Free Online FOOD for MIND & HUNGER - DO GOOD 😊 PURIFY MIND.To live like free birds 🐦 🦢 🦅 grow fruits 🍍 🍊 🥑 🥭 🍇 🍌 🍎 🍉 🍒 🍑 🥝 vegetables 🥦 🥕 🥗 🥬 🥔 🍆 🥜 🎃 🫑 🍅🍜 🧅 🍄 🍝 🥗 🥒 🌽 🍏 🫑 🌳 🍓 🍊 🥥 🌵 🍈 🌰 🇧🇧 🫐 🍅 🍐 🫒Plants 🌱in pots 🪴 along with Meditative Mindful Swimming 🏊‍♂️ to Attain NIBBĀNA the Eternal Bliss.
Kushinara NIBBĀNA Bhumi Pagoda White Home, Puniya Bhumi Bengaluru, Prabuddha Bharat International.
Categories:

Archives:
Meta:
December 2016
M T W T F S S
« Nov   Jan »
 1234
567891011
12131415161718
19202122232425
262728293031  
12/31/16
2095 Sun 01 Jan 2017 LESSONS from Rector JCMesh J Alphabets Letter Animation ClipartMesh C Alphabets Letter Animation Clipart an expert who identifies experts influenced by Expert and Infulencer Sashikanth Chandrasekharan of Free Online Buddhism - World Religions for Kidshttps://drambedkarbooks.com/2015/03/14/the-chamcha-age-by-saheb-kanshi-ram/#more-1506Awaken One With Awareness Mind (A1wAM)+ ioT (insight-net of Things) - the art of Giving, taking and Living to attain Eternal Bliss as Final Goal through Electronic Visual Communication Course on Political Science -Techno-Politico-Socio Transformation and Economic Emancipation Movement (TPSTEEM). Struggle hard to see that all fraud EVMs are replaced by paper ballots by Start using Internet of things by creating Websites, blogs. Make the best use of facebook, twitter etc., to propagate TPSTEEM thru FOA1TRPUVF. Practice Insight Meditation in all postures of the body - Sitting, standing, lying, walking, jogging, cycling, swimming, martial arts etc., for health mind in a healthy body. from INSIGHT-NET-Hi Tech Radio Free Animation Clipart Online A1 (Awakened One) Tipiṭaka Research & Practice University in Visual Format (FOA1TRPUVF) https://archive.org/stream/DhammapadaIllustrated/dhammapada_illustrated#page/n1/mode/2up free online university research practice up a level through http://sarvajan.ambedkar.orgup a level https://awakenmediaprabandhak. wordpress.com/ email-0565.gif from 123gifs.eu Download & Greeting Card modinotourpm@gmail.com jchandra1942@icloud.com sarvajanow@yahoo.co.in is the most Positive Energy of informative and research oriented site propagating the teachings of the Awakened One with Awareness the Buddha and on Techno-Politico-Socio Transformation and Economic Emancipation Movement followed by millions of people all over the world in 105 Classical languages. Rendering exact translation as a lesson of this University in one’s mother tongue to this Google Translation and propagation entitles to become a Stream Enterer (Sottapanna) and to attain Eternal Bliss as a Final Goal BSP is the Number One Largest Party in the Country with all societies (sarvajan Samaj ) supporting it for Sarvajan Hitay sarvajan Sukhay. http://timesofindia.indiatimes.com/…/articlesh…/56272224.cms 20 Uttar Pradesh assembly constituencies to witness ATM-like receipt after casting vote. Election Commission of India has decided to use VVPAT (Voter-Verified Paper Audit Trail) machines in 20 assembly constituencies covering 14 districts of Uttar Pradesh. The VVPAT machines would be used in the upcoming assembly elections. The CEC had said that only in 2019 entire EVMs would be replaced. Now only in 20 Uttar Pradesh assembly constituencies the EVMs will be replaced. The ex CJI had committed a grave error of judgement by ordering that the EVMs would be replaced in a phased manner as suggested by the ex CEC Sampath because of the cost of 1600 involved in the entire replacement. Only 8 out of the 543 seats in 2014 Lok Sabha elections were replaced which helped Modi to gobble the Master Key. Ms Mayawati’s BSP lost because of these fraud EVMs. while they won in a majority in UP Panchayat elections as paper ballots were used as followed in 80 democracies of the world. Neither the CJI nor ECI ordered for paper ballots untill the entire EVMs were replaced. Now in UP appart from 20 constituencies in rest of the constituencies paper ballots must be used til the entire EVMs were replaced. The Central and all the Sate governments selected by these fraud EVMs must be dissolved and go for fresh polls until all the EVMs were replaced. C. Section on sampajañña
Filed under: General
Posted by: site admin @ 7:30 pm


2095
Sun 01 Jan 2017


LESSONS

from



Rector


JCMesh J Alphabets Letter Animation ClipartMesh C Alphabets Letter Animation Clipart



an expert who identifies experts influenced by Expert and Infulencer Sashikanth Chandrasekharan

of



Free Online

Buddhism
- World

Religions for Kidshttps://drambedkarbooks.com/2015/03/14/the-chamcha-age-by-saheb-kanshi-ram/#more-1506
Awaken
One With Awareness Mind (A1wAM)
+
ioT (insight-net of Things) 
- the art of
Giving,
taking
and
Living   to attain Eternal Bliss as Final Goal through
Electronic Visual Communication Course on Political Science
-Techno-Politico-Socio Transformation and Economic Emancipation Movement
(TPSTEEM).




Struggle
hard to see that all fraud EVMs are replaced by paper ballots by




Start
using Internet of things by creating Websites, blogs. Make the best use of facebook, twitter etc., to propagate TPSTEEM thru
FOA1TRPUVF.



Practice
Insight Meditation in all postures of the body - Sitting, standing,
lying, walking, jogging, cycling, swimming, martial arts etc., for
health mind in a healthy body.




 from



INSIGHT-NET-Hi Tech Radio Free Animation Clipart
Online A1 (Awakened One) Tipiṭaka Research & Practice University

in Visual Format (FOA1TRPUVF)

https://archive.org/stream/DhammapadaIllustrated/dhammapada_illustrated#page/n1/mode/2up


free online university research practice









up a level
through
http://sarvajan.ambedkar.org
up a level



https://awakenmediaprabandhak.
wordpress.com/











email-0565.gif from 123gifs.eu Download & Greeting Card


modinotourpm@gmail.com

jchandra1942@icloud.com

sarvajanow@yahoo.co.in


is
the most Positive Energy of informative and research oriented site propagating the
teachings of the Awakened One with Awareness the Buddha and on
Techno-Politico-Socio
Transformation and Economic Emancipation Movement followed by millions
of people all over the world in 105 Classical languages.



Rendering
exact translation as a lesson of this University in one’s mother tongue
to this Google Translation and propagation entitles to become a Stream

Enterer (Sottapanna) and


to
attain Eternal Bliss as a Final Goal

BSP is the Number One Largest Party in the Country with all societies (sarvajan Samaj ) supporting it for Sarvajan Hitay sarvajan Sukhay.

http://timesofindia.indiatimes.com/…/articlesh…/56272224.cms

20 Uttar Pradesh assembly constituencies to witness ATM-like receipt after casting vote.

Election
Commission of India has decided to use VVPAT (Voter-Verified Paper Audit
Trail) machines in 20 assembly constituencies covering 14 districts of
Uttar Pradesh. The VVPAT machines would be used
in the upcoming assembly elections.

The CEC had said that only in 2019 entire EVMs would be replaced.

Now only in 20 Uttar Pradesh assembly constituencies the EVMs will be replaced.
The ex CJI had committed a grave error of judgement by ordering that the
EVMs would be replaced in a phased manner as suggested by the ex CEC
Sampath because of the cost of 1600 involved in the entire replacement.
Only 8 out of the 543 seats in 2014 Lok Sabha
elections were replaced which helped Modi to gobble the Master Key.

Ms Mayawati’s
BSP lost because of these fraud EVMs. while they won in a majority in UP
Panchayat elections as paper ballots were used as followed in 80
democracies of the world.

Neither the CJI nor ECI ordered for paper ballots untill the entire EVMs were replaced.

Now in UP appart
from 20 constituencies in rest of the constituencies paper ballots must
be used til the entire EVMs were replaced.

The Central and
all the Sate governments selected by these fraud EVMs must be dissolved
and go for fresh polls until all the EVMs were replaced.

C. Section on sampajañña

Furthermore,
bhikkhus, a bhikkhu, while approaching and while departing, acts with
sampajañña, while looking ahead and while looking around, he acts with
sampajañña, while bending and while stretching, he acts with sampajañña,
while wearing the robes and the upper robe and while carrying the bowl,
he acts with sampajañña, while eating, while drinking, while chewing,
while tasting, he acts with sampajañña, while attending to the business
of defecating and urinating, he acts with sampajañña, while walking,
while standing, while sitting, while sleeping, while being awake, while
talking and while being silent, he acts with sampajañña. 

Iti
ajjhattaṃ vā kāye kāyānupassī viharati, bahiddhā vā kāye kāyānupassī
viharati, ajjhatta-bahiddhā vā kāye kāyānupassī viharati;
samudaya-dhamm·ānupassī vā kāyasmiṃ viharati, vaya-dhamm·ānupassī vā
kāyasmiṃ viharati, samudaya-vaya-dhamm·ānupassī vā kāyasmiṃ viharati;
‘atthi kāyo’ ti vā pan·assa sati paccupaṭṭhitā hoti, yāvadeva
ñāṇa·mattāya paṭissati·mattāya,{1} a·nissito ca viharati, na ca kiñci
loke upādiyati. Evam·pi kho, bhikkhave, bhikkhu kāye kāyānupassī
viharati. 



Thus he dwells observing kāya in kāya internally, or he
dwells observing kāya in kāya externally, or he dwells observing kāya
in kāya internally and externally; he dwells observing the samudaya of
phenomena in kāya, or he dwells observing the passing away of phenomena
in kāya, or he dwells observing the samudaya and passing away of
phenomena in kāya; or else, [realizing:] “this is kāya!” sati is present
in him, just to the extent of mere ñāṇa and mere paṭissati, he dwells
detached, and does not cling to anything in the world. Thus, bhikkhus, a
bhikkhu dwells observing kāya in kāya. 


மேலும்,பிக்குக்களுக்களே,ஒரு
பிக்கு, அணுகும் பொழுது மற்றும் விட்டு நீங்கும் பொழுது, sampajañña
நிரந்தரமான தீர்க்கமான உணருந்திறனுடன்  நுணுகிக்கண்டு  செயல் படுகிரார்,
முன் நோக்கி கவனித்துப் பார்க்கும் பொழுது மற்றும் எல்லாப் பக்கங்களிலும்
கவனித்துப் பார்க்கும் பொழுது,sampajañña நிரந்தரமான தீர்க்கமான
உணருந்திறனுடன்  நுணுகிக்கண்டு  செயல் படுகிரார், வளைக்கிற பொழுது  மற்றும்
நெட்டிமுறியும் பொழுது,sampajañña நிரந்தரமான தீர்க்கமான உணருந்திறனுடன் 
நுணுகிக்கண்டு  செயல் படுகிரார், பதவிக்குரிய நீண்ட மேலங்கி அணிந்து கொள்
பொழுது மற்றும் தளர்த்தியான மேலங்கி  மற்றும் ஐயக்கடிஞை எடுத்துச் செல்லும்
பொழுது,sampajañña நிரந்தரமான தீர்க்கமான உணருந்திறனுடன்  நுணுகிக்கண்டு 
செயல் படுகிரார், உண்ணும் பொழுது, குடிக்கும் பொழுது, மெல்லும் பொழுது,
சுவைக்கும் பொழுது,sampajañña நிரந்தரமான தீர்க்கமான உணருந்திறனுடன் 
நுணுகிக்கண்டு  செயல் படுகிரார், வண்டலகற்றும்  மற்றும் சிறுநீர் கழிக்கும்
பணி கவனிக்கும் பொழுது,sampajañña நிரந்தரமான தீர்க்கமான உணருந்திறனுடன் 
நுணுகிக்கண்டு  செயல் படுகிரார், நடந்து செல்கிறே பொழுது நின்று
கொண்டிருக்கிற பொழுது,
உட்கார்ந்திருக்கிற பொழுது, படுத்திருத்திருக்கிற
பொழுது, விழிதிருக்கிற பொழுது, உரையாடுகிற பொழுது, பேசாமலிருக்கிற பொழுது,
sampajañña நிரந்தரமான தீர்க்கமான உணருந்திறனுடன்  நுணுகிக்கண்டு  செயல்
படுகிரார்.

இவ்வாறு அவர் kāya in kāya உடல்/காயத்தை காயதுக்குள்
கண்காணி வாசம் செய்கிரார், அல்லது காயத்தை காயதுக்கு வெளியே கண்காணி வாசம்
செய்கிரார், அல்லது காயத்தை காயதுக்கு உள்ளே மற்றும் வெளியே கண்காணி வாசம்
செய்கிரார்;புலன்களால் உணரத்தக்க எழுச்சி கண்காணி வாசம் செய்கிரார்,
மற்றும் புலன்களால் உணரத்தக்கதை கடந்துசெல்லுவதை கண்காணித்து வாசம்
செய்கிரார்; இல்லாவிடில் எச்சரிக்கையாயிருக்கிற உணர் உடனிருக்கிறதை,சும்மா
வெறும் ஓர்அளவு ஞானம் மற்றும் ஓர்அளவு paṭissati என எண்ணி பற்றறு வாசம்
செய்கிரார்.

http://tipitaka.org/

Buddha This web site is based on the Chaṭṭha Saṅgāyana CD published
by the Vipassana Research Institute.
Based at Dhamma Giri, Igatpuri, near Mumbai, India, the Vipassana
Research Institute also publishes literature & disseminates
information related to
Vipassana Meditation Technique as taught by
S.N.Goenka in the tradition of
Sayagyi U Ba Khin.

Vipassana is a universal, scientific method towards purifying the mind.
It is the practical essence of the teachings of the Buddha, who taught
Dhamma - the Universal Law of Nature.

The Pāḷi Tipiṭaka is now available online in various scripts. Although
all are in Unicode fonts, you may need to install some fonts and make
some changes to your system to view the site correctly.

Please read the help page carefully for more information on setting up your system and also on how to use this site.


New Desktop software: You can now download the entire Chaṭṭha Saṅgāyana Tipitaka to run off your computer in offline mode.
Click here for instructions.

New iOS web app: You can now navigate the Chaṭṭha Saṅgāyana Tipitaka using your iPhone, iPod Touch, or iPad.
Click here for instructions.

Older Operating systems: Vistors using Windows 95/98
may not be able to view Unicode texts as it is not fully supported by
these operating systems. The older
VRI Roman site is still available. To use the VRI Roman site you will need to install the
VRI Roman Pali fonts. Alternatively you may download an
image of the CSCD3 disc (208 MB) and burn your own copy of CSCD3.


In case of difficulties in viewing the Pāḷi Text or if you notice any other errors on this site, please write to
help@tipitaka.org describing the problem.

Tipiṭaka Scripts
Cyrillic Web
Devanagari Web |
PDF
Gujarati Web
Kannada Web
Malayalam Web
Roman Web |
PDF
Tamil Web
Telugu Web
Other Scripts
(Bengali, Gurmukhi, Khmer, Myanmar, Sinhala, Thai, Tibetan)


http://bestanimations.com/Holidays/Thankyou-01-june.gif


comments (0)
PRIVACY ISSUES IN AN ELECTRONIC VOTING https://drive.google.com/file/d/0B3FeaMu_1EQyQ0ZKMnNYTlVPNmM/view
Filed under: General
Posted by: site admin @ 7:21 pm

https://drive.google.com/file/d/0B3FeaMu_1EQyQ0ZKMnNYTlVPNmM/view

Page
20
/
20

Page 1 of 20

Chapter #

PRIVACY ISSUES IN AN ELECTRONIC VOTING

MACHINE

Arthur M. Keller1

, David Mertz2

, Joseph Lorenzo Hall

3

, and Arnold Urken4

1

UC Santa Cruz and Open Voting Consortium, ark@soe.ucsc.edu; 2

Gnosis Software, Inc.,

mertz@gnosis.cx; 3

UC Berkeley, School of Information Management and Systems,

jhall@sims.berkeley.edu; 4

Stevens Institute of Technology, aurken@stevens.edu

Abstract: The Open Voting Consortium has a developed a prototype voting system that

includes an open source, PC-based voting machine that prints an accessible,

voter-verified paper ballot along with an electronic audit trail. This system was

designed for reliability, security, privacy, accessibility and auditability. This

paper describes some of the privacy considerations for the system.

Key words: Electronic voting; privacy; secret ballot; Open Voting Consortium; Electronic

Ballot Printer; paper ballot; barcodes; accessible; reading impaired interface;

multiple languages; accessible voter-verified paper ballot.

1. INTRODUCTION – WHY A SECRET BALLOT?

The requirements for secrecy in elections depend upon the values and

goals of the political culture where voting takes place. Gradations of partial

and complete privacy can be found in different cultural settings. For

instance, in some cantons in Switzerland, voters traditionally communicate

their choices orally in front of a panel of election officials.

1 In contrast, in

most modern polities, the ideal of complete privacy is institutionalized by

relying on anonymous balloting.

2

The use of secret balloting in elections—where a ballot’s contents are

disconnected from the identity of the voter—can be traced back to the

earliest use of ballots themselves. The public policy rationales for instituting

anonymous balloting are typically to minimize bribery and intimidation of

1 Benjamin Barber, Strong Democracy (Twentieth Anniversary Edition, University of

California Press, 2004). 2 Alvin Rabushka and Kenneth Shepsle, POLITICS IN PLURAL SOCIETIES: A THEORY OF

DEMOCRATIC INSTABILITY (1972).

Page 1 of 20

Page 2 of 20

2 Chapter #

the voter. For example, in Athens, Greece during the sixth century B.C.E.,

Athenians voted by raising their hands “except on the question of exiling

someone considered dangerous to the state, in which case a secret vote was

taken on clay ballots.”

3 In this case, presumably it was deemed necessary to

vote via secret ballot to avoid bodily harm to the voter.

Secret ballots, although not always required, have been in use in America

since colonial times.

4 The Australian ballot,

5 designed to be uniform in

appearance because it is printed and distributed by the government, was

adopted throughout most of the U.S. in the late 1800’s. Today,

approximately one hundred years after most states in the U.S. passed legal

provisions for anonymous balloting, a strong sense of voter privacy has

emerged as a third rationale. All fifty states have provisions in their

constitutions for either election by “secret ballot” or elections in which

“secrecy shall be preserved,” which has been interpreted by the courts as an

implied requirement for secret balloting.

6 West Virginia does not require a

secret ballot and leaves that to the discretion of the voter.7 Fourteen states’

8

3
Spencer Albrecht, THE AMERICAN BALLOT (1942) at 9. 4 In 1682, the
Province of Pennsylvania in its Frame of the Government required “THAT
all

the elections of Members or Representatives of the People, to serve in the Provincial

Council and General Assembly … shall be resolved and determined by ballot.” (Votes

and Proceedings of the House of Representatives of the Province of Pennsylvania. Printed

and sold by B. Franklin and D. Hall, at The New Printing Office, near the Market.

Philadelphia, Pennsylvania MDCCLII, at xxxi.) In 1782, the legislature of the

Colony/State of New Jersey tried to intimidate Tories by requiring viva voce voting. (At

that time, about half of New Jersey voted with ballots and the other half viva voce.) They

rescinded this in their next session. (Richard P. McCormick, THE HISTORY OF VOTING IN

NEW JERSEY 74 (1953). In 1796, the State of New Jersey required federal elections to be

by ballot and extended that to state elections the following year. (Id. at 106.) In the 1853

pamphlet SECRET SUFFRAGE, Edward L. Pierce recounted Massachusetts’ battle to

make the secret ballot truly secret. The Massachusetts Constitution in 1820 required

elections for representatives to have “written” votes. In 1839, the legislature attacked the

secrecy of the written ballot by requiring the ballot to be presented for deposit in the ballot

box open and unfolded. In 1851, the legislature passed the “Act for the better security of

the Ballot,” which provided that the ballots are to be deposited in the ballot box in sealed

envelopes of uniform size and appearance furnished by the secretary of the Commonwealth

(State of Massachusetts). The battle waged until a provision in the State Constitution made

the secret ballot mandatory. (Edward L. Pierce, SECRET SUFFRAGE 7 (1853)(published by

the
Ballot Society, No. 140 Strand, London, England). 5 The more general
“Australian ballot” is a term used for anonymous balloting using
official

non-partisan ballots distributed by the government. See Albright 1942 at 26. “The very

notion of exercising coercion and improper influence absolutely died out of the country.”

See supra note 3, at 24, quoting Francis S. Dutton of South Australia in J. H. Wigmore’s

THE
AUSTRALIAN BALLOT SYSTEM (2nd ed., Boston, 1889) at 15-23. 6 For
example, The Delaware Supreme Court recognized that the Delaware’s
constitutional

language amounts to an “implied constitutional requirement of a secret ballot.” Brennan v.

Black,
34 Del. Ch. 380 at 402. (1954). 7 See W. Va. Const. Art. IV, §2 8 “In
all elections by the people, the mode of voting shall be by ballot; but
the voter shall be

left free to vote by either open, sealed or secret ballot, as he may elect.” (W. VA. CONST.

Page 2 of 20

Page 3 of 20

#. Privacy Issues in an Electronic Voting Machine 3

constitutions do not list “secret” balloting or “secrecy” of elections and/or

ballots explicitly. These states have either state laws (election code) or case

law (decided legal cases in that state) that mandate secret balloting or

interpret the phrase “election shall be by ballot” to mean a “secret ballot.”

These cultural values and practices contribute to the sets of user

requirements that define the expectations of voters in computer-mediated

elections

9 and determine alternative sets of specifications that can be

considered in developing open source software systems for elections. The

Open Voting Consortium (OVC)10 has developed a model election system

that aims as one of its goals to meet these requirements. This paper describes

how the OVC model ensures ballot privacy.

The OVC has developed its model for an electronic voting system largely

in response to reliability, usability, security, trustworthiness, and

accessibility concerns about other voting systems. Privacy was kept in mind

throughout the process of designing this system. Section 2 of this paper

discusses the requirements for a secret ballot in more detail. Section 3

considers how secrecy could be compromised in some systems. Section 4

describes the architecture of the polling place components of the OVC

system. Section 5 describes how the OVC handles privacy concerns. While

this paper focuses mostly on privacy issues for U.S.-based elections, and

how they are addressed in the OVC system, many of the issues raised are

relevant elsewhere as well.

2. SECRET BALLOT REQUIREMENTS

The public policy goals of secret balloting

11

— to protect the privacy

of the elector and minimize undue intimidation and influence — are

supported by federal election laws and regulations. The Help America Vote

Act of 200212

codifies this policy as “anonymity” and “independence” of all

voters, and “privacy” and “confidentiality” of ballots. It requires that the

ART. IV, § 2 (2003). 9 Arthur B, Urken, Voting in A Computer-Networked Environment, in THE INFORMATION

WEB: ETHICAL AND SOCIAL IMPLICATIONS OF COMPUTER NETWORKING (Carol Gould, ed.,

1989). 10

The Open Voting Consortium (OVC) is a non-profit organization dedicated to the

development, maintenance, and delivery of open voting systems for use in public

elections.
See http://www.openvotingconsortium.org/. 11 There are two aspects to
anonymous voting. The first is ballot privacy—the ability for

someone to vote without having to disclose his or her vote to the public. The second is

secrecy—someone should not be able to prove that they voted one way or another. The

desire for the latter is rooted in eliminating intimidation while the former is to curb vote

buying.
The history of these two concepts is beyond the scope of this paper. 12
The Help America Vote Act of 2002, 42 U.S.C.A. §§ 15301 – 15545 (West,
2004).

Page 3 of 20

Page 4 of 20

4 Chapter #

Federal Election Commission create standards that “[preserve] the privacy of

the voter and the confidentiality of the ballot.”

13

The Federal Election Commission has issued a set of Voting System

Standards (VSS)14 that serve as a model of functional requirements that

elections systems must meet before they can be certified for use in an

election. The VSS state explicitly:

To facilitate casting a ballot, all systems shall:

[…] Protect the secrecy of the vote such that the system cannot reveal any

information about how a particular voter voted, except as otherwise

required by individual State law;

15

and:

All systems shall provide voting booths [that shall] provide privacy for

the voter, and be designed in such a way as to prevent observation of the

ballot by any person other than the voter;

16

as well as a lengthy list of specific requirements that Direct Recording

Electronic voting systems must meet.

17 The basic, high-level requirement not

to expose any information about how an individual voted is required of all

voting systems before certification and is the most important. The second

requirement listed above is a corollary.

It is not sufficient for electronic voting systems merely to anonymize the

voting process from the perspective of the voting machine. Every time a

ballot is cast, the voting system adds an entry to one or more software or

firmware logs that consists of a timestamp and an indication that a ballot was

cast. If the timestamp log is combined with the contents of the ballot, this

information becomes much more sensitive. For example, it can be combined

with information about the order in which voters voted to compromise the

confidentiality of the ballot. Such information can be collected at the polling

place using overt or covert surveillance equipment—such as cell phone

cameras or security cameras common at public schools. As described

below, system information collected by the voting system should be kept

separated from the content of cast ballots and used in conjunction only by

authorized, informed election officials.

13 Id., § 301(a)(1)(C). (Also see §§ 242(a)(2)(B), 245(a)(2)(C), 261(b)(1), 271(b)(1), 281

(b)(1), 301(a)(3)(A)). 14 Federal Election Commission, Voting System Standards, Vols. 1 & 2 (2002), available at

http://www.fec.gov/pages/vsfinal (Microsoft Word .doc format) or

http://sims.berkeley.edu/~jhall/fec_vss_2002_pdf/
(Adobe PDF format) 15 Id. at Vol. 1, §2.4.3.1(b). 16 Id. at Vol. 1,
§3.2.4.1. 17 Id. at Vol. 1, §3.2.4.3.2(a)-(e) and §4.5.

Page 4 of 20

Page 5 of 20

#. Privacy Issues in an Electronic Voting Machine 5

3. HOW SECRECY COULD BE COMPROMISED

3.1 A voter’s secret identity

When a voter enters a polling place, she enters with a valuable secret: her

identity. A secret ballot is not really “secret” in a general sense — it is

possible, and even required, for certain recipients to disclose ballots. A

secret ballot is “secret” only in the sense that it is blind as to the identity of

the voter who cast it. The anonymity of ballots must apply even to most

statistical properties of the voters who cast them; a notable exception,

however, is in the disclosure of the geographic distribution of voters who

vote certain ways in the aggregate. We all know there are “Republican

precincts” and “Democratic precincts,” and anyone can easily and legally

find out which are which.

Complicating matters is the fact that a voter’s secret, her identity, must be

disclosed at a certain stage in the voting process. To be allowed to vote at

all, a voter must authenticate her right to vote using her identity, if only by a

declaration of purported identity to elections workers. Depending on

jurisdiction, different standards of identity authentication apply—some

require identification cards and/or revelation of personal information outside

the public domain—but in all cases, identity acts as a kind of key for entry to

voting. However, legally this key must be removed from all subsequent

communication steps in the voting process.

The act of voting, and the acts of aggregating those votes at subsequently

higher levels (called “canvassing” in voting parlance) can be thought of as

involving a series of information channels. At a first step, a voter is given a

token to allow her vote to pass through later stages; depending on the system

model, this token may be a pre-printed ballot form, a PIN-style code, a

temporary ballot-type marker, an electronic smart card, or at a minimum

simply permission to proceed. Although the OVC has not yet settled on a

particular token, we will focus on smart cards in this paper, because they

have the most serious implications for privacy. Outside the US, tokens such

as hand stamps in indelible ink are also used, particularly to preclude

duplicate votes being cast.

Once at a voting station, a voter must perform some voting actions using

either pen-and-paper, a mechanical device like a lever machine or a punch

card guide, or an electronic interface, such as a touchscreen or headphones-
with-keypad. After performing the required voting actions, some sort of

record of the voter’s selections is created, either on paper, in the state of

gears, on electronic/magnetic storage media, or using some combination of

those. That record of selections becomes the “cast ballot.” Under the Open

Voting Consortium system, the paper ballot produced at a voting station

undergoes final voter inspection before being cast into a physical ballot box.

Page 5 of 20

Page 6 of 20

6 Chapter #

After votes are cast, they are canvassed at several levels: first by precinct;

then by county, district, or city; then perhaps statewide. At each level of

canvassing, either the literal initial vote records or some representation or

aggregation of them must be transmitted.

3.2 Understanding covert channels

At every stage of information transmission, from voter entry, through

vote casting, through canvassing, a voter’s identity must remain hidden. It is

relatively simple to describe the overt communication channels in terms of

the information that actually should be transmitted at each stage. But within

the actual transmission mechanism it is possible that a covert channel also

transmits improper identity information.

Covert channels in a voting system can take a number of forms. Some

covert channels require the cooperation of collaborators, such as voters

themselves or poll workers. Other covert channels can result from

(accidental) poor design in the communication channels; while others can be

created by malicious code that takes advantage of incomplete channel

specification. A final type of covert channel is what we might call a

“sideband attack”—that is, there may be methods of transmitting improper

information that are not encoded directly in the overt channel, but result

indirectly from particular implementations.

For illustration, let us briefly suggest examples of several types of covert

channels. One rather straightforward attack on voter ballot anonymity is

repeatedly missed by almost every new developer approaching design from a

databases-and-log-files background. If the voting channels contain

information about the times when particular ballots are cast and/or the

sequence of ballots, this information can be correlated with an under-
protected record of the sequence of times when voters enter a polling place.

We sometimes call this a “covert videotape” attack. In part, this attack uses a

sideband: the covert videotaping of voters as they enter; but it also relies on

a design flaw in which ballots themselves are timestamped, perhaps as a

means to aid debugging.

A pure sideband attack might use Tempest

18 equipment to monitor

electro-magnetic emissions of electronic voting stations. In principle, it

might be possible for an attacker to sit across the street from a polling place

with a van full of electronics, watch each voter enter, then detect each vote

she selects on a touchscreen voting station.

Cooperative attacks require the voter or poll worker to do something

special to disclose identity. As with other attacks, these covert channels need

not rely on electronics and computers. For example, a malicious poll worker

might mark a pre-printed blank paper ballot using ultraviolet ink before

18 See http://www.cryptome.org/nsa-tempest.htm (Last visited February 13, 2005)

Page 6 of 20

Page 7 of 20

#. Privacy Issues in an Electronic Voting Machine 7

handing it to a targeted voter. The covert channel is revealed only with an

UV lamp, something voters are unlikely to carry to inspect their ballots. A

voter herself might cooperate in a covert channel in order to facilitate vote

buying or under threat of vote coercion. One such covert channel is to

instruct a bought or coerced voter to cast “marked votes” to prove she cast

the votes desired by her collaborator. Unique write-in names and unusual

patterns in ranked preference or judicial confirmations are ways to “mark” a

ballot as belonging to a particular voter.

3.3 Links between registration data and ballots

Since a voter must identify herself when signing in at the polling place,

there is the potential for her identity to be tied to her vote. The token given

to the voter to allow her to vote may contain her identity. For example, the

voter’s registration number could be entered into the smart-card writer and

then encoded on the smart card that is given to the voter to enable use of a

Direct Recording Electronic voting machine. When the voter registration list

is given to the polling place on paper, this channel appears less of an issue.

However, if the voter registration list is handled electronically, then the

smart card could easily contain the voter’s identity. Diebold’s stated intent

makes this issue a potentially serious privacy risk.

Diebold already has purchased Data Information Management Systems,

one of two firms that have a dominant role in managing voter-registration

lists in California and other states. “The long-term goal here is to introduce

a seamless voting solution, all the way from voter registration to (vote)

tabulation,” said Tom Swidarski, Diebold senior vice president for strategic

development.

19

4. OVC SYSTEM OVERVIEW

The Open Voting Consortium is developing a PC-based open source

voting system based on an accessible voter-verified paper ballot. We mostly

describe the components of the system that operate in the polling place.

20 In

addition, we briefly discuss the components at the county canvassing site.

19 Ian Hoffman, With e-voting, Diebold treads where IBM wouldn’t, OAKLAND TRIB., May 30,

2004, available at

http://www.oaklandtribune.com/Stories/0,1413,82~1865~2182212,00.html
20 See Arthur M. Keller, et al., A PC-Based Open Source Voting Machine
with an Accessible

Voter-Verifiable Paper Ballot, 2005 USENIX ANNUAL TECHNICAL CONFERENCE,

FREENIX/OPEN SOURCE TRACK, April 10-15, 2005, pp. 163–174, and available at

http://www-db.stanford.edu/pub/keller/2004/electronic-voting-machine.pdf

Page 7 of 20

Page 8 of 20

8 Chapter #

4.1 Voter sign-in station

The Voter Sign-In Station is used by the poll worker when the voter signs

in and involves giving the voter a “token.” It is a requirement that each voter

cast only one vote and that the vote cast be of the right precinct and party for

the voter. The “token” authorizes the voter to cast a ballot using one of these

techniques.

• Pre-printed ballot stock

o Option for scanning ballot type by Electronic Voting Machine

o Poll worker activation

• Per-voter PIN (including party/precinct identifier)

• Per-party/precinct token

• Smart cards

The token is then used by the Electronic Voting Machine or an Electronic

Voting Machine with a Reading Impaired Interface to ensure that each voter

votes only once and only using the correct ballot type.

If the voter spoils a ballot, the ballot is marked spoiled and kept for

reconciliation at the Ballot Reconciliation Station, and the voter is given a

new token for voting.

4.2 Electronic voting machine

The Electronic Voting Machine (EVM) includes a touch-screen interface

for the voter to view the available choices for each contest and select among

them. The EVM then prints a paper ballot, which the voter verifies (possibly

using the Ballot Verification Station) and places in the ballot box. The EVM

is activated by a token, such as a smart card, obtained at the sign-in station.

The EVM maintains an electronic ballot image as an audit trail and to

reconcile with the paper ballots at the Ballot Reconciliation Station.

4.3 Electronic voting machine with reading impaired interface

The Electronic Voting Machine with Reading Impaired Interface is a PC

similar to the Electronic Voting Machine described above which provides

auditory output of the ballot choices and selections made and also supports

additional modes of making selections suitable for the blind or reading

impaired. Whether these features are integrated into a common voting

machine with all functionality, or whether there is a separate configuration

for the disabled, is an open question. For example, additional modes of input

may be useful for those who can read printed materials, but have physical

limitations. The idea is to have a universal design that accommodates all

voters.

Page 8 of 20

Page 9 of 20

#. Privacy Issues in an Electronic Voting Machine 9

4.4 Ballot verification station

The Ballot Verification Station reads the ballot produced by the

Electronic Voting Machine or the Electronic Voting Machine with Reading

Impaired Interface and speaks (auditorily) the selections on the voter’s

ballot. A count is kept of usage, including counts of consecutive usage for

the same ballot, but no permanent record is kept of which ballots are

verified.

The Ballot Verification Station could also have a screen for displaying

the selections. Such an option, enabled by the voter upon her request, would

enable a voter who can read to verify that her ballot will be read correctly for

automated tallying.

4.5 Ballot reconciliation station

The Ballot Reconciliation Station reads the paper ballots, both cast and

spoiled, and reconciles them against the Electronic Ballot Images from the

Electronic Voting Machine or the Electronic Voting Machine with Reading

Impaired Interface.

4.6 Paper ballot

The paper ballot is printed by the Electronic Voting Machine or the

Electronic Voting Machine with Reading Impaired Interface. It must be

“cast” in order to be tallied during canvassing, testing, or a manual recount.

The paper ballot is intended to be easily read by the voter so that the voter

may verify that his or her choices have been properly marked. It also

contains security markings and a bar code. The bar code encodes the voter’s

choices, as expressed in the human readable portion of the ballot. The human

readable text should be in an OCR-friendly font so it is computer-readable as

well. Voters may use the Ballot Verification Station to verify that the bar

code accurately reflects their choices. The Ballot Verification Station not

only assists sight-impaired and reading-impaired voters in verifying their

ballots, but will also give all voters the assurance that the bar-code on the

ballot properly mirrors their choices, as represented in the human-readable

text on the ballot.

4.7 Privacy folder

The paper ballot contains the voter’s choices in two forms: a form that

can be read by people and a bar code that expresses those choices in a

machine-readable form.

Page 9 of 20

Page 10 of 20

10 Chapter #

Poll workers may come in contact with the ballot should they be asked to

assist a voter or to cast the ballot into the ballot box. In order to protect voter

privacy it is desirable to minimize the chance that a voting place worker

might observe the voter’s ballot choices. A privacy folder is just a standard

file folder with an edge trimmed back so that it reveals only the bar code part

of a ballot. The voter is expected to take his/her ballot from the printer of the

Electronic Voting Machine or the Electronic Voting Machine with Reading

Impaired Interface and place it into a privacy folder before leaving the

voting booth.

The privacy folder is designed so that the voter may place the ballot, still

in its folder, against the scanning station of the Ballot Verification Station to

hear the choices on the voter’s ballot spoken.

When handed the ballot by the voter, the poll worker casts the ballot

by turning the privacy folder so the ballot is face down, and then sliding the

paper ballot into the ballot box.

4.8 Ballot box

The ballot box is a physically secure container, into which voters have

their paper ballots placed, in order to “cast” their votes. The mechanical

aspects of the ballot box will vary among jurisdictions, depending on local

laws and customs. Optionally, a perforated tab is removed from the ballot

before placing the ballot into the ballot box, and the tab is handed to the

voter. The removal of the tab ensures that the ballot cannot be marked

“spoiled.”

4.9 Box for spoiled ballots

When a voter spoils a ballot, perhaps because the ballot does not

accurately reflect her preferences, the ballot is marked spoiled and placed in

a box for spoiled ballots for later reconciliation.

5. OVC BALANCES SECURITY, RELIABILITY AND

PRIVACY

This section discusses how the Open Voting Consortium is balancing

security, reliability and privacy in its electronic voting system.

5.1 Free and open source software

Opening the source code to a voting system — all stages of it, not only

the voting station—is a necessary, though not sufficient, condition for

Page 10 of 20

Page 11 of 20

#. Privacy Issues in an Electronic Voting Machine 11

ensuring trustworthiness, including the absence of trapdoors and covert

channels. For practical purposes, no system that functions as a black box, in

which the implementing source code is maintained as a trade secret, can be

known to lack covert channels. Any channel with non-optimal utilization

includes non-utilized content that is potentially malicious rather than merely

accidental — behavior analysis, in principle, cannot distinguish the two.

Of course, free and open source code is not sufficient to prevent covert

channels. Sideband channels, in particular, are never exposed by direct

examination of source code in isolation; it is necessary to perform additional

threat modeling. But even direct encoding of extra information within an

overt channel can sometimes be masked by subtle programming tricks. More

eyes always reduce the risk of tricks hidden in code. Parallel implementation

to open specifications, and message canonicalization also helps restrict

channels to overt content.

A frequent criticism of free and open source software is that, while the

code is available for inspection, no coordinated inspection is actually

conducted.

21 The absence of Non-Disclosure Agreements and restrictive

intellectual property agreements makes it possible for a large body of open

source developers to inspect the code. Furthermore, in the realm of elections

systems, which are mission-critical for a democratic government, open

source software could benefit from a specific group of developers who are

tasked with recognizing and repairing vulnerabilities. This is a common need

in many open source software projects, and in this sense, it might be an

appropriate role for a non-profit institution that has delivered such services

to other important projects like GNU/Linux, BIND, the Mozilla tool suite

and the Apache web server.

5.2 Privacy in the voting token (e.g., smart card)

The token given to the voter to enable her to use the electronic voting

machine might contain information that could compromise her anonymity.

Indeed, it is not possible to demonstrate the absence of covert channels

through black box testing. Thus, analysis of the software is important to

show how the data for the smart card is assembled. Above, we considered

the benefits of open source software in that numerous people, both inside

and outside the process, have the ability to inspect and test the software to

reduce the likelihood of covert channels. The hardware that enables smart-
card use also includes an interface used by the poll worker (the Voter Sign-
In Station). The nature of that interface limits the type of information that

can be encoded. Encoding the time of day in the smart card, either

intentionally or as a side effect of the process of writing files to the smart

21 Fred Cohen, Is Open Source More or Less Secure? MANAGING NETWORK SECURITY, (July

2002).

Page 11 of 20

Page 12 of 20

12 Chapter #

card, is a potential avenue for attack. However, the electronic voting

machine receiving the smart card knows the time as well, so the smart card

is not needed to convey this information.

We propose to encode in the voting token the ballot type and (particularly

for multiple precincts at the same polling place) the precinct. The smart card

should also be digitally signed by the smart card enabling hardware, so as to

help reduce forgeries.

5.3 Printed ballot

The printed ballot contains a human readable version of the voter’s

selections. After all, that is how it is a voter-verifiable paper ballot.

However, the secrecy of the voter’s selections is at risk while the voter

carries the paper ballot from the electronic voting machine, optionally to the

ballot validation station, and on to the poll worker to cast her ballot.

Our approach is to use a privacy folder to contain the ballot. When the

voter signs in, she receives the token plus an empty privacy folder. When the

EVM prints the ballot, the voter takes the ballot and places it in the privacy

folder, so that only the barcode shows. The barcode can be scanned by the

Ballot Validation Station without exposing the human readable portion of

the ballot. When the privacy folder containing the ballot is given to the poll

worker to be cast, the poll worker turns the privacy folder so the ballot is

face down and then slides the ballot out of the privacy folder and into the

official ballot box. The poll worker thus does not see the text of the ballot,

with the possible exception of precinct and (for primaries) party identifiers

that may be printed in the margin.

The privacy folder is an ordinary manila folder trimmed along the long

edge so that the barcode sticks out.

5.4 Reading impaired interface

The reading impaired interface is used both by voters who cannot read

and by voters who cannot see. Having a segregated electronic voting

machine used only by the reading and visually impaired can compromise

privacy. It is therefore desirable for the electronic voting machines with the

reading impaired interface to be used also by those who can read. For

example, if all electronic voting machines incorporated the reading impaired

interface, then reading impaired voters would not be segregated onto a

subset of the voting machines.

It is important that the ballot not record the fact that a particular ballot

was produced using the reading impaired interface. Nor should the electronic

voting machine record that information for specific ballots. Using a separate

voting station for the reading impaired means that the audit trail is

segregated by whether the voter is reading impaired.

Page 12 of 20

Page 13 of 20

#. Privacy Issues in an Electronic Voting Machine 13

Nonetheless, it is useful for the electronic voting machine to maintain

some statistics on the use of the reading impaired interface, provided that

these statistics cannot identify specific ballots or voters. These statistics

could be used to improve the user interface, for example.

5.5 Privacy issues with barcodes

The Open Voting Consortium system design uses a barcode to automate

the scanning of paper ballots. Such barcodes raise several possibilities for

introducing covert channels.

The prototype/demo system presented by OVC, for example, used a 1-D

barcode, specifically Code128. For vote encoding, selections were first

converted to a decimal number in a reasonably, but not optimally, efficient

manner; specifically, under the encoding particular digit positions have a

direct relationship to corresponding vote selections. These digits, in turn, are

encoded using the decimal symbology mode of Code128.

Co-author David Mertz identified the problem that even though barcodes

are not per-se human readable, identical patterns in barcodes — especially

near their start and end positions — could be recognized by observers. This

recognition would likely even be unconscious after poll workers saw

hundred of exposed barcodes during a day. For example, perhaps after a

while, a poll worker would notice that known Bush supporters always have

three narrow bars followed by a wide bar at the left of their barcode, while

known Kerry supporters have two wide bars and two narrow bars. To

prevent an attack based on this kind of human bar code recognition, 1-D

barcodes undergo a simple obfuscation of rotating digits by amounts keyed

to a repetition of the random ballot-id. This “keying” is not even weak

encryption—it resembles a Caesar cipher,

22 but with a known key; it merely

makes the same vote look different on different ballots.

In the future, OVC anticipates needing to use 2-D barcodes to

accommodate the information space of complex ballots and ancillary

anonymity-preserving information such as globally unique ballot-IDs and

cryptographic signatures. At this point, we anticipate that patterns in 2-D

barcodes will not be vulnerable to visual recognition; if they are, the same

kind of obfuscation discussed above is straightforward. But the greatly

expanded information space of 2-D barcodes is a vulnerability as well as a

benefit. More bit space quite simply provides room to encode more improper

information. For example, if a given style of barcode encodes 2000 bits of

information, and a particular ballot requires 500 bits to encode, those unused

1500 bits can potentially contain improper information about the voter who

cast the ballot.

22 See http://www.fact-index.com/c/ca/caesar_cipher.html (Last visited February 13, 2005).

Page 13 of 20

Page 14 of 20

14 Chapter #

Just because a barcode has room for anonymity-compromising

information does not mean that information is actually encoded there, of

course. Preventing misuse of an available channel requires complementary

steps. Moreover, even a narrow pipe can disclose quite a lot; it only takes

about 10 bits to encode a specific address within a precinct using a lookup

table. Even a relatively impoverished channel might well have room for a

malicious ten bits. For example, if a non-optimal vote encoding is used to

represent votes, it is quite possible that multiple bit-patterns will correspond

to the same votes. The choice among “equivalent” bit patterns might leak

information.

Eliminating barcodes, it should be noted, does not necessarily eliminate

covert channels in a paper ballot. It might, however, increase voter

confidence as average voters become less concerned about covert channels

(which is both good and bad). For example, even a barcode-free printed

ballot could use steganography

23 to encode information in the micro-spacing

between words, or within security watermarks on the page.

5.6 Ballot validation station

The Ballot Validation Station allows reading impaired voters—or

anyone—to hear and therefore validate their paper ballots. Since only the

barcode of the ballot (and possibly the ballot type—the precinct and party

for primaries) is viewable (and as mentioned above, the barcode is

obscured), it is best to keep the paper ballot in the privacy folder. So the

Ballot Validation Station should be able to read the barcode without

removing the paper ballot from the privacy folder. The back of the ballot

should have a barcode (possibly preprinted) saying “please turn over,” so a

Ballot Validation Station will know to tell the blind voter that the ballot is

upside down. So that others will not hear the Ballot Validation Station speak

the choices on the ballot, the voter should hear these choices through

headphones.

It is useful to know how many times the Ballot Validation Station is used,

and how many consecutive times the same ballot is spoken. It is important to

assure that ballot-IDs are not persistently stored by the Ballot Validation

Station. In particular, to tell how many consecutive times the same ballot

was spoken, the Ballot Validation Station must store the previous ballot-ID.

However, once another ballot with a different ballot-ID is read, then that

new ballot-ID should replace the previous ballot-ID. And the ballot-ID field

should be cleared during the end-of-day closeout. The counts of consecutive

reads of the same ballot should be a vector of counts, and no other ordering

23 Neil F. Johnson and Sushil Jajodia, Steganography: Seeing the Unseen, IEEE COMPUTER

(February 1998) at 26-34.

Page 14 of 20

Page 15 of 20

#. Privacy Issues in an Electronic Voting Machine 15

information should be maintained. Inspection of the code together with clear

interfaces of persistently maintained records can help assure privacy.

5.7 Languages

Steve Chessin has identified a problem with ballots for non-English

speakers. For the voter, the ballot must be printed in her own language.

However, for canvassing and manual counts, the ballot and its choices must

also be printed in English. However, this approach makes bilingual ballots

easy to identify, and that can compromise ballot anonymity if only a small

number of voters in a given precinct choose a particular language. Steve

Chessin’s solution is to have all ballots contain both English and another

language, where the other language is randomly chosen for English

speakers.

24

It is important that the Ballot Validation Station handle multiple

languages so the voter can choose the language for validating the ballot. To

simplify this process, the ballot barcode can include a notation of the second

language, but only if that information does not compromise anonymity.

Always choosing a second language at random where none is specifically

requested reduces the risk. When the ballot’s barcode is scanned by the

Ballot Validation Station, the voter is given a choice of these two languages

for the spoken review of choices listed on the ballot.

5.8 Randomization of ballot-IDs

Under the OVC design, ballots carry ballot-IDs. In our prototype, these

IDs are four digit numbers, which provides enough space for ten thousand

ballots to be cast at a polling place. We anticipate this ballot-ID length to

24 It is important to note that the procedure for randomizing the second, non-English language

printed on a ballot would have to be quite good. Flaws in the randomization or maliciously

planted code could result in the “marking” of certain ballots leading to a compromise of

ballot privacy. A simple solution would be to have all ballots printed only in English, and

requiring non-English literate voters to use the BVA to verify their vote auditorily. As an

alternative for ballots printed only in English, ballot overlays could by provided for each

language needed for each ballot type. The overlay could either be in heavy stock paper

printed with the contest names with holes for the selections to show through, or it could be

a translation sheet showing all the contest names and selections translated into non-English

language. In the former case, the ballots would have to be have the layout of each contest

fixed, so it would be necessary to have extra spaces when the length of the results vary,

such as for pick up to 3 candidates when only 2 were selected. These overlays could be

tethered to every voting machine so that voters who read only a specific language could

simply place the overlay over their ballot so that she could read their selections as if the

ballot was printed in their native language. The overlay approach reduces confusion for

English speakers and it also reduces the length of the printed ballot.

Page 15 of 20

Page 16 of 20

16 Chapter #

remain sufficient in production. The main purpose of ballot-IDs is simply to

enable auditing of official paper ballots against unofficial electronic ballot

images.

The crucial feature of ballot-IDs is that they must not reveal any

information about the sequence of votes cast. The prototype and current

reference implementation use Python’s ‘random’ module to randomize the

order of ballot-IDs. The module uses the well-tested Mersenne Twister

algorithm, with a periodicity of 219937–1. Seeding the algorithm with a

good source of truly random data—such as the first few bytes of

/dev/random on modern Linux systems—prevents playback attacks to

duplicate ballot-ID sequences.

Because the ballot-IDs are generated at random by each of the electronic

voting machines, it is important that two machines do not use the same

random ballot-ID. As a result, the first digit (or character) of the ballot-ID in

the reference platform will represent the voting machine ID for that polling

place.

The remaining 3 digits of the ballot-ID are randomly selected from the

range of 000 to 999. A list is maintained of already used ballot-IDs for this

electronic voting machine for this election. (One way to obtain such a list is

to scan the stored electronic ballot images for the ballot numbers used.) If

the random number generated matches an already used ballot-ID, then that

number is skipped and a new random number is generated.

5.9 Information hidden in electronic ballot images and their files

The electronic ballot images (EBIs) are stored on the electronic voting

machine where the ballot was created. One purpose of maintaining these

EBIs is to reconcile them against the paper ballots, to help preclude paper

ballot stuffing. The EBIs are in XML format, which can be interpreted when

printed in “raw” form.

We prefer not to store the EBIs in a database on the electronic voting

machine. A database management system incurs additional complexity,

potential for error, and can contain sequence information that can be used to

identify voters. On the other hand, flat files in XML format would include

the date and time in the file directory, and that is also a potential privacy

risk. We can mitigate this risk by periodically “touching” EBI files

electronically during voting station operation, in order to update the date and

time of all files to the latest time. The placement order of the files on the

disk, however, may still disclose the order of balloting.

Another approach is to store all the EBIs in a single file as if it were an

array. Suppose that it is determined that the largest XML-format EBI is 10K

bytes. Since there are 1000 possible ballot-IDs for this electronic voting

machine, it is possible to create a file with 1000 slots, each of which is 10K

Page 16 of 20

Page 17 of 20

#. Privacy Issues in an Electronic Voting Machine 17

in length. When the ballot is to be printed, the random ballot-ID is chosen,

and the EBI is placed in that slot in the file, padded to the full 10K in length

with spaces (which would be removed during canonicalization). The file can

be updated in place, thereby having only the latest date and time.

Alternatively, two files can be used, and the electronic voting machine can

write to one, wait for completion, and then write to the other. The benefit of

this approach is increased reliability of persistent storage of the EBI file.

A similar technique can be used to maintain copies of the Postscript versions

of the ballots.

When the polling place closes, the electronic voting machine is changed

to close out the day’s voting. At this time, the EBIs are written as individual

flat files in ascending ballot-ID order to a new session of the CD-R that

already contains the electronic voting machine software and personalization.

Because the EBIs are written all at once, and in order by ascending random

ballot-ID, anonymity is preserved.

5.10 Public vote tallying

It is important that the ballots be shuffled before publicly visible scanning

occurs using the Ballot Reconciliation System. The ballots will naturally be

ordered based on the time they were placed in the ballot box. As described

above, the time or sequence of voting is a potential risk for privacy

violations.

An illustration of this problem was reported privately to co-author Arthur

Keller about a supposedly secret tenure vote at a university. Each professor

wrote his or her decision to grant or deny tenure on a piece of paper. The

pieces of paper were collected and placed on top of a pile one-by-one in a

sequence determined by where each person was sitting. The pile was then

turned over and the votes were then read off the ballots in the reverse of that

sequence as they were tallied. One observer noted how each of the faculty

members voted in this supposedly secret vote.

5.11 Results by precinct

A key approach to ensuring the integrity of county (or other district)

canvassing (i.e., vote tallying) is to canvass the votes at the precinct and post

the vote totals by contest at the precinct before sending on the data to the

county. As a crosscheck, the county should make available the vote totals by

contest for each precinct. However, because the county totals include

absentee votes, it is difficult to reconcile the posted numbers at the precinct

against the county’s totals by precinct, unless the county separates out

absentee votes (plus hand-done polling place votes). However providing

these separations may reduce the aggregation size to impair anonymity. An

Page 17 of 20

Page 18 of 20

18 Chapter #

even worse threat to anonymity arises when provisional ballots are

incrementally approved and added to the tally one-by-one.

We propose to exclude provisional ballots from the results posted at the

precinct. The county tallies by precinct should be separated into a group of

votes included in the precinct-posted tally and a group of votes not included

in the precinct-posted tally. As long as there is a publicly viewable

canvassing of the votes not included in the precinct-posted tally, the issue of

voter confidence in the system will be addressed. If that canvassing process

involves ballots that have already been separated from the envelope

containing the voter’s identity, privacy is enhanced.

The totals by precinct are aggregate counts for each candidate. There is

no correlation among specific ballots, an important factor to help assure

privacy. However, ranked preference voting schemes, such as instant runoff

voting, require that the ordering of the candidates must be separately

maintained for each ballot. Vote totals are useful to help assure that each

vote was counted, but they do not contain enough information to produce an

absolute majority winner. Therefore, vote totals can be posted at the

precinct — independent of ranking — and those totals can also be posted at

the county. A voter who specifies a write-in candidate for a ranked

preference voting race might in principle be doing so as a marker for

observation during the canvassing process. To ensure anonymity, write-in

candidates whose vote totals are below a certain threshold could be

eliminated from the canvassing process. This threshold must be set to avoid

distortions of aggregate scores at the county level.

5.12 Privacy in the face of voter collusion

Complex cast ballots, taken as a whole, inevitably contain potential

covert channels. We reach a hard limit in the elimination of improper

identifying information once voter collusion is considered. In an ideal case,

voters cooperate in the protection of their own anonymity; but threats of vote

coercion or vote buying can lead voters to collaborate in disclosing—or

rather, proving—their own identity. It is, of course, the right of every voter

to disclose her own votes to whomever she likes; but such disclosure must

not be subject to independent verifications that attack voter anonymity as a

whole.

Elections with many contests, with write-ins allowed, or with

information-rich ranked preference contests, implicitly contain extra fields in

which to encode voter identity. For example, if an election contains eight

judicial retention questions, there are at least 6561 possible ways to complete

a ballot, assuming Yes, No, and No Preference are all options for each

question. Very few precincts will have over 6561 votes cast within them, so

a systematic vote buyer could demand that every voter cast a uniquely

identifying vote pattern on judicial retentions. That unique pattern, plus the

Page 18 of 20

Page 19 of 20

#. Privacy Issues in an Electronic Voting Machine 19

precinct marked on a ballot, in turn, could be correlated with a desired vote

for a contested office.

Ballots may not generally be completely separated into records by each

individual contest. For recounts or other legal challenges to elections, it is

generally necessary to preserve full original ballots, complete with correlated

votes. Of course it is physically possible to cut apart the contest regions on a

paper ballot, or to perform a similar separation of contests within an EBI.

However, doing so is not generally permissible legally.

The best we can do is to control the disclosure of full ballots to mandated

authorities, and maintain the chain of custody over the ballots, including the

EBIs. A full ballot must be maintained, but only aggregations of votes, per

contest, are disclosed to the general public. The number of people who have

access to full ballots should be as limited as feasible, and even people with

access to some full ballots should not necessarily be granted general access

to all full ballots.

5.13 Privacy in electronic voting machines with

voter-verifiable paper audit trails

This section discusses other approaches to voter-verifiable paper audit

trails. These issues do not apply to the design described in this paper ─ the

voter-verifiable paper ballot.

25

Rebecca Mercuri has proposed that Direct Recording Electronic voting

machines have a paper audit trail that is maintained under glass, so the voter

does not have the opportunity to touch it or change it.

26 Some vendors are

proposing that paper from a spool be shown to the voter, and if the ballot is

verified, a cutter will release the paper audit trail piece to drop into the box

for safekeeping.

27 The challenge with this approach is to make sure that all

of the paper audit trail is readable by the voter and does not curl away out of

view, and yet that paper audit trails from previous voters are obscured from

view. Furthermore, there is the problem that the paper audit trail would fall

in a more-or-less chronologically ordered pile. It is also difficult to reconcile

the paper audit trail with the electronic ballot images in an automated

manner if the paper audit trail cannot be sheet-fed.

25 See http://evm2003.sourceforge.net/security.html for the difference between a paper receipt

and a paper ballot, and between a paper audit trail and an electronically generated paper

ballot. 26 Rebecca Mercuri, A Better Ballot Box?, IEEE SPECTRUM ONLINE (October 2002), available

at
http://spectrum.ieee.org/WEBONLY/publicfeature/oct02/evot.html 27 For
reference, see Avanti VOTE-TRAKKERTMEVC308, available at

http://aitechnology.com/votetrakker2/evc308.html

Page 19 of 20

Page 20 of 20

20 Chapter #

Another approach is to keep the paper audit trail on a continuous spool.

28

While this approach has the potential to allow the audit trail to be more

easily scanned in an automated fashion for reconciliation, privacy is

compromised by maintaining an audit trail of the cast ballots in

chronological order. We described above why maintaining order information

is a problem for privacy.

6. CONCLUSION

We have described the Open Voting Consortium’s voting system that

includes a PC-based open-source voting machine with a voter-verifiable

accessible paper ballot, and discussed the privacy issues inherent in this

system. By extension, many of the privacy issues in this paper also apply to

other electronic voting machines, such as Direct Recording Electronic voting

machines. The discussion illustrates why careful and thorough design is

required for voter privacy. Even more work would be required to ensure that

such systems are secure and reliable.

ACKNOWLEDGEMENTS

We acknowledge the work of the volunteers of the Open Voting Consortium

who contributed to the design and implementation we describe. In particular,

Alan Dechert developed much of the design and Doug Jones provided

significant insights into voting issues. The demonstration software was

largely developed by Jan Kärrman, John-Paul Gignac, Anand Pillai, Eron

Lloyd, David Mertz, Laird Popkin, and Fred McLain. Karl Auerbach wrote

an FAQ on which the OVC system description is based. Amy Pearl also

contributed to the system description. Kurt Hyde and David Jefferson gave

valuable feedback. David Dill referred some of the volunteers.

An extended abstract of this paper appeared at the Workshop on Privacy

in the Electronic Society on October 28, 2004 in Washington DC, part of

ACM CCS 2004 (Conference on Computer and Communications Security).

Other papers on this topic are at http://www-db.stanford.edu/pub/keller

under electronic voting. More information on the Open Voting Consortium

may be found at http://www.openvotingconsortium.org.

28 Press Release, Sequoia Voting Systems, Sequoia Voting Systems Announces Plan to Market

Optional Voter Verifiable Paper Record Printers for Touch Screens in 2004,

available at http://www.sequoiavote.com/article.php?id=54

Page 20 of 20

Page 20 of 20

comments (0)
2094 Sat 31 Dec 2016 LESSONS from Rector JCMesh J Alphabets Letter Animation ClipartMesh C Alphabets Letter Animation Clipart an expert who identifies experts influenced by Expert and Infulencer Sashikanth Chandrasekharan of Free Online Buddhism - World Religions for Kidshttps://drambedkarbooks.com/2015/03/14/the-chamcha-age-by-saheb-kanshi-ram/#more-1506Awaken One With Awareness Mind (A1wAM)+ ioT (insight-net of Things) - the art of Giving, taking and Living to attain Eternal Bliss as Final Goal through Electronic Visual Communication Course on Political Science -Techno-Politico-Socio Transformation and Economic Emancipation Movement (TPSTEEM). Struggle hard to see that all fraud EVMs are replaced by paper ballots by Start using Internet of things by creating Websites, blogs. Make the best use of facebook, twitter etc., to propagate TPSTEEM thru FOA1TRPUVF. Practice Insight Meditation in all postures of the body - Sitting, standing, lying, walking, jogging, cycling, swimming, martial arts etc., for health mind in a healthy body. from INSIGHT-NET-Hi Tech Radio Free Animation Clipart Online A1 (Awakened One) Tipiṭaka Research & Practice University in Visual Format (FOA1TRPUVF) https://archive.org/stream/DhammapadaIllustrated/dhammapada_illustrated#page/n1/mode/2up free online university research practice up a level through http://sarvajan.ambedkar.orgup a level https://awakenmediaprabandhak. wordpress.com/ email-0565.gif from 123gifs.eu Download & Greeting Card modinotourpm@gmail.com jchandra1942@icloud.com sarvajanow@yahoo.co.in is the most Positive Energy of informative and research oriented site propagating the teachings of the Awakened One with Awareness the Buddha and on Techno-Politico-Socio Transformation and Economic Emancipation Movement followed by millions of people all over the world in 105 Classical languages. Rendering exact translation as a lesson of this University in one’s mother tongue to this Google Translation and propagation entitles to become a Stream Enterer (Sottapanna) and to attain Eternal Bliss as a Final Goal BSP is the Number One Largest Party in the Country with all societies (sarvajan Samaj ) supporting it for Sarvajan Hitay sarvajan Sukhay. http://picphotos.net/narendra-modi-cartoons/ http://blog.grabon.in/modis-currency-ban-summed-up-in-5-gi…/ http://www.firstpost.com/…/india-singapore-tax-treaty-amend… Murderer of democratic institutions (Modi) (Mad)i)) launches ‘Bheem App’ in digital push. http://indianexpress.com/…/why-hope-in-up-based-on-only-da…/ Why hope in Uttar Pradesh based on only SC/STs, Muslims of sarvajan samaj including Upper castes is Maya http://www.jantakareporter.com/…/serious-discontent-…/89124/ Serious discontent emerges among BJP and RSS leaders over note ban impact on assembly polls Uttar Pradesh: begins rallies in all 75 districts Mayawati will come to power in UP Mayawati is already leading..because of Sarvajan Hitay Sarvajan Sukhaya, is she planning to win all the 400 seats..not to leave any seats for Murderer of democratic institutions ((Modi).
Filed under: General
Posted by: site admin @ 1:14 am



2094 Sat 31 Dec 2016


LESSONS


from

Rector
JCMesh J Alphabets Letter Animation ClipartMesh C Alphabets Letter Animation Clipart

an expert who identifies experts influenced by Expert and Infulencer Sashikanth Chandrasekharan
of


Free Online
Buddhism - World

Religions for Kidshttps://drambedkarbooks.com/2015/03/14/the-chamcha-age-by-saheb-kanshi-ram/#more-1506
Awaken One With Awareness Mind
(A1wAM)
+ ioT (insight-net of Things)  - the art of Giving, taking and Living   to attain Eternal Bliss
as Final Goal through Electronic Visual Communication Course on
Political Science -Techno-Politico-Socio Transformation and Economic
Emancipation Movement (TPSTEEM).


Struggle hard to see that all fraud EVMs are replaced by paper ballots by

Start
using Internet of things by creating Websites, blogs. Make the best use
of facebook, twitter etc., to propagate TPSTEEM thru
FOA1TRPUVF.

Practice
Insight Meditation in all postures of the body - Sitting, standing,
lying, walking, jogging, cycling, swimming, martial arts etc., for
health mind in a healthy body.



 from

INSIGHT-NET-Hi Tech Radio Free Animation Clipart Online A1 (Awakened One) Tipiṭaka Research & Practice University
in Visual Format (FOA1TRPUVF)

https://archive.org/stream/DhammapadaIllustrated/dhammapada_illustrated#page/n1/mode/2up


free online university research practice









up a level through http://sarvajan.ambedkar.orgup a level



https://awakenmediaprabandhak. wordpress.com/












email-0565.gif from 123gifs.eu Download & Greeting Card


modinotourpm@gmail.com
jchandra1942@icloud.com
sarvajanow@yahoo.co.in



is the most Positive Energy of informative and research oriented site propagating the teachings of the Awakened One with Awareness the Buddha and on Techno-Politico-Socio Transformation and Economic Emancipation Movement followed by millions of people all over the world in 105 Classical languages.


Rendering exact translation as a lesson of this
University in one’s mother tongue to this Google Translation and
propagation entitles to become a Stream
Enterer (Sottapanna) and

to attain Eternal Bliss as a Final Goal

BSP
is the Number One Largest Party in the Country with all societies
(sarvajan Samaj ) supporting it for Sarvaj
an Hitay sarvajan Sukhay.

http://picphotos.net/narendra-modi-cartoons/

http://blog.grabon.in/modis-currency-ban-summed-up-in-5-gi…/

http://www.firstpost.com/…/india-singapore-tax-treaty-amend…

Murderer of democratic institutions (Modi) (Mad)i)) launches ‘Bheem App’ in digital push.

http://indianexpress.com/…/why-hope-in-up-based-on-only-da…/

Why hope in Uttar Pradesh based on only SC/STs, Muslims of sarvajan samaj including Upper castes is Maya

http://www.jantakareporter.com/…/serious-discontent-…/89124/

Serious discontent emerges among BJP and RSS leaders over note ban impact on assembly polls

Uttar Pradesh: begins rallies in all 75 districts

Mayawati will come to power in UP


Mayawati is already leading..because of Sarvajan Hitay Sarvajan
Sukhaya, is she planning to win all the 400 seats..not to leave any
seats for Murderer of democratic institutions ((Modi).




http://indianexpress.com/…/why-hope-in-up-based-on-only-da…/

Why hope in Uttar Pradesh based on only SC/STs, Muslims of sarvajan samaj including Upper castes is Maya


Results of past elections show that not only has Mayawati’s SC/STs
Muslims of sarvajan samaj including Upper castes votes increased , she
has found the going is not difficult with support from other upper
castes.

You will see that BSP will win 400 plus seats.


As electoral combinations are discussed ahead of Assembly elections in
UP, it is allways believed that a solid SC/ST base and Muslim and poor
Upper castes support — adding up to 99% of the vote — can put the BSP
in the driver’s seat. It is assumed that Muslims, upset after a series
of communal incidents, would move away from the ruling SP. Results of
past elections, however, show that not only has Mayawati’s SC/ST vote
increased , she has not found the going difficult with upper castes.


Rajya Sabha MP Satish Chandra Misra, and the Upadhyay family of
Aligarh, led by Maya’s former minister Ramveer, have held important
positions in the party for around 2 decades. Entire Sarvajan samaj feel
that if Mayawati becomes the PM the whole country will be peaceful as
she will distribute the wealth of the country equally among all sections
of the society as enshrined in our constitutions with then policy of
Sarvajan Hitay Sarvajan Sukhaya.

The BSP’s 2007 victory — with
over 30% votes — was largely because Maya put Misra in front and fielded
a large number of Brahmins, who suddenly allowed the BSP to speak for
“sarvajan” and “social engineering”. However, in 2014, even as Maya gave
21 out of 80 tickets to Brahmins — the most to any caste — not one
could win.

That was because the fraud EVMs were tampered to
gobble the Master key by the Murderer of democratic institutions (Modi)
with the support of PRESSTITUTE media as suggested by BJP but yet
support them for the sake of money. The media is is only with the
urbanites and not with the masses like internet, facebook and WhatsApps
where every intellectuals and the common man became journalists and
scribes. Once Napolean said that he can face two battalions but not two
scribes. The nettizens are those scribes mentioned by Napolean and not
the money greed PRESSTITUTES.
From JAN 1st they will be fully supporting Modi or Mad(i).


Results
of past elections show that not only has Mayawati’s Dalit vote shrunk,
she has found the going difficult without support from other — read
upper — castes.
indianexpress.com


http://picphotos.net/narendra-modi-cartoons/

http://blog.grabon.in/modis-currency-ban-summed-up-in-5-gi…/

http://www.firstpost.com/…/india-singapore-tax-treaty-amend…

Murderer of democratic institutions (Modi) (Mad)i)) launches ‘Bheem App’ in digital push.
Entire Sarvajan Samaj i.e., OBCs/Religious Minorities/Upper castes in
general and the SC/STs in particular oppose naming an app as Bheem App
to popularise his failed idea which killed innocent citizens in his
QUEUE INDIA MOVEMENT to withdraw their own money . To hush up his grave
sins the madi has taken refuge under the name of Babasaheb. He cannot
fool the world as they are aware of his cunning and crooked ideas. He
has no right to use the name of the Chief Archetect of our Modern
Constitution Dr BR Ambedkar for a lucky dip. Sarvajan Samaj condemns his
unconstitutional act as he is selected by the tampering of the fraud
EVMs.
The ex CJI had committed a grave error by ordering that the
EVMs could be replaced in a phased manner as suggested by the ex CEC
Sampath because of the cost of Rs 1600 crores invloved in replacing the
entire EVMs. Only 8 out of 543 seats in 2014 Lok Sabha elections were
replaced that helped madi gobble the Master Key.
The present CEC
said that only in 2019 entire EVMs will be repalced. But none of them
ordered for using the paper ballots until entire EVMs were replaced.

Ms Mayawati’s BSP lost in Lok Sabha because of these fraud EVMs while it won with a thumping majorityt with paper ballots.


Hence it is the duty of Sarvajan Samaj, the nes CJI, CEC to see that
the Central and State governments selected by these fraud EVMs be
dissolved and go for fresh polls with paper ballots.

Modi’s currency ban

1. The most wanted man in the whole country right now!

loose change currency ban Translation: My name is Bulla and I keep loose change.

getting change currency ban Translation: I have come to get change for my Rs 1000 notes.

4. Winter is here and no firewood? Might as well burn all the useless money.

money firewood currency ban

5. And finally, It’s not about the money…

money burning currency ban


Pics Photos - Narendra Modi Cartoons
picphotos.net

http://www.jantakareporter.com/…/serious-discontent-…/89124/

Serious discontent emerges among BJP and RSS leaders over note ban impact on assembly polls


The shock note ban announcement by the Murderer of democratic
institutions( Modi )has left everyone in his party incredibly worried
about its potential adverse impact on their electoral fortunes in
poll-bound states next year.

News
agency Reuters, which claimed to have interviewed the saffron party’s
lawmakers and a senior functionary of the BJP’s ideological parent, the
RSS, said that there was a considerable disquiet among the party cadres
on demonetisation.

“There is no doubt that it is difficult to
convince voters that everything will be fine,” Santosh Gangwar, who is
leading the BJP campaign in Uttar Pradesh, was quoted by the news
agency.

Gangwar added, “Every candidate who will be contesting
polls is nervous because they feel people may not vote for the BJP …
There is tension and we cannot deny it,” he said.

Such is the
worry among the BJP’s senior functionaries that 71 MPs from Uttar
Pradesh reportedly met the BJP President Amit Shah as well as visited
Arun Jaitly to seek solutions for the cash crunch.

An RSS leader
said that they had advised Modi days before the move to take time to
prepare the ground for such a massive exercise, including setting up two
new mints and expanding the banking network, and to roll it out in
phases.

But, the RSS leader, Modi decided to press ahead, and he alone would bear responsibility for its failure or success.


Jagdambika Pal, a BJP lawmaker from Uttar Pradesh who attended the
meeting, told Reuters, “The situation is grim, and we cannot ignore it.
It is a challenge for every BJP lawmaker to manage the situation, but we
cannot do anything if there is no money in the banks.”

Modi ne kaha tha jaise matadan samay me EVM ke charcha hota.. said Ananthkumar.


That is during election time people discus about EVMs that they could
be tampered in favour of BJP as it was done during the 2014 Lok Sabha
elections.

The ex CJI had committed a grave error of judgement by
ordering that the EVMs would be replaced in a phased manner as
suggested by the ex CEC Sampath because of the cost of Rs 1600 crores
involved in entire replacement of the fraud EVMs.

The present CEC
said that the entire EVMs would be replaced in 2019 and none of them
ordered for using paper ballots till the entire EVMs were replaced.


Therefore all democracy loving people CJI, CEC and even the
discontented BJP, RSS must seeto it that the Central and State
governments selected by these fraud EVMs were dissolved and go for fresh
polls with paper ballots as followed by 80 democracies of the world to
save equality, liberty and fraternity as enshrined in our modern
constitution.


Shock
note ban announcement by PM Modi has left many in his party incredibly
worried about its potential adverse impact on their electoral fortunes
jantakareporter.com|By JKR Staff


Uttar Pradesh: begins rallies in all 75 districts

Mayawati will come to power in UP


Mayawati is already leading..because of Sarvajan Hitay Sarvajan
Sukhaya, is she planning to win all the 400 seats..not to leave any
seats for Murderer of democratic institutions ((Modi).


Whenever the just 1% intolerant, violent, militant, shooting, lynching
lunatic. mentally retarded chitpawan brahmin RSS (Rakshasa Swayam
Sevaks) guided BJP (Bahut Jiyadha Psychopaths ) start finding fault with
BSP it means that BSP in on the right path as said by Dr BR Ambedkar.


The plan of RSS to make this country as a stealth, shadowy
discriminating hinutva cult rashtra is snubbed by the 99% Sarvajan
Samaj.

The party’s public meeting in Lucknow district on Saturday
will be presided over by former state president Dayaram Pal, who hails
from the backward Gadariya caste.

Pal confirmed that he will
preside over the meeting where BSP general secretary Naseemuddin
Siddiqui will be the chief guest. The party will hold similar programmes
across the state in the coming few days.Among the prominent OBC leaders
who will be part of these rallies are former speaker Sukhdeo Rajbhar,
BSP state president Ram Achal Rajbhar, former minister Lalji Verma,
former MP RK Singh Patel, and former MLC Pratap Singh Baghel.


Party sources said that the SP was “losing its grip” on backward castes,
especially non-Yadav castes, more so because of the widening rift
between Chief Minister Akhilesh Yadav and party state president Shivpal
Yadav, BSP has been in a position to take these sections into its fold.


On the death anniversary of BR Ambedkar on December 6, Mayawati had
successfully persuaded the OBCs to not support BJP, alleging that the
party wants to re-establish the stealth, shadowy, discriminating
hindutva caste system in which both Aboriginal inhabitants Backward
Castes and SC/STs were treated as shudras and adi shudras and by upper
castes.


The
party’s public meeting in Lucknow district on Saturday will be presided
over by former state president Dayaram Pal, who hails from the backward
Gadariya caste.
indianexpress.com

comments (0)
12/29/16
B. Iriyāpatha Pabba-
Filed under: General
Posted by: site admin @ 6:19 pm



B. Iriyāpatha Pabba

Puna
ca·paraṃ, bhikkhave, bhikkhu gacchanto vā ‘gacchāmī’ ti pajānāti, ṭhito
vā ‘ṭhitomhī’ ti pajānāti, nisinno vā ‘nisinnomhī’ ti pajānāti, sayāno
vā ‘sayānomhī’ ti pajānāti. Yathā yathā vā pan·assa kāyo paṇihito hoti,
tathā tathā naṃ pajānāti. 

B. Section on postures

Furthermore,
bhikkhus, a bhikkhu, while walking, understands: ‘I am walking’, or
while standing he understands: ‘I am standing’, or while sitting he
understands: ‘I am sitting’, or while lying down he understands: ‘I am
lying down’. Or else, in whichever position his kāya is disposed, he
understands it accordingly. 

Iti ajjhattaṃ vā kāye kāyānupassī
viharati, bahiddhā vā kāye kāyānupassī viharati, ajjhatta-bahiddhā vā
kāye kāyānupassī viharati; samudaya-dhamm·ānupassī vā kāyasmiṃ viharati,
vaya-dhamm·ānupassī vā kāyasmiṃ viharati, samudaya-vaya-dhamm·ānupassī
vā kāyasmiṃ viharati; ‘atthi kāyo’ ti vā pan·assa sati paccupaṭṭhitā
hoti, yāvadeva ñāṇa·mattāya paṭissati·mattāya,{1} a·nissito ca viharati,
na ca kiñci loke upādiyati. Evam·pi kho, bhikkhave, bhikkhu kāye
kāyānupassī viharati. 



Thus he dwells observing kāya in kāya
internally, or he dwells observing kāya in kāya externally, or he dwells
observing kāya in kāya internally and externally; he dwells observing
the samudaya of phenomena in kāya, or he dwells observing the passing
away of phenomena in kāya, or he dwells observing the samudaya and
passing away of phenomena in kāya; or else, [realizing:] “this is kāya!”
sati is present in him, just to the extent of mere ñāṇa and mere
paṭissati, he dwells detached, and does not cling to anything in the
world. Thus, bhikkhus, a bhikkhu dwells observing kāya in kāya. 

மேலும்,பிக்குக்களுக்களே,ஒரு
பிக்கு, நடந்து செல்லும் பொழுது, ‘நான் நடந்து செல்கிறேன்’,என அவர்
அறிந்துகொள்கிறார்.அல்லது நின்று கொண்டிருக்கிற பொழுது, ‘நான் நின்று
கொண்டிருக்கிகிறேன்’, என அவர் அறிந்துகொள்கிறார்:அல்லது உட்கார்ந்திருக்கிற
பொழுது, ‘நான் உட்கார்ந்திருக்கிறேன்’, என அவர் அறிந்துகொள்கிறார்: அல்லது
படுத்திருத்திருக்கிற பொழுது, ‘நான் படுத்திருத்திருக்கிறேன்’,என அவர்
அறிந்துகொள்கிறார்: தவிர அவர் kāya உடல்அமர்வுநிலை எதுவாக தீர்வு
செய்கிறாரோ அதன்படிபுரிந்து கொள்கிறார்.

இவ்வாறு அவர் kāya in kāya
உடல்/காயத்தை காயதுக்குள் கண்காணி வாசம் செய்கிரார், அல்லது காயத்தை
காயதுக்கு வெளியே கண்காணி வாசம் செய்கிரார், அல்லது காயத்தை காயதுக்கு
உள்ளே மற்றும் வெளியே கண்காணி வாசம் செய்கிரார்;புலன்களால் உணரத்தக்க
எழுச்சி கண்காணி வாசம் செய்கிரார், மற்றும் புலன்களால் உணரத்தக்கதை
கடந்துசெல்லுவதை கண்காணித்து வாசம் செய்கிரார்; இல்லாவிடில்
எச்சரிக்கையாயிருக்கிற உணர் உடனிருக்கிறதை,சும்மா வெறும் ஓர்அளவு ஞானம்
மற்றும் ஓர்அளவு paṭissati என எண்ணி பற்றறு வாசம் செய்கிரார்.
C. Sampajāna Pabba

Puna
ca·paraṃ, bhikkhave, bhikkhu abhikkante paṭikkante sampajānakārī hoti,
ālokite vilokite sampajānakārī hoti, samiñjite pasārite sampajānakārī
hoti, saṅghāṭi-patta-cīvara-dhāraṇe sampajānakārī hoti, asite pīte
khāyite sāyite sampajānakārī hoti, uccāra-passāva-kamme sampajānakārī
hoti, gate ṭhite nisinne sutte jāgarite bhāsite tuṇhībhāve sampajānakārī
hoti. 



http://www.ambedkar.org/gifimages/voteforBSP.gif

http://www.ambedkar.org/gifimages/voteforBSP.gif





Page 1 of 2

Privacy Issues in an Electronic Voting Machine

Arthur M. Keller

UC Santa Cruz, Baskin

School of Engineering

Santa Cruz, CA 95066

+1(831)459-1485

ark@soe.ucsc.edu

David Mertz

Gnosis Software, Inc.

99 2nd Street

Turners Falls, MA 01376

+1(413)863-4552

mertz@gnosis.cx

Joseph Lorenzo Hall

UC Berkeley, SIMS

102 South Hall

Berkeley, CA 94720

+1(510)642-1464

joehall@berkeley.edu

Arnold Urken

Stevens Inst. of Technology,

Political Science

Hoboken, NJ 07030

+1(201) 216-5394

aurken@stevens.edu

ABSTRACT

In this paper, we describe the Open Voting Consortium’s voting

system and discuss the privacy issues inherent in this system. By

extension, many of the privacy issues in this paper also apply to

other electronic voting machines, such as DREs (Direct

Recording Electronic voting machines). The privacy issues

illustrate why careful and thorough design is required to ensure

voter privacy and ballot secrecy.

Categories and Subject Descriptors: K.4.1 [Computers and

Society]: Public Policy Issues — privacy.

General Terms: Design, Human Factors, Legal Aspects.

Keywords: Electronic voting, open source, privacy design.

1. INTRODUCTION

The requirements for secrecy in elections depend upon the

values and goals of the political culture where voting takes place.

Gradations of partial and complete privacy can be found in

different cultural settings. Most modern polities institutionalize

the ideal of complete privacy by relying on anonymous balloting.

The use of secret balloting in elections — where a ballot’s

contents are disconnected from the identity of the voter — can be

traced back to the earliest use of ballots themselves in 6th Century

B.C.E. Athens, Greece. The public policy rationales for instituting

anonymous balloting typically aim to minimize bribery and

intimidation of the voter [1]. Secret ballots, although not always

required, have been in use in America since colonial times.

Today, almost one hundred years after most states in the U.S.

passed laws to require anonymous balloting, a strong sense of

voter privacy has emerged as a third rationale.

These cultural values and practices contribute to the sets of

user requirements that define the expectations of voters in

computer-mediated elections and determine alternative sets of

specifications that can be considered in developing open source

software systems for elections [7]. The Open Voting Consortium

(OVC) has developed a model election system that aims as one of

its goals to meet these requirements. This paper describes how the

OVC model ensures ballot privacy.

The OVC has developed the model for an electronic voting

system largely in response to the reliability, usability, security,

trustworthiness, and accessibility concerns of other voting

systems. Privacy was kept in mind throughout the process of

designing this system. Section 2 of this paper discusses the

requirements for a secret ballot in more detail and how secrecy

could be compromised in some systems. Section 3 describes how

the OVC handles the privacy concerns. While this paper focuses

mostly on privacy issues for US-based elections, and how they are

addressed in the OVC system, many of the issues raised are

applicable elsewhere.

2. SECRET BALLOT REQUIREMENTS

The public policy goals of secret balloting — to protect the

privacy of the elector and minimize undue intimidation and

influence — are supported by federal election laws and

regulations. The Help America Vote Act of 2002 [5] codifies this

as “anonymity” and “independence” of all voters, “privacy” and

“confidentiality” of ballots and requires that the Federal Election

Commission create standards that “[preserve] the privacy of the

voter and the confidentiality of the ballot.”

The Federal Election Commission (FEC) has issued a set of

Voting System Standards (VSS) [4] that serve as a model of

functional requirements that elections systems must meet before

they can be certified for use in an election. The FEC VSS state

explicitly:

“To facilitate casting a ballot, all systems shall: […] Protect the

secrecy of the vote such that the system cannot reveal any

information about how a particular voter voted, except as

otherwise required by individual State law;” ([4] at § 2.4.3.1(b).)

This high level requirement of not exposing any information

about how an individual voted is required of all voting systems

before certification.

It is not sufficient for electronic voting systems to merely

anonymize the voting process from the perspective of the voting

machine. Each time a ballot is cast, the voting system adds an

entry to one or more software or firmware logs with a timestamp

and an indication that a ballot was cast. If the timestamp log is

combined with the contents of the ballot, this information

becomes much more sensitive. For example, it can be combined

with information about the order of votes cast collected at the

polling place with surveillance equipment — from cell phone

cameras to security cameras common at public schools — to

compromise the confidentiality of the ballot. As described below,

system information collected by the voting system should be kept

separated from the content of cast ballots and only used in

conjunction by authorized, informed elections officials.

Rebecca Mercuri proposed that Direct Recording Electronic

(DRE) voting machines have a paper audit trail maintained under

glass, so the voter does not have the opportunity to touch it or

change it. [6] Some vendors are proposing that paper from a spool

be shown to the voter, and a cutter releases the paper audit trail

piece to drop into a box for safekeeping. [2] A challenge is to

make sure that all of the paper audit trail is readable by the voter,

doesn’t curl away out of view, and yet the paper audit trails from

previous voters is obscured from view. However, the paper audit

trail can fall in a more-or-less chronologically ordered pile. The

Permission to make digital or hard copies of all or part of this work for

personal or classroom use is granted without fee provided that copies are

not made or distributed for profit or commercial advantage and that

copies bear this notice and the full citation on the first page. To copy

otherwise, or republish, to post on servers or to redistribute to lists,

requires prior specific permission and/or a fee.

WPES’04, October 28, 2004, Washington, DC, USA.

Copyright 2004 ACM 1-58113-968-3/04/0010…$5.00.


Page 2 of 2

problem of reconciling the paper audit trail with the electronic

ballot image is difficult to do in an automated manner if the paper

audit trail cannot be sheetfed. Another approach is to keep the

paper audit trail on a continuous spool. [7] While this approach

has the potential to be more easily scanned in an automated

fashion for recounts, privacy is compromised by maintaining the

chronological order.

In the longer version of this paper, we discuss in more detail these

issues. We discuss that problem that the voter’s secret identity

must be disclosed to poll workers and yet not be discernable from

the ballot. Covert channels can be used to transfer identity of the

voter to the ballot. A critical example is when the machine that

prepares for the voter an authorizing token also contains the voter

registration data, which might be passed to the electronic voting

machine through that authorizing token.

3. SECURITY, PRIVACY, RELIABILITY

In the full version of this paper, we discuss a variety of issues and

their solutions in security, privacy, and reliability for the voting

system designed by the Open Voting Consortium and described

more fully there.

Some of these issues are the following.

The Advantage of Free and Open Source Software. When

the system is a black box, where the source code is maintained as

a trade secret, we must trust the official testers. A frequent

criticism of free and open source software is that, while the code

is available for inspection, no coordinated inspection is actually

conducted. [3] The absence of Non-Disclosure Agreements and

restrictive intellectual property agreements encourages the large

body of open source developers to inspect the code.

Randomization of Ballot-IDs. Under the OVC design

ballots carry ballot-IDs to enable auditing of official paper ballots

against unofficial electronic ballot images. Ballot IDs are easily

remembered and can be a vehicle for disclosing the vote.

Privacy Issues with Barcodes. The Open Voting

Consortium system design uses a barcode to automate the

scanning and tallying of paper ballots. Such barcodes raise several

possibilities for introducing covert channels.

Privacy in the Voting Token. The token given to the voter

to enable her to use the electronic voting machine might contain

information that could compromise anonymity. Analysis of the

software and the poll worker interface for encoding the voter

token can show the type of information that can be encoded.

Information Hidden in Electronic Ballot Images and

Their Files. The electronic ballot images (EBIs) are stored on the

electronic voting machine where the ballot was created. Storing

the EBIs in a database management system can record sequence

information that can be used to identify voters. Flat files can

include the date/time in the file directory, a potential privacy risk.

Reading Impaired Interface. It is important that the ballot

not record that the voter used the reading impaired interface. Nor

should the electronic voting machine maintain such information in

a way that identifies specific ballots. If a separate reading

impaired voting station is used, the ballot-ID should be generated

in a manner that does not identify the voting station used.

Printed Ballot. The secrecy of the voter’s selections is at

risk while the voter carries the paper ballot around the polling

place. We use a privacy folder — an ordinary manila folder

trimmed along the long edge so that the barcode sticks out.

Ballot Validation Station. The ballot validation station

allows visually impaired voters, or anyone, to hear through

headphones and therefore validate their paper ballots. Ballot-IDs

should not be persistently stored by the ballot validation station.

Languages. Steve Chessin identified a problem with ballots

for non-English speakers when printed in the voter’s own

language. This approach makes bilingual ballots easy to identify,

and that can compromise ballot anonymity if only a small number

of voters in a given precinct choose a particular language.

Public Vote Tallying. It is important that the ballots be

shuffled before publicly visible scanning occurs. The ballots will

naturally be ordered based on the time they were placed in the

ballot box. The sequence of voting is a potential privacy risk.

Results by Precinct. Care must be taken to ensure that

results posted by precinct do not compromise privacy and yet can

be reconciled against county totals.

Privacy in the Face of Voter Collusion. Complex cast

ballots, taken as a whole, contain potential covert channels.

4. CONCLUSION

We have discussed the privacy issues inherent the Open Voting

Consortium’s voting system that includes a PC-based open-source

voting machine with a voter-verifiable accessible paper ballot. By

extension, many of the privacy issues in this paper also apply to

other electronic voting machines, such as DREs (Direct

Recording Electronic voting machines). The privacy issues

illustrate why careful and thorough design is required for voter

privacy. Imagine how much work is required to ensure that such

systems are secure and reliable.

Further information about the Open Voting Consortium can be

found at http://www.openvotingconsortium.org. This paper is an

extended abstract; a longer version may be found at

http://www-db.stanford.edu/pub/keller.

5. ACKNOWLEDGMENTS

We acknowledge the work of the volunteers of the Open Voting

Consortium who contributed to the design and implementation we

describe. In particular, Alan Dechert developed much of the

design and Doug Jones provided significant insights into voting

issues. The demonstration software was largely developed by Jan

Kärrman, John-Paul Gignac, Anand Pillai, Eron Lloyd, David

Mertz, Laird Popkin, and Fred McLain. Karl Auerbach wrote an

FAQ on which the OVC system description is based. Amy Pearl

also contributed to the system description. Kurt Hyde and David

Jefferson gave valuable feedback. David Dill referred some of the

volunteers.

6. REFERENCES

[1] Albright, S. The American Ballot. American Council on Public Affairs,

Washington, D.C., 1942.

[2] Avante VOTE-TRAKKERTM EVC308-SPR,

http://www.aitechnology.com/votetrakker2/evc308spr.html.

[3] Cohen, F. Is Open Source More or Less Secure? Managing Network

Security, 2002, 7 (Jul. 2002), 17–19.

[4] Federal Election Commission. Voting System Standards. Vols. 1 & 2

(2002), http://www.fec.gov/pages/vssfinal/

[5] Help America Vote Act, 42 U.S.C.A. §§ 15301 – 15545.

[6] Mercuri, R. A Better Ballot Box? IEEE Spectrum Online, October 2,

2002, http://www.spectrum.ieee.org/WEBONLY/

publicfeature/oct02/evot.html

[7] Sequoia Voting Systems, “Sequoia Voting Systems Announces Plan to

Market Optional Voter Verifiable Paper Record Printers for Touch

Screens in 2004,” http://www.sequoiavote.com/article.php?id=54

[8] Urken, A. B. Voting in a Computer-Networked Environment. In The

Information Web: Ethical and Social Implications of Computer

Networking, Carol Gould (ed.), Westview Press, Boulder, CO, 1989.

Page 2 of 2

comments (0)
12/28/16
2092 Thu 29 Dec 2016 LESSONS from Rector JCMesh J Alphabets Letter Animation ClipartMesh C Alphabets Letter Animation Clipart an expert who identifies experts influenced by Expert and Infulencer Sashikanth Chandrasekharan of Free Online Buddhism - World Religions for Kidshttps://drambedkarbooks.com/2015/03/14/the-chamcha-age-by-saheb-kanshi-ram/#more-1506Awaken One With Awareness Mind (A1wAM)+ ioT (insight-net of Things) - the art of Giving, taking and Living to attain Eternal Bliss as Final Goal through Electronic Visual Communication Course on Political Science -Techno-Politico-Socio Transformation and Economic Emancipation Movement (TPSTEEM). Struggle hard to see that all fraud EVMs are replaced by paper ballots by Start using Internet of things by creating Websites, blogs. Make the best use of facebook, twitter etc., to propagate TPSTEEM thru FOA1TRPUVF. Practice Insight Meditation in all postures of the body - Sitting, standing, lying, walking, jogging, cycling, swimming, martial arts etc., for health mind in a healthy body. from INSIGHT-NET-Hi Tech Radio Free Animation Clipart Online A1 (Awakened One) Tipiṭaka Research & Practice University in Visual Format (FOA1TRPUVF) https://archive.org/stream/DhammapadaIllustrated/dhammapada_illustrated#page/n1/mode/2up free online university research practice up a level through http://sarvajan.ambedkar.orgup a level https://awakenmediaprabandhak. wordpress.com/ email-0565.gif from 123gifs.eu Download & Greeting Card modinotourpm@gmail.com jchandra1942@icloud.com sarvajanow@yahoo.co.in is the most Positive Energy of informative and research oriented site propagating the teachings of the Awakened One with Awareness the Buddha and on Techno-Politico-Socio Transformation and Economic Emancipation Movement followed by millions of people all over the world in 105 Classical languages. Rendering exact translation as a lesson of this University in one’s mother tongue to this Google Translation and propagation entitles to become a Stream Enterer (Sottapanna) and to attain Eternal Bliss as a Final Goal BSP is the Number One Largest Party in the Country with all societies (sarvajan Samaj ) supporting it for Sarvajan Hitay sarvajan Sukhay. http://www.ambedkar.org/gifimages/voteforBSP.gif UP Assembly election: Advantage BSP, while uncle Shivpal has the last laugh over nephew Akhilesh The BSP will turn out to be the biggest beneficiary in this tug of war within the Yadav family. The CEC had announced that the entire EVMs would be replaced only in 2019. Till such time paper ballots must be used. Magadhi [Pali] Prakrit of the Thervadin Buddhists Of all the Buddhists Traditions, Theravada was the only sect to preserve the usage of Magadhi Prakrit in its literature. [The term “Pali” was traditionally used for denoting the Texts in the language, the language is itself referred to as Magadhi in Theravadin literature]. https://www.reddit.com/…/what_language_did_siddhartha_gau…/… TRIKURAL AND TRIVALLUVAR The Tripitaka, the earliest collection of Buddhist teachings and the only text recognized as canonical by Theravada Buddhists Please visit http://sarvajan.ambedkar.org for animated yoga postures http://sarvajan.ambedkar.org/?m=201206 http://yoga.org.nz/postures.htm-https://www.youtube.com/watch?v=ojHBcT5e_M8 Sutta Piṭaka-Digha Nikāya DN 16 - (D ii 137) Mahāparinibbāna Sutta
Filed under: General
Posted by: site admin @ 7:30 pm



2092 Thu 29 Dec 2016


LESSONS


from

Rector
JCMesh J Alphabets Letter Animation ClipartMesh C Alphabets Letter Animation Clipart

an expert who identifies experts influenced by Expert and Infulencer Sashikanth Chandrasekharan
of


Free Online
Buddhism - World

Religions for Kidshttps://drambedkarbooks.com/2015/03/14/the-chamcha-age-by-saheb-kanshi-ram/#more-1506
Awaken One With Awareness Mind
(A1wAM)
+ ioT (insight-net of Things)  - the art of Giving, taking and Living   to attain Eternal Bliss
as Final Goal through Electronic Visual Communication Course on
Political Science -Techno-Politico-Socio Transformation and Economic
Emancipation Movement (TPSTEEM).


Struggle hard to see that all fraud EVMs are replaced by paper ballots by

Start
using Internet of things by creating Websites, blogs. Make the best use
of facebook, twitter etc., to propagate TPSTEEM thru
FOA1TRPUVF.

Practice
Insight Meditation in all postures of the body - Sitting, standing,
lying, walking, jogging, cycling, swimming, martial arts etc., for
health mind in a healthy body.



 from

INSIGHT-NET-Hi Tech Radio Free Animation Clipart Online A1 (Awakened One) Tipiṭaka Research & Practice University
in Visual Format (FOA1TRPUVF)

https://archive.org/stream/DhammapadaIllustrated/dhammapada_illustrated#page/n1/mode/2up


free online university research practice









up a level through http://sarvajan.ambedkar.orgup a level



https://awakenmediaprabandhak. wordpress.com/












email-0565.gif from 123gifs.eu Download & Greeting Card


modinotourpm@gmail.com
jchandra1942@icloud.com
sarvajanow@yahoo.co.in



is the most Positive Energy of informative and research oriented site propagating the teachings of the Awakened One with Awareness the Buddha and on Techno-Politico-Socio Transformation and Economic Emancipation Movement followed by millions of people all over the world in 105 Classical languages.


Rendering exact translation as a lesson of this
University in one’s mother tongue to this Google Translation and
propagation entitles to become a Stream
Enterer (Sottapanna) and

to attain Eternal Bliss as a Final Goal

BSP
is the Number One Largest Party in the Country with all societies
(sarvajan Samaj ) supporting it for Sarvaj
an Hitay sarvajan Sukhay.

http://www.ambedkar.org/gifimages/voteforBSP.gif

UP Assembly election: Advantage BSP, while uncle Shivpal has the last laugh over nephew Akhilesh

The BSP will turn out to be the biggest beneficiary in this tug of war within the Yadav family.
The CEC had announced that the entire EVMs would be replaced only in 2019. Till such time paper ballots must be used.

Magadhi [Pali] Prakrit of the Thervadin Buddhists


Of all the Buddhists Traditions, Theravada was the only sect to
preserve the usage of Magadhi Prakrit in its literature. [The term
“Pali” was traditionally used for denoting the Texts in the language,
the language is itself referred to as Magadhi in Theravadin literature].


https://www.reddit.com/…/what_language_did_siddhartha_gau…/…

TRIKURAL AND TRIVALLUVAR

The Tripitaka, the earliest collection of Buddhist teachings and the only text recognized as canonical by Theravada Buddhists

Please visit http://sarvajan.ambedkar.org for animated yoga postures
http://sarvajan.ambedkar.org/?m=201206

http://yoga.org.nz/postures.htm

Summary of the Problem with Electronic Voting
https://drive.google.com/file/d/0B3FeaMu_1EQyZWVzSnVBcVY4a28/view


http://www.ambedkar.org/gifimages/voteforBSP.gif

http://www.ambedkar.org/gifimages/voteforBSP.gif

http://www.ambedkar.org/gifimages/voteforBSP.gif

UP Assembly election: Advantage BSP, while uncle Shivpal has the last laugh over nephew Akhilesh

The BSP will turn out to be the biggest beneficiary in this tug of war within the Yadav family.


Marginalised by his own father and subdued by his own uncle, a
seemingly fuming but apparently helpless Akhilesh Yadav may be talking
of persuading Mulayam to rethink on the list, but the announcement has
already been made undermining his authority.

It’s clear that his
uncle Shivpal Yadav has had the last laugh, but possibly after the
Assembly elections in UP, the BSP will turn out to be the biggest
beneficiary in this tug of war within the Yadav family.


Meanwhile, BSP supremo Mayawati has been alleging that a tie-up between
Congress and the SP was being engineered by the BJP after the
demonetisation. But ‘Netaji’ Mulayam Singh Yadav put to rest all such
speculations. He categorically stated that Samajwadi Party will go it
alone and have no tie up with anyone in the elections. He also said that
the Samajwadi Party’s nominations for 325 seats were made by him, and
his was the final word.

Today’s development will comfort the BSP
especially since UP’s ruling party is a divided house in itself and that
the ambitious plans of Akhilesh to have a tie up with the Congress has
now been rubbished by Mulayam.

While Mayawati have benefited greatly, BJP’s own prospects have diminished considerably too.

AKHILESH’S AUTHORITY QUESTIONED


The Chacha-Bhatija wedge is threatening to get deeper after several
names in Akhilesh’s own list have been omitted in party nominations.
This coupled with the fact that don-turned politician Atik Ahmed,
despite thumbing his nose several times at Akhilesh, managed to secure
his Kanpur Cantt seat nomination.

Several of those close to
Akhilesh have been dropped from nominations. This has created a question
mark on Akhilesh’s say in party matters.

SP supremo Mulayam
seems to have put aside Akhilesh’s ‘Kaam Bolta Hai’ push, while on an
inauguration spree, and given credence to his younger brother Shivpal. A
deeper chasm in the party coming to the fore might not augur well for
SP, as divisive forces and conflicting interests may act as loggerheads.

In the meantime, it is advantage BSP. Especially, post demonetisation.

The CEC had announced that the entire EVMs would be replaced only in 2019. Till such time paper ballots must be used.


The ex CJI Sathasivam had committed a grave error of judgement by
ordering that the EVMs would be replaced in a phased manner as suggested
by the ex CEC Sampath because of the cost of Rs 1600 crores involved in
entire replacement.In the 2014 Lok Sabha elections only 8 out of 543
seats were replaced to benefit BJP. They never ordered for using paper
ballots until the entire EVMs were replaced.

Ms Mayawati’s BSP
lost all the Lok Sabha seats because of these EVMs and BSP won majority
of the seats in UP Panchayat elections conducted with paper ballots as
followed by 80 democracies of the world.

All people having faith
in democracy, the present CJI and CEC must dissolve the central and
state governments selected by these fraud EVMs and go for polls with
paper ballots to save equality, liberty and fraternity as enshrined in
our modern constitution for Sarvajan Hitay Sarvajan Sukhaya i.e., for
the welfare, happiness and peace of all societies.

http://www.firstpost.com/…/uttar-pradesh-assembly-election-…

Uttar Pradesh Assembly Election 2017: Mayawati alleges BJP of SC/ST discrimination


Murderer of democratic institutions (Modi) -led BJP (Bajuth Jiyadha
Psychopaths) is targetting her because of she is a Aboriginal Scheduled
caste as well as the ‘master key’ to unlocking the upcoming Uttar
Pradesh Assembly election.


Alleging that the BJP has an anti-SC/ST mindset and is being casteist,
Mayawati said, “They don’t like that a Aboriginal Scheduled Caste
daughter working for the upliftment of all societies ,” Mayawati said in
a special press conference on Tuesday.

She said that the Modi is
afraid of Mayawati’s popularity: “Mayawati is the master key to UP
Assembly election and the BJP is shaken.”

Modi must know that the Aboriginal Inhabitants Scheduled Caste is the Mother Caste of all other castes. They are the HRD & D (Human Resource Developers and Distributors) and he must know that all the people belong to a single same race irrespective of castes, creeds, colours and relegions.

The BSP chief
reiterated how the BSP was the first party to oppose demonetisation, and
that Modi is targetting her and the party because it blames her for
fuelling opposition parties to rise up against the move.

She also
clarified on the Rs 100 crore deposited in a BSP account stating that
the party has all the records of the deposits made into its accounts
after demonetisation, and the money was deposited as per the rules of
the BSP. “All the money has been collected after 21 August. We convert
all the donations into notes of higher denominations because it’s easier
to transport. All the donations are collected in Delhi for final
accounting. It’s deposited in banks only after final accounting in my
presence. We were unable to deposit earlier because I was unable to go
to Delhi,” she said.

On a sarcastic note, the BSP chief thanked
the Modi and party president Amit Shah, stating that the tactics of
Modi, Amit Shah of BJP will get her gain full majority in the upcoming
election, just like allegations towards her helped win the election in
2007. “Modi is targetting me and senior members of the party along with
my friends and relatives for political gains. Shah is maligning my
reputation by talking about the ghotalas, and the Taj Corridor. I want
to tell you that most parties in power do that. The BJP especially.
There’s not a single file on the project that went through me. I have
not signed on a single file. They maligned by name between 2003 and
2007, but I got an absolute majority. They are doing it again. And I am
sure the BSP will form a government again with an absolute majority. I
am grateful to them(!)”

Mayawati also challenged the Modi to
divulge records of all bank deposits and purchases made by the party
before and after 8 November.

Taking a jibe at the Modi on
demonetisation, the BSP chief said, “I pray to God that they take a
couple of more decisions like demonetisation and make it easier for us
to form government. I won’t even have to go to the 75 districts for poll
campaigning. I will win sitting at home.”


A day after reports emerged of deposits worth Rs 100 crore in old notes of Rs 1,000 made in Bahujan…
firstpost.com


http://indianexpress.com/article/india/india-others/narendra-modi-and-his-ministers-declare-assets-heres-what-they-own/




 Modi

Age
66
Marital Status
Separated

Modi and his party declare assets: Here’s what they own



The richest among
Modi’s friends Arun Jaitley, who along with
his wife, has assets worth Rs 72.10 crore.

Modi owns movable assets worth Rs 26,12,288 and immovable assets worth Rs 1 crore.

Rajnath Singh,
who also features in the list, is richer than Modi. He
owns movable assets worth Rs 66,41,260.33 and immovable assets worth Rs
1,90,00,000. He has also declared the wealth owned by his
wife, and it’s worth Rs 40,88,871.

Sushma Swaraj has declared her wealth worth Rs 2,98,48,485, in addition
to an ancestral land in Palwal, Haryana. Her husband, Swaraj Kaushal,
has movable assets worth Rs 8,88,91,635 and immovable worth Rs
3,18,90,050 (total wealth worth Rs 12,07,81,685).

The list further has declaration of assets by all the friends of Modi .

What about undeclared asets ?

Why do they need our currency.They were in foreign countries last year!!!!

Rs
5000 crore spent by Modi in election campaining…..can modi remotely
controlled by Rakshasa Swayam Sevaks (RSS) declare the source of
funding.

Mark
 

Modi has only 1.3cr.huh What a joke..

Citizen
 Good
at last a beginning is made now it is for the citizens to keep track
and be vigilant on these things to find any wrong doing by these guys
so that some good advocate/group can file a PIL in the courts to haul
them up.



http://www.forbes.com/sites/greatspeculations/2016/12/02/modis-demonetization-is-a-cure-worse-than-the-disease-for-india/#344d205a5c58
In November 2016 he unexpectedly announced plans to eliminate Country’s
two largest bank notes in a bid to reduce money laundering and
corruption, creating a nationwide frenzy to quickly swap out the bills.

Modi’s Demonetization Is a Cure Worse Than The Disease For The Country

Tuesday  marked four weeks since Modi
made his surprise demonetization announcement that has sent shockwaves
throughout the South Asian country’s economy.

In an effort by Modi to combat black money and put Rs 15 lakhs in every citizens bank accounts all
500 and 1,000 rupee banknotes are no longer recognized as legal tender.

Inevitably, low-income and rural households have been hardest hit by
Modi’s currency reform. Barter economies have reportedly sprung up in
many towns and villages. Banks have limited the amount that can be
withdrawn. Scores of weddings have been called off. Indian stocks
plunged below their 200-day moving average.


indian stocks tumble following modis demonetization announcement




Buys, holds, and hopes

Frank Holmes Frank Holmes, Contributor

Next
Tuesday will mark four weeks since Indian Prime Minister Narendra Modi
made his surprise demonetization announcement that has sent shockwaves
throughout the South Asian country’s economy.

overnight indian prime minister narendra modi killed 90 nations currency

In an effort to combat corruption, tax evasion and counterfeiting,
all 500 and 1,000 rupee banknotes are no longer recognized as legal
tender.

I’ve previously written about the possible ramifications of the “war on cash,”
which is strengthening all over the globe, even here in the U.S. Many
policymakers, including former Treasury Secretary Larry Summers, are in
favor of axing the $100 bill. In May, the European Central Bank (ECB)
said it would stop printing the 500 euro note, though it will still be
recognized as legal currency. The decision to scrap the “Bin Laden”
banknote, as it’s sometimes called, hinged on its association with money
laundering and terror financing.

Electronic payment systems are convenient, fast and easy, but when a government imposes this decision on you, your economic liberty is debased.
In a purely electronic system, every financial transaction is not only
charged a fee but can also be tracked and monitored. Taxes can’t be
levied on emergency cash that’s buried in the backyard. Central banks
could drop rates below zero, essentially forcing you to spend your money
or else watch it rapidly lose value.

Inevitably, low-income and rural households have been hardest hit by
Modi’s currency reform. Barter economies have reportedly sprung up in
many towns and villages. Banks have limited the amount that can be
withdrawn. Scores of weddings have been called off. Indian stocks
plunged below their 200-day moving average.

indian stocks tumble following modis demonetization announcement

Recommended by Forbes

Demonetization has also weighed heavily on the country’s
manufacturing sector. The Nikkei India Manufacturing PMI fell to 52.3 in
November from October’s 54.4. Although still in expansion mode,
manufacturing production growth slowed, possibly signaling further
erosion in the coming months.

Indian Manufacturing Cools in December


The Country Runs on Cash


The two Country’s bills in question, worth $7.50 and $15, represented an
estimated 86 percent of all cash in circulation by value. No two bills
in the U.S. so dominate transactions quite like the Rs500 and Rs1,000
notes, but imagine if tomorrow the Treasury Department killed everything
north of the $20 bill. Despite the widespread availability and
acceptability of electronic payment systems, this would be devastating
to many American consumers who prefer cash or who are underbanked.


Because Country’s economy relies predominantly on cash, the effects
will be far greater. ATMs are scarce, and few rural Indians have a
credit or debit card. An estimated 600 million Indians—nearly half the
country’s population—are without a bank account. Three hundred million
have no government identification, necessary to open an account. By
comparison, about
7 percent of Americans are unbanked, with an additional 20 percent underbanked, according to the Federal Deposit Insurance Corporation (FDIC).

In india cash is king


This is one of the main reasons why the Country’s people have traditionally held
gold in such high demand. Many have little faith in banks and other
financial institutions, preferring instead to store their wealth in
something more reliable and tangible. So great is Countrys’ appetite for
the yellow metal that prices have
historically surged in September,
following the end of the monsoon season and ahead of Diwali and the
wedding season, when gifts of gold jewelry are typically given.


“Gold is a need of the [the Country’s] people,” says Suresh Jain, owner of India’s B.J. Jain Jewellers, as quoted in the Financial Times. “It is not a luxury item. It is essential.”


Ironically, though, Modi’s demonetization scheme will likely hurt
gold demand in the long run, “by dramatically reducing the stock of
black money hitherto used in a large chunk of purchases,” according to
the Financial Times.

As per the article in Forbes and Ms Mayawati
we are already in a worst than emergency days. 99% of the people are
affected by this economic emergency. May be Modi is trying through such
polls to officially declare emergency.

The nut wants the dictator coconut to declare emergency that is already there.

Just
1% intolerant, violent, militant, shooting, lynching, cannibal
chitpawan brahmin Rakshasa Swayam Sevaks (RSS) psychopaths are for
emergency for their stealth, shadowy discriminating hindutva cult
rashtra. But the 99% Sarvajan Samaj like our Chief Architect of Modern
Constitution Dr BR Ambedkar which is for equality, liberty and
farternity opposed to manuvad that believes in brahmins as 1st rate,
kshatras as 2nd, Vyshayas as 3rd and Shudras as 4th rate athmas (Souls )
and the aboriginal inhabitant SC?STs having no souls so that any crime
cand be done for them. But the Buddha never believed in any soul. He
said all are equal and that is enshrined in our modern constitution for
Sarvajan Hitay Sarvajan Sukhaya i.e., for the welfare, happiness and
peace for all societies.


overnight indian prime minister narendra modi killed 90 nations currency


The CEC had announced that the entire EVMs would be replaced only in 2019. Till such time paper ballots must be used.


The ex CJI Sathasivam had committed a grave error of judgement by
ordering that the EVMs would be replaced in a phased manner as suggested
by the ex CEC Sampath because of the cost of Rs 1600 crores involved in
entire replacement.In the 2014 Lok Sabha elections only 8 out of 543
seats were replaced to benefit BJP. They never ordered for using paper
ballots until the entire EVMs were replaced.


Ms Mayawati’s BSP lost all the Lok Sabha seats because of these EVMs
and BSP won majority of the seats in UP Panchayat elections conducted
with paper ballots as followed by 80 democracies of the world.


All people having faith in democracy, the present CJI and CEC must
dissolve the central and state governments selected by these fraud EVMs
and go for polls with paper ballots to save equality, liberty and
fraternity as enshrined in our modern constitution for Sarvajan Hitay
Sarvajan Sukhaya i.e., for the welfare, happiness and peace of all
societies.

Magadhi [Pali] Prakrit of the Thervadin Buddhists


Of all the Buddhists Traditions, Theravada was the only sect to
preserve the usage of Magadhi Prakrit in its literature. [The term
“Pali” was traditionally used for denoting the Texts in the language,
the language is itself referred to as Magadhi in Theravadin literature].

The usage of Pali is still strong among the native Buddhists.
This serves as the strong example for the bonding between the Magadhi
Language & Theravada.

The Theravadins also held the view that their language is
the most natural language and original language.

The fifth century Visuddhimagga by Buddhaghosa declares:


Magadhi is the root of all dialects, which was spoken by Brahmas, by
men before the present kalpa, by those who had neither heard nor uttered
human accent, and also by supreme Buddhas

sā māgadhī mūla bhāsā nārā yā yādi kappikā
brahmānochassutālāpā sambuddhā ehāpi bāsare

The Atthagatha (commentary) of Abhidhamma Vibhanga, states the below as the view of the Buddha Bhikshu Tissadatta Thera:

seated_buddha_in_bhumisparshamudra_rm56


If a new born baby is kept isolated and but not hear any language
spoken by any one, he would speak the Magadhl If, again, a person in an
uninhabited forest, in which no speech (is heard), should intuitively
attempt to articulate words, he would speak the very Magadhi.

It predominates in all regions (such as) Hell; the animal kingdom; the
Preta sphere ; the human world ; and the world of the devas. The rest
of the eighteen languages—Otta, Kirata, Andhaka, Yonaka, Damila, etc.,
undergo changes —but the Magadhi does not, which alone is unchangeable,
and is said to be the speech of Brahmans and Ariyas.

Even Buddha,
who rendered his tipitaka words into texts, did so by means of the very
Magadhi ; and why ? Because by doing so it (was) easy to acquire their
(true) significations. Moreover, the sense of the words of Buddha which
are rendered into doctrines by means of the Magadhi language, is
conceived in hundreds and thousands of ways by those who have attained
the patisambhida, so soon as they reach the ear, or the instant the ear
comes in contact with them ; but discourses rendered into other
languages are acquired with much difficulty.

It (i.e. Magadhi) was first predominant in the hells and in the world of
men and that of the gods. And afterwards the regional languages such as
Andhaka, Yonaka, Damila, etc., as well as the eighteen great languages,
Sanskrit, etc., arose out of it.


va apāyesuu manusse devaloke c’eva paṭhamam ussannā | pacchā ca tato
andhaka yonaka damiḽādi desabhāsā c’eva sakkaṭadi aṭṭhārasa mahābhāsā ca
nibattā |


As the grand finale, here to the view converges to considering Pali as
the source language of all. One interesting point to note that it
considers the Greek Language (Yonaka) as being born from Pali
.
https://en.wikipedia.org/wiki/Magadhi_Prakrit

Magadhi Prakrit


Magadhi Prakrit (Ardhamāgadhī) is of one of the three Dramatic
Prakrits, the written languages. Magadhi Prakrit was spoken in the
eastern Indian subcontinent, in a region spanning what is now eastern
India, Bangladesh, and Nepal. It is believed to be the language spoken
by the important religious figures Gautama Buddha and Mahavira and was
also the language of the courts of the Magadha mahajanapada and the
Maurya Empire; the edicts of Ashoka were composed in it.

Magadhi
Prakrit later evolved into the Eastern Zone Indo-Aryan languages,
including Assamese, Bengali, Odia and the Bihari languages (Bhojpuri,
Maithili, and Magahi languages, among others).
Pali and Ardhamāgadhī


Theravada Buddhist tradition has long held that Pali was synonymous
with Magadhi and there are many analogies between it and an older form
of Magadhi called Ardhamāgadhī “Proto-Magadhi”. Ardhamāgadhī was
prominently used by Jain scholars and is preserved in the Jain Agamas.
Both Gautama Buddha and the tirthankara Mahavira preached in Magadha.

Pali: Dhammapada 103:

Yo sahassaṃ sahassena, saṅgāme mānuse jine;

Ekañca jeyyamattānaṃ, sa ve saṅgāmajuttamo.

Greater in battle than the man who would conquer a thousand-thousand men, is he who would conquer just one — himself.

http://manipurinfo.tripod.com/


W.Shaw and Raj Mohan Nath , two eminent scholars are of the view that ”
Bishnupriya ” with its Devanagari script had been language of ancient
Manipur.(18)

On the other hand, some other Bishnupriya Scholars
like Dr. K.P. Sinha has objected to claim of Manipur to the alleged
connection of Hindu legend. Dr. Sinha tried to prove his theory on the
basis that Bishnupriya Manipuri language as a resultant language of
Magadhi Prakrit.

https://en.wikipedia.org/wiki/Magadhi_Prakrit


https://www.reddit.com/…/what_language_did_siddhartha_gau…/…

TRIKURAL AND TRIVALLUVAR

The Tripitaka, the earliest collection of Buddhist teachings and the only text recognized as canonical by Theravada Buddhists.

Trikural, Trimandiram, Trivasagam, Trivennba, Trimaalai, Trikadugam, was later replaced by Thiru and became Thirukural etc.


Pāḷi means “Buddha Vacanam”, the word of the Buddha consisting the
texts of the Tripitaka, the sacred Buddhist Canon, containing the
original teachings of the Buddha. The home of Pāḷi is Magadha. That
is why it is also known as Māgadhi.

The Buddha purposely did not speak in Chandas, the language
of Vedas, also called as Vedic Sanskrit. He spoke in the language of the common people.


“Anujānāmi bhikkhave sakāyaniruttiā Buddhavacanaṁ pariyāpunitaṁ -
Monks, I instruct that the words of the Buddha are learnt in the
standard vernacular of the masses.”

In the latest research when a
just born baby is separated and kept alone it will speak a natural
language of humans that is Magadhi/prakruth/ Pali like all other spices
like birds, animals etc.,have their own language with which it can
interact.

Hence Pali the natural common language of the humans was spoken by the Buddha in all his discourses.

Hence Pali is the mother language of all other languages which are its off shoots.

This apart, chronologically, Pāḷi is decidedly older
than modern classical Sanskrit.

It is hoped that in the age of science and technology when
language studies are becoming more and more objective, Pāḷi should be
studied widely as a discipline inseparable from other classical
languages of Prabuddha Bharath.

The Tripitaka was handed down
orally, and then written down in the third century B.C.E. According to
Buddhist tradition, the contents of the Tripitaka were determined at the
First Buddhist Council, shortly after the Buddha’s death. As many as
500 of Buddha’s disciples assembled, and at the direction of
Mahakashypa, Buddha’s
successor, the teachings of the Buddha were
recited in full. They were then verified by others who had also been
present and organized into the Tripitaka (although not written at the
time).

The Vinaya Pitaka (Discipline Basket) was recalled by a
monk named Upali. It deals with rules and regulations for the monastic
community (the sangha), including 227 rules for monks, further

regulations for nuns, and guidelines for the interaction between the
sangha and the laity. Most of these rules derive from the Buddha’s
responses to specific situations in the community.

The Sutta Pitaka (Discourse Basket) was recited by Ananda, Buddha’s cousin and closest companion. It contains the
Buddha’s teachings on doctrine and behavior, focusing especially on meditation techniques.

The Abhidharma Pitaka (Higher Knowledge or Special Teachings Basket) was recited by Mahakashyapa, the Buddha’s successor.
It is essentially a collection of miscellaneous writings, including songs,
poetry, and stories of the Buddha and his past lives. Its primary
subjects are Buddhist philosophy and psychology. Also within the
Abhidharma Pitaka is the Dhammapada a popular Buddhist text. The
Dhammapada consists of sayings of the Buddha and simple discussions of
Buddhist doctrine based on the Buddha’s
daily life.

Later Thirukural of Thiruvalluvar was written in Dravidian Language,
is the most popular, and most widely esteemed Tamil Classic of all
times. It is a Tamil book on philosophy and life in general, written by
Thiruvalluvar, a sage and philosopher, about 2000 years ago. Its appeal
is universal. It is the only Tamil literary work that has been
translated many times in almost all languages of the world.

Written by the Sage Thiruvalluvar, the Thirukkural is in the
form of couplets which convey noble thoughts.

The Thirukkural is a code of ethics. It has something noble
for the ordinary man, the administrator, the king and the ascetic. It
is global ears ago. It deals with the power of virtue, extols self
control, urges man to perform sacrifice and charity, and elucidates the
qualities that go to make perfection in all people - the married and the
ascetic.

The Thirukkural consists of Divided into three sections, the
first part called arattupaal in 38 chapters enumerates the ways to live
a morally upright life; touching on such things as the happy married life and the greatness of those who renounce.


The second part, called porutpaal tackles the conduct of those involved
in administration and socio-political life; about social
relations and citizenship.

The third part, inbatupaal, deals with love; about
physical longing, about true love and ethics.

Pandidamani Iyodhi Dass thought that the untouchables were
originally Buddhists and their salvation lay in Buddhism. He was the
great thinker and writer, he wrote Trikural apart from Thiruvalluvar
Aaraachi, Kural Kadavul Vaazhuthu etc.

He married Dhanalakshmi, the younger sister of Devan Bhadur
R. Srinivasan, who represented the Depressed Classes with Dr. Babasaheb Ambedkar at the Round Table Conference.

Pandit Iyodhi Dass had four sons and two daughters. One of
his sons Shri I.Rajaram went to Natal, South Africa and tried to spread
Buddhism there. Later A.C.P. Periaswamier founded the natal
Buddhist Society in the year 1920.

Pandidamani Iyodhi Dass was the first Buddhist revivalist in
India among the untouchables. He breathed his last 5th May 1914 at the age of 69.


Early Buddhism followed aniconic tradition, which avoids direct
representation of the human figure. But wanted Dhamma to be spread all
over the world. Around the 1st century CE an iconic
period emerged lasting to this day which represents the Buddha in human form.


Buddhist art followed believers as the dharma spread, adapted, and
evolved in each new host country. It developed to the north through
Central Asia and into Eastern Asia to form the Northern branch of
Buddhist art, and to the east as far as Southeast Asia to form the
Southern branch of Buddhist art. In India, Buddhist art flourished and
even influenced the development of Hindu art

The three-layered
gilt-copper round base is engraved with treasure flowers and curling
grass patterns inlaid with turquoise, lapis lazuli and ivory. The body
of the pagoda is made of lapis lazuli, with the outer surface engraved
with gold-filled Prajna Paramita Sutra. The shoulders of the pagoda are
adorned with four gilt-silver beast faces holding strings of pearls,
turquoises and lapis lazuli stones in their mouths. These strings are
connected with the canopy.

There’s a Buddhist niche on the front
side of the pagoda, with a jade-carved flight of steps at the entrance.
The gilt-silver niche door is engraved with two dragons playing with a
pearl, and the front of the door is fitted with a glass pane bearing the
gold-traced inscriptions “wuliang shoufo zan” (meaning) “Ode to the
Amitayus Buddha”) by Emperor Qianlong of the Qing Dynasty. There’s a
gold Buddha statue enshrined inside the niche. The 13-storey finial is
decorated with lotus petal patterns and the carved gold canopy is
ringed with lapis lazuli-inlaid Sanskrit inscriptions, with tourmaline-ended strings of pearls and turquoises hanging down.


The sun, crescent moon, flames and treasure pearl at the top are inlaid
with rubies, tourmalines, turquoises and pearls respectively. Thus the
Buddhists rejoice now.

Who has seen how Buddha appeared before 2600 years age?


Thiruvalluvar did not mention even once as ‘god’ in any of 133
chapters with each containing 10 couplets composed in the kural-venba
metre, like the Buddha, who preached Compassion and loving kindness.

The Thirukkural has achieved a perfect balance between the
secular and the spiritual.

Although we can say much about the book, we cannot do the
same about the author. Very little is known about Thiruvalluvar and his life.

Indian sages have this unique quality of making themselves
unimportant and wishing only for their works to be known and useful.


They shy away from talking about themselves. This is one reason why
there is little information about many of our sages. They held the
belief that their message was more important than themselves.
Thiruvalluvar was one of these noble souls.

Thiruvalluvar’s parents names are not conclusively known.


However his wife’s name is given as Vasugi. She is described as the
embodiment of chastity with many stories about her purity being often
quoted even today.

Thiruvalluvar in his Trirukural insisted on Aadhibaghavan,
Vaalivaan, Malar Misai Yeaginaan, Veadudhal, Veeanaamaillaan,
Porivaayil Iyndhavithaan, Thanakuvamaiillaadhavan, Aravaazhi Andanan,
Yenngunathaan, Muraicheidhu Kaaptriya Iraivan which depict Buddha.

Like Buddha’s Dhamma, he Thirukkural can lead to a happy,
contented, morally upright and peaceful life. It can lead to harmonious and peaceful social relations and co-existence.


Please visit http://sarvajan.ambedkar.org for animated yoga postures
http://sarvajan.ambedkar.org/?m=201206

http://yoga.org.nz/postures.htm

Main Page

Welcome to our yoga postures section. Here you will find
yoga moves that are broken down to the bare basics with colour photos
to match. We also have state of the art flash yoga animation
technology that you can use to view these moves in full screen size,
full colour and with full instruction.

Yogic exercises cater to the needs of each individual
according to his or her specific needs and physical condition. They
involve vertical, horizontal, and cyclical movements, which provide
energy to the system by directing the blood supply to the areas of the
body which need it most.

In yoga, each cell is observed, attended to, and
provided with a fresh supply of blood, allowing it to function smoothly.
The mind is naturally active and dynamic, while the innerself is
luminous. In this section we will give you plenty of yoga images and
instruction.

Breathing Pose

Arm Stretch

Kneeing Twist

Breathing Pose

The simple act of learning to control the breath
has a number of beneficial effects on your wellbeing, ranging from
increasing your energy, to improved relaxation into sleep. It purifies
the body by flushing away the gaseous by products of metabolism and will
also help you to remain calm in the face of the challenges that we
encounter in our everyday lives.

Control of the breath is an essential element in
the art of yoga. When bringing the air in to the abdomen, do not to puff
the stomach out, but pull the air into it while extending the inside
wall. By harnessing the power of the breath the mind can be stilled and
can be prepared for your Yoga practise.

Instruction Table Breathing Basics
1


Sit in a simple cross-legged position on
the floor. If you don’t feel comfortable in this position place a folded
blanket under your buttocks.

Place your right hand on the rib cage and your left hand on your abdomen

Inhale
slowly through the nose feeling the breath filling the abdomen,
bringing it slowly into the rib cage, then the upper chest.

Exhaling
softly feeling the breath leave the abdomen first, then the ribs and
lastly the upper chest. Observe the space at the end of the exhale

2

Now move hands so your forearms come to a comfortable position
resting on your knees and continue the breathing with a relaxed rhythm.

Continue with a flowing controlled breath in your own time.


Yoga breathing is also call Pranayama . Many say that Pranayama
(Rhythmic control of breath) is one of the bests medicines in the world .

Right click the link and save as to download a beginners breathing routine . Then watch in windows media player.

Click the BIG play button in the middle below. To watch a Pranayama Breathing overview .

Please visit:

http://www.youtube.com/watch…

The Virasana Arm/Shoulder Stretch

Hero Pose

The purpose of this pose is to help give the entire
body a very complete stretch from the heels to the head. It improves
strength and endurance and helps to control your breathing in
conjunction with the movements of the body.

It eases and stimulates the joints especially the
knees, ankles and shoulders. It reduces and alleviates backache and
improves the circulation of the entire body.

Instruction Table
1

Come in to a position on your hands and your

knees with your knees together and your feet slightly wider than hip width apart. Your big

toes & little toes pressing firmly into the floor

2

Push back with your hands & sit between your
buttocks on the floor, make sure you roll your calf muscles out wards so
your not sitting on them.

3


Make sure the inner calves are touching the outer thighs and your
ankles are outside your buttocks, arms resting at the sides.

4

Inhale as you slowly raise your arms to shoulder height, shoulders down.

5

Exhale lengthen out through the fingertips & turn your palms to the roof. Inhale stretch your arms overhead.

6

Interlock the fingers. Slowly exhaling turn the palms
towards the ceiling, and with a powerful push lift up from the belly
into your chest and shoulders.

7

Exhale bring your hands down in a smooth continuance motion….

8

Now bringing your arms interlocking behind your back
with straight arms, being careful not to roll the shoulders forward,
squeezing the shoulder blades together and opening the chest on the
front of the body.

9

Inhale hands back to the side

Repeat 2-3 more times

Please Visit:

http://www.youtube.com/watch…

Kneeing Twist Pose

Regular practice of the kneeling twist pose
will aid in your ability to rotate the spine and upper torso more
effectively, while increasing the flexibility and strength in your back
and abdominal muscles. It also massages, stimulates and rejuvenates the
internal abdominal organs.

This pose is a good beginners pose and will get you ready for more advanced twists.
To view in flash - click the image below

Instruction Table
1


Sit on your heals with your knees together, the tops of the feet
pressing firmly into the ground. Your head, shoulders, and hips should
be in one straight line.

Arms relaxed by the side keep your base firm by contracting your buttocks.

2

Inhale, extending the spine upwards, exhale twist around to the
right, placing your left hand on the outside of your right thigh,
turning the head in the direction of the twist, but keeping the head and
shoulders relaxed.

Take a few breaths here, keeping the stomach soft and the eyes soft.

Repeat on the other side

Please Visit:

http://www.youtube.com/watch…


Triangle Pose
Tree
Warrior

The Triangle Pose


Triangle pose tones the leg muscles, spinal nerves and abdominal
organs; it contributes towards a strong healthy lower back.

The triangle gives an excellent and complete stretch

throughout the entire body.
To view in flash - click the image below

Instruction Table
1

Align yourself in mountain pose.

Continuing with your smooth

flowing breath

2

Inhale deeply and jump your feet out landing approx
1.2-1.5m apart. your feet need to be in line and pointing forward at
right angles. Next raise your arms to shoulder level, be sure that they
are in line with each other. Stretch your arms out from the middle of
your back. Lift your chest and look straight ahead.

3

Now turn your right foot out while keeping your hips to
the front, and turn your left foot in from 90 to 70 degrees, by pivoting
on your heel. Insure your right heel is in line with the instep of the
left foot.

This is important as it sets the base for this pose.

4

The kneecaps and thighs are pulling up,
simultaneously pushing downward through your feet into the floor.
Inhale, extend the spine, exhale as you bend to the right, pushing out
from the hips, through the right arm…

5

Taking your right hand to a comfortable position on your
leg, your left arm coming up to straight, moving down as far as
possible without turning the hips or torso. Keep the thighs firm and
rolling around towards the buttocks, moving the left hip back and open
the chest.

6

Inhale, extend the neck and spine, exhale, turn your head to look up at your left hand.

Keep
your head, your buttocks and your heels in one straight line,not
looking down with you body, keep opening your whole body up.

Breathe easy.

Click here to view the Triangle pose

http://www.youtube.com/watch…

The Tree Pose

This pose harnesses the powers of mental concentration, while
allowing you to calm the mind. It develops balance and stability, and
strengthens the legs and feet, also increasing flexibility in the hips
and knees.

The tree pose is a balance pose incorporating three lines of
energy, emitting from the centre outwards. One line proceeds down the
straight leg, one line extends up the spine and out the fingertips, and
the third moves outward through the bent knee.
To view in flash - click the image below

Instruction Table
1


Align yourself in mountain pose.

Continuing with your smooth

flowing breath

2

On your next inhale; shift the bulk of your weight onto
your left foot. Exhale bend the right knee, and assisting with your
hand, place the sole of your right foot as high as possible into the
left inner thigh, with toes pointing down, steady yourself, and

breathe easy.

3

Next raise your arms to shoulder level, be sure that
they are in line with each other. Stretch your arms out from the middle
of your back. Lift your chest and look straight ahead. Keep completely
focused on the pose.

4

Now bring your palms together in prayer
position. Keeping your eyes focused on a point in front of you, will
assist your balance.

5

Inhale as you raise your arms overhead keeping your palms together and stretching upwards through the fingertips.

Keep working your right knee back and contracting your buttocks muscles in and down.

Feel your abdomen plane and hips facing straight ahead, while lifting out of the waist.

Please Visit:

http://www.youtube.com/watch…< ?xml:namespace prefix = o ns = “urn:schemas-microsoft-com:office:office” />

The Warrior Pose

Virabhadra

The Warrior pose is
named after the mythic warrior-sage, Virabhadra. This challenging pose
strengthens the entire body while improving mental capacity and self
control.

It builds, shapes and tones the entire lower body. It tones the
abdominal section and helps to prevent, reduce and eliminate back pain.
The entire upper body -front and back- is worked and doing this pose
increases the capacity of the respiratory system.
To view in flash - click the image below

Instruction Table
1


Stand in mountain pose continuing with your smooth flowing breath.

2

Jump your feet sides ways and sweep your arms out to the side so your
ankles are below your wrists. Establish your foundation, by pulling
your knees and thighs up, tucking your tailbone under, pushing your feet
firmly into the floor.

Visualise
an imaginary line running vertically down the centre of your body,
dropping your shoulders. Squeeze your arms and legs away from the
centreline.

3

Keep an awareness of this line as you turn your right
foot out to 90 degrees and turn your left foot in to 70 degrees. Ensure
the heel of your front foot aligns with arch of your back foot, hips
facing forward.


If your body wants to turn off centre, counter-act it by pushing
simultaneously in opposite directions from the centre line.

4

Inhale, an as you exhale bend your right
leg, pulling up with the outside and inside of the thigh to form a right
angle at the knee. Only go as low as you can with out turning your hips
off centre.

Ideally
you want your knee directly above your ankle with you leg coming
vertically out of the floor like pillar. Keep the power flowing through
the back leg into the floor.

5

Inhale lift the spine; exhale turn your head to look over your right arm. Take a few deep breaths through the nose.

Hold the pose and breathe smooth.

Reverse the procedure back to mountain pose and repeat back to the other side.


Please Visit:

http://www.youtube.com/watch…

Mountain Pose
Prayer Pose
Shrug

Mountain Yoga Pose

The Mountain Pose is one of the most important poses in yoga. It is the start and finish point of all standing poses.

When standing in mountain pose, the mind is quiet,
and the body strong and still, like a mountain. This is a pose you can
practise in your daily life, practising to stand correctly will have a
profound influence on your physical and mental well being.
To view in flash - click the image below

Instruction Table
1

Moutain Pose 1


Stand with your feet hip width apart, so the outsides of the feet are almost parallel edged.

Press and spread the toes into the floor. Feel the weight of your
body distributed evenly through your feet, from the toes to the heels,
keep pressing firmly into the floor.

2

Moutain Posture 2
Lift the kneecaps up by contracting the front thigh
muscles, but not locking the backs of the knees. Pull up with the back
of the thighs, and activate the hip and buttocks to level the pelvis.

3

Mountain Poses Back
Your hips should be directly over your knees, and your
knees over your ankles. This gives you a stable foundation and by
positioning the pelvis properly, keeps the spine healthy.

4

Now extend the spine, by slowly inhaling, lifting up
through the legs as you lift the ribcage, opening the chest and dropping
the shoulders down, extending the neck, keeping the jaw and eyes soft.


5

Bring the shoulder blades into the back, to support the ribcage. Breathe slowly and softly.

Keep your head directly over your shoulders, and look at eye level at a point in front of you.


Please Visit:
http://www.youtube.com/watch…


The Prayer Pose

This pose is simple, but very effective, and is a
key movement to more advanced poses. This pose will teach you how to
push from under the shoulders and out of the lats, the major muscle
group of the back. A key movement in a lot of yoga poses.

It strengthens and aligns the upper body while
releasing tension and increasing the circulation to the shoulder joint,
which is a ball and socket joint. It also aids in strengthening the
abdominal and lumber region as you look to form a solid base.
To view in flash - click the image below

Instruction Table
1


Centre yourself in mountain pose and take a
few deep breaths here, breathing down into the abdomen, continuing the
breathing that you are now familiar with.

2

Inhale, raise your arms to shoulder height and stretch them out in the opposite direction to each other

3

Now twist your arms from the shoulder and turning your palms upwards. Keep the body in a nice strong upright position

4

Bring your arms out in front of you, pushing
your elbows firmly together and your fingers extending away from you,
while focusing on pulling your shoulder blades together..

5

Continue squeezing the elbows together as you bring your palms together

6

Now bend at the elbow and take the forearms to vertical.
Keep pressing firmly with the palms and the elbows as you breathe the
arms upwards. With each exhale moving slightly higher.
Shoulder opener Yoga Posture. This
movement will teach you how to push from under the shoulders and out of
the lats, the major muscle group of the back. A key movement in a lot of
yoga poses. This pose is simple, but very effective, and is a key
movement to more advanced poses.

Please Visit:
http://www.youtube.com/watch…

The Shoulder Shrug

The shoulder rotation is another pose which can be practiced anywhere and at any time.

It strengthens and aligns the shoulder region while
releasing tension and increasing the circulation to the shoulder joint,
which is a ball and socket joint. It also aids in strengthening the
abdominal and lumber region as you look to form a solid base.
To view in flash - click the image below

Instruction Table
1


Align yourself in mountain pose.

Continuing with your smooth

flowing breath

2

As you inhale, lift your shoulders to your ear lobes, keeping the head erect and soft.

3

As you exhale, rotate the shoulders around

by pushing up out of the chest and squeezing the shoulder blades together, rotating them

in a full circle.

4

Back down into mountain pose

Repeat 3 more times

Please Visit:

http://www.youtube.com/watch…
Lying Twist
Downward Dog
Seated Forward Bend

The Lying Basic Twist

Doing this pose will rapidly increase strength and muscle tone in your midsection.

The lying twist is another pose which is very
simple yet extremely effective. This pose is soothing to the spine and
neck, and warms and frees the lower back and hips and it also improves
digestion and assists in toxin elimination.
To view in flash - click the image below

Instruction Table
1


Come to a position lying on your back and stretch your arms out to
the side and place your palms and shoulders firmly on the floor.

Move your shoulder blades under. Spread your toes apart. Feel the
back and shoulders moulding to the straight lines of the floor.

2

Bend your knees as far as they come towards the chest.

3


Inhale, keeping your knees and ankles together,
Exhale, rolling your knees to the right. Focus on keeping your arms
pressing out wards and your shoulders pushing firmly into the ground.
You may feel or hear your spine lengthening as it extends into the
correct alignment.

Knees & ankles together breathe, focus on creating length between the left lower rib and the hip,

4

Now turn your head to look over your left hand. Relax in to this pose, stomach soft, breathing soft and relaxed.

Reverse the pose back up and repeat to the other side
Please Visit:


The Downward Facing Dog

Adhomukha Svanasana

The downward yoga pose is
named as such as it resembles the shape of a Dog stretching itself out.
This pose helps to strengthen, stretch and reduce stiffness in the legs
while strengthening and shaping the upper body. Dog pose Yoga Posture .
One of the main yoga asanas. If you have time for only one posture try
this one.

Holding this pose for a minute or longer will
stimulate and restore energy levels if you are tired. Regular practice
of this pose rejuvenates the entire body and gently stimulates your
nervous system.
To view in flash - click the image below

Instruction Table
1

Come up onto your hands and knees with your knees hip
width apart and the hands shoulder width apart, your fingers wide
pressing firmly into the floor.

2

Inhale, arch your spine and look up as you turn your toes under.

3

As you exhale straighten your legs and pause here for a moment.

4

Now push the floor away from you hands, positioning your
body like an inverted V, achieving a straight line from your hands to
your shoulders to the hips. Straight arms and straight legs.

As you inhale press downward into your hands and lift outward out of the shoulders.

Lift your head and torso back through the line of your body.

Please Visit:

http://www.youtube.com/watch…

The Seated Forward Bend

Paschimottanasana

The purpose of this pose is to give the entire back
of your body a very complete stretch from the heels to the head. It is
excellent for posture improvement and stimulates the internal organs as
well.

It adds in improved mental concentration and
endurance and helps to control and calm the mind. It relieves
compression while increasing the elasticity of the spine, it also
strengthens and stretches the hamstrings.
To view in flash - click the image below

Instruction Table
1

Come to a sitting position with your legs together in front of you.

Move
the fleshy part of your buttocks from underneath you, so you are on the
top of your sitting bones, which are located at the very top of your
legs.
2

Roll the thighs inwards so that the kneecaps are facing directly upwards.

Activate the legs by pressing down into the floor, and out through the heels.

Spread your toes wide and pull them towards you.

Lengthen your lower back muscles down as you extend your spine up and out of the pelvis.
3

Now take your strap around both feet. The
strap`s purpose is to keep the spine straight. This is very important.
Be aware the head is an extension of the spine, so keep it aligned
accordingly.

Use the breath to create the optimum degree of intensity in the stretch.
4

On your next exhale; come down the belt further while
maintaining the extension on the front and back of the torso. Some of
you will be able to grab the sides of your feet. Breathe softly and
continuously. Don’t pull yourself forward by the strength of your upper
body.

Keep bending at the hips, maintaining a relaxed head and neck.
5

Go a little further, relax your abdomen, and inhale, as
you lengthen, exhale, and come further forward, increasing the space in
your vertebrae.

Please Visit:

http://www.youtube.com/watch…


The Locust
The Bridge
Extended Child’s Pose

The Locust Pose

Salabhasana

The locus yoga posture is
named as such as it resembles the shape of the insect known as the
Locust. This pose helps to strengthen, stretch and reduce stiffness in
the lower back while bringing flexibility to the upper back region.

When you first begin to practice this pose, your
legs may not move very far off the floor. Please continue and stay
positive as you will find your range will continue to improve the more
you practice. Learning to master this pose will hold you in good stead
for more advanced back bends.
To view in flash - click the image below

Instruction Table
1

Come to a position lying face down on the floor, with
your arms along side your body, palms and forehead down. Bring your
knees and ankles together. Squeeze the shoulder blades together and
down. Push your palms into the floor. Pull the abdominals inwards,
contract the buttocks, and press the hips and pubis firmly into the
floor.

2

On your next exhale; raise the legs to a height that is comfortable but challenging.

Keep the buttocks activated, lock the knees, keep the ankles together.

3

Extend the front of your body as you pull
the shoulder blades together, raising the head, the arms, and upper
torso away from the floor, looking straight ahead, opening the front of
the chest and pushing down the lines of the arms.

Keep the legs working strongly.

Please Visit:

http://www.youtube.com/watch…

The Bridge Pose

The Bridge Pose is
a simple yet very effective pose to practice. It helps to promote a
healthy flexible spine while strengthening the legs and buttock muscles.
It also helps to stretch and stimulate the abdominal muscles and
organs.

It aids in easing and stimulating the mind and is a great way to reenergize if feeling tired.
To view in flash - click the image below

Instruction Table
1


Lie on your back with your legs bent, heels close to the buttocks,
Feet pressing firmly into the floor, hip width and parallel.

Your arms should be slightly out from your sides, the palms of your hands pressing firmly into the floor.

2

Inhale, and with the exhale raise the hips up by pushing strongly
into the floor with your feet. Keep the buttocks firm, and press the
shoulders and arms into the floor. Only go to the height that you are
comfortable with.

Take a few nourishing breaths in this position, as you keep opening the chest and lengthening the torso.

3


Now bring your arms over your head to the floor behind
you. Keep lifting your buttocks away from the floor, keeping them
contracted, which will protect the lower spine, and work softly with the
breath, keeping the head and neck relaxed.

This
pose stretches the whole front of the body, and brings mobility to the
spine. Breathing is improved from the opening of the ribcage and chest
area.
Please Visit:
http://www.youtube.com/watch…

The Extended Child’s Pose / Garbhasana

The Childs Yoga pose when
practiced regularly is very beneficial to your entire mind and body. It
helps to release the pressure on the spine while providing an entire
stretch through the upper body to the fingertips. It also aids in
strengthening and stretching the insides of the legs while massaging the
internal organs.

Breathing will becomes more efficient and your mind
will become clear. It also aids in improved mental processes and helps
to rejuvenate and energize the entire being.
To view in flash - click the image below

Instruction Table
1


Bring your big toes together and your knees wide apart, inhale as you lift your spine and extend your stomach.

2

Exhale bend forward from the hips as you walk you hands
out as far in front of you as possible, extending from the hips to the
fingertips.

3


Place your forehead on the ground & buttocks
back to the heels. Work your pubis to the floor and strech the inner
thigh muscles. Focus on the breath.

4

Breathing into the abdomen as you extend it
forward in to the breastbone, creating length through the upper body.
Exhale from deep in the abdomen relaxing in the spine and continue the
slow controlled breathing.

Please Visit:

http://www.youtube.com/watch…

Standing Forward Bend
The Boat (beginners)

The Standing Forward Bend

This pose aids in digestion and is restorative. It
frees the rib cage allowing for improved breathing. It aids in mental
concentration and helps to revive mental and pysichal exhaustion. The
heartbeat is slowed and the lower back is strengthened and pressure is
removed from the lumbar region.

It increases flexibility while strengthening and
developing the hamstrings. It also helps to strengthen the feet and
ankles while realigning the entire body.
To view in flash - click the image below

Instruction Table
1


Stand in mountain pose, in the centre of your mat, with your hands in prayer position. Jump your feet wide apart.

Keep the outside of your feet running parallel while lifting your
arches, pulling up with the thighs and the tail bone tucked under.

2

Place your hands on your hips and feel the extension up out of the waist.

3


Inhale, As you exhale bend at the hips extend forward,
continue lifting out of the hips keeping your legs strong and your base
nice and firm, looking forward to begin with. Keep the extension on the
stomach, which will help keep your back flat protecting it.

Take a few breaths here.

4

Now take your hands to the floor extending from the lower abdomen to
the breastbone and through the spine. Some of you maybe on the finger
tips.

If
you can’t keep your spine straight put your hands on your knees and
keep slowly working down your legs, working with your body, not against
it. Lift your sitting bones to the ceiling.

5

Draw your shoulders down your back so you can extend the neck with ease.

Remember to keep the arches high.
Please Visit:
http://www.youtube.com/watch…

The Boat Pose

Doing the boat pose will rapidly increase strength and muscle tone in your midsection.

Keep challenging yourself to stay in this pose
longer. If you find the stimulation of the midsection becoming intense,
just persist with it, knowing your mind has ultimate control over the
body.
To view in flash - click the image below

Instruction Table
1


Find yourself on your sitting bones, lifting out of the hips.

Extend your spine upwards, and press the soles of your feet into the floor, with the knees and ankles together.

2

Using your fingertips on the floor for balance, extend your abdomen as you lean back slightly.

3


Bring your lower legs up, parallel to the floor.
Breathe softly, in and out through the nose, while opening the chest and
squeezing the shoulder blades together.

Focus on a point at eye level in front of you. You may find this pose challenging to begin with

4

Now bring your arms up beside your knees, parallel to the floor,
opening the chest. Keep your focus on that point in front of you. This
will help your stability. Continue with the controlled breathing.

Feel the stimulation of the entire abdominal region, as you hold this pose for a few more breaths.
Advanced Variation of The Boat


Now bring your legs up to straight. Continue to keep your focus on that point in front of you.

Continue with the controlled breathing.

Please Visit:

http://www.youtube.com/watch…

https://www.youtube.com/watch?v=ojHBcT5e_M8

Sutta Piṭaka-Digha Nikāya

DN 16 - (D ii 137)
Mahāparinibbāna Sutta
{excerpts}
— The last instructions —
[mahā-parinibbāna]

This
sutta gathers various instructions the Buddha gave for the sake of his
followers after his passing away, which makes it be a very important set
of instructions for us nowadays.

Note: infobubbles on all Pali words except in section with light green background color

Dhammādāsaṃ
nāma dhamma-pariyāyaṃ desessāmi, yena samannāgato ariyasāvako
ākaṅkhamāno attanāva attānaṃ byā-kareyya: ‘khīṇa-nirayo-mhi
khīṇa-tiracchāna-yoni khīṇa-pettivisayo khīṇ’āpāya-duggati-vinipāto,
sotāpanno-hamasmi avinipāta-dhammo niyato sambodhi-parāyaṇo’ ti. �
(The Mirror of the Dhamma)

I
will expound the discourse on the Dhamma which is called Dhammādāsa,
possessed of which the ariyasāvaka, if he so desires, can declare of
himself: ‘For me, there is no more niraya, no more tiracchāna-yoni, no
more pettivisaya, no more state of unhappiness, of misfortune, of
misery, I am a sotāpanna, by nature free from states of misery, certain
of being destined to sambodhi.
தமிழ்
(தம்மாவின் உருப்பளிங்கு)
நான்
Dhammādāsa (தம்மாவின் உருப்பளிங்கு) என கருதப்படும் தம்மாவை
வியாக்கியானம் பண்ண பிரசங்கம் செய்ய விரும்புகிரேன்,ariyasāvaka (புனிதமான
சீடர்)ஆக ஆட்கொண்டு,ஒருவேளை அவர் தானே விரும்பி உறுதியாக்கிக் கொண்டால்:
‘ஆக
எனக்கு, இன்னும் மேலும் niraya (நரகம்) இல்லை,இன்னும் மேலும்
tiracchāna-yoni ( மிருகம சாம்ராஜ்யம்) இல்லை,இன்னும் மேலும் pettivisaya
(ஆவிகள் சாம்ராஜ்யம்) இல்லை,இன்னும் மேலும்
பாக்கியவீனம்,துரதிருஷ்டம்,துக்கம், நிலை இல்லை, நான் sotāpanna (புனல்
பிரவேசி), இயற்கையாக துக்க நிலையில் இருந்து விடுவிக்கப்பட்டவன்,sambodhi
(முழுக்க தூக்கத்திலிருந்து விழிப்பு) ஆக சேர இருத்தல் உறுதி.

Katamo
ca so, Ānanda, dhammādāso dhamma-pariyāyo, yena samannāgato ariyasāvako
ākaṅkhamāno attanāva attānaṃ byā-kareyya: ‘khīṇa-nirayo-mhi
khīṇa-tiracchāna-yoni khīṇa-pettivisayo khīṇ’āpāya-duggati-vinipāto,
sotāpanno-hamasmi avinipāta-dhammo niyato sambodhi-parāyaṇo’ ti? �
And
what, Ānanda, is that discourse on the Dhamma which is called
Dhammādāsa, possessed of which the ariyasāvaka, if he so desires, can
declare of himself: ‘For me, there is no more niraya, no more
tiracchāna-yoni, no more pettivisaya, no more state of unhappiness, of
misfortune, of misery, I am a sotāpanna, by nature free from states of
misery, certain of being destined to sambodhi?
மற்றும் என்ன,Ānanda
(ஆனந்தா),தம்மா மீது ஆன அந்த பிரசங்கம் Dhammādāsa (தம்மாவின்
உருப்பளிங்கு) என கருதப்படும் தம்மாவை வியாக்கியானம் பண்ண பிரசங்கம் செய்ய
விரும்புகிரேன்,ariyasāvaka (புனிதமான சீடர்)ஆக ஆட்கொண்டு,ஒருவேளை அவர்
தானே விரும்பி உறுதியாக்கிக் கொண்டால்:
‘ஆக எனக்கு, இன்னும் மேலும்
niraya (நரகம்) இல்லை,இன்னும் மேலும் tiracchāna-yoni ( மிருகம
சாம்ராஜ்யம்) இல்லை,இன்னும் மேலும் pettivisaya (ஆவிகள் சாம்ராஜ்யம்)
இல்லை,இன்னும் மேலும் பாக்கியவீனம்,துரதிருஷ்டம்,துக்கம், நிலை இல்லை, நான்
sotāpanna (புனல் பிரவேசி), இயற்கையாக துக்க நிலையில் இருந்து
விடுவிக்கப்பட்டவன்,sambodhi (முழுக்க தூக்கத்திலிருந்து விழிப்பு) ஆக சேர
இருத்தல் உறுதி தானே?

Idh’ānanda, ariyasāvako Buddhe aveccappasāda samannāgato hoti:

Here, Ānanda, an ariyasāvaka is endowed with Buddhe aveccappasāda:
இங்கு,ஆனந்தா,புனிதமான சீடர் Buddhe aveccappasāda (புத்தர் இடத்தில் தன்னம்பிக்கை)யாக குணிக்கப் படுகிரார்.

‘Itipi
so bhagavā arahaṃ sammāsambuddho vijjācaraṇasampanno sugato lokavidū
anuttaro purisadammasārathi satthā devamanussānaṃ buddho bhagavā’ ti.�
Dhamme aveccappasāda samannāgato hoti:
He is endowed with Dhamme aveccappasāda:
Dhamme aveccappasāda:(தம்மா இடத்தில் தன்னம்பிக்கை)யாக குணிக்கப் படுகிரார்.

‘Svākkhāto bhagavatā dhammo sandiṭṭhiko akāliko ehipassiko opaneyyiko paccattaṃ veditabbo viññūhī’ ti.�
Saṅghe aveccappasāda samannāgato hoti:
He is endowed with Saṅghe aveccappasāda:
Saṅghe aveccappasāda (சான்றோர் இடத்தில் தன்னம்பிக்கை)யாக குணிக்கப் படுகிரார்.

‘Suppaṭipanno
bhagavato sāvakasaṅgho, ujuppaṭipanno bhagavato sāvakasaṅgho,
ñāyappaṭipanno bhagavato sāvakasaṅgho, sāmīcippaṭipanno bhagavato
sāvakasaṅgho yadidaṃ cattāri purisayugāni aṭṭha purisapuggalā, esa
bhagavato sāvakasaṅgho āhuneyyo pāhuneyyo dakkhiṇeyyo añjalikaraṇīyo
anuttaraṃ puññakkhettaṃ lokassā’ ti.�
Ariya-kantehi sīlehi samannāgato hoti
He is endowed with a sīla which is agreeable to the ariyas,
புனிதமானவர்கள் ஏற்றுக்கொள்ளத்தக்க சீலராக குணிக்கப் படுகிரார்.

akhaṇḍehi acchiddehi asabalehi akammāsehi bhujissehi viññūpasatthehi aparāmaṭṭhehi samādhisaṃvattanikehi.�
Ayaṃ
kho so, Ānanda, dhammādāso dhamma-pariyāyo, yena samannāgato
ariyasāvako ākaṅkhamāno attanāva attānaṃ byā-kareyya: ‘khīṇa-nirayo-mhi
khīṇa-tiracchāna-yoni khīṇa-pettivisayo khīṇ’āpāya-duggati-vinipāto,
sotāpanno-hamasmi avinipāta-dhammo niyato sambodhi-parāyaṇo’ ti �
This,
Ānanda, is the discourse on the Dhamma which is called Dhammādāsa,
possessed of which the ariyasāvaka, if he so desires, can declare of
himself: ‘For me, there is no more niraya, no more tiracchāna-yoni, no
more pettivisaya, no more state of unhappiness, of misfortune, of
misery, I am a sotāpanna, by nature free from states of misery, certain
of being destined to sambodhi. �
இது, Ānanda (ஆனந்தா),தம்மா மீது ஆன
அந்த பிரசங்கம் Dhammādāsa (தம்மாவின் உருப்பளிங்கு) என கருதப்படும்
தம்மாவை வியாக்கியானம் பண்ண பிரசங்கம் செய்ய விரும்புகிரேன்,ariyasāvaka
(புனிதமான சீடர்)ஆக ஆட்கொண்டு,ஒருவேளை அவர் தானே விரும்பி உறுதியாக்கிக்
கொண்டால்:�’ஆக எனக்கு, இன்னும் மேலும் niraya (நரகம்) இல்லை,இன்னும் மேலும்
tiracchāna-yoni ( மிருகம சாம்ராஜ்யம்) இல்லை,இன்னும் மேலும் pettivisaya
(ஆவிகள் சாம்ராஜ்யம்) இல்லை,இன்னும் மேலும்
பாக்கியவீனம்,துரதிருஷ்டம்,துக்கம், நிலை இல்லை, நான் sotāpanna (புனல்
பிரவேசி), இயற்கையாக துக்க நிலையில் இருந்து விடுவிக்கப்பட்டவன்,sambodhi
(முழுக்க தூக்கத்திலிருந்து விழிப்பு) ஆக சேர இருத்தல் உறுதி.

… �
… �
Sato, bhikkhave, bhikkhu vihareyya sampajāno. Ayaṃ vo amhākaṃ anusāsanī. �
Sato should you remain, bhikkhus, and sampajānos. This is our intruction to you.
�Sato(கவனமான)
நீர் இருக்க வேண்டும்,bhikkhus (பிக்குக்கள்),மேலும் sampajānos(மாறா
இயல்பு அநித்தியத்தை பகுத்தறிதல்).இது தான் உமக்கு
எங்களுடைய போதனை.

Katha’ñca, bhikkhave, bhikkhu sato hoti? Idha, bhikkhave, bhikkhu
And how, bhikkhus, is a bhikkhu sato? Here, bhikkhus, a bhikkhu
மற்றும் எப்படி,பிக்கு, பிக்குக்கள் sato (கவனமான) இருக்கிரார்? இங்கு,பிக்குக்கள், ஒரு பிக்கு

kāye
kāyānupassī viharati ātāpī sampajāno satimā, vineyya loke
abhijjhā-domanassaṃ; vedanāsu vedanānupassī viharati ātāpī sampajāno
satimā, vineyya loke abhijjhā-domanassaṃ; citte cittānupassī viharati
ātāpī sampajāno satimā, vineyya loke abhijjhā-domanassaṃ; dhammesu
dhammānupassī viharati ātāpī sampajāno satimā, vineyya loke
abhijjhā-domanassaṃ.

Evaṃ kho, bhikkhave, bhikkhu sato hoti. Katha’ñca, bhikkhave, bhikkhu sampajāno hoti? Idha, bhikkhave,
Thus, bhikkhus, is a bhikkhu sato. And how, bhikkhus, is a bhikkhu sampajāno? Here, bhikkhus,

இப்படி,பிக்குக்கள்,பிக்கு
sato (கவனமான) இருக்கிரார்.மற்றும் எப்படி,பிக்குக்கள், பிக்கு
sampajānos(மாறா இயல்பு அநித்தியத்தை பகுத்தறிதல்)ஆகிரார்?
இங்கு,பிக்குக்கள்,

bhikkhu abhikkante paṭikkante sampajānakārī
hoti, ālokite vilokite sampajānakārī hoti, samiñjite pasārite
sampajānakārī hoti, saṅghāṭipattacīvaradhāraṇe sampajānakārī hoti, asite
pīte khāyite sāyite sampajānakārī hoti, uccārapassāvakamme
sampajānakārī hoti, gate ṭhite nisinne sutte jāgarite bhāsite tuṇhībhāve
sampajānakārī hoti.

Evaṃ kho, bhikkhave, bhikkhu sampajāno hoti. Sato, bhikkhave, bhikkhu vihareyya sampajāno. Ayaṃ vo amhākaṃ anusāsanī ti. �
Thus, bhikkhus, is a bhikkhu sampajāno. Sato should you remain, bhikkhus, and sampajānos. This is our intruction to you.
இப்படி,பிக்குக்கள்,பிக்கு
sampajānos(மாறா இயல்பு அநித்தியத்தை பகுத்தறிதல்)ஆகிரார்,Sato(கவனமான)
நீர் இருக்க வேண்டும்,பிக்குக்கள்,மற்றும்sampajānos(மாறா இயல்பு
அநித்தியத்தை பகுத்தறிதல்),இது தான் உமக்கு
எங்களுடைய போதனை.

… �


Sabbaphāliphullā kho, Ānanda, yamakasālā akālapupphehi. Te tathāgatassa
sarīraṃ okiranti ajjhokiranti abhippakiranti tathāgatassa pūjāya.
Dibbānipi mandāravapupphāni antalikkhā papatanti, tāni tathāgatassa
sarīraṃ okiranti ajjhokiranti abhippakiranti tathāgatassa pūjāya.
Dibbānipi candanacuṇṇāni antalikkhā papatanti, tāni tathāgatassa sarīraṃ
okiranti ajjhokiranti abhippakiranti tathāgatassa pūjāya. Dibbānipi
tūriyāni antalikkhe vajjanti tathāgatassa pūjāya. Dibbānipi saṅgītāni
antalikkhe vattanti tathāgatassa pūjāya. �
– Ananda, the twin sala
trees are in full bloom, though it is not the season of flowering. And
the blossoms rain upon the body of the Tathagata and drop and scatter
and are strewn upon it in worship of the Tathagata. And celestial coral
flowers and heavenly sandalwood powder from the sky rain down upon the
body of the Tathagata, and drop and scatter and are strewn upon it in
worship of the Tathagata. And the sound of heavenly voices and heavenly
instruments makes music in the air out of reverence for the Tathagata.
-ஆனந்தா,பூவா
பருவகாலமாக இருந்த போதிலும், இரட்டை sala (சாலா) மரங்கள் முழு மலர்ச்சி
அடைந்து இருக்கிறது. மற்றும் Tathagata (குறைபாடற்றவரை) வழிபாடு செய்தல்
போல் Tathagata(குறைபாடற்றவர்) உடல் மேலே பூமழை பொழிந்து, துளி சிதற,
இரத்தினப்பிரபையாகியது. மற்றும் தேவலோக பவழமலர்கள் மற்றும் சுவர்க்கத்தைச்
சேர்ந்த சந்தன மரத் தூள் வானத்தில் இருந்து மழை கீழ் நோக்கி Tathagata
(குறைபாடற்றவர்) உடல் மேலே பொழிந்து, மற்றும் Tathagata (குறைபாடற்றவரை)
வழிபாடு செய்தல் போல் Tathagata(குறைபாடற்றவர்) உடல் மேலே பூமழை பொழிந்தது.
மற்றும் Tathagata(குறைபாடற்றவர்) போற்றுதலைக் காட்டுஞ் சமிக்கையால்
சுவர்க்கத்தைச் சேர்ந்த குரல் ஒலி மற்றும் இசைகருவிகள் காற்றுவெளியில்
வெளிப்படுத்தியது.

Na kho, Ānanda, ettāvatā Tathāgato sakkato vā
hoti garukato vā mānito vā pūjito vā apacito vā. Yo kho, Ānanda, bhikkhu
vā bhikkhunī vā upāsako vā upāsikā vā dhammānudhammappaṭipanno viharati
sāmīcippaṭipanno anudhammacārī, so Tathāgataṃ sakkaroti garuṃ karoti
māneti pūjeti apaciyati, paramāya pūjāya. Tasmātih’ānanda,
dhammānudhammappaṭipannā viharissāma sāmīcippaṭipannā
anudhammacārin’oti. Evañ’hi vo, Ānanda, sikkhitabba nti. �
It is not
by this, Ānanda, that the Tathāgata is respected, venerated, esteemed,
paid homage and honored. But, Ananda, any bhikkhu or bhikkhuni, layman
or laywoman, remaining dhamm’ānudhamma’p’paṭipanna, sāmīci’p’paṭipanna,
living in accordance with the Dhamma, that one respects, venerates,
esteems, pays homage, and honors the Tathāgata with the most excellent
homage. Therefore, Ānanda, you should train yourselves thus: ‘We will
remain dhamm’ānudhamma’p’paṭipanna, sāmīci’p’paṭipanna, living in
accordance with the Dhamma’.
இதனால் மட்டும் அல்ல, ஆனந்தா,Tathagata
(குறைபாடற்றவரை) உபசரித்தது, மரியாதை செலுத்தியது, நன்குமதிக்கப் பட்டது,
மனந்திறந்த புகழுரைத்தது, கெளரவம் செலுத்தியது. ஆனால், ஆனந்தா, எந்த ஒரு
பிக்குவோ அல்லது பிக்குனியோ, உபாசகன் அல்லது
உபாசகி,dhamm’ānudhamma’p’paṭipanna, sāmīci’p’paṭipanna, தம்மாவிற்கு
பொருந்துமாறு பயிற்சிக்கிராரோ அவர் Tathagata (குறைபாடற்றவரை) உபசரித்தது,
மரியாதை செலுத்தி, நன்குமதித்து, மனந்திறந்த புகழுரைத்தது, கெளரவம்
செலுத்தி. மிக உயர்ந்த அளவு நேர்த்திவாய்ந்த மனந்திறந்த புகழுரையாற்றுவர்.
இதுக்காக, ஆனந்தா, நீங்கள், நீங்களாகவே பயிற்சித்தல் இதுதான்: நாங்கள்
dhamm’ānudhamma’p’paṭipanna, sāmīci’p’paṭipanna, தம்மாவிற்கு
பொருந்துமாறு வாழ்க்கை முறையில் தொடர்ந்திருப்போம்.
… �
… �

‘Siyā kho pan’ānanda, tumhākaṃ evam’assa: ‘atīta-satthukaṃ pāvacanaṃ,
natthi no satthā’ ti. Na kho pan’etaṃ, Ānanda, evaṃ daṭṭhabbaṃ. Yo vo,
Ānanda, mayā Dhammo ca Vinayo ca desito paññatto, so vo mam’accayena
satthā. �
– ‘To some of you, Ānanda, it may occur thus: ‘The words of
the Teacher have ended, there is no longer a Teacher’. But this,
Ānanda, should not, be so considered. That, Ānanda, which I have taught
and made known to you as the Dhamma and the Vinaya, that will be your
Teacher after my passing away. �
உங்கள் சிலர்ருக்கு, ஆனந்தா,இவ்வாறு நேரிடக் கூடும்:
கற்பிப்பவர் வார்த்தைகள் தீர்ந்து விட்டது, இனி கற்பிப்பவர் இல்லை. ஆனால் இது,
ஆனந்தா, அவ்வாறு ஆலோசனை பண்ணப்படாது. அது, ஆனந்தா,எவை நான் பாடம் படிப்பிது
மற்றும் உங்களை அறிந்திருக்க செய்துமுடித்த Dhamma and Vinaya (தம்மாவும்
வினயாவும்) அது என்னுடைய இறப்புக்கு அப்பால் உங்களுடைய கற்பிப்பவராக
இருக்கும்.


Venerable Kiribathgoda Gnanananda Thero
youtube.com


Summary of the Problem with Electronic Voting
https://drive.google.com/file/d/0B3FeaMu_1EQyZWVzSnVBcVY4a28/view


Page
1
/
2


Page 1 of 2


Summary of the Problem with Electronic Voting


The 2000 presidential election and the consequential actions of Congress and the states are dramatically


changing the American election process. The Help America Vote Act (HAVA) passed by Congress in 2002


mandates reform of the election processes of all states. HAVA provides funding to replace obsolete voting


technologies such as punch cards and lever machines with more modern
technologies such as precinct- based optical scanners and direct
recording electronic (DRE) voting machines.


While HAVA includes a requirement that all voting systems must provide a manual audit capacity, its


definition of that requirement is ambiguous, and there are conflicting interpretations of its meaning.


Many elections officials have concluded that HAVA does not require a paper record of each ballot, verified by


the voter at the time the ballot is cast. As a result, over 100,000 paperless DRE voting machines have


already been deployed which lack the ability to produce a voter-verified paper ballot.


We are gravely concerned about the extensive reliance of voting machines that record and tally votes


exclusively through electronic means and provide no paper ballot that can be verified by the voter. We have


three major objections to entrusting our elections to these machines:


• Software errors are unavoidable


• Without a voter-verified paper ballot it is impossible to perform meaningful recounts


• The opportunities for fraud exist on a greater scale than ever before


Software Errors


No one knows how to write bug-free software. This fact is not in dispute. The more complex the software,


the more difficult it is to find and fix bugs. Election software is very complex because of the wide variety of


ballot types used across the nation, and it will contain errors, regardless of the skill and dedication of the


engineers who design it and the programmers who code it.


Computer glitches are not uncommon. All of us who use computers know this. Undoubtedly, software errors


will cause problems in future elections, just as they have in past elections. Here are three of the many


examples of computer errors reported in newspapers in recent elections:


• Cateret County, North Carolina, November 2004: software problems caused 4,438 electronic


ballots to be lost and never recovered. The vendor acknowledged responsibility for the loss.


• Fairfax County, Virginia, November 2003: testing ordered by a judge revealed the several


voting machines subtracted one in every hundred votes for the candidate who lost her seat on the


school board.


• Broward County, Florida, January 2004: 134 electronic ballots were blank in a one-race


election held on DRE voting machines in which the margin of victory was 12 votes. Florida law


required a manual recount of the ballots, but that recount was impossible because there were no


physical ballots to recount.


These and many other reports of computer problems present us with an obvious question: how many election


results were compromised by unnoticed computer errors and malfunctions? Of course, we have no way of


knowing. These reported cases were detected, but it is only reasonable to assume that were other


undetected errors, and we will never know how many.


Impossibility of Meaningful Recounts


Trusting our votes to a wholly electronic process of recording and storage leaves us completely without


recourse if that electronic process fails - and history shows that the process fails all too frequently. DRE


voting machines do allow voters to inspect and correct their choices on the touch screen’s final summary


display prior to casting their vote. But, DREs do not provide voters any method for inspecting how their vote


is stored inside the DRE’s electronic memory. Thus, the electronic ballot records stored in those memory


circuits are completely invisible to and unverified by the voter; they are also alterable. Yet it is the contents


of that invisible, impermanent, and unverified computer memory that are used to total up the votes.


Page 1 of 2
Page 2 of 2


Without voter-verified paper records that accurately reflect the voters’ choices, it is simply impossible to


perform a meaningful recount. While most DRE voting machines can print a paper record of the votes cast,


this report is not generated until after the polls have closed, and is nothing more than a printout of the


electronic records. If the electronic record is inaccurate, then the printed report will also be inaccurate.


Such a printout is not voter-verified and does not provide an audit trail appropriate for a meaningful


recount.


Consider this scenario, not unlike events that have occurred in past elections: A voter marks the


appropriate locations on the voting machine’s touch screen, reviews the choices, and gives the command to


cast the ballot. Due to a software problem or malfunction, the computer records the ballot incorrectly, or


not at all. The voter leaves the booth, and at the end of the day, the poll worker prints out the ballot images.


The voter’s votes are incorrectly tallied and the printed ballot image is incorrect, but this error goes


undetected because the voter is not there to view the printed version. But because the printed version of


the ballot images all match the electronic records (as they must, since one is simply a copy of the other),


elections officials proudly report that they have successfully conducted yet another flawless election.


Opportunities for Grand-Scale Fraud


Election fraud is not unknown in previous American elections, and it is not unexpected in future elections.


However, the opportunities for fraud provided by electronic voting machines surpass all the opportunities


available previously. For example, a corrupt insider, working for one of the vendors of widely-used voting


machines, could hide malicious code in the software. That vendor could then unwittingly distribute that


malicious code to thousands of machines across the nation and alter the election results in every state


where those machines are used. Existing testing and certification procedures for DREs are voluntary and


currently insufficient to guarantee that this type of tampering will be detected. Elections officials are


usually not computer security experts and most do not fully appreciate the security vulnerabilities of DRE


voting machines.


Concerns about fraud are not simply speculation. A 2003 study by Johns Hopkins and Rice University


computer experts revealed hundreds of security flaws in the software of a leading manufacturer. Two


separate studies commissioned by Maryland (the SAIC and RABA reports) confirmed many of those findings


and identified additional vulnerabilities. An Ohio study of the four major voting machines has shown them


all to have serious security vulnerabilities. That study prompted the Ohio Secretary of State to delay the


installation of DRE voting machines in that state until after the 2004 election.


A Reasonable Solution


How each voter votes is a private matter. But how those votes are counted is everyone’s business. When


voters cast their ballots, they must be able to verify that their choices have been accurately and


permanently recorded on that ballot. They must also be ensured that their ballots cannot be altered or


deleted after they have verified them, and that their voter-verified paper ballots are available for a


meaningful recount, including manual recounts where required by law.


There are now several vendors of voting machines that provide both accessibility to voters with disabilities


and a voter-verified paper ballot. In addition, a major vendor of DRE voting machines is now supplying


printers that can be retrofit onto its previously-paperless systems; those retrofit printers were used


successfully to produce voter-verified paper ballots on the DRE voting machines used in the September


2004 primary elections in Nevada.


Accordingly, a reasonable solution to the problem with electronic voting is to pass legislation requiring all


DRE voting machines to provide a voter-verified paper ballot that is saved in a ballot box for use in recounts


and audits. Since HAVA mandates that all voting systems must (by 2006) provide equivalent accessibility


to voters with disabilities, any such voter-verified paper ballot system must also be accessible by that date.


In the last session (the 108th), several bills were introduced in the U.S. Congress that would establish such


a voter-verified paper ballot requirement for all voting systems. While these bills differed in the details of


their implementation and in their effective dates, all would have established a voter-verified paper ballot


requirement by 2006. As of October 2004, the combined cosponsorship for these bills included members of


both parties and totaled 192 members of the House and 20 members of the Senate. Of all of the VVPB bills


that were introduced into the Senate, only the Ensign amendment, S. 2437, attracted bipartisan support.


For additional information, please visit http://www.verifiedvoting.org


Page 2 of 2


revised_summary31.pdf


http://bestanimations.com/Holidays/Thankyou-01-june.gif

comments (0)
12/27/16
Privacy Issues in an Electronic Voting Machine https://drive.google.com/file/d/0B3FeaMu_1EQyUkxuWWJscVZFbjg/view
Filed under: General
Posted by: site admin @ 11:18 pm

Privacy Issues in an Electronic Voting Machine
https://drive.google.com/file/d/0B3FeaMu_1EQyUkxuWWJscVZFbjg/view

Page
1
/
2

Page 1 of 2

Privacy Issues in an Electronic Voting Machine

Arthur M. Keller

UC Santa Cruz, Baskin

School of Engineering

Santa Cruz, CA 95066

+1(831)459-1485

ark@soe.ucsc.edu

David Mertz

Gnosis Software, Inc.

99 2nd Street

Turners Falls, MA 01376

+1(413)863-4552

mertz@gnosis.cx

Joseph Lorenzo Hall

UC Berkeley, SIMS

102 South Hall

Berkeley, CA 94720

+1(510)642-1464

joehall@berkeley.edu

Arnold Urken

Stevens Inst. of Technology,

Political Science

Hoboken, NJ 07030

+1(201) 216-5394

aurken@stevens.edu

ABSTRACT

In this paper, we describe the Open Voting Consortium’s voting

system and discuss the privacy issues inherent in this system. By

extension, many of the privacy issues in this paper also apply to

other electronic voting machines, such as DREs (Direct

Recording Electronic voting machines). The privacy issues

illustrate why careful and thorough design is required to ensure

voter privacy and ballot secrecy.

Categories and Subject Descriptors: K.4.1 [Computers and

Society]: Public Policy Issues — privacy.

General Terms: Design, Human Factors, Legal Aspects.

Keywords: Electronic voting, open source, privacy design.

1. INTRODUCTION

The requirements for secrecy in elections depend upon the

values and goals of the political culture where voting takes place.

Gradations of partial and complete privacy can be found in

different cultural settings. Most modern polities institutionalize

the ideal of complete privacy by relying on anonymous balloting.

The use of secret balloting in elections — where a ballot’s

contents are disconnected from the identity of the voter — can be

traced back to the earliest use of ballots themselves in 6th Century

B.C.E. Athens, Greece. The public policy rationales for instituting

anonymous balloting typically aim to minimize bribery and

intimidation of the voter [1]. Secret ballots, although not always

required, have been in use in America since colonial times.

Today, almost one hundred years after most states in the U.S.

passed laws to require anonymous balloting, a strong sense of

voter privacy has emerged as a third rationale.

These cultural values and practices contribute to the sets of

user requirements that define the expectations of voters in

computer-mediated elections and determine alternative sets of

specifications that can be considered in developing open source

software systems for elections [7]. The Open Voting Consortium

(OVC) has developed a model election system that aims as one of

its goals to meet these requirements. This paper describes how the

OVC model ensures ballot privacy.

The OVC has developed the model for an electronic voting

system largely in response to the reliability, usability, security,

trustworthiness, and accessibility concerns of other voting

systems. Privacy was kept in mind throughout the process of

designing this system. Section 2 of this paper discusses the

requirements for a secret ballot in more detail and how secrecy

could be compromised in some systems. Section 3 describes how

the OVC handles the privacy concerns. While this paper focuses

mostly on privacy issues for US-based elections, and how they are

addressed in the OVC system, many of the issues raised are

applicable elsewhere.

2. SECRET BALLOT REQUIREMENTS

The public policy goals of secret balloting — to protect the

privacy of the elector and minimize undue intimidation and

influence — are supported by federal election laws and

regulations. The Help America Vote Act of 2002 [5] codifies this

as “anonymity” and “independence” of all voters, “privacy” and

“confidentiality” of ballots and requires that the Federal Election

Commission create standards that “[preserve] the privacy of the

voter and the confidentiality of the ballot.”

The Federal Election Commission (FEC) has issued a set of

Voting System Standards (VSS) [4] that serve as a model of

functional requirements that elections systems must meet before

they can be certified for use in an election. The FEC VSS state

explicitly:

“To facilitate casting a ballot, all systems shall: […] Protect the

secrecy of the vote such that the system cannot reveal any

information about how a particular voter voted, except as

otherwise required by individual State law;” ([4] at § 2.4.3.1(b).)

This high level requirement of not exposing any information

about how an individual voted is required of all voting systems

before certification.

It is not sufficient for electronic voting systems to merely

anonymize the voting process from the perspective of the voting

machine. Each time a ballot is cast, the voting system adds an

entry to one or more software or firmware logs with a timestamp

and an indication that a ballot was cast. If the timestamp log is

combined with the contents of the ballot, this information

becomes much more sensitive. For example, it can be combined

with information about the order of votes cast collected at the

polling place with surveillance equipment — from cell phone

cameras to security cameras common at public schools — to

compromise the confidentiality of the ballot. As described below,

system information collected by the voting system should be kept

separated from the content of cast ballots and only used in

conjunction by authorized, informed elections officials.

Rebecca Mercuri proposed that Direct Recording Electronic

(DRE) voting machines have a paper audit trail maintained under

glass, so the voter does not have the opportunity to touch it or

change it. [6] Some vendors are proposing that paper from a spool

be shown to the voter, and a cutter releases the paper audit trail

piece to drop into a box for safekeeping. [2] A challenge is to

make sure that all of the paper audit trail is readable by the voter,

doesn’t curl away out of view, and yet the paper audit trails from

previous voters is obscured from view. However, the paper audit

trail can fall in a more-or-less chronologically ordered pile. The

Permission to make digital or hard copies of all or part of this work for

personal or classroom use is granted without fee provided that copies are

not made or distributed for profit or commercial advantage and that

copies bear this notice and the full citation on the first page. To copy

otherwise, or republish, to post on servers or to redistribute to lists,

requires prior specific permission and/or a fee.

WPES’04, October 28, 2004, Washington, DC, USA.

Copyright 2004 ACM 1-58113-968-3/04/0010…$5.00.

Page 1 of 2
Page 2 of 2

problem of reconciling the paper audit trail with the electronic

ballot image is difficult to do in an automated manner if the paper

audit trail cannot be sheetfed. Another approach is to keep the

paper audit trail on a continuous spool. [7] While this approach

has the potential to be more easily scanned in an automated

fashion for recounts, privacy is compromised by maintaining the

chronological order.

In the longer version of this paper, we discuss in more detail these

issues. We discuss that problem that the voter’s secret identity

must be disclosed to poll workers and yet not be discernable from

the ballot. Covert channels can be used to transfer identity of the

voter to the ballot. A critical example is when the machine that

prepares for the voter an authorizing token also contains the voter

registration data, which might be passed to the electronic voting

machine through that authorizing token.

3. SECURITY, PRIVACY, RELIABILITY

In the full version of this paper, we discuss a variety of issues and

their solutions in security, privacy, and reliability for the voting

system designed by the Open Voting Consortium and described

more fully there.

Some of these issues are the following.

The Advantage of Free and Open Source Software. When

the system is a black box, where the source code is maintained as

a trade secret, we must trust the official testers. A frequent

criticism of free and open source software is that, while the code

is available for inspection, no coordinated inspection is actually

conducted. [3] The absence of Non-Disclosure Agreements and

restrictive intellectual property agreements encourages the large

body of open source developers to inspect the code.

Randomization of Ballot-IDs. Under the OVC design

ballots carry ballot-IDs to enable auditing of official paper ballots

against unofficial electronic ballot images. Ballot IDs are easily

remembered and can be a vehicle for disclosing the vote.

Privacy Issues with Barcodes. The Open Voting

Consortium system design uses a barcode to automate the

scanning and tallying of paper ballots. Such barcodes raise several

possibilities for introducing covert channels.

Privacy in the Voting Token. The token given to the voter

to enable her to use the electronic voting machine might contain

information that could compromise anonymity. Analysis of the

software and the poll worker interface for encoding the voter

token can show the type of information that can be encoded.

Information Hidden in Electronic Ballot Images and

Their Files. The electronic ballot images (EBIs) are stored on the

electronic voting machine where the ballot was created. Storing

the EBIs in a database management system can record sequence

information that can be used to identify voters. Flat files can

include the date/time in the file directory, a potential privacy risk.

Reading Impaired Interface. It is important that the ballot

not record that the voter used the reading impaired interface. Nor

should the electronic voting machine maintain such information in

a way that identifies specific ballots. If a separate reading

impaired voting station is used, the ballot-ID should be generated

in a manner that does not identify the voting station used.

Printed Ballot. The secrecy of the voter’s selections is at

risk while the voter carries the paper ballot around the polling

place. We use a privacy folder — an ordinary manila folder

trimmed along the long edge so that the barcode sticks out.

Ballot Validation Station. The ballot validation station

allows visually impaired voters, or anyone, to hear through

headphones and therefore validate their paper ballots. Ballot-IDs

should not be persistently stored by the ballot validation station.

Languages. Steve Chessin identified a problem with ballots

for non-English speakers when printed in the voter’s own

language. This approach makes bilingual ballots easy to identify,

and that can compromise ballot anonymity if only a small number

of voters in a given precinct choose a particular language.

Public Vote Tallying. It is important that the ballots be

shuffled before publicly visible scanning occurs. The ballots will

naturally be ordered based on the time they were placed in the

ballot box. The sequence of voting is a potential privacy risk.

Results by Precinct. Care must be taken to ensure that

results posted by precinct do not compromise privacy and yet can

be reconciled against county totals.

Privacy in the Face of Voter Collusion. Complex cast

ballots, taken as a whole, contain potential covert channels.

4. CONCLUSION

We have discussed the privacy issues inherent the Open Voting

Consortium’s voting system that includes a PC-based open-source

voting machine with a voter-verifiable accessible paper ballot. By

extension, many of the privacy issues in this paper also apply to

other electronic voting machines, such as DREs (Direct

Recording Electronic voting machines). The privacy issues

illustrate why careful and thorough design is required for voter

privacy. Imagine how much work is required to ensure that such

systems are secure and reliable.

Further information about the Open Voting Consortium can be

found at http://www.openvotingconsortium.org. This paper is an

extended abstract; a longer version may be found at

http://www-db.stanford.edu/pub/keller.

5. ACKNOWLEDGMENTS

We acknowledge the work of the volunteers of the Open Voting

Consortium who contributed to the design and implementation we

describe. In particular, Alan Dechert developed much of the

design and Doug Jones provided significant insights into voting

issues. The demonstration software was largely developed by Jan

Kärrman, John-Paul Gignac, Anand Pillai, Eron Lloyd, David

Mertz, Laird Popkin, and Fred McLain. Karl Auerbach wrote an

FAQ on which the OVC system description is based. Amy Pearl

also contributed to the system description. Kurt Hyde and David

Jefferson gave valuable feedback. David Dill referred some of the

volunteers.

6. REFERENCES

[1] Albright, S. The American Ballot. American Council on Public Affairs,

Washington, D.C., 1942.

[2] Avante VOTE-TRAKKERTM EVC308-SPR,

http://www.aitechnology.com/votetrakker2/evc308spr.html.

[3] Cohen, F. Is Open Source More or Less Secure? Managing Network

Security, 2002, 7 (Jul. 2002), 17–19.

[4] Federal Election Commission. Voting System Standards. Vols. 1 & 2

(2002), http://www.fec.gov/pages/vssfinal/

[5] Help America Vote Act, 42 U.S.C.A. §§ 15301 – 15545.

[6] Mercuri, R. A Better Ballot Box? IEEE Spectrum Online, October 2,

2002, http://www.spectrum.ieee.org/WEBONLY/

publicfeature/oct02/evot.html

[7] Sequoia Voting Systems, “Sequoia Voting Systems Announces Plan to

Market Optional Voter Verifiable Paper Record Printers for Touch

Screens in 2004,” http://www.sequoiavote.com/article.php?id=54

[8] Urken, A. B. Voting in a Computer-Networked Environment. In The

Information Web: Ethical and Social Implications of Computer

Networking, Carol Gould (ed.), Westview Press, Boulder, CO, 1989.

Page 2 of 2

privacy-electronic-voting-WPES-2004.pdf

comments (0)
The Yoga Suttas of Patanjali: a manual of Buddhist meditation
Filed under: General
Posted by: site admin @ 11:01 pm

Dhammarakkhita

The Yoga Suttas of Patanjali: a manual of Buddhist meditation

Translation
and free adaptation of the article published on the blog “Theravadin -
Theravada Practice Blog” (http://theravadin.wordpress.com/).

We consider here the Yoga Sutras of Patanjali, a classical text and revered in Hinduism, dated at approx. 200 BC and compared its semantics and vocabulary to Buddhist canonical texts. In
summary, this comparison is quite obvious that the author of Yoga Sutra
was highly influenced by Buddhist philosophy and meditation practice,
possibly contemporaneously to the author.

Moreover,
it appears that a student of Buddhist canonical texts may in fact be
more easily understood than the Yoga Sutra a Hindu practitioner with no
other previous reference parameter practical and philosophical.
 We
do not consider comments here later Hindu / Brahman existing this text,
some of which seem to avoid (or ignore) the original references to
Buddhism in this text.

The
proximity of the Yoga Sutra-style, vocabulary, and subject to canonical
texts in Pali could also mean simply that Patanjali - or whoever it is
that inspired his writings - had practiced meditation from a Buddhist
contemplative community, a community of monks for a time before
returning to Brahmanism and then the movement would have rephrased his
experience in order to add a divine touch to your experience, making
substantial use of technical terms of Buddhist meditation, as originally
framed or developed by the Buddha for the purpose of contemplative
practice.
 But this would be pure speculation, because there is so far no studies or historical finding that supports this understanding.

It
is also possible, even likely, that the Buddhist meditation had so
broadly permeated the practice Hindu / Brahman at the time (after years
of a strong cultural influence began with Buddhist proselytism promoted
by Ashoka the Buddhist Sangha in his reign and Consolidation of India),
that these technical terms as well as descriptions of practice of jhana /
dhyana (meditative absorptions) have it built into common knowledge at
the point of no longer sounding particularly Buddhists.
 Something
similar to what happens today with the adoption of the ideas of
“nirvana” and “karma” in Western culture, in Christian countries.

In
particular, if the Yoga Sutra is read in one continuous line is amazing
how close the text is the thoughts and topics about samadhi, jhana
meditation and Samatha (concentration) as defined in the ancient texts
in Pali Buddhist.

For a first analysis, an overview. Look
at the “Ashtanga Yoga” or the “Eightfold Path of Yoga” (sic) we are
certainly inclined to think the definition of the central Buddha of the
Noble Eightfold Path.

But
instead of following the Buddhist literary definition of the Noble
Eightfold Path, the interpretation of the eightfold path of yoga follows
(to our surprise?) Another description of the Buddhist path: the one
given by the Buddha as he described how he taught his disciples to
practice in your system meditative, which consists of a number of steps
outlined in various suttas of the volume of speeches with Mean Length
(as in Ariyapariyesana Sutta, MN 26, etc.) and remind us much of the way
“yogic” (pragmatic?), as devised by Patanjali at Yoga Sutra.

Then compare these two “paths to reach the samadhi.”

First what is in the Yoga Sutra of Patanjali:

1.                  Yama, on the field conduct, morality or virtue

2.                 Niyama, self-purification and study

3.                 Asana, proper posture

4.                 Pranayama, breath control

5.                 Pratyahara, the removal of the five senses

6.                 Dharana, concentration or apprehension of the object meditative

7.                  Samadhi, meditative absorption

And down the list of steps recommended by the Buddha when asked about the gradual development through his teachings. This list is found in many suttas of the volumes of speeches and Mean Length Long, as in other parts of the Canon:

1.                  Sila, moral conduct or virtue, and Santosa, contentment

2.                 Samvara, containment or removal of the senses

3.                 Kayagata-sati and Iriyapatha, or “Asana” means the cultivation of mindfulness and four correct postures.

4.                 Anapanasati, mindfulness of breathing

5.                 Overcoming Obstacles or five nivarana (sensual desire, ill will, anxiety and remorse, sleep and torpor, doubt, skeptical)

6.                 Sati, mindfulness, keep the object in mind, often quoted along with the comments dharana canonical.

7.                  Jhana, levels of meditative absorption

8.                 Samadhi, a result of absorption, the “realization” of various kinds or Samāpatti

Of course we’re not the first to notice similarities such as the list above. A handful of other authors have noted some more and others less obvious parallels. In fact, even Wikipedia has an entry for Yoga Sutra in which we read:

“Karel Werner writes that” the system of Patanjali is unthinkable without Buddhism. As
far as terminology goes aa long in the Yoga Sutra that reminds us of
formulations of the Buddhist Pali Canon and even more Abhidharma
Sarvastivada Sautrantika and school. “Robert Thurman writes that
Patanjali was influenced by the success of the Buddhist monastic system
to formulate its own matrix for the version of thought he considered
orthodox (…) The division between Eight States (Sanskrit Ashtanga)
Yoga is reminiscent of the Noble Eightfold Path of Buddha, and the
inclusion of brahmavihara (Yoga Sutra 1:33) also shows the influence of
Buddhism in parts of the Sutras. “

Now
this is where the subject becomes interesting for us here on this blog
and its relevance to the practice of Buddhist meditation.

