Minutes interim-2014-iab-15 2014-04-16
minutes-interim-2014-iab-15-20140416-00

Minutes of the 2014-04-16 IAB Teleconference (Tech Chat & Business Meeting)

1. Roll-call, agenda-bash, administrivia, minutes

1.1. Attendance

PRESENT

• Jari Arkko (IETF Chair)
• Mary Barnes
• Marc Blanchet
• Alissa Cooper (IESG Liaison)
• Joel Halpern
• Ted Hardie
• Joe Hildebrand
• Russ Housley (IAB Chair)
• Eliot Lear
• Xing Li
• Cindy Morgan (IAB Executive Administrative Manager)
• Erik Nordmark
• Dave Thaler
• Brian Trammell
• Amy Vezza (IETF Secretariat)

REGRETS

• Lars Eggert (IRTF Chair)
• Heather Flanagan (RFC Editor Liaison)
• Mat Ford (ISOC Liaison)
• Alexey Melnikov (RSOC Chair)
• Andrew Sullivan

GUEST (present through item 2 only)

• Dan Wallach

1.2. Administrivia

No administrative items were discussed.

1.3. Meeting Minutes

The minutes of the 2 April 2014 business meeting were approved.

2. Tech Chat: STAR-Vote: A Secure, Transparent, Auditable, and Reliable Voting System

Dan Wallach, professor at Rice University, led the IAB in a discussion of electronic voting systems, focusing on STAR-Vote:

STAR-Vote is a collaboration between a number of academics and the Travis County (Austin), Texas elections office, which currently uses a direct-recording electronic (DRE) voting system and previously used an optical scan voting system. STAR-Vote represents a rare opportunity for a variety of sophisticated technologies, such as end-to-end cryptography and risk limiting audits, to be designed into a new voting system, from scratch, with a variety of real world constraints, such as election-day vote centers that must support thousands of ballot styles and run all day in the event of a power failure.

Dan Wallach noted that the project began in 2011, when Dana DeBeauvoir, Travis County Clerk, asked for help designing a new voting system from scratch. The new system would have to meet the following constraints:

1. A DRE user interface, consisting of
   • a consistent user interface for all voters, with accessibility features
   • off-the-shelf hardware with cheaper support contracts
   • a printer attached to the DRE so machine-printed ballots can go into a ballot box
2. Papers ballots that give a tangible, hand-countable record of voter intent
3. Vote centers that include
   • the ability for any voter to go into any precinct and vote
   • an online voter registration database
   • offline voting machines
   • the ability to accommodate thousands of distinct ballot styles
4. Management of power constraints, so that battery life is sufficient that power failures should not close the polls

Russ Housley asked what would happen if there was a power failure at the central database. Dan Wallach replied that currently, the back-end is run in the election county’s warehouse, in a single location with a large UPS; there is an open question about whether that is enough.

Dan Wallach continued that STAR-Vote will have sophisticated new features: a VoteBox-style in-precinct network (hard-wired locally; no Internet and no wireless); end-to-end cryptography with homomorphic, verifiable tallies and a public bulletin board of full-election ciphertexts; risk limiting audits to verify that the paper corresponds to the electronic records; and usability features to help both voters and poll workers, and ensure that the security features do not limit usability.

Russ Housley asked how the vast number of questions that can appear on a ballot affects the statistical analysis for the risk limiting audits. Dan Wallach replied that it would depend on which questions were being audited, and more ballots would need to be sampled in races with tighter margins of victory.

Dan Wallach explained the STAR-Vote system’s workflow. The user will enter the polling place, look up their registration on a machine connected to the voter registration database, and print out a barcode. The voter will then go to a separate, unconnected controller machine to scan the barcode and get a 5-digit authorization number. The authorization number is then used at the voting terminal; to prevent fraud, the authorization number expires after a certain time limit. After voting at the voting terminal, the user puts the ballot in a ballot box that reads the barcode and is able to notify other voting machines that the ballot was cast. If the user finds a mistake on their ballot before depositing it in the ballot box, they can spoil the ballot and start over. The final step of confirming the vote is by depositing the ballot in the ballot box.

Marc Blanchet asked how this system could be used to prevent people from being paid to vote a certain way. Dan Wallach replied that once the ballot is deposited in the ballot box, there is no evidence of how one voted; if the ballot is not deposited in the ballot box, then the vote is not counted.

After the ballot is deposited, the user will get a separate page to take home with a hash of the ciphertext of their vote; they can verify that the ciphertext matches by checking a website or scanning a QR code.

Every machine will have a public key for signing messages, and every message is signed, broadcast, and logged. Only the election official will have the private key to decrypt the ballots.

Dan Wallach discussed potential problems and how to mitigate them. He suggested risk limited audits with a random sampling of the individual paper ballots to make sure that they match up with the electronic records. He noted that this has been successful in a number of California elections that use optically-scanned ballots. In STAR-Vote, ballots would only be decrypted as needed for the audit. He noted that one malicious voting terminal would not be able to stuff the ballot box, as there would not be a matching authorization code for the bogus ballot. If a malicious controller colluded with a malicious voting terminal, there still would not be a matching paper in the ballot box. Bogus paper ballots stuffed in the ballot box would not have the appropriate ciphertext. The system is designed to make it easy to detect inconsistencies. Election officials are talking about watermarks on the thermal paper for the ballot receipts, as well as digital signatures for the QR codes.

Dan Wallach noted that there are still legalities to be sorted out; there are both federal and state certification processes, and STAR-Vote is unlike any other current certified voting system. STAR-Vote may require waivers from the state government or amendments to current laws. Much of the current voting law focuses on “the ballot,” but in STAR-Vote there are multiple copies, and one version might be better than another depending on what information is being sought. “Best record of voter intent” might be a better phrase, as far as STAR-Vote is concerned. It is also not clear what would constitute a “recount” using STAR-Vote, as there are multiple forms of evidence. “Risk-limiting audit with large sample size” may be a better phrase than “recount,” in this case. He added that there are other practicalities to consider, such as provisional voting, limited ballots, and write-in votes.

Ted Hardie asked how a requirement to support multiple languages might affect usability. Dan Wallach replied that the paper ballot itself could be printed in English with a handful of other required languages. For the presentation layer of STAR-Vote, making the system multilingual should be trivial; Dan noted that they are working from the Volunteer Voter Standards Guide, which includes standards for the user interface.

For more information on STAR-Vote, please see:

https://www.usenix.org/conference/evtwote13/workshop-program/presentation/bell

3. Note to ICANN on IANA Transition

The IAB discussed their response to the ICANN’s proposal on the IANA transition. Russ Housley noted that the message is still being refined within the IAB’s IANA Evolution Program; the Program has a teleconference scheduled on 17 April 2014 to discuss the text.

Russ Housley asked the IAB what the timeline for the message should be; the IAB agreed that it would be preferable to send the message out prior to the NETmundial meeting that begins on 23 April 2014. The IAB agreed that once the IANA Evolution Program finalizes the text, Russ Housley will begin an e-vote that will close on Saturday, 19 April 2014.

4. draft-iab-cc-workshop-report-01

The IAB agreed to ask the Secretariat to resurrect draft-iab-cc-workshop-report. Once that has happened, Russ Housley will send out a message starting the IETF Community Review of draft-iab-cc-workshop-report.

5. draft-iab-itat-report-01

Eliot Lear reported that he is working to update draft-iab-itat-report based on the comments received during IAB Last Call. Once Eliot has updated the document, Russ Housley will send out a message starting the IETF Community Review of draft-iab-itat-report.