Continued from p. 2E

III. APPENDICES.

A.1. FORMAL VOTING SYSTEM REQUIREMENTS

A Trustworthy Election has these requirements:

A. Secret ballot (Anonymity) --

Given the collection of voters and the collection of ballots --

1. a voter can not be identified with a given ballot or choice;
2. a ballot or choice can not be identified with a given voter.

B. Accurate tabulation (Accountability) --

1. People authorized to vote are allowed to vote.

a) No denial or deletion of valid registration.
b) No denial of voting process.

2. No multiple registration or phantom voters.

3. Each voter votes once.

4. Each vote is accurately tablulated --

a) A vote cast for an Item is counted for that Item, in the
manner the voter intended.
b) No votes are deleted (not counted) for some Items.

( An audit will not catch this problem, because the voter might
have actually chosen to NOT vote for this office or proposition. )

c) Votes are not shifted from one Item to another -- this activity
will escape detection in some types of audit.

1) Shift votes from Item A to Item B, to help B and hurt A.

( This may draw attention, if A is thought to be more popular
than B. )

2) Shift votes from Item A to Item C to help B and hurt A.

( If there are multiple Items (candidates) for a given election
(office), and plurality (50%) is NOT required, then B has a
better chance of winning, and votes for C are seen as a "protest
vote", thereby not arousing suspicions of a "rigged" election.
If plurality (50%) IS required, then if A, B, and C are
reasonably close, this shifting may cause an otherwise
"favorite" A to place third, allowing B to have a runoff
election with C, rather than with A. )

C. Transparency of the process (Visibility).

1. Voting process must be Visible to the voting public.

2. The interaction between Accountability and Anonymity must be clear.

3. Confidence that any failure of the process will, at least, be detected.

A.2. FORMAL DESCRIPTION OF A COMPUTERIZED VOTING MACHINE

This description relates to "dependable output" for a voting machine. As such, it addresses both the issue of a secret ballot (Anonymity -- NOT keeping track of who is voting) and the issue of accurate tabulation (Accountability -- correctly counting the votes). It also describes lack of transparency of the process (Visibility).

Realistically, a computerized (electronic) voting machine (DRE) is a composite of an application, an operating system, and at least two layers of "hardware" (microcode plus physical hardware).

Each layer represents a mapping on a set of command data (domain), producing data effects (range).

The process of a computerized voting machine is, therefore, a composite mapping:

H( Os( A[ P,La,V ], Lo ), M ] ), where

H is the physical Hardware (silicon chips, et al).

This is directed by the software instructions and by

M, the Microcode (which controls what to do with each "software" instruction).

Os is the Operating System function, which processes the Application, A, using

Lo, the Operating System Libraries.

A is the computer "Application", which processes

P, the computer Program,

La, the Application Libraries, and

V, the Voter input.

For this process to be accurate, each part of the composite must be a proper mapping.

The raw Hardware is invariably proprietary, and therefore not publicly checked or verified. It can have its own design and construction errors. The hardware dependability can even be affected by its speed and its operating voltage. Of the four "mappings", this operation typically comes the closest to being a valid "mapping".

The Microcode is merely a set of proprietary software, which uses one set of hardware to emulate another set of hardware. This software can often be modified "on the fly", so that the "hardware" works one way at one time, and it works differently at another time. ( There are times this is
desireable -- but not in a voting machine. ) The altered behavior would be nearly impossible to detect. Like other "software", microcode can have its own "bugs" and errors. Since multiple versions of the microcode may be stored within its own internal memory, the microcode operation is potentially multivalued, and can not be considered a proper mapping.

The Operating system is a complex set of software. Verifying that the operating system is truly what it claims to be is nearly impossible. If it did exactly what it claims to do, it would have no errors, or "bugs", which is not likely. Even an "open", inspectable operating system would be large enough to have bugs, and it would be difficult to check for "intent". An operating system is usually too complex to be considered a proper mapping.

The Application software provides the voter-user interface and the administration-user interface. (The voting administrator who oversees the voting process is as much of a "user" as the voter.) The Application software provides the computer's instructions for gathering and communicating the votes. If the software is proprietary, it is not subject to public scrutiny, and, therefore, portions may work one way during testing, and differently on election day. Even non-proprietary code can easily be obscure enough to be untrustworthy. In either case (proprietary or non-proprietary), most sophisticated applications are complex enough to have accidental errors. There are corporations which claim to "prove" software applications. However, such "proofs" assume that the operating
system and "hardware" work "as advertised". But without a guaranteed "Hardware"/"Operating System" underlayment, it would be difficult to claim the results of the Application software is a proper mapping.

Because the pieces of the composite function are potentially multi-valued, and not proper mappings, the composite funtion is not a single-valued (trustworthy) mapping from the votes intended (cast) to the votes expressed (counted).

-> Continued on p. 4: IV. REFERENCES.