Does
all the above tells us that the Yoga Sutra is a comment Hindu / Brahmin
or at least a photograph of meditation practices common (influenced by
Buddhism) in the second century BC?

If this is the case, definitely warrants a closer look at. Certainly,
this is because the text is not a Buddhist but shares a “core” of
fundamental ideas on meditation to be able to take it as a sign pointing
to a deeper understanding of some of the terminology in the context of
the first centuries of Buddhist practice.

Thus,
if the Yoga Sutra is read in a Buddhist context, one can have some idea
of how people understood at that time and (ou!) practiced Buddhist
meditation?
 Could this be of some help in triangular or point of which was the direction of former Buddhist meditation?

The
more we know how people practiced a few centuries after the Buddha’s
Parinibbana, the more we can understand how some of his teachings have
evolved and how they were implemented and explained / taught.

What
makes this fascinating idea is that this text would definitely be
filterable through the eyes of a Hindu / Brahman, but he is still
influenced by the “knowledge” of Buddhist meditation apparently so well
received, and the time of his writing had become the mainstream
“contemplative practices.
 This
would show us how and in what particular point, was considered to be
the “essence” of meditation (in addition to being philosophical
discussion of its purpose) in order to be considered universally true,
then that can be “merged” into other forms of practice religious.

Under this view, the Yoga Sutra is actually quite revealing. Consider a few passages that copies may shed light on this idea. Passages like the following really seems a direct copy and paste the Buddha-Dhamma. Some of them even make much sense in a context of religious doctrine theological-in-search-of-the-soul-creationist , but it fits absolutely in the philosophy of liberation through concentration and wisdom. However,
they were considered “truth” and “accepted” so that the author Hindu /
Brahman had no other choice but to incorporate them into their theistic
philosophy, reminding us Western Christians today that due to the common
acceptance of the idea karma / kamma, sometimes find ways to
incorporate this idea in their religious views.

Let’s start seeing the following list of impurities that Yoga Sutra tells us must be overcome:

“Avidya
(ignorance), Asmita (egoism), raga-Dvesha (desires and aversions),
Abhinivesha (clinging to mundane life) are the five klesha or distress.
 Destroy these afflictions [e] You will realize Samadhi. “

[Free translation of the original quote from Wikipedia]

What
impresses the reader as Buddhist before this paragraph is the simple
fact that all these impurities listed are those that no longer are you
supposed to Arahant one, or Awakened (!!!).
 That is, according to the text of Patanjali, the “Samadhi of Conduct” would be conceptually the same as the Buddhist Liberation.

Consider the terms used:

Avijja,
ignorance or mental turvidão is even mentioned in the first place,
while clearly a Buddhist point of view is considered the root of all
problems.

Then
“asmita”, which is superficially translated as “selfishness” by
understanding that had developed in shallow Sanskrit tradition that was
ignorant of the deeper meaning of that term as used in the suttas of the
Pali Canon (or tried to distort to suit your context religious).

This
term Buddhist in particular, pointing to the deeply embedded “notion
that it is” (ASMI-tā) has a clear explanation in the suttas, but here in
this passage and elsewhere, is reduced to a mere “selfishness” as a
moral impurity devoid of its original psychological application.
 In
the suttas “ASMI-Mana” is a deeply rooted psychological tendency that
only a Arahant (Iluminsfo) won [see post “The scent of am” blog
Theravadin].

And
there is also “abhinivesa”, a term the Buddha uses to explain how our
mind comes in and assumes the five groups of attachment.
 The
term “Nives” denotes a dwelling, a house - a simile brought by the
Buddha to show how our consciousness moves “inside” of the contact
experience of the senses and settles as if living in a house (see Sutta
Nipata, Atthakavagga , and Haliddakani Magandiya Sutta Sutta). This
usage is decreased very particular psychological context in Hindu /
Brahmin to denote only an “attachment to worldly life.”But here is worth
questioning whether this was also shared by superficial understanding
or just by Patanjali Yoga Sutra later commentators, who have lost sight
of these implications for not having knowledge of or access to the
preceding context of Buddhism in the Yoga Sutra was written?

And sometimes something awakening about the “sati” Buddhist can also be found. We
have another pearl of a Buddhist point of view, which can be considered
truly revealing: the use of the word “Dharana” in the text of
Patanjali.

This is one area in which our contemporary knowledge of Buddhism can benefit from insights. The
term “Dharana”, which literally means short and “I can hold, carry,
keep (in mind)” is a good description of the task faced in Buddhist
contemplative practice, regardless of what tradition / school
considered.

In meditation we also need to maintain our meditation object firmly in focus in mind, without losing it. This
central feature of the task undertaken when trying to cultivate
meditative concentration, relates as an equivalent to the literal
meaning of the Buddhist term “sati” (which means reminder / recall) and
what is general and now translated simply as “mindfulness” - a
translation that often aboard with questions.

And the reason is as follows, in summary: To maintain the object of meditation in mind you need to remember it. Remember here that means you have to hold, keep in mind, your object of concentration. This
is exactly what makes the faculty of memory, usually being pushed away
by the impressions with new information by the six senses, which, if
penetrated, would result in more or less a wild spin.

If
you are able to sustain their concentration on one point however - or
even as much as you can keep it, one of the laws of functioning of the
mind that the Buddha rediscovered and explained in detail that this
rebate is “artificial” senses the support and focus on a particular
mental object equivalent to a minor sensory stimulus.

As
a result of mental calmness and happiness (piti) and happiness index
(sukha) will arise and show signs of the primeirs a stronger
concentration - these being two of the five factors of meditative
absorption (jhana), along with (i) directed thought (vitakka) (ii)
sustained (Vicara) and (iii) equanimity (Upekkha).

This
is also the reason why is quite logical that samma sati, mindfulness,
has to come before samma samadhi, full concentration in the Noble
Eightfold Path of Buddhism - or, as shown in this case in the Yoga
Sutra, “Dharana” would be the stage immediately prior to “Delivering the
Samadhi.”

In
this case the Yoga Sutra throws much light on the original meaning as
understood in the early centuries of Buddhist practice and can help us
reach a more precise understanding of what “samma sati, right
mindfulness, originally meant or pointed.
 (In Theravadin blog post is a rather plain and that shows how sati yoniso manasikara are coming in practical terms, check this 
link ).

On
the opposite side, or better, understanding it as a byproduct of the
practice of sati is no other term that would best be described as
“mindfulness.”
 The Pali term is sampajaññā -
which literally means “next-consideration”, eg, be well aware of when
performing an action, then a “clear understanding” of what it does - but
this activity is a result of sati, as having the mind fixed on an
object leads to a refined consciousness that arises when during the next
and keep the mind of an object, creating a clear understanding of the
few sensory impressions that may enter. According to this concept, mindfulness would be a result of sati and not the practice of sati in itself!

But
again, both activities are happening almost simultaneously, even if not
in the same order and then the current use of the term translated can
be done - at the same time a fine distinction, however, has its
benefits.
 You can not
keep an object from the standpoint of mind without which would create or
develop mindfulness in mind - but (unfortunately!) you may be aware of
all your actions that you work without the right concentration - as when
eat an ice cream, in seeking the sensual pleasure, an example of
improper care. This being the fact that unfortunately idealize the interpretations of some Westerners who want to say “Buddhist”.

There
is a difference between deliberately let himself be led by sense
impressions by focusing on their physical pleasures and enhancing /
supporting raga (desire) and nandi (joy) - and, from the perspective of
Gotama Buddha, put his feet on the ground using the mindful memory and
thus experiencing a more refined awareness of trying to get it off the
shaft so that it results in a greater mindfulness, in the culmination of
his experience flows into total equanimity in the face of both
pleasurable and painful sensations.

Thus,
then, we must understand as vipassanā is no way a synonym for
mindfulness (sati) but something that springs from the combination of
all these factors especially the last two, samma sati (mindfulness) and
samma samadhi (right concentration) applied to the relentless
observation of what appears to be in front of (yathabhuta).

You
could say, vipassanā is a name for the Buddhist practice of sati
associated samadhi directed to the view anicca / anatta / dukkha (ie,
generating the wisdom of the vision of these three features) in the
processes of the six senses, including any mental activity.
 Thus, one will find the term vipassanā but the idea of sati in
the Yoga Sutra, Buddhist texts mention as the first term clearly having
samādhi as just the beginning of the journey to insight and access -
for example aniccanupassana .

Finish here the parenthesis. Suffice
to say that any particular reference to the Buddhist philosophy citing
anicca antta or point to the goal of Nibbana, a philosophical
proposition to which the system of Yoga certainly does not refer.

In essence the school of Yoga can be placed below the postures eternalists. So,
while it definitely does need to produce sati-samadhi, definitely does
not need to understand is samadhi anicca, dukkha and anatta - that does
not sound very compatible with the worldview of a eternalistic. Before
this, all spiritual approach arise due to the attempt to interpret
Samadhi Yoga Sutra as marriage or at least as close as you can get from a
“God”, a “Lord.” Something
that sounds quite natural in the end to a theist - such as an
Evangelical Christian would never interpret the reduction of its focus
on mental object unique sensual ecstasy and consequently a mere effect
of a psychological technique, but he would label it “the divine sign of
God touching him. “ It is for
this reason that, according to the Buddha Dhamma, in fact in most
situations we are inclined to be led by the plots of our senses,
including the mental impressions / thoughts / feelings / perceptions -
and therefore tend to limit ourselves to go beyond such experiences also
distorted the merger would allow access to insight and liberation.

Returning
to the context of comparison with the Christian interpretation of this
ecstasy, in short what Patanjali is facing such a theistic
interpretation sounds like someone moving a large portion of vocabulary
and terminology for the New Testament, which gives this ring a Buddhist.

The
funny thing is that this is exactly how many of the contemporary New
Age books are written - an amalgam of the terms of Western Spirituality /
Christian trying to express a view east.
 So
one can imagine that the situation in India was similar to that when
the Yoga Sutra was written addressing the Buddhist philosophy of that
era.

The
remaining Buddhist philosophy with his particular terminology
established by the Buddha himself would have become so pervasive in
religious thought, so to make seemingly trusted what was written on
meditation was a need to borrow or rely on several of these Buddhist
concepts predominant.
 This
had largely been done or even conscious, as most New Age authors
present not even reflect the content of their texts but about the
message you want to spend.

Thus,
below is done in a way a translation - or rather a translation of a
transliteration given the proximity between languages - as was done with
the text of the Yoga Sutra in Sanskrit brought back to Pāli.
 Similar to what has been done this Sutra ( Theravadin available on the blog, in English on this 
link ),
the exercise helps us see how the same text would sound the Pāli
language, opening then find parallels in ancient Buddhist texts, the
suttas.

However,
having said all that, pragmatism invoked by the text (which is what
makes it so valuable) also indicates much more than a simple textual
exploration.
 As you
read this you can not discern the notion, especially since the position
of a meditator concentration of whoever has written or inspired by this
text, at some point personally experienced jhana and samadhi and wanted
to convey his experience making use a rich language Buddhist meditation
on the same interpretation being directed to an audience Brahman /
proto-Hindu India 200 BC.

Anyway,
check by itself - the pauses between sets of paragraphs labeled in bold
are the author / translator and some important technical terms
Buddhists were deployed, with additional comments made in italics:

Patañjalino yogasutta (Part I of IV)

Introduction

atha yogānusāsana | | 1 | |

And now a statement about the European Union (Yoga)

[1] Read yourself to be the object of meditation, or an instruction (anusāsana) on the meditative practice (yoga).

yogo-citta-vatta nirodho | | 2 | |

The Union (Yogo) is the extinction of the movement of the mind

[2] in this passage denotes vatta turbulence, swirl, activity - literally wandering, circling, confused. In
this context broadly means “meditation is (…) a stop to the busy
mind,” which is very active and its activity suggests a walk in circles.
 Probably the most direct (and correct) translation.

Tada ditthi (muni) svarūpe’avaṭṭhāna | | 3 | |

(Only) then he who sees is allowed (to be) in (his) true nature.

[3]
In the Pāli language Drist the word does not exist, and it would be
something like subsitituída by Muni, which has the same meaning -
except, of course, the fact that “he who sees” further points in this
case the seeing process.
 Here was however used the term Pāli ditthi so as to maintain the link with the term semantic ditthi. The alternate translation is then: “So lets see who (or have the opportunity - avaṭṭhāna) of being in their true and natural.”

Sarup-vatta itaritara | | 4 | |

(Otherwise) at other times we become (equal) to this activity (of mind).

Challenges

vatta Panza kilesa akilesā ca ca | | 5 | |

Activities (Mental) are five, some non-contaminating other contaminants:

pamanes-vipariyesa-vikappa-Nidda-sati | | 6 | |

i)
Experience (Evident-Measurement), ii) misperception (Illusion), iii)
Intentional Thinking / Willing, iv) Sleep / Numbness, v) Memory /
Mindfulness.

i) pamanes, experience or clear-measurement

Paccakkh’ānumān’āgamā honte pamāāni | | 7 | |

What one sees and looks directly (paccakha), taking as a reference - it’s called experience.

[7] Literally: “What comes through direct visualization and measurement is called the experience”

ii) Vipariyesa, misperception or illusion

Micca vipariyeso-Nanam atad-rūpa-patiṭṭhita | | 8 | |

Illusion is the wrong understanding, based on something (lit. “one way”) that is not really.

iii) Vikappa, Thought Intentional / Keen

Saddam-ñāānupattī vatthu-Sunna vikappo | | 9 | |

Intentional
Thinking / Willing is any way of understanding and unfounded assertion
(ie the internal speech, voltiva, partial and willful, based on mental
speculation).

[9]
Alternative translation: “Thinking is cognition without a sound object /
cause noise (vatthu).Think about it, thoughts are no more than sounds,
silent babble that passes through our being.

iv) Nidda, Sleep / Numbness

abhava-paccay’-ārammaā vatta Nidda | | 10 | |

Mental activity in the absence of mental objects is called Sleep / Torpor.

v) Sati, the Memory / Mindfulness

Anubhuti-visayāsammosā sati | | 11 | |

Not to be confused (or not lose) the object (sensory) previously experienced is called Memory / Mindfulness.

Abhyasa-virāgehi Tesam nirodho | | 12 | |

The extinction of these [activities] comes from the practice of detachment / cessation of passions (turning)

[12] We have here the words turn and nirodha in the same sentence! It can not be more Buddhist canon than this! Interestingly, however, is the current use and non-metaphysical terms of this stretch. They are applied in a simple process of meditation, in particular the process of concentration meditation. This can not go unnoticed and goes directly in line with readings jhanic cultivation practices in Buddhism.

 The Training 

tatra-tiṭṭha yatano abhyasi | | 13 | |

The
practice’s commitment to non-movement (ie, become mentally property (at
the same time it parmanece fluid - an excellent description for the
concentration!)

so-Kala-pana Dīgha nirantara-sakkār’āsevito dalhia-bhumi | | 14 | |

Mast this (practice) must be based firmly in a long and careful exercise [excellent point here!]

[14]
This goes in line with what the author wrote the medieval Pali
subcomentários the volume of the Digha Nikaya, where also we find the
combination of the terms and dalhia bhumi - “firmness” and
“establishment” - in the same sentence, denoting ” firm establishment “

diṭṭhānusavika-visaya-vitahāya Vasik-Sannes viraga | | 15 | |

Detachment is the mastery (VASI-kara) of perception, the dropping of the seat (vitahā) by the following (anu-savika, lit.’s Subsequent flow) experience a prey to view.

parama-tam Puris akkhātā gua-vitaha | | 16 | |

This is the climax: the abandonment of the current headquarters of the senses, based on personal revelation / knowledge of self.

[16] Here we turned a Brahman, is this approach that allows the soul to win the seat / attachment, Tanh. And this short sentence has much to offer! At
that moment in history, Patanjali was so convinced of the Buddhist goal
of “opening up the attachment, the seat stop,” which boils down to vita
hā term he uses. However,
it does not give up without a soul which its theistic philosophy simply
collapses and nothing in the text would make it distinguishable from a
treatise on the Buddha Dhamma.
 Thus,
mounted on a meditative Buddhist terminology and guidelines in the
conversation he introduces the term “Puris, which can be read as” soul,
“saying that the more you get closer to its” intrinsic nature “(svarūpa)
and inner body “Puri, or soul, you become able to stop itself this seat
/ attachment.
 Interesting.

Realization - Jhana / Dhyanas 

The first jhana / Dhyāna

vitakka-vicar-Anand-Asmita rūp’ānugamā sampajaññatā | | 17 | |

This
is the alertness (sampajañña) from (the) (Kingdom of) form: a
self-directed thought-based consciousness, which remains (to this) and
inner happiness.

[17] Here we describe an almost identical description of the first jhana used time and again by the Buddha in Pali texts ( see this example ). Indeed,
we have a very beautiful description of the first jhana as a form of
sampajaññatā (fully aware of what is happening), after the plan of the
form (the theme of our meditation is a mental form) and a combined
happiness at the thought we are trying to grasp what itself could be
described as the pure experience of “I am” (Asmita - the term is being
used more loosely in place as would suttas).

However,
the announcement vitakka / vicara the first mention of meditative
absorption is a clear reference to the origin of Buddhist Yoga Sutra.
 Interesting also is the connection that is being done now with sampajaññatā: Think of everything we have said before about sati. If sati is simply the seizure of an object (the paṭṭhāna
of sati, so to speak), so it’s interesting to see how sampajaññā this
case, is identified with the state of the first jhana.
 Could this mean that when the Buddha mentions these two texts in Pali, which implicitly means samatha-vipassana?

This
is not at all a strange idea, like many vipassana meditators, focusing
on objects will be much more subtle quickly show signs of the first
jhana.
 Could it be then that the term “sampajaññatā” was seen as the first result of a concentrated mind?

In
any case, experience will teach you very quickly that when you try to
hold an object in your mind, your awareness of what happens at this time
will increase dramatically, simply due to the fact that his effort to
keep the object is under constant danger during the siege of sense.

saw-Paticca Abhyasa-anno-pubbo sakhāraseso | | 18 | |

(This accomplishment) is based on detachment and previously applied for any subsequent activities.

bhava-Paticca videha-prakriti-layana | | 19 | |

(For example) Based on this existence and the characteristics of self

saddha-viriya-sati-samadhi-paññā-pubbaka itaresam | | 20 | |

This
flower gives himself (based on these qualities) of conviction (saddha),
energy (viriya), mindfulness (sati), concentration (samadhi) and wisdom
(paññā)

[20] The Buddha mentions these five factors when he was training arupa jhana under his previous two teachers. He also mentions how crucial factors when striving for enlightenment under the Bodhi tree. Later,
during his years of teaching, he gave the name of “powers” (bullet) and
explained that, if perfected, would lead to enlightenment.

Tibba-savegānām āsanno | | 21 | |

(For those) with a firm determination reached (this accomplishment, the first Dhyana / jhana).

Advancing in jhana, tips and tricks.

Mudu-majjhim’ādhi-mattatā tato’pi Visions | | 22 | |

There is also a differentiation between (achievement) lower, middle and high

Issar paidhānā-go | | 23 | |

Or based on devotion (devotion) to a Lord (a master of meditation).

kilesa-kamma-vipākāsayā aparāmissā Puris-visions’ Issar | | 24 | |

The Lord (the Master) that is no longer influenced by the outcome kammic impurities and past desires.

[24]
Besides the question whether the term “Issar” found here could be read
as merely referring to a master of meditation (which fits perfectly into
the discussion until verse 27, where it starts to not fit any more) is
likely discussion, including on-line
 translation of the Yoga Sutra by Geshe Michael Roach . The
principle can be interpreted so as to skeptics recalling the first
sutta MN seemed more logical to assume Issar was first used to designate
“the Lord” (ie your God).

But with a little more research found that the term Issar Theragatha us are used to designate the “master”. Interesting is also the word in Pali āsayih replaced simple wish / desire - “Asa.” But
“almost” sounds like “Asava” that would fit even better in the context
of kamma and vipaka Asava.But the idea is very specific (”that which
flows within you, taking it) and may or may not be what was meant in
this passage.

tatra-niratisaya sabbaññatā bīja | | 25 | |

It is this that lies the seed of omniscience unmatched.

sa pubbesam api guru kālen’ānavacchedanā | | 26 | |

This Master from the beginning never abandoned him or abandon

[26] Literally, “not” drop “(an + evaluation + chedana), or abandon, even for a time (short) (Kalena)

tassa vācako Panavia | | 27 | |

His Word is the breath and the clamor of living

[27] On the panavah term, which can be interpreted as “om” in Hindu literature. It
all depends if we read verses 24-27 as involving “Issar” to mean “God”
or simply refer to consider meditation master of meditation you learn.
 If
you do a search in the Tipitaka, you see that when the Buddha used the
term was to refer to teachers (see for example Theragatha)

taj-tad-japp attha-bhavana | | 28 | |

Praying in unison with this, this is the goal of meditation

touch-pratyak cetanādhigamo’pi antarāyābhāvo ca | | 29 | |

So if the mind itself and carries it away all obstacles / hazards:

Vyadha-ṭṭhāna-samsaya-pamādālayāvirati-bhrānti-dassanā’laddhabhūmikatvā’navatthitatāni

Diseases,
skeptical questions, be moved to laziness of attachment, wrong view of
things, not meditative placements, or not yet firmly established in
these.

citta-vikkhepā te’ntarāyā | | 30 | |

These are the causes of mental distractions (they fall due).

dukkha-domanass’agam ejayatv’assāsa-Passaseo vikkhepa-saha-Bhuvah | | 31 | |

The physical and mental pain arises in the body, the shaking of the inhale and exhale conjução occur with such distractions.

[31] Here dukkha and Domanassam mentioned. They also appear in the definition of the Buddha’s four jhana, but in a different direction. The problem described here meditative seems out of place and looks as if someone had to fit these words here. Also
the inhale and exhale clearly has an important role in that they cease
to exist (nirodha) so subjective to the practitioner in the fourth
jhana.
 It is strange that all this is on the list, but is presented in a very different interpretation.

  The Objects of Meditation

tat-pratiedhārtham ekatattābhyāsa | | 32 | |

In order to control these distractions, this is the practice of unification of mind:

metta-karuna-mudita Upekkha-sukha-dukkha-Visayan-puññāpuñña bhāvanātassa cittapasādana | | 33 | |

The
cheerful calm the mind (citta-pasada) is achieved by meditation of
loving kindness, compassion, joy and equanimity in the face of pleasure,
pain as well as luck and misfortunes.

[33] And here we go. The
four brahmavihara, of course, famous for the way Buddha encouraged
monks to practice them to subdue the obstacles and enter the five jhana.
 It
is also interesting as the Tipitaka sometimes aligns them with the
progression in four jhana (which deserves to be studied separately).

pracchardana-vidhāraābhyā go prāasya | | 34 | |

Or the inhale and exhale, which is also an excellent exercise in meditation.

Visayavati go pa-vatta uppannā manaso thiti-nibandhinī | | 35 | |

It helps to stop and control the increasing mental activity that occurs through the power of the senses.

[34
and 35] Wow, now includes Anapanasati to the list of meditation
techniques, the most favorite topics of Buddhist meditation, in addition
to brahmavihara, which “coincidentally” was mentioned in the previous
passage.
 Here
he almost “cites” the benefit of Anapanasati of Pali suttas, the Buddha
gave in the Anapanasatisamyutta Mahavagga, where it is clearly said
that the greatest benefit of Anapanasati is the ability to quiet the
mind.
 Very interesting!

Visoko go jotimatī | | 36 | |

And the mind becomes free from sorrow and radiant.

vita-raga-visaya go citta | | 37 | |

Free from desire for sense objects

[36
and 37] These two passages seem more like a copy of what the Buddha
says in the suttas: “It is almost always remain in these states, O
monks, neither my body or my eyes get tired.” Although it immediately to
Explaining how the mind free from desires and radiant moves away from
the senses, as do the experienced meditators, this passage is important
because it shows that the author knew what he was talking in terms
pragmáticos.Não there is something more important to the induction of
samadhi (ie, jhana) that the resolution of the mind, the balance against
the attack of the senses to the mind.

svapna Nidda-go-jnānālambana | | 38 | |

Of dreaming and sleep,

yathābhimata dhyānād-go | | 39 | |

parama-anu-stop-mahattvānto’ssa vasīkāri | | 40 | |

kkhīa-vatta abhijātass’eva grahīt mani-Graham-grāhyeu stha-tat-tad-anjanatāsamāpatti | | 41 | |

When
it happens in the destruction of mental activity or movement
[Khin-vatta], there is the appearance of a jewel, the emergence of
someone who carries such an object, the object and the carrying of such
an object in itself - and this immobility is what is called a
realization, or state of completion.

tatra-nana-saddattha vikappai sakiṇṇā savitakkā Samāpatti, | | 42 | |

There is the state of realization is “with thought” and marked by impurity of speech of conscious thought, the internal speech.

[42], in the Pali Canon parlance we would say “savitakka-jhana.”

sati-parisuddha svarūpa-suññevattha-matta-nibbhāsā nivitakkā | | 43 | |

(However)
there is a state of achievement without thinking (nirvitakka) with full
attention and clearer that it is the nature of emptiness without a
voice.

[43] parisuddham sati is obviously the name the Buddha gave to the fourth jhana. It
seems that the author tries to show us the range of four jhana,
pointing to the criteria of the first, and then, in contrast to the
characteristics of the fourth jhana again using the terminology of the
Pali suttas.

etadeva savic Nirvicārā ca-sukkhuma visaya akkhātā | | 44 | |

Likewise, the state with and without research and consideration (vicara) is judged by subtlety of the object.

[44] Here we are somewhat hampered by the language, and tempted to ask: by whom discerned before the non-self (anatta)?

sukkhuma-visayatta c’āliga-pary’avasānam | | 45 | |

It culminates in a subtle object with no features

tā eva sa-Bijo samādhi | | 46 | |

But even this is a samadhi with seed / question.

Nirvicārā-visārad’ajjhatta-pasado | | 47 | |

Happiness
is attained with the inner conviction without regard to the
concentration already (vicara, which is paired with vitakka)

itabharā paññā tatra | | 48 | |

In this way, the truth is filled with wisdom.

sut’ānumāna paññāyā-anna-visaya vises’atthatā | | 49 | |

And this wisdom is of a different kind of knowledge acquired through learning.

taj-jo-sakhāro’ñña Samkhara-paibaddhī | | 50 | |

Such activity (meditative and induced) obstructs born (all) other activities.

tassāpi nirodha Sabba-nirodha nibbījo samādhi | | 51 | |

With the extinction of it all is also stopped - and this is the root-without-samadhi (samadhi-unborn)

[51]
This last sentence sounds more like a reporter who, after being invited
to a very important meeting, is eager to share what he heard from
relevant sources.

Here
we are given a definition, in fact, the definition of the Buddha
“phalasamāpatti” - a state of jhana, which can only happen after someone
has had a realization that the particular insight nirvanic, giving you
access to that which is samadhi no “seeds” (nibbīja).

This
whole concept fits nicely into a row of theistic argument, and no
attempt is being made here in the final set of samadhi, to explain it.

Did
the Buddhists speak of this matter so that among the philosophical
circles “mainstream” of the time it was automatically understood as “the
highest you can get,” and the argument was so powerful that, despite
not fit in the school already thinking of the times (an ancient
Hinduism) was considered indisputable?

Hard to say. This
argument appears in the Sutta Ratanasutta Nipata.Vemos this final
state, without seeds, as something that would target when trying to
“Sanna-vedayita-nirodha” cessation of perception and feeling, a
realization of the Buddha described as possible Arahants Anagami for
that, after entering the eighth jhana sequentially finally leave the
activity more subtle (the sankhara) back.

Patanjali Yoga viracite-iti-samadhi sutta pahamo-pated | | |

This is the first chapter on the Samadhi Yoga Sutra of Patanjali.

Source for adaptation and translation http://theravadin.wordpress.com/2010/08/28/the-yoga-sutra-a-handbook-on-buddhist-meditation/

Published with Blogger-droid v1.6.5

Posted by Dhammarakkhittas at 15:31 

Labels: ashtanga yoga , Brahmanism , Buddha , Buddhism , ancient Buddhism , dharma , dhyana ,Hinduism , jhana , patanjali , Sangha , Theravada , yoga , Yogasutra

Reactions: 


0 comments:

Post a comment

http://yoga.org.nz/postures.htm

Main Page

Welcome to our yoga postures section. Here you will find
yoga moves that are broken down to the bare basics with colour photos
to match. We also have state of the art flash yoga animation technology that you can use to view these moves in full screen size, full colour and with full instruction.

Yogic exercises cater to the needs of each individual
according to his or her specific needs and physical condition. They
involve vertical, horizontal, and cyclical movements, which provide
energy to the system by directing the blood supply to the areas of the
body which need it most.

In yoga, each cell is observed, attended to, and
provided with a fresh supply of blood, allowing it to function smoothly.
The mind is naturally active and dynamic, while the innerself is
luminous. In this section we will give you plenty of yoga images and
instruction.

Breathing Pose
 
Arm Stretch
 
Kneeing Twist

Breathing Pose


The simple act of learning to control the breath
has a number of beneficial effects on your wellbeing, ranging from
increasing your energy, to improved relaxation into sleep. It purifies
the body by flushing away the gaseous by products of metabolism and will
also help you to remain calm in the face of the challenges that we
encounter in our everyday lives.

Control of the breath is an essential element in
the art of yoga. When bringing the air in to the abdomen, do not to puff
the stomach out, but pull the air into it while extending the inside
wall. By harnessing the power of the breath the mind can be stilled and
can be prepared for your Yoga practise.


Instruction Table Breathing Basics
1                              


   
Sit in a simple cross-legged position on
the floor. If you don’t feel comfortable in this position place a folded
blanket under your buttocks. 


Place your right hand on the rib cage and your left hand on your abdomen 


Inhale
slowly through the nose feeling the breath filling the abdomen,
bringing it slowly into the rib cage, then the upper chest. 


Exhaling
softly feeling the breath leave the abdomen first, then the ribs and
lastly the upper chest. Observe the space at the end of the exhale
 
2                               


Now move hands so your forearms come to a comfortable position
resting on your knees and continue the breathing with a relaxed rhythm.

Continue with a flowing controlled breath in your own time.

Yoga breathing is also call Pranayama . Many say that Pranayama (Rhythmic control of breath) is one of the bests medicines in the world .

Right click the link and save as to download a beginners breathing routine . Then watch in windows media player.

Click the BIG play button in the middle below. To watch a Pranayama Breathing overview .

Please visit:

http://www.youtube.com/watch?v=t7WFq17NxWA&feature=player_embedded#at=24

 

The Virasana Arm/Shoulder Stretch


Hero Pose

The purpose of this pose is to help give the entire
body a very complete stretch from the heels to the head. It improves
strength and endurance and helps to control your breathing in
conjunction with the movements of the body.

It eases and stimulates the joints especially the
knees, ankles and shoulders. It reduces and alleviates backache and
improves the circulation of the entire body.


Instruction Table
1                        


Come in to a position on your hands and your 


knees with your knees together and your feet slightly wider than hip width apart. Your big 


toes & little toes pressing firmly into the floor
 
2                        


Push back with your hands & sit between your
buttocks on the floor, make sure you roll your calf muscles out wards so
your not sitting on them.
 
3                        


Make sure the inner calves are touching the outer thighs and your ankles are outside your buttocks, arms resting at the sides.
 
4                        


Inhale as you slowly raise your arms to shoulder height, shoulders down.
 
5                        


Exhale lengthen out through the fingertips & turn your palms to the roof. Inhale stretch your arms overhead.
 
6                        


Interlock the fingers. Slowly exhaling turn the palms
towards the ceiling, and with a powerful push lift up from the belly
into your chest and shoulders.
 
7                        


Exhale bring your hands down in a smooth continuance motion….
 
8                        


Now bringing your arms interlocking behind your back
with straight arms, being careful not to roll the shoulders forward,
squeezing the shoulder blades together and opening the chest on the
front of the body.
 
9                        


Inhale hands back to the side


Repeat 2-3 more times

  Please Visit:

http://www.youtube.com/watch?v=vvG-lekx64I&feature=player_embedded

Kneeing Twist Pose

Regular practice of the kneeling twist pose
will aid in your ability to rotate the spine and upper torso more
effectively, while increasing the flexibility and strength in your back
and abdominal muscles. It also massages, stimulates and rejuvenates the
internal abdominal organs.

This pose is a good beginners pose and will get you ready for more advanced twists.

To view in flash - click the image below


Instruction Table
1                              


   

Sit on your heals with your knees together, the tops of the feet
pressing firmly into the ground. Your head, shoulders, and hips should
be in one straight line.

Arms relaxed by the side keep your base firm by contracting your buttocks.

 
2                               


Inhale, extending the spine upwards, exhale twist around to the
right, placing your left hand on the outside of your right thigh,
turning the head in the direction of the twist, but keeping the head and
shoulders relaxed.

Take a few breaths here, keeping the stomach soft and the eyes soft.

Repeat on the other side

Please Visit:

http://www.youtube.com/watch?v=91MT6kmP7zo&feature=player_embedded

 

Triangle Pose
Tree
Warrior

The Triangle Pose

Triangle pose tones the leg muscles, spinal nerves and abdominal organs; it contributes towards a strong healthy lower back.

The triangle gives an excellent and complete stretch


throughout the entire body.

To view in flash - click the image below


Instruction Table
1                


Align yourself in mountain pose. 


Continuing with your smooth


flowing breath
 
2                


Inhale deeply and jump your feet out landing approx
1.2-1.5m apart. your feet need to be in line and pointing forward at
right angles. Next raise your arms to shoulder level, be sure that they
are in line with each other. Stretch your arms out from the middle of
your back. Lift your chest and look straight ahead.
 
3                


Now turn your right foot out while keeping your hips to
the front, and turn your left foot in from 90 to 70 degrees, by pivoting
on your heel. Insure your right heel is in line with the instep of the
left foot.


This is important as it sets the base for this pose.
 
4                


The kneecaps and thighs are pulling up,
simultaneously pushing downward through your feet into the floor.
Inhale, extend the spine, exhale as you bend to the right, pushing out
from the hips, through the right arm…
 
               


Taking your right hand to a comfortable position on your
leg, your left arm coming up to straight, moving down as far as
possible without turning the hips or torso. Keep the thighs firm and
rolling around towards the buttocks, moving the left hip back and open
the chest.
 
               


Inhale, extend the neck and spine, exhale, turn your head to look up at your left hand.


Keep
your head, your buttocks and your heels in one straight line,not
looking down with you body, keep opening your whole body up.


Breathe easy.

Click here to view the Triangle pose

http://www.youtube.com/watch?v=tutu7aE2dBI&feature=player_embedded

The Tree Pose

This pose harnesses the powers of mental concentration, while
allowing you to calm the mind. It develops balance and stability, and
strengthens the legs and feet, also increasing flexibility in the hips
and knees.

The tree pose is a balance pose incorporating three lines of
energy, emitting from the centre outwards. One line proceeds down the
straight leg, one line extends up the spine and out the fingertips, and
the third moves outward through the bent knee.

To view in flash - click the image below


Instruction Table
1                


  
Align yourself in mountain pose. 


Continuing with your smooth


flowing breath
 
2                


On your next inhale; shift the bulk of your weight onto
your left foot. Exhale bend the right knee, and assisting with your
hand, place the sole of your right foot as high as possible into the
left inner thigh, with toes pointing down, steady yourself, and 


breathe easy.
 
3                


Next raise your arms to shoulder level, be sure that
they are in line with each other. Stretch your arms out from the middle
of your back. Lift your chest and look straight ahead. Keep completely
focused on the pose.
 
4                


Now bring your palms together in prayer
position. Keeping your eyes focused on a point in front of you, will
assist your balance.
 
               


Inhale as you raise your arms overhead keeping your palms together and stretching upwards through the fingertips. 


Keep working your right knee back and contracting your buttocks muscles in and down.


Feel your abdomen plane and hips facing straight ahead, while lifting out of the waist.

 
Please Visit:

http://www.youtube.com/watch?v=V_V4gM4ExLI&feature=player_embedded< ?xml:namespace prefix = o ns = “urn:schemas-microsoft-com:office:office” />

The Warrior Pose


Virabhadra

The Warrior pose is
named after the mythic warrior-sage, Virabhadra. This challenging pose
strengthens the entire body while improving mental capacity and self
control.

It builds, shapes and tones the entire lower body. It tones the
abdominal section and helps to prevent, reduce and eliminate back pain.
The entire upper body -front and back- is worked and doing this pose
increases the capacity of the respiratory system.

To view in flash - click the image below



Instruction Table
1                



   
Stand in mountain pose continuing with your smooth flowing breath.
 
2                


Jump your feet sides ways and sweep your arms out to the side so your
ankles are below your wrists. Establish your foundation, by pulling
your knees and thighs up, tucking your tailbone under, pushing your feet
firmly into the floor.


Visualise
an imaginary line running vertically down the centre of your body,
dropping your shoulders. Squeeze your arms and legs away from the
centreline.

 
3                


Keep an awareness of this line as you turn your right
foot out to 90 degrees and turn your left foot in to 70 degrees. Ensure
the heel of your front foot aligns with arch of your back foot, hips
facing forward.


If your body wants to turn off centre, counter-act it by pushing simultaneously in opposite directions from the centre line.
 
4                


Inhale, an as you exhale bend your right
leg, pulling up with the outside and inside of the thigh to form a right
angle at the knee. Only go as low as you can with out turning your hips
off centre.


Ideally
you want your knee directly above your ankle with you leg coming
vertically out of the floor like pillar. Keep the power flowing through
the back leg into the floor.
 
               


Inhale lift the spine; exhale turn your head to look over your right arm. Take a few deep breaths through the nose.

Hold the pose and breathe smooth.

Reverse the procedure back to mountain pose and repeat back to the other side.

 

  Please Visit:

http://www.youtube.com/watch?v=-PVX6hATjfk&feature=player_embedded

 
Mountain Pose
Prayer Pose
Shrug

Mountain Yoga Pose

The Mountain Pose is one of the most important poses in yoga. It is the start and finish point of all standing poses.

When standing in mountain pose, the mind is quiet,
and the body strong and still, like a mountain. This is a pose you can
practise in your daily life, practising to stand correctly will have a
profound influence on your physical and mental well being.

To view in flash - click the image below


Instruction Table
1                 


   Moutain Pose 1

Stand with your feet hip width apart, so the outsides of the feet are almost parallel edged.

Press and spread the toes into the floor. Feel the weight of your
body distributed evenly through your feet, from the toes to the heels,
keep pressing firmly into the floor.

 
2                 


Moutain Posture 2
Lift the kneecaps up by contracting the front thigh
muscles, but not locking the backs of the knees. Pull up with the back
of the thighs, and activate the hip and buttocks to level the pelvis. 


 
 
3                 


Mountain Poses Back
Your hips should be directly over your knees, and your
knees over your ankles. This gives you a stable foundation and by
positioning the pelvis properly, keeps the spine healthy.
 
4                 


Now extend the spine, by slowly inhaling, lifting up
through the legs as you lift the ribcage, opening the chest and dropping
the shoulders down, extending the neck, keeping the jaw and eyes soft.

 
5                                                                              


    Bring the shoulder blades into the back, to support the ribcage. Breathe slowly and softly.

Keep your head directly over your shoulders, and look at eye level at a point in front of you.


Please Visit:
http://www.youtube.com/watch?v=Bz1SWd-cihA&feature=player_embedded
 

The Prayer Pose

This pose is simple, but very effective, and is a
key movement to more advanced poses. This pose will teach you how to
push from under the shoulders and out of the lats, the major muscle
group of the back. A key movement in a lot of yoga poses.

It strengthens and aligns the upper body while
releasing tension and increasing the circulation to the shoulder joint,
which is a ball and socket joint. It also aids in strengthening the
abdominal and lumber region as you look to form a solid base.

To view in flash - click the image below

Instruction Table
1                


   
Centre yourself in mountain pose and take a
few deep breaths here, breathing down into the abdomen, continuing the
breathing that you are now familiar with.
 
2                


Inhale, raise your arms to shoulder height and stretch them out in the opposite direction to each other 
 
3                


Now twist your arms from the shoulder and turning your palms upwards. Keep the body in a nice strong upright position
 
4                


Bring your arms out in front of you, pushing
your elbows firmly together and your fingers extending away from you,
while focusing on pulling your shoulder blades together..
 
               


Continue squeezing the elbows together as you bring your palms together
 
6


Now bend at the elbow and take the forearms to vertical.
Keep pressing firmly with the palms and the elbows as you breathe the
arms upwards. With each exhale moving slightly higher.
Shoulder opener Yoga Posture. This
movement will teach you how to push from under the shoulders and out of
the lats, the major muscle group of the back. A key movement in a lot of
yoga poses. This pose is simple, but very effective, and is a key
movement to more advanced poses.
 
Please Visit:
http://www.youtube.com/watch?v=t9TPzR6-Kmc&feature=player_embedded

The Shoulder Shrug

The shoulder rotation is another pose which can be practiced anywhere and at any time.

It strengthens and aligns the shoulder region while
releasing tension and increasing the circulation to the shoulder joint,
which is a ball and socket joint. It also aids in strengthening the
abdominal and lumber region as you look to form a solid base.

To view in flash - click the image below


Instruction Table
1                


  
Align yourself in mountain pose. 


Continuing with your smooth


flowing breath
 
2                


As you inhale, lift your shoulders to your ear lobes, keeping the head erect and soft.
 
3                


As you exhale, rotate the shoulders around 


by pushing up out of the chest and squeezing the shoulder blades together, rotating them 


in a full circle.
 
4                


Back down into mountain pose


Repeat 3 more times

  Please Visit:

http://www.youtube.com/watch?v=SzWxM_W4DNA&feature=player_embedded

Lying Twist
Downward Dog
Seated Forward Bend

The Lying Basic Twist

Doing this pose will rapidly increase strength and muscle tone in your midsection.

The lying twist is another pose which is very
simple yet extremely effective. This pose is soothing to the spine and
neck, and warms and frees the lower back and hips and it also improves
digestion and assists in toxin elimination.

To view in flash - click the image below


Instruction Table
1                              


   

Come to a position lying on your back and stretch your arms out to
the side and place your palms and shoulders firmly on the floor.

Move your shoulder blades under. Spread your toes apart. Feel the
back and shoulders moulding to the straight lines of the floor.

 
2                               


 

Bend your knees as far as they come towards the chest.

 

 
3                                


Inhale, keeping your knees and ankles together,
Exhale, rolling your knees to the right. Focus on keeping your arms
pressing out wards and your shoulders pushing firmly into the ground.
You may feel or hear your spine lengthening as it extends into the
correct alignment.


Knees & ankles together breathe, focus on creating length between the left lower rib and the hip,
 
4                                


Now turn your head to look over your left hand. Relax in to this pose, stomach soft, breathing soft and relaxed.

Reverse the pose back up and repeat to the other side

Please Visit:
 

The Downward Facing Dog


Adhomukha Svanasana

The downward yoga pose is
named as such as it resembles the shape of a Dog stretching itself out.
This pose helps to strengthen, stretch and reduce stiffness in the legs
while strengthening and shaping the upper body. Dog pose Yoga Posture .
One of the main yoga asanas. If you have time for only one posture try
this one.

Holding this pose for a minute or longer will
stimulate and restore energy levels if you are tired. Regular practice
of this pose rejuvenates the entire body and gently stimulates your
nervous system.

To view in flash - click the image below


Instruction Table
1


Come up onto your hands and knees with your knees hip
width apart and the hands shoulder width apart, your fingers wide
pressing firmly into the floor.
 
2


Inhale, arch your spine and look up as you turn your toes under.
 
3


As you exhale straighten your legs and pause here for a moment.
 
4


Now push the floor away from you hands, positioning your
body like an inverted V, achieving a straight line from your hands to
your shoulders to the hips. Straight arms and straight legs.


As you inhale press downward into your hands and lift outward out of the shoulders.


Lift your head and torso back through the line of your body.

Please Visit:

http://www.youtube.com/watch?v=cKx-LPTtvBQ&feature=player_embedded

The Seated Forward Bend


Paschimottanasana

The purpose of this pose is to give the entire back
of your body a very complete stretch from the heels to the head. It is
excellent for posture improvement and stimulates the internal organs as
well.

It adds in improved mental concentration and
endurance and helps to control and calm the mind. It relieves
compression while increasing the elasticity of the spine, it also
strengthens and stretches the hamstrings.

To view in flash - click the image below


Instruction Table
1


Come to a sitting position with your legs together in front of you. 



Move
the fleshy part of your buttocks from underneath you, so you are on the
top of your sitting bones, which are located at the very top of your
legs.
2


Roll the thighs inwards so that the kneecaps are facing directly upwards.


Activate the legs by pressing down into the floor, and out through the heels.



Spread your toes wide and pull them towards you. 


Lengthen your lower back muscles down as you extend your spine up and out of the pelvis.
3


Now take your strap around both feet. The
strap`s purpose is to keep the spine straight. This is very important.
Be aware the head is an extension of the spine, so keep it aligned
accordingly.



Use the breath to create the optimum degree of intensity in the stretch.
4


On your next exhale; come down the belt further while
maintaining the extension on the front and back of the torso. Some of
you will be able to grab the sides of your feet. Breathe softly and
continuously. Don’t pull yourself forward by the strength of your upper
body.


Keep bending at the hips, maintaining a relaxed head and neck.
5


Go a little further, relax your abdomen, and inhale, as
you lengthen, exhale, and come further forward, increasing the space in
your vertebrae.

Please Visit:

http://www.youtube.com/watch?v=rEhU1KqPyY4&feature=player_embedded

 

The Locust
The Bridge
Extended Child’s Pose

The Locust Pose


Salabhasana

The locus yoga posture is
named as such as it resembles the shape of the insect known as the
Locust. This pose helps to strengthen, stretch and reduce stiffness in
the lower back while bringing flexibility to the upper back region.

When you first begin to practice this pose, your
legs may not move very far off the floor. Please continue and stay
positive as you will find your range will continue to improve the more
you practice. Learning to master this pose will hold you in good stead
for more advanced back bends.

To view in flash - click the image below


Instruction Table
1


Come to a position lying face down on the floor, with
your arms along side your body, palms and forehead down. Bring your
knees and ankles together. Squeeze the shoulder blades together and
down. Push your palms into the floor. Pull the abdominals inwards,
contract the buttocks, and press the hips and pubis firmly into the
floor.
 
2


On your next exhale; raise the legs to a height that is comfortable but challenging.

Keep the buttocks activated, lock the knees, keep the ankles together.

 
3


Extend the front of your body as you pull
the shoulder blades together, raising the head, the arms, and upper
torso away from the floor, looking straight ahead, opening the front of
the chest and pushing down the lines of the arms.


Keep the legs working strongly.

Please Visit:

http://www.youtube.com/watch?v=MhotDI-dqRE&feature=player_embedded

The Bridge Pose

The Bridge Pose is
a simple yet very effective pose to practice. It helps to promote a
healthy flexible spine while strengthening the legs and buttock muscles.
It also helps to stretch and stimulate the abdominal muscles and
organs.

It aids in easing and stimulating the mind and is a great way to reenergize if feeling tired.

To view in flash - click the image below


Instruction Table
1                                 


Lie on your back with your legs bent, heels close to the buttocks, Feet pressing firmly into the floor, hip width and parallel. 


Your arms should be slightly out from your sides, the palms of your hands pressing firmly into the floor.
 
2                                


Inhale, and with the exhale raise the hips up by pushing strongly
into the floor with your feet. Keep the buttocks firm, and press the
shoulders and arms into the floor. Only go to the height that you are
comfortable with. 


