can only be accessed when a majority of trustees are present with their security keys to unlock the digital ballot box and decrypt or "open" the ballot envelopes. The sealed digital envelopes are mixed before they are unsealed to protect voter anonymity and ensure no ballot is traced to a specific voter. The digital ballot box may be housed in a state-hosted cloud configuration or third-party hosted government cloud solution such as Amazon Web Services or Microsoft Azure.

What is a trustee?

A trustee is an individual appointed to represent a political party, candidate, or interest who is tasked with securing the digital ballot box. A minimum of three trustees must be appointed for each election, each representing a different interest, party or candidate, and each trustee holds a part of the key needed to unlock the digital ballot box. At least two trustees are needed to unlock the box, which prevents any single person from being able to access or tamper with votes cast using the system.
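The page does not say how the trustees' key parts are produced. As an added illustration (not the project's code), the sketch below uses Shamir secret sharing, one standard way to build the two-of-three trustee threshold described above; the function names, the field size and the single-dealer split are assumptions made for the example.

```python
import secrets

PRIME = 2**127 - 1  # Mersenne prime; field size chosen for illustration only

def split_secret(secret, threshold=2, trustees=3):
    """Deal one share (x, y) per trustee; any `threshold` shares recover `secret`."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    if not 1 < threshold <= trustees:
        raise ValueError("need 1 < threshold <= trustees")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, trustees + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares

def recover_secret(shares, threshold=2):
    """Lagrange-interpolate the polynomial at x = 0 from `threshold` distinct shares."""
    points = list(dict(shares).items())  # drop duplicate x values
    if len(points) < threshold:
        raise ValueError("not enough distinct trustee shares to unlock")
    points = points[:threshold]
    secret = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * xj % PRIME
                den = den * (xj - xi) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

def slope_for(share, candidate):
    """With threshold 2, return the line slope that makes `candidate` fit one share."""
    x, y = share
    return (y - candidate) * pow(x, -1, PRIME) % PRIME

if __name__ == "__main__":
    key = secrets.randbelow(PRIME)  # constructed stand-in for the ballot-box key
    a, b, c = split_secret(key)
    assert recover_secret([a, c]) == key  # any two trustees unlock
    # One trustee alone: every candidate key is consistent with their share.
    print(all((k + slope_for(a, k) * a[0]) % PRIME == a[1] for k in (0, 1, key)))
```

`slope_for` shows why one trustee alone learns nothing: for any candidate key there is a line through that trustee's share, so the share rules out no value.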

How does this system mitigate the risk of a cyber attack?

From the very inception of the project, cybersecurity has been a forefront consideration. The application and its supporting systems will be hardened using best practices outlined by NIST, SANS, and other industry-recognized standards. During the development phase alone, two threat models, three penetration tests, multiple code reviews, and multiple iterations of system and application hardening will be conducted.

The system is also being built for deployment in a trusted third-party cloud environment, including AWS GovCloud, which is used by the Department of Defense, Department of Homeland Security, and the IRS, among other government agencies. We are also collaborating with leading industry experts, including the certified voting system testing labs, and will align to security and technical standards for voting, including the Voluntary Voting System Guidelines 2.0.

How does the app mitigate the risk of malware on the voter’s device that could alter a voter's ballot?

The app is designed for use as a native application on the most up-to-date mobile device operating systems that provide embedded security features to protect voter identity and the security of the voting process. But the system does not force voters to trust that their phones are secure. Instead, the system will provide voters with the tools to verify independently and on a separate device that their ballot choices were recorded correctly in the voting app before casting their ballot. This process of end-to-end verification will require voters to have access to a computer, laptop or other mobile device or tablet. By using a separate device to perform the verification check, voters will also be able to confirm that there is no malware or other threat on the device they use to vote that could manipulate how their votes are recorded.

How does the system mitigate the risk of voter fraud?

Our grantees are developing a digital version of absentee voting that exceeds the minimum requirements for voter verification used with traditional mail ballots. The system uses a three-factor authentication process to verify voters and prevent successful voter impersonation:

1. Voters must provide personally identifiable information that is matched to their voter registration record. This process also confirms that users are eligible to vote using digital absentee voting based on local election requirements.

2. Voters must prove they have access to the email address in their voter registration record by entering a time-sensitive one-time access code sent to their email before they can proceed with digital ballot return.

3. Voters must sign an affidavit attesting to their identity and provide any other identifying information, such as a photo of an ID or witness signature, as required of all absentee voters in their local jurisdiction. The signature affidavit is verified by the local election office following the same procedures used for all other mail and absentee ballots.

The system has the potential to incorporate additional verification steps, including biometric authentication (e.g., facial recognition) to enhance this process.

How does the system protect voter anonymity throughout the voting process?

The system is designed to protect voter anonymity throughout the voting process. As with paper absentee voting, voters will be required to provide some personally identifiable information in order to confirm their eligibility to vote using the voting app and to ensure they receive the correct ballot. When voters finish the voting process, all data will be deleted, including any personally identifiable information about the voter and their marked ballot choices. This deletion ensures that no one with access to the voter's device can then use that access to determine the voter's ballot choices.

When using digital ballot return, voters who choose to check that their ballot was recorded correctly through an external Verify My Ballot site will remain anonymous. The checking process does not involve any indication of the voter's identity.

Digitally sealed ballots initially associated with the voter's signature affidavit are separated from those affidavits when signature matching and other verification checks are complete. This separation occurs before the ballots are mixed and unsealed for printing onto scannable paper ballots. This process mirrors the procedures for paper absentee voting in which signature verification and other checks are completed before voted paper ballots are removed from envelopes and separated from voter identifying information.

How does this system mitigate the risk of an insider attack from an election administrator or employee of the vendor?

The system is built for integration into existing election security procedures and follows the same processes used to mitigate the risk of insider tampering with paper absentee ballots. Before voting begins in an election, the system will undergo logic and accuracy testing that helps to affirm that votes marked in the mobile app will record correctly, cast ballots will print correctly, and the scannable paper ballots will tabulate correctly. This testing process is the same used for all other voting methods, including ballot marking devices used for in-person voting and hand-marked optical scan ballots used in paper absentee voting.

The trustee process used to secure the digital ballot box also mitigates the risk that any single person can access cast digital ballots. A minimum of two trustees representing different political parties or interests must be present to unlock the digital ballot box and unseal voted ballot envelopes. And the ballot verification process directly mirrors paper absentee voting, supporting local procedures that integrate a bipartisan signature verification process.

Finally, the system will support public review of the entire voting process on a digital ballot audit site, including reviewing the security seals used to secure voted ballots and affirming that the tabulated results themselves match what the election system reports.

This collection of checks and processes ensures that any successful insider attack would require collusion of multiple insiders, including insiders who represent different interested parties.

Who is this for?

This technology will benefit any voter by adding a secure and convenient voting option and increasing the transparency of the election process. The technology has immediate benefits for voters who face barriers to traditional voting options, including disabled voters, military and overseas voters, voters on Tribal lands, hospitalized voters, and voters in emergencies. That is why we are working with disability advocates such as the National Federation of the Blind to test the application and ensure it will be fully accessible for all voters, regardless of ability.

When will this technology be ready?

Our grantees anticipate having a finished system ready for election pilots in 2023.

Does a voter need to give up their right to a secret ballot to use this system?

No. Unlike other electronic return options that rely on email or fax, voters will not need to give up their right to a secret ballot to use digital ballot return in this system. The voter's ballot will remain sealed in the digital ballot box until the voter's signature affidavit is verified by local election officials, just as paper absentee ballots remain in sealed envelopes until signature verification is completed. Once the signature affidavit is verified and removed, the digital ballot will be mixed with other digital ballots before being unsealed and printed to ensure no ballot can be traced to a specific voter. Ballots can only be unsealed when at least two trustees are present to unlock the digital ballot box.