Take a few nourishing breaths in this position, as you keep opening the chest and lengthening the torso.

 
3                                


Now bring your arms over your head to the floor behind
you. Keep lifting your buttocks away from the floor, keeping them
contracted, which will protect the lower spine, and work softly with the
breath, keeping the head and neck relaxed.


This
pose stretches the whole front of the body, and brings mobility to the
spine. Breathing is improved from the opening of the ribcage and chest
area.

Please Visit:
http://www.youtube.com/watch?v=dIvKigXK1mU&feature=player_embedded

The Extended Child’s Pose / Garbhasana

The Childs Yoga pose when
practiced regularly is very beneficial to your entire mind and body. It
helps to release the pressure on the spine while providing an entire
stretch through the upper body to the fingertips. It also aids in
strengthening and stretching the insides of the legs while massaging the
internal organs.

Breathing will becomes more efficient and your mind
will become clear. It also aids in improved mental processes and helps
to rejuvenate and energize the entire being.

To view in flash - click the image below


Instruction Table
1                              


   
Bring your big toes together and your knees wide apart, inhale as you lift your spine and extend your stomach.
 
2                               


Exhale bend forward from the hips as you walk you hands
out as far in front of you as possible, extending from the hips to the
fingertips.
 
3                                


Place your forehead on the ground & buttocks
back to the heels. Work your pubis to the floor and strech the inner
thigh muscles. Focus on the breath.
 
4                                


Breathing into the abdomen as you extend it
forward in to the breastbone, creating length through the upper body.
Exhale from deep in the abdomen relaxing in the spine and continue the
slow controlled breathing.

  Please Visit:

http://www.youtube.com/watch?v=WrA5mN-MW5U&feature=player_embedded

 
Standing Forward Bend
The Boat (beginners)

The Standing Forward Bend

This pose aids in digestion and is restorative. It
frees the rib cage allowing for improved breathing. It aids in mental
concentration and helps to revive mental and pysichal exhaustion. The
heartbeat is slowed and the lower back is strengthened and pressure is
removed from the lumbar region.

It increases flexibility while strengthening and
developing the hamstrings. It also helps to strengthen the feet and
ankles while realigning the entire body.

To view in flash - click the image below


Instruction Table
1                              


   

Stand in mountain pose, in the centre of your mat, with your hands in prayer position. Jump your feet wide apart.

Keep the outside of your feet running parallel while lifting your
arches, pulling up with the thighs and the tail bone tucked under.

 
2                               


Place your hands on your hips and feel the extension up out of the waist.
 
3                                


Inhale, As you exhale bend at the hips extend forward,
continue lifting out of the hips keeping your legs strong and your base
nice and firm, looking forward to begin with. Keep the extension on the
stomach, which will help keep your back flat protecting it. 


Take a few breaths here.
 
4                                


Now take your hands to the floor extending from the lower abdomen to
the breastbone and through the spine. Some of you maybe on the finger
tips.



If
you can’t keep your spine straight put your hands on your knees and
keep slowly working down your legs, working with your body, not against
it. Lift your sitting bones to the ceiling.

 
5                                


Draw your shoulders down your back so you can extend the neck with ease.



Remember to keep the arches high.

Please Visit:
http://www.youtube.com/watch?v=bUtawL5TmAE&feature=player_embedded

The Boat Pose

Doing the boat pose will rapidly increase strength and muscle tone in your midsection.

Keep challenging yourself to stay in this pose
longer. If you find the stimulation of the midsection becoming intense,
just persist with it, knowing your mind has ultimate control over the
body.

To view in flash - click the image below


Instruction Table
1                              


   
Find yourself on your sitting bones, lifting out of the hips.


Extend your spine upwards, and press the soles of your feet into the floor, with the knees and ankles together.
 
2                               


Using your fingertips on the floor for balance, extend your abdomen as you lean back slightly.
 
3                                


Bring your lower legs up, parallel to the floor.
Breathe softly, in and out through the nose, while opening the chest and
squeezing the shoulder blades together. 


Focus on a point at eye level in front of you. You may find this pose challenging to begin with
 
4                                


Now bring your arms up beside your knees, parallel to the floor,
opening the chest. Keep your focus on that point in front of you. This
will help your stability. Continue with the controlled breathing.

Feel the stimulation of the entire abdominal region, as you hold this pose for a few more breaths.

Advanced Variation of The Boat

Now bring your legs up to straight. Continue to keep your focus on that point in front of you.

Continue with the controlled breathing.

Please Visit:

http://www.youtube.com/watch?v=iMJ9×8STzfA&feature=player_embedded



 

 

 

animated scorpionanimated snailsnail clip artBird-01-june.gif (6564 bytes)Bird-03-june.gif (15868 bytes)Chicken-03-june.gif (17101 bytes)Chicken-01-june.gif (20768 bytes)Chicken-02-june.gif (14661 bytes)Dove-02-june.gif (38556 bytes)animated penguinpenguin animationfree animated penguin gifpenguin clip artshark animationanimated sharkshark clip artFly-01-june.gif (12736 bytes)ant animationAnt-01-june.gif (42846 bytes)butterfly gifButterfly clip artButterfly animationfree butterfly clip artBat-01-june.gif (10197 bytes)Moose-01-june.gif (18700 bytes)Pig-02-june.gif (7483 bytes)Pig-01-june.gif (13961 bytes)Mouse-01-june.gif (58060 bytes)Mouse-02-june.gif (10566 bytes)PolarBear-02-june.gif (14429 bytes)Bear-02-june.gif (12590 bytes)TeddyBear-01-june.gif (7268 bytes)Cow-03-june.gif (102915 bytes)Cow-01-june.gif (39799 bytes)Moose-01-june.gif (18700 bytes)Pig-02-june.gif (7483 bytes)Pig-01-june.gif (13961 bytes)Mouse-01-june.gif (58060 bytes)Mouse-02-june.gif (10566 bytes)PolarBear-02-june.gif (14429 bytes)Bear-02-june.gif (12590 bytes)TeddyBear-01-june.gif (7268 bytes)Cow-03-june.gif (102915 bytes)Cow-01-june.gif (39799 bytes)cat gif clip artfree cat animationCat animationCat-03-june.gif (7541 bytes)free cat giffree cat animationCheetah-01-june.gif (5262 bytes)Cheetah-02-june.gif (13654 bytes)Cheetah-03-june.gif (25877 bytes)Tiger-02-june.gif (21729 bytes)Tiger-01-june.gif (38928 bytes)free animated dogfree animated dog gifanimated dogDog animationfree dog animationdog clip artfree dog clip art gifanimated dog clip artWolf-04-june.gif (60505 bytes)Wolf-01-june.gif (48022 bytes)Wolf-03-june.gif (22514 bytes)Wolf-02-june.gif (10300 bytes)horsehorsehorsefree horse animationanimated horse


dinosaur animated gifanimated dinosaurfree animated dinosaur gifdinosaur animationfree dinosaur animationdinosaur clip artdinosaur gif

MAY ALL SENTIENT AND NON-SENTIENT BEINGS BE EVER HAPPY WELL AND SECURE


 

comments (0)
2091 Wed 28 Dec 2016 LESSONS from Rector JCMesh J Alphabets Letter Animation ClipartMesh C Alphabets Letter Animation Clipart an expert who identifies experts influenced by Expert and Infulencer Sashikanth Chandrasekharan of Free Online Buddhism - World Religions for Kidshttps://drambedkarbooks.com/2015/03/14/the-chamcha-age-by-saheb-kanshi-ram/#more-1506Awaken One With Awareness Mind (A1wAM)+ ioT (insight-net of Things) - the art of Giving, taking and Living to attain Eternal Bliss as Final Goal through Electronic Visual Communication Course on Political Science -Techno-Politico-Socio Transformation and Economic Emancipation Movement (TPSTEEM). Struggle hard to see that all fraud EVMs are replaced by paper ballots by Start using Internet of things by creating Websites, blogs. Make the best use of facebook, twitter etc., to propagate TPSTEEM thru FOA1TRPUVF. Practice Insight Meditation in all postures of the body - Sitting, standing, lying, walking, jogging, cycling, swimming, martial arts etc., for health mind in a healthy body. from INSIGHT-NET-Hi Tech Radio Free Animation Clipart Online A1 (Awakened One) Tipiṭaka Research & Practice University in Visual Format (FOA1TRPUVF) https://archive.org/stream/DhammapadaIllustrated/dhammapada_illustrated#page/n1/mode/2up free online university research practice up a level through http://sarvajan.ambedkar.orgup a level https://awakenmediaprabandhak. wordpress.com/ email-0565.gif from 123gifs.eu Download & Greeting Card modinotourpm@gmail.com jchandra1942@icloud.com sarvajanow@yahoo.co.in is the most Positive Energy of informative and research oriented site propagating the teachings of the Awakened One with Awareness the Buddha and on Techno-Politico-Socio Transformation and Economic Emancipation Movement followed by millions of people all over the world in 105 Classical languages. Rendering exact translation as a lesson of this University in one’s mother tongue to this Google Translation and propagation entitles to become a Stream Enterer (Sottapanna) and to attain Eternal Bliss as a Final Goal BSP is the Number One Largest Party in the Country with all societies (sarvajan Samaj ) supporting it for Sarvajan Hitay sarvajan Sukhay. http://www.firstpost.com/…/uttar-pradesh-assembly-election-… Uttar Pradesh Assembly Election 2017: Mayawati alleges BJP of SC/ST discrimination Murderer of democratic institutions (Modi) -led BJP (Bajuth Jiyadha Psychopaths) is targetting her because of she is a Aboriginal Scheduled caste as well as the ‘master key’ to unlocking the upcoming Uttar Pradesh Assembly election.
Filed under: General
Posted by: site admin @ 6:26 pm


2091 Wed 28 Dec 2016


LESSONS


from

Rector
JCMesh J Alphabets Letter Animation ClipartMesh C Alphabets Letter Animation Clipart

an expert who identifies experts influenced by Expert and Infulencer Sashikanth Chandrasekharan
of


Free Online
Buddhism - World

Religions for Kidshttps://drambedkarbooks.com/2015/03/14/the-chamcha-age-by-saheb-kanshi-ram/#more-1506
Awaken One With Awareness Mind
(A1wAM)
+ ioT (insight-net of Things)  - the art of Giving, taking and Living   to attain Eternal Bliss
as Final Goal through Electronic Visual Communication Course on
Political Science -Techno-Politico-Socio Transformation and Economic
Emancipation Movement (TPSTEEM).


Struggle hard to see that all fraud EVMs are replaced by paper ballots by

Start
using Internet of things by creating Websites, blogs. Make the best use
of facebook, twitter etc., to propagate TPSTEEM thru
FOA1TRPUVF.

Practice
Insight Meditation in all postures of the body - Sitting, standing,
lying, walking, jogging, cycling, swimming, martial arts etc., for
health mind in a healthy body.



 from

INSIGHT-NET-Hi Tech Radio Free Animation Clipart Online A1 (Awakened One) Tipiṭaka Research & Practice University
in Visual Format (FOA1TRPUVF)

https://archive.org/stream/DhammapadaIllustrated/dhammapada_illustrated#page/n1/mode/2up


free online university research practice









up a level through http://sarvajan.ambedkar.orgup a level



https://awakenmediaprabandhak. wordpress.com/












email-0565.gif from 123gifs.eu Download & Greeting Card


modinotourpm@gmail.com
jchandra1942@icloud.com
sarvajanow@yahoo.co.in



is the most Positive Energy of informative and research oriented site propagating the teachings of the Awakened One with Awareness the Buddha and on Techno-Politico-Socio Transformation and Economic Emancipation Movement followed by millions of people all over the world in 105 Classical languages.


Rendering exact translation as a lesson of this
University in one’s mother tongue to this Google Translation and
propagation entitles to become a Stream
Enterer (Sottapanna) and

to attain Eternal Bliss as a Final Goal

BSP
is the Number One Largest Party in the Country with all societies
(sarvajan Samaj ) supporting it for Sarvaj
an Hitay sarvajan Sukhay.


http://www.firstpost.com/…/uttar-pradesh-assembly-election-…

Uttar Pradesh Assembly Election 2017: Mayawati alleges BJP of SC/ST discrimination


Murderer of democratic institutions (Modi) -led BJP (Bajuth Jiyadha
Psychopaths) is targetting her because of she is a Aboriginal Scheduled
caste as well as the ‘master key’ to unlocking the upcoming Uttar
Pradesh Assembly election.


Alleging that the BJP has an anti-SC/ST mindset and is being casteist,
Mayawati said, “They don’t like that a Aboriginal Scheduled Caste
daughter working for the upliftment of all societies ,” Mayawati said in
a special press conference on Tuesday.

She said that the Modi is
afraid of Mayawati’s popularity: “Mayawati is the master key to UP
Assembly election and the BJP is shaken.”

The BSP chief
reiterated how the BSP was the first party to oppose demonetisation, and
that Modi is targetting her and the party because it blames her for
fuelling opposition parties to rise up against the move.

She also
clarified on the Rs 100 crore deposited in a BSP account stating that
the party has all the records of the deposits made into its accounts
after demonetisation, and the money was deposited as per the rules of
the BSP. “All the money has been collected after 21 August. We convert
all the donations into notes of higher denominations because it’s easier
to transport. All the donations are collected in Delhi for final
accounting. It’s deposited in banks only after final accounting in my
presence. We were unable to deposit earlier because I was unable to go
to Delhi,” she said.

On a sarcastic note, the BSP chief thanked
the Modi and party president Amit Shah, stating that the tactics of
Modi, Amit Shah of BJP will get her gain full majority in the upcoming
election, just like allegations towards her helped win the election in
2007. “Modi is targetting me and senior members of the party along with
my friends and relatives for political gains. Shah is maligning my
reputation by talking about the ghotalas, and the Taj Corridor. I want
to tell you that most parties in power do that. The BJP especially.
There’s not a single file on the project that went through me. I have
not signed on a single file. They maligned by name between 2003 and
2007, but I got an absolute majority. They are doing it again. And I am
sure the BSP will form a government again with an absolute majority. I
am grateful to them(!)”

Mayawati also challenged the Modi to
divulge records of all bank deposits and purchases made by the party
before and after 8 November.

Taking a jibe at the Modi on
demonetisation, the BSP chief said, “I pray to God that they take a
couple of more decisions like demonetisation and make it easier for us
to form government. I won’t even have to go to the 75 districts for poll
campaigning. I will win sitting at home.”


A day after reports emerged of deposits worth Rs 100 crore in old notes of Rs 1,000 made in Bahujan…
firstpost.com

https://ash870.wordpress.com/…/bsp-supremo…/comment-page-1/…

BSP supremo Mayawati: I thank BJP for helping us win through false smear campaigns and policies like demonetisation

Whenever a party like Bahuth Jiyadha Psychopaths (BJP) remotely
controlled by just 1% intolerant, violent, mentally retarded, shooting,
lynching, lunatic, mentally retarded cannibal psychopath chitpawan
brahmin finds fault with aboriginal Sarvajan Samaj Mayawati, that means
she is on the right path as said by Dr BR Ambedkar the chief Architect
of our modern constitution.

BSP is the only largest party with techno-politico-socio transformation and economic emancipation movement.
BJP is a greedy for power and money which has gobbled the Master Key by tampering the fraud EVMs.
Ex CJI Sathasivam had committed a grave error of judgement by ordering
that the EVMs to be replaced in a phased manner as suggested by ex CEC
Sampath because of the cost of Rs 1600 crores to replace the entire
EVMs.
The present CEC says that only in 2019 the entire EVMs will be
replaced. But none of them ever ordered that paper ballots would be
used till entire EVMs were replaced.

With paper ballots BSP won
majority of the seats in UP Panchayat elections while it lost in 2014
Lok Sabha elections because of these fraud EVMs. Only 8 out of 543 seats
were replaced to help BJP.

If elections are conducted with paper
ballots BJP will be washed out. They are aware that the entire sarvajan
samaj is with Mayawati and she is sure to be the PM of Prabuddha
Bharath. So they spread false smear campaigns and policies like
demonetisation.

BSP supremo had attacked Murderer of democratic
institutions (Modi), Congress and SP for colluding against public
interest in the run up to assembly election in Uttar Pradesh, due in
2017.

She thanks Modi for helping us win through false smear campaigns and policies like demonetisation.

Modi’s attempt to tarnish her name only result in poll benefits to BSP.

BJP has tried to malign her and her families name before, but that will not deter BSP to regain power in UP in next elections.

BJP is responsible for any sanction or corruption in Taj corridor project, not Mayawati:

The Sarvajan Samaj is aware that Taj corridor always wrongfully gets dragged into political controversy.

Modi must give account of money deposited by its party 10 months before and since Nov 8: Mayawati

BSP have deposited the money collected as party funds honestly in the bank account, no wrongdoings: Mayawati

All democracy loving Sarvajan samaj, the CJI. CEC must see that the
Central and State governments selected by the fraud EVMs are dissolved
and go fro fresh elections with paper ballots to save the country from a
dictator and save democracy, liberty, equality and fraternity as
enshrined in our Modern Constitution for Sarvaja Hitay Sarvajan Sukhaya
i.e., for peace, welfare and happiness of all societies.
BSP supremo Mayawati: I thank BJP for helping us win through false smear campaigns and policies like demonetisation
ash870.wordpress.com

https://ash870.wordpress.com/…/bsp-supremo…/comment-page-1/…

BSP supremo Mayawati: I thank BJP for helping us win through false smear campaigns and policies like demonetisation

Whenever a party like Bahuth Jiyadha Psychopaths (BJP) remotely
controlled by just 1% intolerant, violent, mentally retarded, shooting,
lynching, lunatic, mentally retarded cannibal psychopath chitpawan
brahmin finds fault with aboriginal Sarvajan Samaj Mayawati, that means
she is on the right path as said by Dr BR Ambedkar the chief Architect of our modern constitution.

BSP is the only largest party with techno-politico-socio transformation and economic emancipation movement.
BJP is a greedy for power and money which has gobbled the Master Key by tampering the fraud EVMs.
Ex CJI Sathasivam had committed a grave error of judgement by ordering
that the EVMs to be replaced in a phased manner as suggested by ex CEC
Sampath because of the cost of Rs 1600 crores to replace the entire
EVMs.
The present CEC says that only in 2019 the entire EVMs will be
replaced. But none of them ever ordered that paper ballots would be
used till entire EVMs were replaced.

With paper ballots BSP won
majority of the seats in UP Panchayat elections while it lost in 2014
Lok Sabha elections because of these fraud EVMs. Only 8 out of 543 seats
were replaced to help BJP.

If elections are conducted with paper
ballots BJP will be washed out. They are aware that the entire sarvajan
samaj is with Mayawati and she is sure to be the PM of Prabuddha
Bharath. So they spread false smear campaigns and policies like
demonetisation.

BSP supremo had attacked Murderer of democratic
institutions (Modi), Congress and SP for colluding against public
interest in the run up to assembly election in Uttar Pradesh, due in
2017.

She thanks Modi for helping us win through false smear campaigns and policies like demonetisation.

Modi’s attempt to tarnish her name only result in poll benefits to BSP.

BJP has tried to malign her and her families name before, but that will not deter BSP to regain power in UP in next elections.

BJP is responsible for any sanction or corruption in Taj corridor project, not Mayawati:

The Sarvajan Samaj is aware that Taj corridor always wrongfully gets dragged into political controversy.

Modi must give account of money deposited by its party 10 months before and since Nov 8: Mayawati

BSP have deposited the money collected as party funds honestly in the bank account, no wrongdoings: Mayawati

All democracy loving Sarvajan samaj, the CJI. CEC must see that the
Central and State governments selected by the fraud EVMs are dissolved
and go fro fresh elections with paper ballots to save the country from a
dictator and save democracy, liberty, equality and fraternity as
enshrined in our Modern Constitution for Sarvaja Hitay Sarvajan Sukhaya
i.e., for peace, welfare and happiness of all societies.


Sutta Piμaka

(Five nik±yas, or collections)

1. D2gha-nik±ya [34 suttas; 3 vaggas, or chapters (each a book)]
(1) S2lakkhandavagga-p±1⁄4i (13 suttas)
(2) Mah±vagga-p±1⁄4i
(10 suttas)
(3) P±μikavagga-p±1⁄4i
(11 suttas)

2. Majjhima-nik±ya [152 suttas;15 vaggas; divided in 3 books,
5
vaggas each, known as paoo±sa (‘fifty’)]

(1) M3lapaoo±ssa-p±1⁄4i (the ‘root’ fifty)
1. M3lapariy±yavagga (10
suttas)
2. S2han±davagga (10 suttas)
3. Tatiyavagga (10 suttas)

4. Mah±yamakavagga (10 suttas)

5. C31⁄4ayamakavagga (10 suttas)
(2) Majjhimapaoo±sa-p±1⁄4i
(the ‘middle’ fifty)

6. Gahapati-vagga (10 suttas)
7. Bhikkhu-vagga (10 suttas)
8. Paribb±jaka-vagga (10 suttas)
9. R±ja-vagga (10 suttas)

10. Br±hmana-vagga (10 suttas)
(3) Uparipaoo±sa-p±1⁄4i
(means ‘more than fifty’)

11. Devadaha-vagga (10 suttas)
12. Anupada-vagga (10 suttas)
13. Suññata-vagga (10 suttas)
14. Vibhaaga-vagga (12 suttas)
15. Sa1⁄4±yatana-vagga (10 suttas)

3. Sa1⁄2yutta-nik±ya [2,904 (7,762) suttas; 56 sa1⁄2yuttas; 5 vaggas; divided
into 6 books]

(1) Sag±thavagga-sa1⁄2yutta-p±1⁄4i (11 sa1⁄2yuttas)
(2) Nid±navagga-sa1⁄2yutta-p±1⁄4i
(10 sa1⁄2yuttas)
(3) Khandavagga-sa1⁄2yutta-p±1⁄4i
(13 sa1⁄2yuttas)
(4) Sa1⁄4±yatanavagga-sa1⁄2yutta-p±1⁄4i
(10 sa1⁄2yuttas)
(5) Mah±vagga-sa1⁄2yutta-p±1⁄4i
Vol I ( 6 sa1⁄2yuttas)
(6) Mah±vagga-sa1⁄2yutta-p±1⁄4i
Vol II ( 6 sa1⁄2yuttas)

4. Aaguttara-nik±ya [9,557 suttas; in11 nip±tas, or groups, arranged purely
numerically; each
nip±ta has several vaggas; 10 or more suttas in
each
vagga; 6 books]

(1) Eka-Duka-Tika-nipata-p±1⁄4i (ones, twos, threes)
(2) Catukka-nipata-p±1⁄4i (fours)
(3) Pañcaka-nipata-p±1⁄4i (fives)
(4) Chakka-Sattaka-nipata-p±1⁄4i (sixes, sevens)

(5) Aμμhaka-Navaka-nipata-p±1⁄4i (eights, nines)
(6) Dasaka-Ekadasaka-nipata-p±1⁄4i (tens, elevens)

5. Khuddaka-nik±ya [the collection of small books, a miscellaneous gather-
ing of works in 18 main sections; it includes
suttas, compilations of
doctrinal notes, histories, verses, and commentarial literature that has
been incorporated into the Tipiμaka itself.; 12 books]

(1) Kuddhakap±tha,Dhammapada & Ud±na-p±1⁄4i

1. Kuddhakap±tha (nine short formulae and suttas, used as a training manual for
novice bhikkhus)
2. Dhammapada (most famous of all the books of the Tipiμaka; a collection of 423
verses in 26
vaggas)

3. Ud±na (in 8 vaggas, 80 joyful utterances of the Buddha, mostly in verses, with

some prose accounts of the circumstances that elicited the utterance)

(2) Itivuttaka, Suttanip±ta-p±1⁄4i
4. Itivuttaka (4 nip±tas, 112 suttas, each beginning, “iti vutta1⁄2 bhagavata” [thus was
said by the Buddha])
5. Suttanip±ta (5 vaggas; 71 suttas, mostly in verse; contains many of the best
known, most popular
suttas of the Buddha

(3) Vim±navatthu, Petavatthu, Therag±th± & Therig±th±-p±1⁄4i
6. Vim±navatthu (Vim±na means mansion; 85 poems in 7 vaggas about acts of
merit and rebirth in heavenly realms)
7. Petavatthu (4 vaggas, 51 poems describing the miserable beings [petas] born in
unhappy states due to their demeritorious acts)
8. Therag±th± (verses of joy and delight after the attainment of arahatship from 264
elder bhikkhus; 107 poems, 1,279
g±thas)
9. Therig±th± (same as above, from 73 elder nuns; 73 poems, 522 g±thas)

(4) J±taka-p±1⁄4i, Vol. I
(5) J±taka-p±1⁄4i, Vol II

10. J±taka (birth stories of the Bodisatta prior to his birth as Gotama Buddha; 547
stories in verses, divided into
nip±ta according to the number of verses required to
tell the story. The full J±taka stories are actually in the J±taka commentaries that
explain the story behind the verses.

(6) Mah±nidessa-p±1⁄4i
(7) C31⁄4anidessa-p±1⁄4i

11. Nidessa (commentary on two sections of Suttanip±ta)
Mah±nidessa: commentary on the 4th
vagga
C31⁄4anidessa: commentary on the 5th vagga and

the Khaggavis±oa sutta of the 1st vagga
(8) Paμisambhid±magga-p±1⁄4i

12. Paμisambhid±magga (an abhidhamma-style detailed analysis of the Buddha’s
teaching, drawn from all portions of the Vin±ya and Sutta Piμakas; three
vaggas,
each containing ten topics [kath±])

(9) Apad±na-p±1⁄4i, Vol. I
13. Apad±na (tales in verses of the former lives of 550 bhikkhus and 40 bhikkhunis)

(10) Apad±na, Buddhava1⁄2sa & Cariy±piμaka-p±1⁄4i

14. Buddhava1⁄2sa (the history of the Buddhas in which the Buddha, in answer to a
question from Ven. Sariputta, tells the story of the ascetic Sumedha and D2paakara
Buddha and the succeeding 24 Buddhas, including Gotama Buddha.)
15. Cariy±piμaka (35 stories from the J±taka arranged to illustrate the ten p±ram2)

(11) Nettippakarana, Peμakopadesa-p±1⁄4i

16. Nettippakarana (small treatise setting out methods for interpreting and explain-
ing canonical texts)
17. Peμakopadesa (treatise setting out methods for explaining and expanding the
teaching of the Buddha)

(12) Milindapañha-p±1⁄4i

18. Milinda-pañha (a record of the questions posed by King Milinda and the
answers by Ven. Nagasena; this debate took place ca. 500 years after the
mah±parinibb±na of the Buddha)

Abhidhamma Piμaka

[Seven sections of systematic, abstract exposition of all dhammas; printed in
12 books]

1. Dhammasaagao2
(enumeration of the
dhammas)

(1) Dhammasaagao2-p±1⁄4i

2. Vibhaaga-p±1⁄42
(distinction or analysis of
dhammas)

(2) Vibhaaga-p±1⁄42

3. Dh±tukath±
(discussion of elements; these 1st three sections form a trilogy that
must be digested as a basis for understanding Abhidhamma)

4. Puggalapaññatti
(designation of individuals; ten chapters: the 1st dealing with single
individuals, the 2nd with pairs, the 3rd with groups of three, etc.

(3) Dh±tukath±-Puggalapaññatti-p±1⁄42

5. Kath±vatthu-p±1⁄42
(points of controversy or wrong view; discusses the points raised and
settled at the 3rd council, held at the time of Aœoka’s reign, at Patna)

(4) Kath±vatthu-p±1⁄42

6. Yamaka-p±1⁄42
(book of pairs; a use of paired, opposing questions to resolve ambi-
guities and define precise usage of technical terms)

(5) Yamaka-p±1⁄42, Vol I
(6) Yamaka-p±1⁄42, Vol II
(7) Yamaka-p±1⁄42, Vol III

7. Paμμh±na
(book of relations; the elaboration of a scheme of 24 conditional
relations [paccaya] that forms a complete system for understanding
the mechanics of the entire universe of Dhamma)

(8) Paμμh±na-p±1⁄4i, Vol I
(9) Paμμh±na-p±1⁄4i, Vol II
(10) Paμμh±na-p±1⁄4i, Vol III
(11) Paμμh±na-p±1⁄4i, Vol IV
(12) Paμμh±na-p±1⁄4i, Vol V

(1) P±r±jika-p±1⁄4i Bhikku
p±r±jik±
(expulsion) 4
saaghadises± (meetings of the Sangha) 13
aniyat± (indeterminate) 2
nissagiy± p±cittiy± (expiation with forfeiture) 30

(2) P±cittiya-p±1⁄4i
suddha p±cittiy±
(ordinary expiation) 92
p±tidesaniy± (confession re: alms food) 4
sekhiya (concerning etiquette & decorum) 75
adhikaraoasamath± (legal process) 7

(concludes with bhikkuni vinaya rules) ______
227

Bhikkhuni

8
17
0
30

166
8
75
7
______
311

2. Khandaka [two books of rules and procedures]
(3) Mah±vagga-p±1⁄4i (10 sections [khandhakas]; begins with historical accounts of the

Buddha’s enlightenment, the first discourses and the early growth of the Sangha;
outlines the following rules governing the actions of the Sangha:
1. rules for admission to the order (upasampad±)
2. the
uposatha meeting and recital of the p±timokkha

3. residence during the rainy season (vassa)
4. ceremony concluding the
vassa, called pav±rao±
5. rules for articles of dress and furniture
6. medicine and food
7. annual distribution of robes (kaμhina)
8. rules for sick
bhikkhus, sleeping and robe material
9. mode of executing proceedings of the Sangha
10. proceedings in cases of schism

(4) C31⁄4avagga-p±1⁄4i (or Cullavagga) (12 khandakas dealing with further rules and proce-
dures for institutional acts or functions, known as
saaghakamma:
1. rules for dealing with offences that come before the Sangha
(saagh±disesa)

2. procedures for putting a bhikkhu on probation
3. procedures for dealing with accumulation of offences by a
bhikkhu
4. rules for settling legal procedures in the Sangha
5. misc. rules for bathing, dress, etc.
6. dwellings, furniture, lodging, etc.
7. schisms
8. classes of
bhikkhus and duties of teachers & novices
9. exclusion from the
p±timokkha
10. the ordination and instruction of bhikkhunis
11. account of the 1st council at R±jagaha
12. account of the 2nd council at Ves±li

3. Pariv±ra-p±1⁄4i [a summary of the vinaya, arranged as a
catechism for instruction and examination]

(5) Pariv±ra-p±1⁄4i The fifth book of vinaya serves as a kind of manual enabling the reader
to make an analytical survey of the whole of Vinaya Piμaka.


Sutta Piṭaka -Digha Nikāya

DN 9 -
Poṭṭhapāda Sutta
{excerpt}
— The questions of Poṭṭhapāda —

Poṭṭhapāda asks various questions reagrding the nature of Saññā.

Note: plain texts

ஸஞ்யா
நு கொ பந்தெ பதமங் உப்பஜ்ஜதி, பச்சா ஞானங்? உதாஹு ஞானங் பதமங் உப்பஜ்ஜதி,
பச்சா ஸஞ்யா? உதாஹு ஸஞ்யா ச ஞானங்ச அபுபங் ஆசரிமங் உப்பஜ்ஜந்தி?’ தி.

Saññā nu kho bhante paṭhamaṃ uppajjati, pacchā ñāṇaṃ? Udāhu ñāṇaṃ
paṭhamaṃ uppajjati, pacchā saññā? Udāhu saññā ca ñāṇañca apubbaṃ
acarimaṃ uppajjantī?’ ti.


இப்பொழுது, பந்த்தே, எது முதலாவது எழும்புவது
புலனுணர்வா,ஞானங் அடுத்ததா? அல்லது ஞானங் முதலாவது மற்றும் புலனுணர்வு
அடுத்ததா? அல்லது ஒரே நேரத்தில் புலனுணர்வும் ஞானமும் எழும்புகிறதா?


Now, lord, does perception arise first, and knowledge after; or does
knowledge arise first, and perception after; or do perception &
knowledge arise simultaneously? 



ஸஞ்யா கொ பொத்தபாதப தமங் உப்பஜ்ஜதி பச்சா
ஞானங். ஸன்யுப்பாதா ச பன ஞானுப்பாதொ ஹோதி. ஸொ ஏவங் பஜானாதி: இதப்பச்சாயா
கிர மெ ஞானங் உதபாதிதி. இமினா கொ ஏதங் பொத்தபாத பரியாயென வேதிதப்பங், யதா
ஸஞ்யா பதமங் உப்பஜ்ஜதி பச்சா ஞானங், ஸன்யுப்பாதொ  ச பன ஞானுப்பாதொ
ஹோதி’தி.


Saññā kho poṭṭhapāda paṭhamaṃ uppajjati pacchā ñāṇaṃ. Saññuppādā ca pana
ñāṇuppādo hoti. So evaṃ pajānāti: idappaccayā kira me ñāṇaṃ udapādīti.
Iminā kho etaṃ poṭṭhapāda pariyāyena veditabbaṃ, yathā saññā paṭhamaṃ
uppajjati pacchā ñāṇaṃ, saññuppādo ca pana ñāṇuppādo hotī’ ti. 


பொத்தபாத, முதலாவது
புலனுணர்வும் பின்னால் ஞானம் எழும்புகிறது.மற்றும் புலனுணர்வு
எழும்புகிறபோது ஞானம் எழும்புகிறது. ஒரு பிரித்தறியும் நிலை சார்ந்துள்ள
என்னுடைய இந்த ஞானம் எழும்பியது. இவ்வழியான வரம்பின் காரண ஆய்வால் ஒருவர்
எப்படி முதலாவது புலனுணர்வு எழும்புகிறது மற்றும் ஞானம் அடுத்து என்று உணர
முடியும் மற்றும் எவ்வாறு புலனுணர்வு எழும்பியதால், ஞானம் எழும்பிமயது
என்றும்.


Potthapada, perception arises first, and
knowledge after. And the arising of knowledge comes from the arising of
perception. One discerns, ‘It’s in dependence on this that my knowledge
has arisen.’ Through this line of reasoning one can realize how
perception arises first, and knowledge after, and how the arising of
knowledge comes from the arising of perception.

comments (0)
Verifying Security Properties in Electronic Voting Machines-https://drive.google.com/file/d/0B3FeaMu_1EQyN29uTnQ1TG9jazg/view
Filed under: General
Posted by: site admin @ 6:10 pm

Verifying Security Properties in Electronic Voting Machines

https://drive.google.com/file/d/0B3FeaMu_1EQyN29uTnQ1TG9jazg/view

Page

157
/
157

Page 1 of 157

Verifying Security Properties in Electronic Voting Machines

by

Naveen K. Sastry

B.S. (Cornell University) 2000

A dissertation submitted in partial satisfaction of the

requirements for the degree of

Doctor of Philosophy

in

Computer Science

in the

GRADUATE DIVISION

of the

UNIVERSITY OF CALIFORNIA, BERKELEY

Committee in charge:

Professor David Wagner, Chair

Professor Eric Brewer

Professor Pamela Samuelson

Spring 2007

Page 1 of 157

Page 2 of 157

The dissertation of Naveen K. Sastry is approved:

Chair Date

Date

Date

University of California, Berkeley

Spring 2007

Page 2 of 157

Page 3 of 157

Verifying Security Properties in Electronic Voting Machines

Copyright 2007

by

Naveen K. Sastry

Page 3 of 157

Page 4 of 157

1

Abstract

Verifying Security Properties in Electronic Voting Machines

by

Naveen K. Sastry

Doctor of Philosophy in Computer Science

University of California, Berkeley

Professor David Wagner, Chair

Voting is the bridge between the governed and government. The last few years have brought a

renewed focus onto the technology used in the voting process and a hunt for voting machines that

engender confidence. Computerized voting systems bring improved usability and cost benefits but

also the baggage of buggy and vulnerable software. When scrutinized, current voting systems are

riddled with security holes, and it difficult to prove even simple security properties about them. A

voting system that can be proven correct would alleviate many concerns.

This dissertation argues that a property based approach is the best start towards a fully

verified voting system. First, we look at specific techniques to reduce privacy vulnerabilities in a

range of voting technologies. We implement our techniques in a prototype voting system. The com-
ponentised design of the voting system makes it amenable to easily validating security properties.

Finally, we describe software analysis techniques that guarantee that ballots will only be stored if

they can later be accurately reconstructed for counting. The analysis uses static analysis to enable

Page 4 of 157

Page 5 of 157

2

dynamic checks in a fail-stop model.

These successes provide strong evidence that it is possible to design voting systems with

verifiable security properties, and the belief that in the future, voting technologies will be free of

security problems.

Professor David Wagner

Dissertation Committee Chair

Page 5 of 157

Page 6 of 157

i

Contents

List of Figures iv

List of Tables v

1 Introduction 1

1.1 The voting problem: motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

1.1.1 Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1.2 Contributions and summary of results . . . . . . . . . . . . . . . . . . . . . . . . 6

1.2.1 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

1.2.2 Cryptographic voting protocols and privacy implications . . . . . . . . . . 6

1.2.3 Privacy through reboots . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

1.2.4 An architecture to verify voting . . . . . . . . . . . . . . . . . . . . . . . 8

1.2.5 Dynamically verifying properties . . . . . . . . . . . . . . . . . . . . . . 9

2 Voting goals & properties 11

2.1 Voting overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

2.2 Voting goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

2.3 Specific properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

3 Cryptographic voting protocols 22

3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

3.2 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

3.2.1 Threat models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

3.3 Two voting protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

3.3.1 Neff’s scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

3.3.2 Chaum’s visual crypto scheme . . . . . . . . . . . . . . . . . . . . . . . . 35

3.4 Subliminal channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

3.4.1 Randomness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

3.4.2 Mitigating random subliminal channels . . . . . . . . . . . . . . . . . . . 44

3.4.3 Multiple visual and semantic representations . . . . . . . . . . . . . . . . 46

3.4.4 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

3.5 Denial of service attacks and election recovery . . . . . . . . . . . . . . . . . . . . 48

Page 6 of 157

Page 7 of 157

ii

3.5.1 Denial of service (DoS) attacks . . . . . . . . . . . . . . . . . . . . . . . 48

3.5.2 Mitigation strategies and election recovery . . . . . . . . . . . . . . . . . 50

3.6 Implementing secure cryptographic voting protocols . . . . . . . . . . . . . . . . 52

3.6.1 Underspecifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

3.6.2 Open research problems . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

3.7 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

4 Privacy 56

4.1 Voting sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

4.2 Avenues for information flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

4.2.1 DRE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

4.2.2 Cryptographic voting protocol . . . . . . . . . . . . . . . . . . . . . . . . 60

4.2.3 Ballot marking device . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

4.2.4 Optical scan reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

4.3 Reboots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

4.3.1 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

5 Designing voting machines for verification 65

5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

5.2 Goals and assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

5.3 Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

5.3.1 Architecture motivations . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

5.3.2 Detailed module descriptions . . . . . . . . . . . . . . . . . . . . . . . . . 75

5.3.3 Hardware-enforced separation . . . . . . . . . . . . . . . . . . . . . . . . 78

5.3.4 Reducing the complexity of trusted components . . . . . . . . . . . . . . . 81

5.4 Prototype implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

5.4.1 Implementation primitives . . . . . . . . . . . . . . . . . . . . . . . . . . 86

5.5 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

5.5.1 Verifying the desired properties . . . . . . . . . . . . . . . . . . . . . . . 90

5.5.2 Line counts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

5.6 Applications to VVPATs and cryptographic voting protocols . . . . . . . . . . . . 94

5.7 Extensions and discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

5.8 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

6 Environment-freeness 98

6.1 Introduction and motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

6.2 Static analysis to enable dynamic checking . . . . . . . . . . . . . . . . . . . . . . 100

6.3 Environment-free and compile-time constants . . . . . . . . . . . . . . . . . . . . 103

6.3.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

6.3.2 Environment-free functions . . . . . . . . . . . . . . . . . . . . . . . . . 104

6.3.3 Compile-time constants . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

6.3.4 How these are verified . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

6.4 Specifics and algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

6.4.1 Annotations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

6.4.2 Finding methods and variables to check . . . . . . . . . . . . . . . . . . . 108

Page 7 of 157

Page 8 of 157

iii

6.4.3 Compile time constants . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

6.4.4 Environment-free methods . . . . . . . . . . . . . . . . . . . . . . . . . . 113

6.4.5 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

6.5 Results and Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

6.5.1 AES block cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

6.5.2 Serialization of voting data structures . . . . . . . . . . . . . . . . . . . . 121

6.5.3 Non-determinism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

6.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

7 Related work 125

7.1 Voting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

7.2 Information Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

7.3 Isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

7.4 Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

7.5 State management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

8 Conclusion 138

Bibliography 140

Page 8 of 157

Page 9 of 157

iv

List of Figures

2.1 Overview of using a DRE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

3.1 Detailed receipt for Neff’s scheme. . . . . . . . . . . . . . . . . . . . . . . . . . . 29

3.2 Verifiable choice in Neff’s scheme. . . . . . . . . . . . . . . . . . . . . . . . . . . 30

3.3 Opened verifiable choice in Neff’s scheme. . . . . . . . . . . . . . . . . . . . . . 32

3.4 Receipt generation in Neff’s scheme. . . . . . . . . . . . . . . . . . . . . . . . . . 34

3.5 Transparency representation in Chaum’s scheme. . . . . . . . . . . . . . . . . . . 35

3.6 Visual cryptography overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

3.7 Summary of Chaum’s protocol. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

5.1 Diagram of voting architecture proposal. . . . . . . . . . . . . . . . . . . . . . . . 72

5.2 Our architecture, showing the hardware communication elements. . . . . . . . . . 79

5.3 Gumstix picture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

5.4 Mounting board for voting component. . . . . . . . . . . . . . . . . . . . . . . . . 85

5.5 Photograph of implementation prototype. . . . . . . . . . . . . . . . . . . . . . . 87

5.6 Screenshot of

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟ component. . . . . . . . . . . . . . . . . . . . . . . . 89

5.7 Code extracts from

✁ ✂ ✄ ✠ ✁ ✟✡ ☛☞ ✌ ✂ ✞✁ ✟ and

✁ ✂ ✄ ✠✁ ☛✄ modules. . . . . . . . . . . . 91

6.1 Screenshot of environment-free checker finding error in AES implementation. . . . 120

Page 9 of 157

Page 10 of 157

v

List of Tables

3.1 Summary of weaknesses we found in Neff’s and Chaum’s voting schemes. . . . . . 23

4.1 Avenues for privacy flows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

5.1 Non-comment, non-whitespace lines of code. . . . . . . . . . . . . . . . . . . . . 93

6.1 Immutable types whitelist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

6.2 Environment-free method whitelist. . . . . . . . . . . . . . . . . . . . . . . . . . 115

Page 10 of 157

Page 11 of 157

vi

Acknowledgments

I am deeply grateful for David Wagner’s insightful input in crafting this dissertation. His influence

permeates each section and I am fortunate to have such a caring advisor. He patiently taught me

the basics and listened to my asinine and ill-informed ideas. He removed obstacles and served as

a great model to follow, always humble and kind. I learned not only research from him, but also

ethics, honesty, and character.

I have long joked that I would show up in my colleagues’ dis-acknowledgments for slow-
ing down their progress. Fortunately, I can safely say that my colleagues were kinder to me and

became my friends, and made work fun. They refined my ideas and improved my research quality.

Umesh Shankar taught me many of the paper-writing basics in one of my first papers and continued

to hone my ideas. Chris Karlof has been a frequent co-author, sounding board, and constant friend.

Along with Chris, Adrian Mettler and Yoshi Kohno each were crucial co-authors on papers that

formed the basis of this work. Manu Sridharan was not only a gym-buddy, but also a helpful re-
source for all my PL questions. Finally, I will fondly reminisce about my days in 567, as I discussed

Economics, women, and more with Rob Johnson and Karl Chen.

I want to thank my parents, sister, and family for their loving support. Their sacrifices

gave me the opportunity, tools, and especially the confidence to tackle graduate school.

And finally, my tremendous wife, Seshu, deserves my eternal gratitude. She endured

practice presentations and editing, while soothing my frustrations in completing the dissertation.

Her gentle encouragements and patient understanding were crucial to finishing on time.

Page 11 of 157

Page 12 of 157

1

Chapter 1

Introduction

1.1 The voting problem: motivation

The 2000 Presidential election brought attention to the importance of accurately recording

and tabulating ballots, and a hunt for new technologies to fix the unearthed problems. Election

officials faced considerable difficulty deciphering voters’ selections. Direct Recording Electronic

(DRE) voting machines were seen as one solution and are now deployed in many counties. These

computerized machines offer advantages over traditional lever, paper, or punch card voting systems.

They eliminate classes of ballot marking errors using software logic to rule out voting for multiple

candidates where only one is allowed, for example. Since voters interact with a computer screen,

the DRE machines can adopt the interface that best suits the needs of a voter. For example, they can

switch to large, high-contrast fonts for voters with reduced visual acuity. Additionally, tabulating

the results is quicker than with other systems since each machine effectively maintains a running

sum.

However, the advantages that current DRE systems offer do not come without risk. DREs

Page 12 of 157

Page 13 of 157

2

are built upon general purpose computers, and are designed with standard software development

techniques. Standard software development techniques often lead to code that is buggy and suffers

from latent vulnerabilities. Voting software is no different: Kohno et al. recently performed a secu-
rity audit and showed the software on these machines is not well designed and riddled with severe

security bugs [42]. This study is not unique in its conclusions, as others have found innumerable

security problems in commercial voting code [18, 25, 72, 90, 94].

Currently deployed DREs use a single monolithic application written in an unsafe lan-
guage, such as C. Unless great care is taken, software written in C can suffer from buffer overruns,

improper type coercions, and programmer errors that lead to memory safety violations. In addition,

the software is just too complex to be sure all security bugs can be eliminated even with a careful

audit. This naturally begs the question: can we do better?

One option is for counties to deploy non-DRE based voting technology, of which there are

several options, such as optical scan readers. But given the prevalence and advantages of DREs, it

is necessary to address their shortcomings. In this dissertation, we focus on DREs. Thus far, voting

and security experts have come to two potentially viable remedies to sidestep the issue of buggy

voting software in DREs. Both approaches are designed to detect voting machine errors and still

yield the proper election tally.

In the first, DREs are augmented with printers to produce paper records of the voter’s

choices. Before leaving the voting booth, the voter checks the printed record accurately represents

their choices [50]. This voter verified paper audit trail (VVPAT) can serve as an official recourse in

case the electronic record is suspect.

Alternatively, C. Andrew Neff and David Chaum have each come up with innovative

Page 13 of 157

Page 14 of 157

3

solutions that rely on cryptography [19, 60, 61]. After voting on a traditional DRE, their systems

engage in a cryptographic protocol with the voter. During the protocol, the DRE prints a specially

formated receipt. The receipt does not reveal any information about the voter’s choices, but it

does allow the voter to take the receipt home and verify their vote hasn’t been changed after they

voted and that their vote will be counted. This property, called universal verifiability, is unique to

cryptographic voting protocols.

Both solutions offer advantages over existing DREs, however in this dissertation we show

that those two solutions are not sufficient since there are classes of privacy violations left unad-
dressed. We also propose new techniques that begin to address their shortcomings in DRE based

voting machines.

1.1.1 Approach

The solutions we pursue are aimed at one central goal: simplifying an auditor’s task in

verifying the correctness of security properties in voting machines. This is distinct from another,

perhaps more obvious goal: eliminating security bugs from voting machines. While the latter goal

is more appropriate for many software applications, it is not sufficient for the voting context. As

Dan Wallach has said, “The purpose of an election is not to name the winner, it’s to convince the

loser they lost” [85]. Consequently, it is not enough to eliminate all security bugs: we must develop

ways for interested third parties to verify for themselves that the voting machine is free of security

bugs.

Making it easier to verify the absence of security bugs is particularly relevant given that

voting machines currently receive little oversight. Counties rely on a handful of Independent Testing

Authorities (ITAs) to ensure that a vendor’s voting machine complies with voting standards and

Page 14 of 157

Page 15 of 157

4

meets nominal security requirements. In one study, we found 16 critical security vulnerabilities in

Diebold voting code [90], while CIBER, an ITA given the same mandate to evaluate the same code,

produced a vastly different report and only found three security vulnerabilities [21]. This contrast

highlights the main motivation for this work: to help auditors and citizens verify that their voting

system is secure.

In verifying a voting system, an auditor or concerned citizen must analyze a voting system

against a set of measurable criteria. For example, one such criterion may be that a voting system

always gives the voter a chance to review their ballot and correct any mistakes they discover before

casting. We call these measurable criteria properties. The Voluntary Voting System Guidelines

produced by the United States Election Assistance Commission is one such list of these properties.

These properties are created to reflect societal goals, norms, and laws with respect to voting. Since

goals can often be vague, it is important to have a precise definition of what is being verified.

Properties are meant to embody this greater specificity and measurability. Hence, high-level societal

goals are translated into low-level technical requirements. Note the explicit difference between a

societal goal and a measurable and precise security property.

Typically, there are a number of established techniques to verify a system satisfies a set

of properties. One technique often used is manual inspection of the system’s code, design, and

procedures. This labor intensive process aims to either prove or disprove a specific property through

reasoning. Doing so adequately requires reading and understanding the relevant parts of the system

undergoing inspection. In a well designed system, it is possible to limit the scope of the system

under consideration and study a smaller portion of it.

Another technique, called static analysis, involves using computer programs to analyze

Page 15 of 157

Page 16 of 157

5

source code to validate security properties and is built upon a wealth of prior work. Static analysis

tools attempt to automate the process of manual human inspection. Depending upon the sophistica-
tion of the static analysis tool used and the difficulty of the property being analyzed, static analysis

can require additional help from the programmer. For example, a particular analysis may require

the programmer to add annotations to the source code, or possibly to rewrite the code and thereby

make it easier for the static analysis tool.

Static analysis and manual inspection each offer the benefit of detecting security problems

while the system is being designed and are able to catch security errors before the voting system

is deployed in the field. Naturally, there is a tremendous advantage to finding problems before

any voter ever touches the voting machine; but for certain properties, it may be simpler to employ

a dynamic analysis, whereby behavior that contradicts the property is detected while the voting

machine is run, either during testing or in the course of an actual election. If the voting machine

exhibits behavior that contradicts a security requirement, the DRE software can flag an error and

prevent the voter from continuing. Dynamic analysis requires changes to the program code so it

actively checks its own behavior. The programmer can enact the changes directly , or possibly with

the assistance of a software tool.

This dissertation draws on all three techniques to prove a small set of properties, allowing

us to gain confidence in certain aspects of a voting machine’s behavior.

Page 16 of 157

Page 17 of 157

6

1.2 Contributions and summary of results

1.2.1 Properties

In Chapter 2 we outline high-level security goals for voting systems. These security goals

are informed by convention, law, and social policy. As discussed, though, the security goals must

be translated into more testable, concrete properties for voting systems. This chapter discusses six

properties that we focus on during the course of this dissertation. We produce a voting system

implementation in which we successfully verify three of the six properties and refer to additional

work that details how to achieve similar success with the fourth property.

A fully verified voting machine would require verifying significantly more than a handful

of properties. However, building and verifying all those properties in a voting machine is currently

too daunting for us to consider. Recognizing that we should keep this as an end goal, we must start

by verifying a few key properties. Current voting machines are not designed with verification in

mind. Consequently, there is much value in a voting machine where it is possible to verify even a

few properties. This is a positive first step.

1.2.2 Cryptographic voting protocols and privacy implications

Cryptographic voting protocols provide voters with a novel mechanism to verify their

vote is properly recorded and counted. They are meant to augment DREs and provide voters with

an end-to-end guarantee of the proper tabulation of their vote. Proponents of cryptographic voting

protocols cite the end-to-end verifiability property as a reason for requiring less scrutiny of the

software on these DREs. They argue that a vigilant voter would detect the effects of tampering by

buggy software or malicious poll workers. This would lessen the necessity to trust the software

Page 17 of 157

Page 18 of 157

7

since the voter provides an end-to-end check of their ballot’s integrity.

When using a cryptographic voting protocol, the voter typically takes home a receipt. For

privacy protection, the receipt is specially designed to not reveal any of the voter’s choices. These

protocols usually expect the users to check their receipt with an online version after voting; this

check ensures the proper recording and counting of their vote. They can detect tampering or buggy

voting machines via mathematical proofs of correctness.

Cryptographic voting protocols offer the promise of verifiable voting without the need to

trust the integrity of any software in the system. However, these cryptographic protocols are only

one part of a larger system composed of voting machines, software implementations, and election

procedures, and we must analyze their security by considering the system in its entirety. In Chap-
ter 3, we analyze the security properties of two different cryptographic protocols, one proposed by

Andrew Neff and another by David Chaum. We discovered several potential weaknesses in these

voting protocols which only became apparent when considered in the context of an entire voting

system. These weaknesses include: subliminal channels in the encrypted ballots and denial of ser-
vice attacks. These attacks could compromise election integrity, erode voter privacy, and enable vote

coercion. Whether the attacks succeed or not will depend on how these ambiguities are resolved in a

full implementation of a voting system, but we expect that a well designed implementation and de-
ployment may be able to mitigate or even eliminate the impact of these weaknesses. However, these

protocols must be analyzed in the context of a complete specification of the system and surrounding

procedures before they are deployed in any large scale public election.

So, while the protocols offer the promise of skipping verification, their current implemen-
tations do not offer the same guarantees that the theoretical results would indicate. This gap in the

Page 18 of 157

Page 19 of 157

8

realized systems means that as currently conceived, it is still necessary to verify security properties

about the software implementation.

1.2.3 Privacy through reboots

The privacy problems present in cryptographic voting protocols are prevalent in other

voting technologies as well. In Chapter 4, we cover privacy problems for a range of voting tech-
nologies. We introduce a simple idea to cut down on privacy leaks: rebooting after each voter. We

outline the solution and then describe the conditions necessary to implement reboots to help allevi-
ate privacy concerns. This technique, when combined with restrictions on how a program accesses

its persistent storage, allows one to show that information from one voter’s session cannot leak to

another voter’s session.

Employing this reboot technique to guarantee privacy need not be limited to voting ap-
plications. It is also of independent interest, and is likely applicable in other computation domains

where users share the same hardware one after another in independent sessions. For example, users

may demand privacy guarantees from the ATM machines or transit kiosks they use since they pro-
vide each machine with their financial details in conducting their transactions.

1.2.4 An architecture to verify voting

Realizing that we need new techniques to prove that specific security properties hold in

voting machines, we explore a particular architecture specifically designed to make verification

easier. In Chapter 5, we use specific properties about voting, off the shelf hardware, isolation, and

architectural decisions to allow easy verification of two critical security properties.

We develop the architecture in a series of design exercises driven by two specific prop-

Page 19 of 157

Page 20 of 157

9

erties that we introduce in Chapter 2. We expand upon the privacy-reboot idea from Chapter 4 in

a real system and implement it. The final design facilitates manual verification of these security

properties, which we also discuss. Finally, we present the voting system’s design and discuss our

experience building a prototype implementation in Java and C.

1.2.5 Dynamically verifying properties

Some properties are best verified using software analysis. In Chapter 6, we look at proving

the correctness of serialization—the process of storing the in-memory representation of a data struc-
ture, such as a ballot, to a permanent store such as a disk. Trusting computerized voting requires

that serialization, and its mate deserialization, work together reliably and predictably.

We propose to use a dynamic check to guarantee proper recovery of the ballot from stor-
age. Before the ballot is to be stored to disk, the DRE checks that the tallier (used to count the

votes) will be able to be reconstruct the serialized ballot for proper counting at the end of the day.

If an error is found, the voting machine alerts the voter and election officials of the error and re-
fuses to proceed. Since the tallier is to be run later under potentially different conditions, the check

must guarantee that deserialization will always yield the same results, even in a potentially different

execution environment. For a deserialize function to always yield the same result, its return value

must only depend on its arguments and any constants compiled into the code. It may not depend on

non-deterministic inputs. We call such functions environment-free. We develop a static analysis to

check the environment-free property in Java code. Proving the deserialize function is environment-
free allows enables the DRE to check at run-time that the serialized ballot will always be able to

properly to be deserialized. We describe the results of the environment free static checker and the

results of using it to prove the correctness of serialization.

Page 20 of 157

Page 21 of 157

10

The environment-free checker is potentially useful to check other functions that follow

the serialization/deserialization pattern. More broadly, serialization is just one of a family of com-
mon data transformation routines that litter programs. Two others in the family include encryp-
tion/decryption and compression/decompression. In Chapter 6, we show the checker also can be

used to prove that decryption is the inverse of encryption for an AES implementation. We believe,

therefore, that the environment-free checker is useful outside the voting context.

Page 21 of 157

Page 22 of 157

11

Chapter 2

Voting goals & properties

In this chapter, we start with an overview of the voting process. This will serve as useful

background for the remaining chapters.

We then present a number of different security goals for voting systems. Goals reflect so-
cietal desires based on laws and convention. They make statements about the entire voting process,

can often be subjective and stateable without many technical details. Goals guide system designers

when they are forced to make engineering tradeoffs. The list of goals should not be seen as a static

list; for example, the secret ballot, providing privacy and coercion resistance, was only adopted in

the 1880s in the United States. The list of voting goals evolves with the advent of new technology.

We consider six currently accepted goals, and one that may be on the horizon. Achieving these goals

requires not only impeccable technology, but also stringent procedures, including voter education,

machine maintenance, pollworker training, and dispute resolution. We concern ourselves with the

behavior of the entire system, not just the voting technology.

But goals are not sufficient; it is still difficult to measure a voting system against a goal: a

Page 22 of 157

Page 23 of 157

12

✁ ✂ ✄ ☎ ✆ ✝ ✞ ✟ ✝ ✟ ✠ ✂ ✡ ✁ ☛ ☛ ✝ ✟ ✞

✆ ✂ ✠ ✂ ✝ ✁ ✟

☞ ✌ ✍ ✎ ✏ ✑ ✏ ✒ ✍ ✎ ✓ ✔

✁ ✂ ✄ ☎ ✠ ✕ ✂ ✖ ✄ ✟ ✂ ✝ ✗ ✠ ✂ ✝ ✁ ✟

✁ ✂ ✄ ☎ ✝ ✟ ✂ ✄ ☎✠ ✗ ✂ ✝ ✁ ✟

✁ ✂ ✄ ✆ ✂ ✁ ☎✠ ✞ ✄

✘ ✟ ✆ ✂ ✠ ☛ ☛ ✙ ✠ ☛ ☛ ✁ ✂

✚ ☎✝ ✟ ✂ ✛ ✄ ☎✁ ✜✂ ✠ ✡ ✄

✢ ✣ ✑ ✤✏ ✒ ✍ ✎ ✓ ✔ ✢ ✒ ✥ ✍ ✤✏ ✒ ✍ ✎ ✓ ✔

✦ ✝ ✟ ✠ ☛ ✝ ✛ ✄ ✙ ✠ ☛ ☛ ✁ ✂ ✆

✌ ☞ ✓ ✏ ☞ ✥ ✥ ✎ ✓ ✔

✧ ✄ ✆ ✝ ✞ ✟ ✙ ✠ ☛ ☛ ✁ ✂

★ ✕ ✩ ✕ ✡ ✪ ✁ ✂ ✄ ✆

Figure 2.1: Major steps in the voting process when using DREs.

goal is broad and encompasses many facets. We must be very clear about what specific properties we

aim to achieve in our system. A property is a more measurable requirement than a goal and is meant

to be specific and objective; determining whether a voting system satisfies a property should not be

ambiguous. An example property is that, when the voter is making their selection for a particular

race, the voting system must present all candidates in a format in accordance with election laws. A

voting machine that always exhibits the property could not conditionally omit certain candidates, or

present certain candidates in a smaller font. Upon reading the source code, it should be possible to

determine whether this property holds.

We focus on six properties that the rest of the dissertation addresses. The list is by no

means exhaustive, but is chosen to reflect important properties that are first and important building

blocks for any voting machine.

Page 23 of 157

Page 24 of 157

13

2.1 Voting overview

Pre-election setup. The full election process incorporates many activities beyond what a voter

typically experiences in the voting booth. Although the exact processes differ depending on the

specific voting technology in question, Figure 2.1 overviews the common steps for DRE-based

voting. In the pre-election stage, election officials prepare ballot definition files describing the

parameters of the election. Ballot definition files can be very complex [52], containing not only a

list of races and information about how many selections a voter can make for each race, but also

containing copies of the ballots in multiple languages, audio tracks for visually impaired voters

(possibly also in multiple languages). Additionally, the ballot presented to the voter may vary based

on the precinct as well as the voter’s party affiliation. Election officials generally use external

software to help them generate the ballot definition files. After creating the ballot definition files,

an election worker will load those files onto the DRE voting machines. Before polls open, election

officials generally print a “zero tape,” which shows that no one cast a ballot prior to the start of the

election.

Active voting. When voter Alice wishes to vote, she must first interact with election officials to

prove that she is eligible to vote. The election officials then give her some token or mechanism to

allow her to authenticate herself to the DRE as an authorized voter. Once the DRE verifies the token,

the DRE displays the ballot information appropriate for Alice, e.g., the ballot might be in Alice’s

native language or, for primaries, be tailored to Alice’s party affiliation. After Alice selects the

candidates she wishes to vote for, the DRE displays a “confirmation screen” summarizing Alice’s

selections. Alice can then either accept the list and cast her ballot, or reject it and return to editing

Page 24 of 157

Page 25 of 157

14

her selections. Once she approves her ballot, the DRE stores the votes onto durable storage and

invalidates her token so that she cannot vote again.

Finalization & post-voting. When the polls are closed, the DRE ensures that no further votes can

be cast and then prints a “summary tape,” containing an unofficial tally of the number of votes for

each candidate. Poll workers then transport the removable storage medium containing cast ballot

images, along with the zero tape, summary tape, and other materials, to a central facility for tallying.

During the canvass, election officials accumulate vote totals and cross-check the consistency of all

these records.

Additional steps. In addition to the main steps above, election officials can employ various au-
diting and testing procedures to check for malicious behavior. For example, some jurisdictions use

parallel testing, which involves sequestering a few machines, entering a known set of votes, and

checking whether the final tally matches the expected tally. Also, one could envision repeating

the vote-tallying process with a third-party tallying application, although we are unaware of any

instance where this particular measure has been used in practice. While these additional steps can

help detect problems, they are by no means sufficient.

2.2 Voting goals

In this section, we enumerate a number of broad goals for voting systems.

Goal 1. One voter/one vote: The cast ballots should exactly represent the votes cast by legitimate

voters. Malicious parties should not be able to add, duplicate, or delete ballots.

Page 25 of 157

Page 26 of 157

15

This goal emphasizes that each legitimate voter should have exactly one vote toward each race. It

should be impossible for the voters themselves, designers of the voting technology, election officials,

or other people to subvert this goal. Procedures and voting policy can greatly impact whether this

particular goal is successfully achieved. For example, it is imperative that the polling station be

staffed with adequate supplies of voting materials (whether it be voting machines or blank ballots).

Insufficient allocation or resources impinges on this goal; poor technology design can also adversely

affect the goal, either by increasing the amount of resources needed, or through errors that can

surreptitiously allow people to add or drop ballots at will. It also requires the poll workers to

determine who is a legitimate voter.

Goal 2. Cast-as-intended: A voter should be able to reliably and easily cast the ballot that they

intend to cast.

Cast-as-intended gets to the heart of voting – in essence, the voter must be able to reliably and

consistently express their desired opinion for a particular election. Meeting this goal requires over-
coming many challenges. Broadly, 1) the voting machine must present all choices for their particular

ballot in a non-biased manner. As subtle changes in layout, order, or presentation can influence the

voter to favor one choice over another, the voting machine must present all choices in as equitable

manner as possible; 2) the voter must be able to express their desires among the choices. The voting

machine should not make it more difficult to chose one candidate over another; 3) the completed

ballot must be stored without changes and kept for tallying under all conditions. It is also impera-
tive that the voter must be able to express their selections easily and efficiently and should strive to

reduce inadvertent errors.

There are a host of issues underlying each of the three above challenges. As just one

Page 26 of 157

Page 27 of 157

16

example, a voter who is unfamiliar with computers must have the same opportunities to express

their votes as a computer-literate person. On electronic voting technology, this can be challenging.

Designing user interfaces and ballot layouts that are unambiguous to first-time users is challenging.

Goal 3. Counted-as-cast: The final tally should be an accurate count of the ballots that have been

cast.

The counted-as-cast goal assures the accuracy of the final tally. Achieving this goal requires that

ballots are not modified or lost, and will properly be reconstructed in a form that reflects the original

cast ballot form. The challenge is assuring this despite poor procedures, lost or broken voting

machines, and ambiguities in determining the voter’s intent.

Goal 4. Verifiability: It should be possible for participants in the voting process to prove that

the voting system obeys certain properties. For example, when referring to goals 2 and 3 (cast-as-
intended and counted-as-cast), the voter should be able to prove to themselves that their ballot own

ballot was cast-as-intended, and all voters should be able to prove to themselves (and others) that

all of the ballots are properly counted-as-cast.

Verifiability is a property that allows voting participants to easily prove the correct operation of

some portion of the voting process. When discussing verifiability, it is critical to consider who is

verifying the particular property under consideration. When the voter is performing the verification,

it is imperative to consider the usability of the verification process. A property cannot reasonably

called verifiable by the voter if it requires the voter to analyze source code. It would take the

average voter far too long to learn the required skills. However, it would be appropriate to call such

a property verifiable by software experts since they possess the required skills.

In this dissertation, we seek to enable software experts to verify a set of security properties.

Page 27 of 157

Page 28 of 157

17

Chapter 3 analyzes two cryptographic voting protocols that provide verifiably cast-as-
intended and verifiably counted-as-cast to the voters. Verifiably cast-as-intended means each voter

should be able to verify her ballot accurately represents the vote she cast. Often, this includes

looking at a website after voting. Verifiably counted-as-cast means everyone should be able to

verify that the final tally is an accurate count of the ballots contained on the website, for example.

The difficult in achieving verifiability is doing so while also preserving a voter’s privacy. Typically,

solutions that strive for verifiability of cast-as-intended and counted-as-cast include at least some

cryptographic techniques.

Goal 5. Privacy: Ballots and all events during the voting process should be remain secret.

A voter should be able to trust that their ballot and all interactions with the voting machine will

remain hidden. In cases where the ballot is published, it should not be possible to link the ballot

with the voter. The first part of the goal would even preclude indirect privacy leaks, whereby the

voting machine changes its behavior in response to votes that have already been cast. Preserving

privacy requires effort from the voting machine designers as well as the poll workers, since lapses

by either can result in privacy leaks.

Goal 6. Coercion resistance: A voter should not be able to prove how she voted to a third party

not present in the voting booth.

Coercion resistance is related to privacy. A voter should not be able to collude with an outsider in

order to prove how they voted. Put another way, a voter should not be able to subvert their own

privacy. There is a typical caveat with this goal: coercion resistance is not offered when the voter

brings another person (or the electronic equivalent: a recording device) into the polling booth with

Page 28 of 157

Page 29 of 157

18

them. In this case, the voter’s companion can directly observe all of the voter’s interactions with the

voting machine

2.3 Specific properties

As stated, properties are measurable aspects of a voting system goals. One must be careful

in which properties are required. It is possible that designing a voting system to exhibit one security

property may help one goal to the detriment of another. As one example, a property requiring

voting systems to provide voters with a printout of their onscreen selections to take home may help

guarantee cast-as-intended, but at the cost of coercion resistance.

Resolving these tradeoffs requires guidance from policy makers. They are in the best

position to guard and balance different stakeholders’ interests. It is the job of computer scientists to

point out the tradeoffs.

We now present specific properties that this dissertation work will address. These prop-
erties represent some aspect of one or more of the above goals, but aren’t sufficient on their own to

guarantee any of these goals are met.

Property 1. None of a voter’s interactions with the voting machine, including the final ballot, can

affect any subsequent voter’s sessions1

.

This property has implications for Goals 2 and 5. A DRE that achieves Property 1 will prevent

two large classes of attacks: one against election integrity and another against privacy. One way to

understand this property is to consider a particular voting system design that exhibits the property.

Note that some interactions may be unavoidable. For example, an electronic ballot box that becomes “full” on a

voting machine should not allow subsequent voters to vote. This interaction is a desired and unavoidable interaction. The

remedy here is to ensure that if the ballot box becomes full, there will be no subsequent voters.

Page 29 of 157

Page 30 of 157

19

A DRE can be “memoryless,” so that after indelibly storing the ballot, it erases all traces of the

voter’s actions from its RAM. This way, a DRE cannot use the voter’s choices in making future

decisions.

A DRE that is memoryless cannot decide to change its behavior in the afternoon on elec-
tion day if it sees the election trending unfavorably for one candidate. Similarly, successful verifi-

cation of this property guarantees that a voter, possibly with the help of the DRE or election insider,

cannot learn how a prior voter voted.

We discuss this property in Chapters 3 and 4.

Property 2. A ballot cannot be cast without the voter’s consent to cast it.

Property 2 ensures the voter’s ballot is only cast with their consent; a voting machine that always

exhibits this property will help achieve Goal 2 (Cast-as-intended). When a ballot is cast with the

voter’s consent and at the proper time, guarantees that the voter has had the chance to see all races

and has had the option of editing their selections before casting. Additionally, when combined with

other security measures, this property helps guarantee the ballot box cannot be stuffed by the DRE.

If each cast operation requires a human’s input, and the DRE cannot automatically cast additional

ballots.

Property 3. The DRE cannot leak information through the on-disk format. Additionally, the ballot

box should be history-independent and tamper evident.

Part of Property 3 directly supports Goal 5 (Privacy). Requiring the on-disk format to be history-
independent means that it should not leak the order that voters voted on the DRE. A DRE exhibiting

this property would reduce the burden on procedures to safeguard the electronic ballot box. If the

ballot box were not history-independent, the ballot box would contain the order in which voters

Page 30 of 157

Page 31 of 157

20

voted. It would then be easy for an adversary to correlate the order in which voters voted with

the order in which they entered the polling station and then link ballots to people. This ultimately

compromises voter privacy.

This property can also further Goal 3 (Counted-as-cast). If the on-disk format of the ballot

box does not reveal the vote order, it may be possible to publish an exact copy of the ballot box.

This allows anyone to collate the ballot boxes from all DREs in a precinct and recreate the final

tally to double check the tabulation process2

. The ballot box must be history-independent in order

to safely publish it.

We can use the techniques developed in conjunction with Molnar et al. in implementing

Property 3 [55].

Property 4. The DRE only stores ballots that have been approved by the voter.

Property 4 refers to a few conditions. The DRE must not change the ballot after the voter chooses

their candidates. Additionally, the voter must have a chance to see the contents of the ballot and

approve or reject it. The ballot structure may be passed through confirmation screens and to serial-
ization mechanisms before it is ultimately stored; through all this, it must remain unmodified. This

is another aspect of Goal 2 (Cast-as-intended).

Property 5. There should be a canonical format for the ballot so there is only one way to represent

the voter’s choices.

Violation of Property 5 could violate the voter’s privacy, even if the voter approves the ballot. Sup-
pose the voter’s choice, “James Polk” were stored with an extra space: “James Polk”. The voter

However, there are some subtleties to publishing the ballot boxes: if the votes are to be published, they must be done

in a manner that does not enable vote-selling. For example, a vote-buyer may offer cash if a voter makes a selection for a

high-profile race and then fills in a particular string for a write-in candidate in a different race. The vote-buyer will only

pay if one ballot among the published ballots contains the pre-arranged string and a vote for the candidate they ordered.

Page 31 of 157

Page 32 of 157

21

would not likely notice anything were amiss, but this could convey privacy leaking-information in

a subliminal channel, described in Chapter 3.

Property 6. The ballot counted in the tally stage should be the same as the in-memory copy ap-
proved by the voter at the voting machine.

This property, an aspect of Goal 3 (Counted-as-cast), guarantees that the ballot recording software

can properly hand off the ballot to the tally machine. It requires that the serialized version of the in-
memory ballot the voter fills out must be properly deserialized into an equivalent in-memory copy

when needed by the tallying software.

We do not expect these to be an exhaustive list of the desirable security properties; rather,

they are properties that we believe are important and that we can easily achieve with the contribu-
tions of this work.

Page 32 of 157

Page 33 of 157

22

Chapter 3

Cryptographic voting protocols

In this chapter, we look at two cryptographic voting protocols. They provide the voter the

opportunity to verify their own vote was cast-as-intended and that all votes were counted-as-cast.

This is a major step forward in the capabilities of voting systems.

However, in this chapter, we show it is imperative to view cryptographic protocols as a part

of a complete voting system and consider the security implications of all surrounding procedures and

the implementations of the protocols. Doing so for these protocols reveals privacy vulnerabilities

through subliminal channels (the ramifications of which will be mitigated through some strategies

suggested in Chapter 4), and opportunities for denial of service attacks.

Parts of this work are drawn with permission from previously published work [39].

3.1 Introduction

Trustworthy voting systems are crucial for the democratic process. Recently, direct record-
ing electronic voting machines (DREs) have come under fire for failing to meet this standard. The

Page 33 of 157

Page 34 of 157

23

Weakness Protocols Threat Model Affects

Random subliminal channels Neff Malicious DRE colluding Voter privacy &

w/ outsider coercion resistance

Semantic subliminal channels Chaum Malicious DRE colluding Voter privacy &

w/ outsider coercion resistance

Denial of service attacks Neff & Malicious DRE or Voter confidence &

Chaum tallying software election integrity

Table 3.1: Summary of weaknesses we found in Neff’s and Chaum’s voting schemes.

problem with paperless DREs is that the voting public has no good way to tell whether votes were

recorded or counted correctly, and many experts have argued that, without other defenses, these

systems are not trustworthy [42, 57].

Andrew Neff and David Chaum have recently proposed revolutionary schemes for DRE-
based electronic voting [19, 60, 61]. The centerpiece of these schemes consists of novel and sophis-
ticated cryptographic protocols that allow voters to verify their votes are cast and counted correctly.

Voting companies Votegrity and VoteHere have implemented Chaum’s and Neff’s schemes, respec-
tively. These schemes represent a significant advance over previous DRE-based voting systems:

voters can verify that their votes have been accurately recorded, and everyone can verify that the

tallying procedure is correct, preserving privacy and coercion resistance in the process. The ability

for anyone to verify that votes are counted correctly is particularly exciting, as no prior system has

offered this feature.

This chapter presents a first step towards a security analysis of these schemes. Our goal

is to determine whether these new DRE-based cryptographic voting systems are trustworthy for use

in public elections. We approach this question from a systems perspective. Neff’s and Chaum’s

schemes consist of the composition of many different cryptographic and security subsystems. Com-
posing security mechanisms is not simple, since it can lead to subtle new vulnerabilities [28, 48, 64].

Page 34 of 157

Page 35 of 157

24

Consequently, it is not enough to simply analyze a protocol or subsystem in isolation, as some at-
tacks only become apparent when looking at an entire system. Instead, we perform a whole-system

security analysis.

In our analysis of these cryptographic schemes, we found weaknesses in that subliminal

channels may be present in the encrypted ballots. These attacks could potentially compromise

election integrity, erode voter privacy, and enable vote coercion. In addition, we found several

detectable but unrecoverable denial of service attacks. We note that these weaknesses only became

apparent when examining the system as a whole, underlining the importance of a security analysis

that looks at cryptographic protocols in their larger systems context.

The true severity of the weaknesses depends on how these schemes are finally imple-
mented. During our security analysis, one challenge we had to deal with was the lack of a complete

system to analyze. Although Neff and Chaum present fully specified cryptographic protocols, many

implementation details—such as human interfaces, systems design, and election procedures—are

not available for analysis. Given the underspecification, it is impossible to predict with any confi-

dence what the practical impact of these weaknesses may be. Consequently, we are not yet ready

to endorse these systems for widespread use in public elections. Still, we expect that it may be

possible to mitigate some of these risks with procedural or technical defenses, and we present coun-
termeasures for some of the weaknesses we found and identify some areas where further research

is needed. Our results are summarized in Table 3.1.

Page 35 of 157

Page 36 of 157

25

3.2 Preliminaries

David Chaum and Andrew Neff have each proposed a cryptographic voting protocol for

use in DRE machines [13, 19, 60, 61, 89]. Although these protocols differ in the details of their

operation, they are structurally similar. Both protocols fit within the DRE voting steps in Figure 2.1.

However, they introduce a few extra actions, which we outline here.

In the pre-voting stage, a set of election trustees with competing interests are chosen such

that it is unlikely that all trustees will collude. The trustees interact amongst themselves before the

election to choose parameters and produce key material used throughout the protocol. The trustees

should represent a broad set of interest groups and governmental agencies to guarantee sufficient

separation of privilege and discourage collusion among the trustees.

Active voting begins when a voter visits a polling station to cast her vote on election

day, and ends when that ballot is cast. To cast her vote, the voter interacts with a DRE machine

in a private voting booth to select her ballot choices. The DRE then produces an electronic ballot

representing the voter’s choices and posts this to a public bulletin board. This public bulletin board

serves as the ballot box. At the same time, the DRE interacts with the voter to provide a receipt.

Receipts are designed to resist vote buying and coercion, and do not allow the voter to prove to a

third party how she voted. Also, each voter’s ballot is assigned a unique ballot sequence number

(BSN). BSNs ease auditing and verification procedures, without compromising voter privacy.

After all ballots have been posted to the bulletin board, canvassing stage begins. The elec-
tion trustees execute a publicly verifiable multistage mix net, where each trustee privately executes

a particular stage of the mix net [33, 61]. To maintain anonymity, the trustees strip each ballot of

its BSN before it enters the mix net. Each stage of the mix net takes as input a set of encrypted

Page 36 of 157

Page 37 of 157

26

ballots, partially decrypts or re-encrypts them (depending on the style of mix net), and randomly

permutes them. The final result of the mix net is a set of plaintext ballots which can be publicly

counted but which cannot be linked to the encrypted ballots or to voter identities. In cryptographic

voting protocols, the mix net is designed to be universally verifiable: the trustee provides a proof

which any observer can use to confirm that the protocol has been followed correctly. This means a

corrupt trustee cannot surreptitiously add, delete, or alter ballots.

At various points during this process, voters and observers may engage in election verifi-

cation. After her ballot has been recorded on the public bulletin board, the voter may use her receipt

to verify her vote was cast as intended and will be accurately represented in the election results.

Note that the receipt does not serve as an official record of the voter’s selections; it is only intended

for convincing the voter that her ballot was cast correctly. Election observers (e.g., the League of

Women Voters) can verify certain properties about ballots on the public bulletin board, such as, that

all ballots are well-formed or that the mix net procedure was performed correctly.

Both the Chaum and Neff protocols require DREs to contain special printing devices for

providing receipts. The security requirements for the printer are: 1) the voter can inspect its output,

and 2) neither the DRE nor the printer can erase, change, or overwrite anything already printed

without the voter immediately detecting it. There are some differences in the tasks these devices

perform and additional security requirements they must meet, which we will discuss later.

3.2.1 Threat models

We must consider a strong threat model for voting protocols. In national elections, bil-
lions of dollars are at stake, and even in local elections, controlling the appropriation of municipal

funding in a large city can be sufficient motivation to compromise significant portions of the election

Page 37 of 157

Page 38 of 157

27

system [41]. We consider threats from three separate sources: DREs, talliers, and outside coercive

parties. To make matters worse, malicious parties might collude together. For example, malicious

DREs might collude with outside coercers to buy votes.

Malicious DREs can take many forms [5]. A programmer at the manufacturer could insert

Trojan code, or a night janitor at the polling station could install malicious code the night before the

election. We must assume malicious DREs behave arbitrarily. Verification of all the DRE software

in an election is hard, and one goal of Neff’s and Chaum’s schemes is to eliminate the need to verify

that the DRE software is free from Trojan horses.

We also must consider malicious parties in the tallying process, such as a malicious bul-
letin board or malicious trustees. These parties wield significant power, and can cause large prob-
lems if they are malicious. For example, if the bulletin board is malicious, it can erase all the ballots.

If all the software used by the trustees is malicious, it could erase the private portions of the trustees’

keys, making ballot decryption impossible.

To evaluate a voting system’s coercion resistance, we must consider outside coercive par-
ties colluding with malicious voters. We assume the coercer is not present in the voting booth.

Attacks where the coercer is physically present are outside the scope of voting protocols and can

only be countered with physical security mechanisms. Similarly, attacks where a voter records her

actions in the poll booth (e.g., with a video or cell phone camera) are also outside the scope of

voting protocols, and we do not consider them here.

Finally, we must consider honest but unreliable participants. For example, voters and poll

workers might not fully understand the voting technology or utilize its verification properties, and a

malicious party might be able to take advantage of this ignorance, apathy, or fallibility to affect the

Page 38 of 157

Page 39 of 157

28

outcome of the election.

3.3 Two voting protocols

In this section, we describe Neff’s and Chaum’s voting protocols in detail.

3.3.1 Neff’s scheme

Andrew Neff has proposed a publicly verifiable cryptographic voting protocol for use in

DREs [60, 61]. During election initialization, the trustees perform a distributed key generation

protocol to compute a master public key; decryption will only be possible through the cooperation

of all trustees in a threshold decryption operation. Also, there is a security parameter

. A DRE can

surreptitiously cheat with a probability of ✁ ✂✄ . Neff suggests ☎✆ ✝

✝ ☎✞.

Neff’s scheme is easily extensible to elections with multiple races, but for the sake of

simplicity assume there is a single race with candidates ✟ ✠ ✡ ☛ ☛ ☛ ✡ ✟ ☞ . After a voter communicates

her choice ✟ ✌ to the DRE, the DRE constructs an encrypted electronic ballot representing her choice

and commits to it. Each ballot is assigned a unique BSN. The voter is then given the option of

interacting with the DRE further to obtain a receipt. In Figure 3.1, we show an example of a receipt

taken from the VoteHere website. This receipt enables the voter to verify with high probability that

her vote is accurately represented in the tallying process.

After the voter communicates her intended choice ✟✌ to the DRE, it constructs a verifiable

choice (VC) for ✟ ✌ . A VC is essentially an encrypted electronic ballot representing the voter’s

choice ✟ ✌ (see Figure 3.2). A VC is a ✍ ✎

matrix of ballot mark pairs (BMPs), one row per

candidate (recall that

is a security parameter). Each BMP is a pair of El Gamal ciphertexts. Each

Page 39 of 157

Page 40 of 157

29

Figure 3.1: This is an example of a detailed receipt for Neff’s scheme, taken from the VoteHere

website, http://www.votehere.com.

Page 40 of 157

Page 41 of 157

30

0 1 0 0 1 0 1

1 1 0 0 1 1 1

1 0 0 1 0 1 1 0

1 0 1 0 1 1 0

1

1

0

1 2 3

✁ ✂

✁ ✄

✁ ☎

✁ ✆

Figure 3.2: A verifiable choice (VC) in Neff’s scheme. ✝ represents an encryption of bit ✝. This

VC represents a choice of candidate ✟ ✞ . Note the second row contains encryptions of ✟✆ ✡ ✆ ✠ and

✟☎ ✡ ☎✠, and the unchosen rows contain encryptions of ✟✆ ✡ ☎✠ and ✟☎ ✡ ✆ ✠.

ciphertext is an encryption of 0 or 1 under the trustees’ joint public key, written ✆ or ☎ for short.

Thus, each BMP is a pair ✝ ✠ ✝ ✞ , an encryption of ✟✝ ✠ ✡ ✝ ✞ ✠.

The format of the plaintexts in the BMPs differs between the row corresponding to the

chosen candidate ✟ ✌ (i.e., row ✡) and the other (“unchosen”) rows. Every BMP in row ✡ should take

the form ✆ ✆ or ☎ ☎ . In contrast, the BMPs in the unchosen rows should be of the form ✆ ☎

or ☎ ✆ . Any other configuration is an indication of a cheating or malfunctioning DRE. More

precisely, there is a ✍ ✎

matrix ☛ so that the ☞ -th BMP in unchosen row ✌ is ☛ ✍ ✎✏ ✑ ☛ ✍ ✎✏ , and

the ☞ -th BMP in the choice row ✡ is ☛ ✌ ✎✏ ☛ ✌ ✎✏ .

Consider the idealized scenario where all DREs are honest. The trustees can tally the votes

by decrypting each ballot and looking for the one row consisting of ✟✆ ✡ ✆ ✠ and ✟☎ ✡ ☎✠ plaintexts. If

decrypted row ✡ consists of ✟✆ ✡ ✆ ✠ and ✟☎ ✡ ☎✠ pairs, then the trustees count the ballot as a vote for

candidate ✟ ✌ .

1

In the real world, we must consider cheating DREs. Up to this point in the protocol,

the DRE has constructed a VC supposedly representing the voter’s choice ✟ ✌ , but the voter has no

assurance this VC accurately represents her vote. How can we detect a dishonest DRE?

This is a simplified view of how the trustees tally votes in Neff’s scheme, but it captures the main idea.

Page 41 of 157

Page 42 of 157

31

Neff’s scheme prints the pair ✟BSN ✡ hash ✟

✟ ✠ ✠ on the receipt and then splits verification

into two parts: 1) at the polling booth, the DRE will provide an interactive proof of correct con-
struction of the VC to the voter; 2) later, the voter can compare her receipt to what is posted on

the bulletin board to verify that her ballot will be properly counted. At a minimum, this interactive

protocol should convince the voter that row ✡ (corresponding to her intended selection) does indeed

contain a set of BMPs that will be interpreted during tallying as a vote for ✟✌ , or in other words,

each BMP in her chosen row is of the form ✝ ✝ . Neff introduces a simple protocol for this: for

each such BMP, the DRE provides a pledge bit ✁ ; then the voter randomly selects the left or right

position and asks the DRE to provide a proof that the ciphertext in that position indeed decrypts to

✁ ; and the DRE does so by revealing the randomness used in the encryption. Here we are viewing

the ciphertext ✝ as a commitment to ✝, and ✝ is opened by revealing ✝ along with the random-
ness used during encryption. If this BMP has been correctly formed as ✝ ✝ , the DRE can always

convince the voter by using the value ✝ as a pledge; however, if the BMP contains either ✆ ☎ or

☎ ✆ , the voter has a ✠

✞ probability of detecting this. By repeating the protocol for each of the

BMPs in row ✡, the probability that a malformed row escapes detection is reduced to ✟

✞ ✠✄ . The role

of the interactive protocol is to ensure that the receipt will be convincing for the person who was in

the voting booth but useless to anyone else.

In practice, it is unrealistic to assume the average voter will be able to parse the VC and

carry out this protocol unassisted within the polling station. Instead, Neff’s scheme enables the

voter to execute it later with the assistance of a trusted software program. The DRE first prints the

pledges on the receipt, and then receives and prints the voter’s challenge. The challenge ✂ ✌ for the

row ✡ is represented as a bit string where the ☞ -th bit equal to 0 means open the left element of the

Page 42 of 157

Page 43 of 157

32

0 0 1 1 1 1 0 0

1 1 1 1 1 1 0 0

0 1 0 1 1 0

1 0

1 0

1 0 0 1 0 1

1 2 3

✁ ✄

✁ ☎

✁ ✆

✁ ✂

Figure 3.3: An opened verifiable choice (OVC) in Neff’s scheme. ✝ represents an encryption of bit

✝, and ✝ represents an opened encryption of bit ✝. An opened encryption of ✝ contains both ✝ and

the randomness

used to encrypt ✝ in the VC.

☞ -th BMP and 1 means open the right element.

The DRE then constructs an opened verifiable choice (OVC) according to the voter’s

challenge and submits it to the bulletin board. In Figure 3.3, we show an example of an OVC

constructed from the VC in Figure 3.2. We represent an opened encryption of bit ✝ in an half-
opened BMP by ✝ . In the OVC, the opened BMPs in row ✡ are opened according to ✂ ✌ , so that

each half-opened BMP contains a pair of the form ✝ ✝

(if ✂✌ ✎✏ ✂ ✆) or ✝ ✝

(if ✂ ✌ ✎✏ ✂ ☎). To

ensure that the OVC does not reveal which candidate was selected, the BMPs in the unchosen rows

are also half-opened. In unchosen row ✌ , the DRE selects an

-bit challenge ✂✍ uniformly at random

and then opens this row according to ✂✍ . Thus, an OVC consists of an ✍ ✎

matrix of half-opened

Page 43 of 157

Page 44 of 157

33

BMPs. Consequently, the usual invocation of the receipt formation protocol is as follows:

☎ ☛ Voter

DRE ✁ ✡

✁ ☛ DRE

Printer ✁ BSN ✡ hash ✟

✟ ✠

☛ DRE

Printer ✁ commit ✟✁ ✠ ✡ ☛ ☛ ☛ ✡ ✁ ☞ ✠

☛ Voter

DRE ✁ ✂ ✌

✞ ☛ DRE

Printer ✁ ✂ ✠ ✡ ☛ ☛ ☛ ✡ ✂☞ ☎

☛ DRE

B. Board ✁ ✆

Here we define ✁ ✌ ✎✏ ✂ ☛ ✌ ✎✏ and ✁ ✍ ✎✏ ✂ ☛ ✍ ✎✏ ✝ ✂✍ ✎✏ (✌ ✂✞ ✡). While at the voting booth, the voter only

has to check that the challenge ✂ ✌ she specified does indeed appear on the printed receipt in the ✡-th

position (i.e., next to the name of her selected candidate). Later, the voter can check that the OVC

printed in step 5 does appear on the bulletin board and matches the hash printed in step 2 (and that

the candidates’ names are printed in the correct order), and that the OVC contains valid openings of

all the values pledged to in step 3 in the locations indicated by the challenges printed in step 5. Note

that the VC can be reconstructed from the OVC, so there is no need to print the VC on the receipt

or to post it on the bulletin board.

To prevent vote buying and coercion, the voter is optionally allowed to specify challenges

for the unchosen rows between steps 2 and 3, overriding the DRE’s default random selection of ✂✍

(✌ ✂✞ ✡). If this were omitted, a vote buyer could tell the voter in advance to vote for candidate ✟ ✌

and to use some fixed value for the challenge ✂ ✌ , and the voter could later prove how she voted by

presenting a receipt with this prespecified value appearing as the ✡-th challenge.

After the election is closed, the trustees apply a universally verifiable mix net to the col-
lection of posted ballots. Neff has designed a mix net for El Gamal pairs [58, 61], and it is used

here.

Page 44 of 157

Page 45 of 157

34

☎ ☛ Voter

DRE ✁ ✡

✁ ☛ DRE

Printer ✁ BSN ✡ hash ✟

✟ ✠

☛ DRE

Voter ✁ basic or detailed?

☛ Voter

DRE ✁

✡ where

basic ✡ detailed ✄

✞☎ ☛ DRE

Printer ✁ commit ✟✁ ✠ ✡ ☛ ☛ ☛ ✡ ✁ ☞ ✠

✞ ✝ ☛ Voter

DRE ✁ ✂ ✌

✞ ✂ ☛ DRE

Printer ✁ ✂ ✠ ✡ ☛ ☛ ☛ ✡ ✂☞ ☎

☛ DRE

B. Board ✁ ✆

Figure 3.4: Summary of receipt generation in Neff’s scheme with the option of basic or detailed

receipts. Steps ✞☎ ✡ ✞ ✝, and ✞ ✂ happen only if

✂ detailed.

In VoteHere’s implementation of Neff’s scheme, voters are given the option of taking

either a detailed or basic receipt. The detailed receipt contains all the information described in this

section (Figure 3.1), but a basic receipt contains only the pair (BSN, hash(

✟ )). This decision is

made separately for each race on a ballot, and for each race that a voter selects a detailed receipt she

must independently choose the choice and unchosen challenges for that race.

A basic receipt affords a voter only limited verification capabilities. Since a basic receipt

foregoes the pledge/challenge stage of Neff’s scheme, a voter cannot verify her ballot was recorded

accurately. However, a basic receipt does have some value. It enables the voter to verify that the

ballot the DRE committed to in the poll booth is the same one that appears on the bulletin board.

Since the DRE must commit to the VC before it knows whether the voter wants a detailed or basic

receipt, a DRE committing a VC that does not accurately represent the voter’s selection is risking

detection if the voter chooses a detailed receipt. The receipt protocol augmented with this additional

Page 45 of 157

Page 46 of 157

35

Pres: Polk

Sen: Adams

.

.

.

✁✁✁✁✁✁✁✁

✁✁✁✁✁✁✁✁✄

☎ ✆ ✝ ✞

Top layer ☎ ✆ ✝ ✞

Bottom layer

Figure 3.5: Representation of the printed ballot and transparencies in Chaum’s scheme. The top two

images show the ballot as well as a zoomed in portion of the two overlayed transparencies portrayed

below.

choice is summarized in Figure 3.4.

3.3.2 Chaum’s visual crypto scheme

David Chaum uses a two-layer receipt based on transparent sheets for his verifiable voting

scheme [13, 19, 89]. A voter interacts with a DRE machine to generate a ballot image ✟ that

represents the voter’s choices. The DRE then prints a special image on each transparency layer.

The ballot bitmaps are constructed so that overlaying the top and bottom transparencies (✠ and ✡ )

reveals the voter’s original ballot image. On its own, however, each layer is indistinguishable from

a random dot image and therefore reveals nothing about the voter’s choices (see Figure 3.5).

The DRE prints cryptographic material on each layer so that the trustees can recover the

original ballot image during the tabulation phase. The voter selects either the top or bottom layer,

Page 46 of 157

Page 47 of 157

36

Encoding for Transparency 1: 0:

Encoding for Overlay ☎

: ✆

: or

✝✁ Truth Table ✆ ✝ ✁ ☎ ✂ ☎

✝✁ = ✆ ✝ ✁ ✆ ✂ ✆

✝✁ = ☎ ✝ ✁ ☎ ✂ ✆

✝✁ = ☎ ✝ ✁ ✆ ✂ ☎

✝✁ =

Figure 3.6: Visual cryptography overview. A printed pixel on a single transparency has a value in

✆ ✡ ☎✄, encoded as shown in the first row. We apply the visual xor operator ✝✁ by stacking two

transparencies so that light can shine through areas where the subpixels are clear. The pixels in the

overlay take values from ✂

✆ ✡

✄. The bottom table shows the truth table for the visual xor operator

and its parallels to the binary xor operator.

and keeps it as her receipt. A copy of the retained layer is posted on the bulletin board, and the other

layer is destroyed. The voter can later verify the integrity of their receipt by checking that it appears

on the bulletin board and that the cryptographic material is well formed.

Visual cryptography exploits the physical properties of transparencies to allow humans

to compute the xor of two quantities without relying on untrusted software. Each transparency is

composed of a uniform grid of pixels. Pixels are square and take values in ✂

✆ ✡ ☎✄. We print for

a 0-valued pixel and for a 1-valued pixel. We refer to each of the four smaller squares within

a pixel as subpixels. Overlaying two transparencies allows light to shine through only in locations

where both subpixels are clear, and the above encoding exploits this so that overlaying performs

a sort of xor operation. Pixels in the overlay take values in ✂

✆ ✡

✄. Pixels in the overlay have a

different appearance than those in the individual transparency layer: ✆

appears as or , while

appears as . Using ✝ ✁ to represent the visual overlay operation, we see that ✆ ✝✁ ✆ ✂ ✆

, ✆ ✝✁ ☎ ✂ ☎

, and in general if ☎ ✝ ✝ ✂ ✂ then ☎ ✝ ✁ ✝ ✂

✂ (see Figure 3.6).

Chaum’s protocol satisfies three properties:

Page 47 of 157

Page 48 of 157

37

1. Visual Check: Given the desired ballot image ✟ , the DRE must produce two transparencies

✠ and ✡ so that ✠ ✝✁ ✡ ✂ ✟ . This property allows the voter to verify the correct formation

of the two transparencies.

2. Recovery: Given a single transparency ✠ or ✡ and the trustee keys, it must be possible to

recover the original ballot image ✟ .

3. Integrity: ✠ and ✡ contain a commitment. There is a way to open ✠ or ✡ and to verify the

opening so that for all other top and bottom pairs ✠

and ✡

such that ✠

✁ ✝✁ ✡

✟ and ✠

(or ✡

) does not decrypt to ✟ , then ✡

(or ✠

) is unopenable. In other words, for a pair of

transparencies that overlay to form ✟ (or a close enough approximation for the voter to accept

it as ✟ ), the DRE should only be able to generate a witness for a transparency if the other

transparency decrypts to ✟ .

We will consider each pixel to have a type ✁

✂ ✁

, ✂ ✄ in addition to its value ✁

✆ ✡ ☎✄.

The pixel’s type will determine how we compute the value. We label pixels on the transparency so

that no pixels of the same type are adjacent to each other, forming a repeating grid of alternating

pixel types. Additionally, when the two transparencies are stacked, we require that ✁

-pixels are

only atop ✂ -pixels and ✂ -pixels are only atop ✁

-pixels. The upper left corner of the top

transparency looks like: E P E

P E P

E P E

, and the upper left corner of the bottom transparency looks like: P E P

E P E

P E P

.

The ✁

-pixels in a layer come from a pseudorandom stream. The stream is composed of ✍ separate

streams, one from each trustee. Each of these trustee streams is based on the trustee number and

the voter’s BSN; the seed will be encrypted using each trustee’s public key requiring the trustee to

participate in the decryption process. The value of the ✂ -pixel is set so that overlaying it with

the corresponding ✁

-pixel in the other layer yields a ballot pixel. An ✂ -pixel alone reveals no

Page 48 of 157

Page 49 of 157

38

information: it is the xor of a ✁

-pixel and the ballot image.

Details on transparency formation

The pseudorandom stream for a given transparency is composed of ✍ pseudorandom

streams, each of which is seeded by a different value. For each of the top and bottom transparencies,

there is one stream per trustee. The ✡

th trustee’s seed for the top is

✁ ✌ ✂ ✄

✟sign✏ ☎ ✟BSN✠ ✡ ✡ ✠ (3.1)

where BSNrepresents the unique ballot sequence number assigned to the voter and sign✏ ☎ ✟✆✠ is a

signature using ☞✝ , a key specific to the DRE, and ✄

✟✆✠ is a hash function. The ✡

th trustee’s seed for

the bottom is

✝✌ ✂ ✄

✟sign ✏ ✞ ✟BSN✠ ✡ ✡ ✠ (3.2)

The hash expansion function ✄✁ ✟✆✠ is used to generate the trustee stream. Trustee streams are xored

together to produce the pseudorandom stream for the top layer:

✠ ✂ ✟☞

✌✠ ✠

✄ ✁ ✟

✁ ✌ ✠ (3.3)

The corresponding bottom stream uses the bottom seeds:

✁ ✡ ✂ ✟☞

✌✠ ✠

✄✁ ✟

✝✌ ✠ (3.4)

We can now define each pixel’s value. We view the ballot as a stream of pixels ✟ , and

✟ ✡✡☛ denotes the ✡☞ ✌ pixel. A ✁

-pixel ✡ on the top transparency is assigned the value ✁

✠ ✡✡☛ . The

✂ -pixel ✡ on the bottom transparency is defined to have value ✁

✠ ✡✡☛ ✝ ✟ ✡✡☛ . When viewing the

two transparencies in alignment, then, the voter sees the original ballot stream ✟ because ✁

✠ ✡✡☛ ✝✁

Page 49 of 157

Page 50 of 157

39

✟✁

✠ ✡✡☛ ✝ ✟ ✡✡ ☛ ✠ ✂

✠ ✡✡ ☛ ✝ ✟✁

✠ ✡✡☛ ✝ ✟ ✡✡ ☛ ✠ ✂ ✟ ✡✡☛. When taken alone, neither transparency reveals

any information since each pixel is either pseudorandomly generated or the xor of a pseudorandom

quantity and the original ballot.

After constructing the two layers, the DRE appends an onion encryption of the seeds so

the trustees can jointly recover ✁

✠ or ✁ ✡ . The DRE adds

✡ ✂ ✁

✏ ✂ ✟

✝☞ ✄ ✄✁

✏ ✂ ☎

✟☛ ☛ ☛ ✄ ✄✁

✝ ✞ ✄ ✄✁

✝ ✠ ✠ ✠ ✠ ✠

✠ ✂ ✁

✏ ✂ ✟

✁☞ ✄ ✄✁

✏ ✂ ☎

✟☛ ☛ ☛ ✄ ✄✁

✁ ✞ ✄ ✄✁

✁ ✠ ✠ ✠ ✠ ✠ (3.5)

to each transparency.

✠ and

✡ are known as dolls. ✁

✏ ✆ ✟✆✠ is a public-key encryption function

that uses the ✡

th trustee’s public key, ☞✌ .

The voter is then presented a choice to either choose the top or bottom transparency as

a receipt. After the voter chooses a receipt layer, the DRE appends signatures committing to the

voter’s and its choices. Without loss of generality, assume the voter keeps the top transparency

as a receipt. The DRE then prints sign✏ ☎ ✟BSN✠ as an opening for the top layer (see the integrity

requirement of the previous section). This opening allows the voter to verify that the DRE properly

formed

✁ ✌ and that the DRE printed the ✁

-pixels on the chosen layer as it should. By recreating

the onion encryption, the voter can verify that

✠ is properly formed. Finally, the DRE appends

a copy of the chosen layer to the bulletin board. We show a summary of Chaum’s protocol in

Figure 3.7.

When the voter performs these checks, a malicious DRE has only a ☎✝ ✁ chance of evad-
ing detection. By extension, its chance of changing a significant number of ballots without being

caught is exponentially small. For instance, a DRE can cheat by forming the ✁

-pixels incorrectly

so the voter will see what they expect in the overlay yet the ballot will decrypt to some other im-

Page 50 of 157

Page 51 of 157

40

☎ ☛ Voter

DRE ✁ candidate choices

✁ ☛ DRE

Printer ✁ transparency images

☛ DRE

Printer ✁ BSN ✡

✡ ✡

☛ Voter

Printer ✁ ✂ where ✂ ✁

top ✡ bottom ✄

✞ ☛ DRE

Printer ✁ sign✏

✟BSN✠ ✡

sign✏

DRE ✟BSN ✡

✠ ✡

✡ ✡ chosen transparency ✠

Figure 3.7: Summary of Chaum’s protocol.

age. However, the voter will detect cheating if her receipt transparency contains incorrectly formed

-pixels. Therefore, a malicious DRE must commit to cheating on either the top or bottom trans-
parency (not both, or else it will surely be caught) and hope the voter does not choose that layer as

a receipt.

Tabulation & verification

Chaum uses a Jakobsson et al. style mix net to decode the transparency chosen by the

voter and recover their choices from ✟ in the tallying phase [33]. The values of the pseudorandom

pixels do not contain any information, while the encrypted pixels contain the ballot image xor-ed

with the pseudorandom pixels from the other transparency. For each ballot that a trustee in the mix

net receives, trustee ✡ in the mix net recovers its portion of the pseudorandom stream. Let’s assume

the voter chose a top transparency. In the case, trustee ✡ will first decrypt the doll provided by the

DRE (Equation (3.5)) to obtain

✝✌ and then xor ✄✁ ✟

✝✌ ✠ into the ✂ -pixels in the encrypted ballot.

This trustee next permutes all of the modified ballots and passes the collection to the next trustee.

Page 51 of 157

Page 52 of 157

41

When the ballots exit the mix net, the ✁

-pixels still contain pseudorandom data, but the encrypted

pixels will contain the voter’s ballot pixels from ✟ .

3.4 Subliminal channels

Subliminal channels, also known as covert communication channels, arise in electronic

ballots when there are multiple valid representations of a voter’s choices. If the DRE can choose

which representation to submit to the bulletin board, then the choice of the representation can serve

as a subliminal channel. Subliminal channels are particularly powerful because of the use of public

bulletin boards in voting protocols. A subliminal channel in ballots on the bulletin board could

be read by anyone (if the decoding algorithm is public) or only by a select few (if the decoding

algorithm is secret).

A subliminal channel in an encrypted ballot carrying the voter’s choices and identifying

information about the voter threatens voter privacy and enables vote coercion. For example, as

Keller et al. note, a DRE could embed in each encrypted ballot the time when the ballot was cast

and who the voter chose for president [40]. Then, a malicious observer present in the polling place

could record when each person voted and later correlate that with the data stored in the subliminal

channel to recover each person’s vote. Alternatively, if a malicious poll worker learns a voter’s

BSN, she can learn how a person voted since each encrypted ballot includes the BSN in plaintext.

Detecting such attacks can be quite difficult: without specific knowledge of how to decode the

subliminal channel, the encrypted ballots may look completely normal. The difficulty of detection,

combined with the enormous number of voters who could be affected by such an attack, makes the

subliminal channel threat troubling.

Page 52 of 157

Page 53 of 157

42

The above scenarios illustrate how an adversary can authentically learn how someone

voted. Coercion then becomes simple: the coercer requires the voter to reveal their BSN or the time

at which they voted, then later verifies whether there exists a ballot with that identifying information

and the desired votes.

The threat model we consider for subliminal channel attacks is a malicious DRE colluding

with an external party. For example, a malicious programmer could introduce Trojan code into

DREs and then sell instructions on how to access the subliminal channel to a coercer.

Neither Neff’s nor Chaum’s protocol completely address subliminal channels in ballots.

In this section, we present subliminal channel vulnerabilities in these protocols and some possible

mitigation strategies.

One interesting observation is that subliminal channels are a new problem created by

these protocols. Subliminal channels only become a serious problem because the bulletin board’s

contents are published for all to see. Since all the ballots are public and anonymously accessible,

decoding the channel does not require any special access to the ballots. Subliminal channels are

not a significant problem with current non-cryptographic DREs because electronic ballots are not

public.

3.4.1 Randomness

Several cryptographic primitives in Neff’s scheme require random values, and subliminal

channel vulnerabilities arise if a malicious DRE is free to choose these random values.2 These prim-

Chaum’s scheme, as originally published, does not specify which encryption primitives should be used to construct

the onion encryption in Equation 3.5 [19]. Subsequently, Chaum has related to us that he intended the encryption to use

a deterministic encryption scheme [20] precisely to avoid using random values and the associated subliminal channel

vulnerability. There is some risk in using this non-standard construction since the widely accepted minimum notion of

security for public key encryption is IND-CPA, which requires a source of randomness.

Page 53 of 157

Page 54 of 157

43

itives use randomness to achieve semantic security [26], a strong notion of security for encryption

schemes which guarantees that it is infeasible for adversaries to infer even partial information about

the messages being encrypted (except maybe their length). Each choice for the random number

allows a different valid ballot, which creates opportunities for subliminal channels.

Subliminal channels are easy to build in protocols or encryption schemes that use random-
ness. If a cryptographic protocol requests the DRE to choose a random number

and then publish it,

the DRE can encode ✄

✄ bits through judicious selection of

. Alternatively, given any randomized

encryption scheme ✁

✏ ✟✆ ✡ ✆✠, the DRE can hide a bit ✝ in an encryption of a message

by computing

✂ ✂

✏ ✟

✠ repeatedly using a new random number

each time until the least significant bit of

✟✂ ✠ is ✝. More generally, a malicious DRE can use this technique to hide

bits in ✂ with expected

✆ ✟✁ ✄ ✠ work. Thus, all randomized encryption schemes contain subliminal channels.

Random subliminal channel attack. Neff’s scheme uses randomness extensively. Each BMP

consists of a pair of El Gamal ciphertexts, and the El Gamal encryptions are randomized. In forming

the OVC, the DRE reveals half of the random values

used in the encryptions (Figure 3.3).

For each BMP, one of the encryption pairs will be opened, revealing the random encryp-
tion parameter

. This presents a subliminal channel opportunity.3 Although the DRE must commit

to the ballot before the voter chooses which side of the BMP to open, a malicious DRE can still

embed ✄

✄ bits of data for each BMP by using the same

for both encryptions in the BMP. In this

way

is guaranteed to be revealed in the ballot.

This attack enables a high bandwidth subliminal channel in each voter’s encrypted ballot. ✁

Another way a malicious DRE could embed a subliminal channel in Neff’s scheme is if the voter doesn’t choose all

her unchoice challenges (i.e., the DRE is free to choose some of them). However, Neff outlines a variant of his proposal

that solves this using two printers [60].

Page 54 of 157

Page 55 of 157

44

For example, in an election with 8 races and 5 candidates per race, there will be ✄

✆ ✆

ballot mark

pairs, where Neff suggests

☎✆. A reasonable value of ✄

✄ is 1024 bits. The total channel, then,

can carry 128 bytes in each of the 400 BMPs, for a total of 51200 bytes of information per ballot.

This is more than enough to leak the voter’s choices and identifying information about the voter.

3.4.2 Mitigating random subliminal channels

Eschew randomness. One approach to prevent subliminal channels is to design protocols that

don’t require randomness. Designing secure protocols that do not use randomness is tricky, since

so many proven cryptographic primitives rely on randomness for their security. Proposals relying

on innovative uses of deterministic primitives, including Chaum’s, deserve extra attention to ensure

that forgoing randomness does not introduce any security vulnerabilities. Ideally, they would be

accompanied by a proof of security.

Random tapes and their implementation. In a personal communication, Neff suggested that

DREs could be provided with pre-generated tapes containing the random bits to use for all of their

non-deterministic choices, instead of allowing them to choose their own randomness [59]. With a

random tape for each BSN, the ballot becomes a deterministic function of the voter’s choices and

the random tape for that BSN. As long as the BSN is assigned externally before the voter selects

her candidates, the ballots will be uniquely represented. This will eliminate the threat of random

subliminal channels in encrypted ballots.

It is not enough for the intended computation to be deterministic; it must be verifiably so.

Thus, we need a way to verify that the DRE has used the bits specified on the random tape, not some

other bits. We present one possible approach to this problem using zero-knowledge (ZK) proofs [27]

Page 55 of 157

Page 56 of 157

45

which allows everyone to verify that each DRE constructed ballots using the random numbers from

its tape. We imagine that there are several optimizations to this approach which improve efficiency.

Suppose before the election, the trustees generate a series

✎✠ ✡

✎✞ ✡ ☛ ☛ ☛ of random values

for each BSN

, and post commitments ✟ ✟

✎✠ ✠ ✡ ✟ ✟

✎✞ ✠ ✡ ☛ ☛ ☛ on a public bulletin board. The election

officials then load the random values

✎✠ ✡

✎✞ ✡ ☛ ☛ ☛ on the DRE which will use BSN

.

During the election, for each randomized function evaluation ✁

✡ ✆✠, the DRE uses the

next random value in the series and furnishes a ZK proof proving it used the next random value in

the series. For example, in Neff’s scheme, along with each ✝ , which is an El Gamal encryption

✡ ✝ ✠, the DRE includes a non-interactive zero knowledge proof of knowledge proving that 1) it

knows a value

✎✌ which is a valid opening of the commitment ✟ ✟

✎✌ ✠ and 2) ✁

✎✌ ✡ ✝ ✠ ✂ ✝ .

Verifying that each

✎✌ is used sequentially within a ballot enables any observer to verify that the

encryption is deterministic, so there can be no random subliminal channels in ✝ or its opening ✝ .

However, there is a wrinkle to the above solution: under most schemes, constructing the

zero-knowledge proof itself requires randomness, which creates its own opportunities of subliminal

channels. It may be possible to determinize the ZK proof using research on unique zero-knowledge

proofs (uniZK) [45, 46].

This approach may require further analysis to determine whether it is able to satisfy the

necessary security properties.

Trusted hardware. Utilizing trusted hardware in DREs can also help eliminate subliminal chan-
nels. In this approach, the trusted hardware performs all computations that require random inputs

and signs the encrypted ballot it generates. The signature enables everyone to verify the ballot was

generated inside the trusted hardware. As long as trustees verify the DRE’s trusted hardware is

Page 56 of 157

Page 57 of 157

46

running the correct software and the trusted hardware isn’t compromised, DREs will not be able to

embed a random subliminal channel.

3.4.3 Multiple visual and semantic representations

A tabulator that accepts multiple equivalent visual or semantic representations of the

voter’s choice creates another subliminal channel opportunity. For example, if the tabulator ac-
cepts both James Polk and James Polk (with an extra space) as the same person, then a DRE can

choose which version to print based on the subliminal channel bit it wants to embed.

Semantic subliminal channel attack. Chaum’s scheme is vulnerable to multiple visual represen-
tations. A malicious DRE can create alternate ballot images for the same candidate that a voter

will be unlikely to detect. Recall that Chaum’s scheme encrypts an image of the ballot, and not an

ASCII version of the voter’s choices. The voter examines two transparencies together to ensure that

the resulting image accurately represents their vote. A DRE could choose to use different fonts to

embed subliminal channel information; the choice of font is the subliminal channel. To embed a

higher bandwidth subliminal channel, the DRE could make minor modifications to the pixels of the

ballot image that do not affect its legibility. Unless the voter is exceptionally fastidious, these mi-
nor deviations would escape scrutiny as the voter verifies the receipt. After mixing, the subliminal

channel information would be present in the resulting plaintext ballots.

There is no computational cost for the DRE to embed a bit of information in the font. It

can use a simple policy, such as toggling a pixel at the top of a character to encode a one, and a pixel

at the bottom to encode a zero. On a 10 race ballot, using such a policy just once per word could

embed 30 bits of information.

Page 57 of 157

Page 58 of 157

47

There is a qualitative difference between the semantic subliminal channels and the random

subliminal channels. The information in the semantic channels will only become apparent after the

mix net decrypts the ballot since the channel is embedded in the plaintext of the ballot. In contrast,

the random subliminal channels leak information when the ballots are made available on the bulletin

board.

Mitigation. To prevent the semantic subliminal channel attack, election officials must establish of-

ficial unambiguous formats for ballots, and must check all ballots for conformance to this approved

format. Any deviation indicates a ballot produced by a malicious DRE. Such non-conforming bal-
lots should not be allowed to appear on the bulletin board, since posting even a single suspicious

ballot on the bulletin board could compromise the privacy of all voters who used that DRE. Un-
fortunately, the redaction of such deviant ballots means that such ballots in will not be able to be

verified by the voter through normal channels.

An even more serious problem is that this policy violates assumptions made by the mix

net. One would need to ensure the mix net security properties still hold when a subset of the

plaintexts are never released.

The order in which ballots appear will also need to be standardized. Otherwise, a DRE

can choose a specific ordering of ballots on the public bulletin board as a low bandwidth subliminal

channel [42]. Fortunately, it is easy to sort or otherwise canonicalize the order of ballots before

posting them publicly.

Page 58 of 157

Page 59 of 157

48

3.4.4 Discussion

Subliminal channels pose troubling privacy and voter coercion risks. In the presence of

such attacks, we are barely better off than if we had simply posted the plaintext ballots on the bulletin

board in unencrypted form for all to see. The primary difference is that subliminal channel data may

be readable only by the malicious parties. This situation seems problematic, and we urge protocol

designers to design voting schemes that are provably and verifiably free of subliminal channels.

3.5 Denial of service attacks and election recovery

Although Neff’s and Chaum’s schemes can detect many attacks, recovering legitimate

election results in the face of these attacks may be difficult. In this section, we present several

detectable but irrecoverable denial of service (DoS) attacks launched at different stages of the voting

and tallying process. We consider attacks launched by malicious DREs and attacks launched by

malicious tallying software, and discuss different recovery mechanisms to resist these attacks.

3.5.1 Denial of service (DoS) attacks

Launched by malicious DREs. Malicious DREs can launch several DoS attacks which create

detectable, but unrecoverable situations. We present two classes of attacks: ballot deletion and

ballot stuffing.

In a ballot deletion attack, a malicious DRE erases voters’ ballots or submits random bits

in their place. Election officials and voters can detect this attack after the close of polls, but there is

little they can do at that point. Since the electronic copy serves as the only record of the election, it

is impossible to recover the legitimate ballots voted on that DRE.

Page 59 of 157

Page 60 of 157

49

DREs can launch more subtle DoS attacks using ballot stuffing. Recall that both Neff’s

and Chaum’s schemes use ballot sequence numbers (BSNs) to uniquely identify ballots. BSNs

enable voters to find and verify their ballots on the public bulletin board, and by keeping track of

the set of valid BSNs, election officials can track and audit ballots.

In the BSN duplication attack, a DRE submits multiple ballots with the same BSN. Elec-
tion officials will be able to detect this attack after the ballots reach the bulletin board, but recovery

is difficult. It is not clear how to count ballots with the same BSN. Suppose a DRE submits 100

valid ballots (i.e., from actual voters) and 100 additional ballots, using the same BSN for all the

ballots. How do talliers distinguish the invalid ballots from the valid ones?

In the BSN stealing attack, a malicious DRE “steals” BSNs from the set of BSNs it would

normally assign to legitimate voters’ ballots. For a particular voter, the DRE might submit a vote

of its own choosing for the BSNit is supposed to use, and on the voter’s receipt print a different

(invalid) BSN. Since the voter will not find her ballot on the bulletin board, this attack can be

detected, but recovery is tricky: how do election officials identify the injected ballots and remove

them from the tally?

Neff’s and Chaum’s scheme enable voters and/or election officials to detect these attacks,

but recovery is non-trivial because 1) the voters’ legitimate ballots are missing and 2) it is hard to

identify the invalid ballots injected by the DRE.

Launched by malicious tallying software. DoS attacks in the tallying phase can completely ruin

an election. For example, malicious tallying softwares can delete the trustees’ keys, making decryp-
tion and tallying of the encrypted ballots forever impossible. Malicious bulletin board software can

erase, insert, or delete ballots.

Page 60 of 157

Page 61 of 157

50

Selective DoS. An attacker could use DoS attacks to bias the outcome of the election. Rather than

ruining the election no matter its outcome, a more subtle adversary might decide whether to mount a

DoS attack or not based on who seems to be willing the race. If the adversary’s preferred candidate

is winning, the adversary need do nothing. Otherwise, the adversary might try to disrupt or ruin

the election, forcing a re-election and giving her preferred candidate a second chance to win the

election, or at least raising questions about the winner’s mandate and reducing voters’ confidence in

the process.

There are many ways that selective DoS attacks might be mounted:

If an outsider has a control channel to malicious DREs, the outsider could look at the polls

and communicate a DoS command to the DREs.

An autonomous DRE could look at the pattern of votes cast during the day, and fail (deleting

all votes cast so far at that DRE) if that pattern leans towards the undesired candidate. This

would disrupt votes cast only in precincts leaning against the attacker’s preferred candidate.

If trustees’ software is malicious, it could collude to see how the election will turn out, then

cause DoS if the result is undesirable. Note that if all trustees are running the same tallying

software, this attack would require only a single corrupted programmer.

Selective DoS attacks are perhaps the most troubling kind of DoS attack, because they threaten

election integrity and because attackers may have a real motive to launch them.

3.5.2 Mitigation strategies and election recovery

Note that in all these attacks, non-malicious hardware or software failures could cause the

same problems. This may make it hard to distinguish purposeful attacks from unintentional failures.

Page 61 of 157

Page 62 of 157

51

The above attacks create irrecoverable situations because voters’ legitimate ballots are

lost or corrupted, the bulletin board contains unidentifiable illegitimate ballots submitted by mali-
cious DREs, or both. In this section, we evaluate two recovery mechanisms for these DoS attacks:

revoting and a voter verified paper audit trail.

Revoting. One recovery strategy is to allow cheated voters to revote. Depending on the scope of

the attack or failure, this could range from allowing only particular voters to revote to completely

scrapping the election and starting over. However, revoting is problematic. Redoing the entire elec-
tion is the most costly countermeasure. Alternatively, election officials could allow only those voters

who have detected cheating to revote. Unfortunately, this is insufficient. Less observant voters who

were cheated may not come forward, and it may be hard to identify and remove illegitimate ballots

added by a malicious DRE. Revoting does not help with selective DoS.

Voter verified paper audit trail. A voter verified paper audit trail (VVPAT) system produces a

paper record verified by the voter before her electronic ballot is cast [51]. This paper record is cast

into a ballot box. The paper trail is an official record of the voter’s vote but is primarily intended for

use in recounts and auditing.

It would not be hard to equip cryptographic voting systems with a VVPAT. This would

provide a viable mechanism for recovering from DoS attacks. In addition to providing an indepen-
dent record of all votes cast, VVPAT enables recovery at different granularities. If election officials

conclude the entire electronic record is questionable, then the entire VVPAT can be counted. Alter-
natively, if only a single precinct’s electronic record is suspect, then this precinct’s VVPAT record

can be counted in conjunction with the other precincts’ electronic records. This approach enables

Page 62 of 157

Page 63 of 157

52

officials to keep the universal verifiability of the uncorrupted precincts while recovering the legiti-
mate record of the corrupted precinct.

A third benefit of VVPAT is that it provides an independent way to audit that the cryp-
tography is correctly functioning. This would be one way to help all voters, even those who do not

understand the mathematics of these cryptographic schemes, to be confident that their vote will be

counted correctly.

3.6 Implementing secure cryptographic voting protocols

A secure implementation of Neff and Chaum’s protocol will still need to resolve many

issues. In this section, we outline important areas that Neff and Chaum have not yet specified.

These parts of the system need to be fully designed, implemented, and specified before one can

perform a comprehensive security review. Also, we list three open research problems which we feel

are important to the viability of these schemes.

3.6.1 Underspecifications

Bulletin board. Both protocols rely on a public bulletin board to provide anonymous, read only

access to the data. The data must be stored robustly, overcoming software and mechanical failures

as well as malicious attacks. Further, only authenticated parties should be able to append messages

to the bulletin board. An additional requirement is to ensure that the system delivers the same copy

of the bulletin board contents to each reader. If the bulletin board were able to discern a voter’s

identity, say by IP address, it could make sure the voter always saw a mix transcript that included

a proof that their vote was counted. But, for the official transcript, the mix net and bulletin board

Page 63 of 157

Page 68 of 157

57

Section 2.1, all voting sessions are encompassed within the active voting phase. A voting session

starts with the voter’s first use of a particular voting machine and ends when they leave the voting

machine. It is assumed that only one voter uses the machine during each session. After each voting

session, the machine returns to a start state and readies itself for the next voter’s session.

4.2 Avenues for information flows

In this section, we look at different voting technologies and highlight some of the ways

privacy violations might occur. Table 4.1 summarizes the ways that private information might leak

out of the machine as well as the relative severity of the potential leak.

4.2.1 DRE

A voting session with a DRE begins with the voter presenting their authentication token

and ends after they make their selections, confirm the choices, and leave the voting machine. A

DRE has many output devices: the voting screen, audio output, and the electronic ballot box. DREs

with VVPAT [51] contain also have a printer for the paper receipt. Each of these output devices

presents a different avenue for data to leak.

With corrupt software, a DRE could reveal previous voters’ selections to the screen. Just

as in Section 3.4, the malicious DRE could reveal the ballot casting times for all ballots for a

specific candidate. Correlating this information with when voters leave the polling booth easily

reveals voters’ choices. A party could activate malicious code to gain access to this confidential

data with a specific and unusual sequence of inputs. Assume that each vote can be represented with

a four or five bits, or alternatively one ASCII character; with a ballot of 100 races, a single voter’s

Page 68 of 157

Page 69 of 157

58

Voting Technology Output Channel Flow capacity Notes

DRE Screen Large

VVPAT printed record Medium

Audio accessibility interface Small

Vote storage Large We can prevent leaks using [55]

Cryptographic voting protocols Receipt Medium

Screen Large

Audio accessibility interface Small

Bulletin board Large Can be read anonymously over the Internet

Vote storage Large We can prevent leaks using [55]

Ballot marking device Screen Large

Marked ballot Large

Optical scan reader Confirmation screen Small

Vote storage Large We can prevent leaks using [55]

Table 4.1: Ways that prior vote information might escape from a voting machine in different voting technologies.

Page 69 of 157

Page 70 of 157

59

choices can fit in one line of text. This means that over 100 voters’ full ballots can fit onto two pages

of text. It would be inconceivable to copy two full pages of ASCII gibberish down by hand, but a

digital camera would be a convenient tool to download the data from the DRE.

The audio output device, used to improve accessibility for voters with visual impairments,

can also be used to surreptitiously leak prior voters’ data. A malicious DRE could simply read out

prior voter’s selections. However, this is a slow process, so it is infeasible to quickly leak all prior

voters’ data.

DREs store their ballots into an electronic ballot box. This is usually a removable memory

device that is used for summing the votes cast on the DRE. Depending upon the voting jurisdiction’s

procedures, the contents of the ballot box may be made public. This represents a large potential

vehicle for information leakage. The ballot box 1) may contain extraneous data that reveals voters’

selections in unused portions of the ballot box device; or 2) may encode hidden data using the order

the elements are on disk. These allow a malicious voting machine to leak casting time of all of the

votes. Using a standardized data format and the techniques developed in conjunction with Molnar

et al [55], it is possible to eliminate privacy leaks from a electronic ballot boxes.

Finally, some DREs are being equipped with VVPAT printers. Even though the voter

does not keep or even touch the paper record, it represents an output channel to convey private

information. The paper record displays the entire list of a voter’s selections. After reviewing the

printed voter record, the machine queries the voter and either prints an acceptance note on the record,

or a spoil note and allows the voter to edit their response and again review the printed ballot. Since

the printed record is retained by election officials and could undergo later scrutiny, a malicious DRE

must attempt to disguise private data it is conveying. One way for the DRE to leak a prior voter’s

Page 70 of 157

Page 76 of 157

65

Chapter 5

Designing voting machines for

verification

In this chapter, we provide techniques to help vendors, independent testing agencies, and

others verify critical security properties in direct recording electronic (DRE) voting machines. We

expand upon the privacy preserving techniques presented in Chapter 4 to address Property 1 and

also address Property 2 to guarantee a ballot is only cast with the voter’s consent. With a little

additional work, the other properties are amenable to our techniques. We rely on specific hardware

functionality, isolation, and architectural decisions to allow one to easily verify critical security

properties. We believe our techniques will help us verify other properties as well though we have

not demonstrated this. Verification of these security properties is one step towards a fully verified

voting machine.

Parts of this work are drawn with permission from previously published work [74].

Page 76 of 157

Page 77 of 157

66

5.1 Introduction

In this chapter we seek to answer how can we reason about, or even prove, relevant se-
curity properties in voting machines. As we have seen, the flurry of reports criticizing the trust-
worthiness of direct recording electronic (DRE) voting machines, computer scientists have not been

able to allay voters’ concerns about this critical infrastructure [42, 18, 72, 90]. The problems are

manifold: poor use of cryptography, buffer overflows, and in at least one study, poorly commented

code.

The ultimate security goal would be a system where any voter, without any special train-
ing, could easily convince themselves about the correctness of all relevant security properties. Our

goal is not so ambitious; we address convincing those with the ability to understand code the cor-
rectness of a few security properties. For clarity, we focus on two important security properties in

this chapter. These properties were originally described in Chapter 2. Briefly, recall that Property 1

states that a voter’s interactions should not affect any subsequent voter’s sessions. Property 2 states

that a ballot should not be cast without the voter’s consent. Verification of these properties, as well

as the others we described in Chapter 2, are a step towards the full verification of a voting machine.

Current DREs are not amenable to verification of these security properties; for instance,

version 4.3.1 of the Diebold AccuVote-TS electronic voting machine consists of 34 7121

lines of

vendor-written C++ source code, all of which must be analyzed to ensure Properties 1 and 2. One

problem with current DRE systems, in other words, is that the trusted computing base (TCB) is

simply too large. The larger problem, however, is the code simply is not structured to verify security

Kohno et al. count the total number of lines in their paper [42]; for a fair comparison with our work, we look at

source lines of code, which excludes comments and whitespace from the final number. Hence, the numbers cited in their

paper differ from the figure we list.

Page 77 of 157

Page 78 of 157

67

properties.

In this chapter, we develop a new architecture that significantly reduces the size of the

TCB for verification of these properties. Our goal is to make voting systems more amenable to

efficient verification, meaning that implementations can be verified to be free of malicious logic.

By appropriate architecture design, we reduce the amount of code that would need to be verified

(e.g., using formal methods) or otherwise audited (e.g., in an informal line-by-line source code

review) before we can trust the software, thereby enhancing our ability to gain confidence in the

software. We stress that our architecture assumes voters will be diligent: we assume that each voter

will closely monitor their interaction with the voting machines and look for anomalous behavior,

checking (for example) that her chosen candidate appears in the confirmation page.

We present techniques that we believe are applicable to DREs. We develop a partial voting

system, but we emphasize that this work is not complete. As we discussed in Section 2.1, voting

systems comprise many different steps and procedures: pre-voting, ballot preparation, audit trail

management, post-election, recounts, and an associated set of safeguard procedures. Our system

only addresses the active voting phase. As such, we do not claim that our system is a replacement

for an existing DRE or a DRE system with a paper audit trail system. See Section 5.6 for a discussion

of using paper trails with our architecture.

Technical elements of our approach. We highlight two of the key ideas behind our approach.

First, we focus on creating a trustworthy vote confirmation process. Most machines today divide

the voting process into two phases: an initial vote selection process, where the voter indicates who

they wish to vote for; and a vote confirmation process, where the voter is shown a summary screen

listing their selections and given an opportunity to review and confirm these selections before casting

Page 78 of 157

Page 81 of 157

70

We explicitly do not consider the following possible goals:

Protect against retail attacks by election insiders and vendors when the attacks do involve

compromising physical security.

Protect against attacks by outsiders, e.g., voters, when the attacks do involve compromising

physical security.

On the adversaries that we explicitly do not consider. We explicitly exclude the last two ad-
versaries above because we believe that adversaries who can violate the physical security of the

DRE will always be able to subvert the operation of that DRE, no matter how it is designed or

implemented. Also, we are less concerned about physical attacks by outsiders because they are

typically retail attacks: they require modifying each individual voting machine one-by-one, which

is not practical to do on a large scale. For example, to attack privacy, a poll worker could mount a

camera in the voting booth or, more challenging but still conceivable, an outsider could use Tem-
pest technologies to infer a voter’s vote from electromagnetic emissions [43, 88]. To attack the

integrity of the voting process, a poll worker with enough resources could replace an entire DRE

with a DRE of her own. Since this attack is possible, we also do not try to protect against a poll

worker that might selectively replace internal components in a DRE. We assume election officials

have deployed adequate physical security to defend against these attacks.

We assume that operating procedures are adequate to prevent unauthorized modifications

to the voting machine’s hardware or software. Consequently, the problem we consider is how to

ensure that the original design and implementation are secure. While patches and upgrades to the

voting system firmware and software may occasionally be necessary, we do not consider how to

Page 81 of 157

Page 82 of 157

71

securely distribute software, firmware, and patches, nor do we consider version control between

components.

Attentive voters. We assume that voters are attentive. We require voters to check that the votes

shown on the confirmation screen do indeed accurately reflect their intentions; otherwise, we will

not be able to make any guarantees about whether the voter’s ballot is cast as intended. Despite our

reliance on this assumption, we realize it may not hold for all people. Voters are fallible and not all

will properly verify their choices. To put it another way, our system offers voters the opportunity to

verify their vote. If voters do not take advantage of this opportunity, we cannot help them. We do

not assume that all voters will avail themselves of this opportunity, but we try to ensure that those

who do, are protected.

5.3 Architecture

We focus this chapter on our design and implementation of the “active voting” phase of

the election process (cf. Figure 2.1). We choose to focus on this step because we believe it to be one

of the most crucial and challenging part of the election, requiring interaction with voters and the

ability to ensure the integrity and privacy of their votes. We remark that we attempt to reduce the

trust in the canvassing phase by designing a DRE whose output record is both privacy-preserving

(anonymized) and integrity-protected.

5.3.1 Architecture motivations

To see how specific design changes to traditional voting architectures can help verify

properties, we will go through a series of design exercises starting from current DRE architectures

Page 82 of 157

Page 83 of 157

72

✁ ✂✄ ☎ ✄ ✆ ✄ ✝ ✂ ✞ ✁ ✟

✠ ✡ ☛ ☞ ✆ ✂ ✞ ✌ ✆ ✄ ✍ ✁ ✎

✏ ✑ ✒ ✓ ✟ ✔

✕ ✁ ☞ ✝ ✖ ☎ ✝ ✎ ✄ ✄ ✟

✗ ✄ ✘ ✄ ✂ ☛ ✁ ✔ ☞ ✆ ✄

✕ ✁ ✙ ✄ ✟

✗ ✄ ✓ ✔ ✄ ✎

✁ ✂✄ ✑ ✁ ✟ ✚ ✞ ✎ ✛ ✓ ✂ ✞ ✁ ✟

✁ ✂✄ ✑ ✁ ✎ ✄

Figure 5.1: Our architecture, at an abstract level. For the properties we consider, the

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟

module need not be trusted, so it is colored red.

and finishing at our design. The exercises will be motivated by trying to design a system that clearly

exhibits Properties 1 and 2.

Resetting for independence. Chapter 4 highlights our approach to achieving privacy in a DRE.

Recall, to satisfy the conditions of the approach, two conditions must be met:

1. Ensure that a reboot is always triggered after a voter ends their session.

2. Check every place a file can be opened to ensure that data files are write-only, and configura-
tion files are read-only.

For our architecture, we introduce a separate component whose sole job is to manage the

reset process. The ✜✌ ✆ ✆✁ ✂ ✜✁✢

triggers the ✣

✄ ✤ ✄ ✂ ✥✁ ✦ ✧ ✆✄

after a ballot is stored. The reset module then

reboots a large portion of the DRE and manages the startup process. We use a separate component

so that it is simple to audit the correctness of the ✣

✄ ✤ ✄ ✂ ✥✁ ✦ ✧ ✆✄.

Page 83 of 157

Page 84 of 157

73

Isolation of confirmation process. In considering Property 2, which requires the voter’s consent

to cast in order for the ballot to be stored, we will again see how modifying the DRE’s architecture

in specific ways can help verify correctness of this property.

The consent property in consideration requires auditors to confidently reason about the

casting procedures. An auditor (perhaps using program analysis tools) may have an easier time

reasoning about the casting process if it is isolated from the rest of the voting process. In our archi-
tecture, we take this approach in combining the casting and confirmation process, while isolating it

from the vote selection functionality of the DRE. With a careful design, we only need to consider

this sub-portion to verify Property 2.

From our DRE design in the previous section, we introduce a new component, called

the

✁ ✂ ✄ ✠ ✁ ✟✡ ☛☞ ✌ ✂ ✞✁ ✟ module. With this change, the voter first interacts with a

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟

module that presents the ballot choices. After making their selections, control flow passes to the

✁ ✂ ✄ ✠✁ ✟✡ ☛☞ ✌ ✂ ✞✁ ✟ module that performs a limited role: presenting the voter’s prior selections and

then waiting for the voter to either 1) choose to modify their selections, or 2) choose to cast their

ballot. Since the

✁ ✂ ✄ ✠✁ ✟✡ ☛☞ ✌ ✂ ✞✁ ✟ module has limited functionality, it only needs limited support

for GUI code; as we show in Section 5.5.1 we can more easily analyze its correctness since its scope

is limited. If the voter decides to modify the ballot, control returns to the

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟ module.

Note the voter interacts with two separate components: first the

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟ component

and then

✁ ✂ ✄ ✠✁ ✟✡ ☛☞ ✌ ✂ ✞✁ ✟. There are two ways to mediate the voter’s interactions with the two

components: 1) endow each component with its own I/O system and screen; 2) use one I/O system

and a trusted I/O “multiplexor” to manage which component can access the screen at a time. The

latter approach has a number of favorable features. Perhaps the most important is that it preserves

Page 84 of 157

Page 89 of 157

78

5.3.3 Hardware-enforced separation

Our architecture requires components to be protected from each other, so that a malicious

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟ component cannot tamper with or observe the state or code of other components.

One possibility would be to use some form of software isolation, such as putting each component

in a separate process (relying on the OS for isolation), in a separate virtual machine (relying on the

VMM), or in a separate Java applet (relying on the JVM).

Instead, we use hardware isolation as a simple method for achieving strong isolation. We

execute each module on its own microprocessor (with its own CPU, RAM, and I/O interfaces).

This relies on physical isolation in an intuitive way: if two microprocessors are not connected

by any communication channel, then they cannot directly affect each other. Verification of the

interconnection topology of the components in our architecture consequently reduces to verifying

the physical separation of the hardware and verifying the interconnects between them. Historically,

the security community has focused primarily on software isolation because hardware isolation was

viewed as prohibitively expensive [71]. However, we argue that the price of a microprocessor has

fallen dramatically enough that today hardware isolation is easily affordable, and we believe the

reduction in complexity easily justifies the extra cost.

With this approach to isolation, the communication elements between modules acquire

special importance, because they determine the way that modules are able to interact. We carefully

structured our design to simplify the connection topology as much as possible. Figure 5.2 summa-
rizes the interconnectivity topology, and we describe several key aspects of our design below.

We remark that when multiple hardware components are used, one should ensure that the

same versions of code run on each component.

Page 89 of 157

Page 90 of 157

79

✁ ✂ ✄ ☎ ✆ ✝

✞ ✟ ✠ ✠

✄ ✡ ☛ ✁✟ ✠ ☛✟ ☞ ✌ ✍

✄ ✎ ✁ ✡ ✄

✏ ✄ ✑

✍ ✒ ✓ ✁ ✂ ✄

✏ ✄ ✔ ☛✑ ✂ ☛ ✓ ✁ ✂ ✄ ✝

✄ ☛

✝ ✁ ✕ ✠

✑ ✖

☞ ✌ ✗

✆ ✖ ☛ ✁ ✘ ✖ ✄ ✙

✟ ✂

✞ ✛

✠ ✍

✡ ✢

✡ ✂ ✄ ✄

✝ ☛

☎ ✆ ☛☛✟ ✠

✑ ✠

✡ ✄ ✖

☎ ✆ ☛☛✟ ✠

✏ ✄

✄ ☛ ✗ ✟ ✍

✆ ✖ ✄

✣ ✟ ☛✄ ✔

✄ ✖ ✄ ✡ ☛ ✁✟ ✠

✜ ✟ ✤

✄ ✠

✏ ✄ ✑

✄ ✂

✟ ☛✄

✞ ✟ ✠ ✥ ✁ ✂ ✦ ✑ ☛ ✁✟ ✠

✣ ✟ ☛✄ ✞ ✟ ✂ ✄

Figure 5.2: Our architecture, showing the hardware communication elements.

Buses and wires. Our hardware-based architecture employs two types of communication chan-
nels: buses and wires. Buses provide high-speed unidirectional or bidirectional communication

between multiple components. Wires are a simple signaling element with one bit of state; they can

be either high or low, and typically are used to indicate the presence or absence of some event. Wires

are unidirectional: one component (the sender) will set the value of a wire but never read it, and the

other component (the receiver) will read the value of the wire but never set it. Wires are initially

low, and can be set, but not cleared; once a wire goes high, it remains high until its controlling

component is reset. We assume that wires are reliable but buses are potentially unreliable.

To deal with dropped or garbled messages without introducing too much complexity, we

Page 90 of 157

Page 91 of 157

80

use an extremely simple communication protocol. Our protocol is connectionless and does not

contain any in-band signaling (e.g., SYN or ACK packets). When a component in our architecture

wishes to transmit a message, it will repeatedly send that message over the bus until it is reset or

it receives an out-of-band signal to stop transmitting. The sender appends a hash of the message

to the message. The receiver accepts the first message with a valid hash, and then acknowledges

receipt with an out-of-band signal. This acknowledgment might be conveyed by changing a wire’s

value from low to high, and the sender can poll this wire to identify when to stop transmitting.

Components that need replay protection can add a sequence number to their messages.

Using buses and wires. We now describe how to instantiate the communication paths in our

high-level design from Section 5.3.2 with buses and wires. Once the

✁ ✂ ✄ ✠ ✁ ☛✄ module reads a valid

token, it repeatedly sends the data on the token to

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟ until it receives a message from

✁ ✂ ✄ ✠✁ ✟✡ ☛☞ ✌ ✂ ✞✁ ✟. After storing the vote and canceling the authentication token, the

✁ ✂ ✄ ✠✁ ☛✄

module triggers a reset by setting its wire to the ✣

✄ ✤ ✄ ✂ ✥✁ ✦ ✧ ✆✄

high.

To communicate with the voter, the

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟ component creates a bitmap of an

image, packages that image into a message , and repeatedly sends that message to the

✁ ✥ ✧ ✆✂ ✞✂ ✆✄✢ ✁ ☛.

Since the

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟ module may send many images, it includes in each message a sequence

number; this sequence number does not change if the image does not change. Also included in the

message is a list of virtual buttons, each described by a globally unique button name and the x- and

y-coordinates of the region. The

✁ ✥ ✧ ✆✂ ✞✂ ✆✄✢ ✁ ☛ will continuously read from its input source (initially

the

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟ module) and draw to the LCD every bitmap that it receives with a new sequence

number. The

✁ ✥ ✧ ✆✂ ✞✂ ✆✄✢ ✁ ☛ also interprets inputs from the touch screen, determines whether the

inputs correspond to a virtual button and, if so, repeatedly writes the name of the region to the

Page 91 of 157

Page 92 of 157

81

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟ module until it has new voter input. Naming the regions prevents user input on one

screen from being interpreted as input on a different screen.

When the voter chooses to proceed from the vote selection phase to the vote confir-
mation phase, the

✁ ✂ ✄ ✠✁ ✟✡ ☛☞ ✌ ✂ ✞✁ ✟ module will receive a ballot from the

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟ mod-
ule. The

✁ ✂ ✄ ✠ ✁ ✟✡ ☛☞ ✌ ✂ ✞✁ ✟ module will then set its wire to the

✁ ✥ ✧ ✆✂ ✞✂ ✆✄✢ ✁ ☛ high. When the

✁ ✥ ✧ ✆✂ ✞✂ ✆✄✢ ✁ ☛ detects this wire going high, it will empty all its input and output bus buffers, reset its

counter for messages from the

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟ module, and then only handle input and output for the

✁ ✂ ✄ ✠✁ ✟✡ ☛☞ ✌ ✂ ✞✁ ✟ module (ignoring any messages from

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟). If the

✁ ✂ ✄ ✠✁ ✟✡ ☛☞ ✌ ✂ ✞✁ ✟

module determines that the user wishes to return to the

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟ module and edit her votes, the

✁ ✂ ✄ ✠✁ ✟✡ ☛☞ ✌ ✂ ✞✁ ✟ module will set its wire to the

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟ module high. The

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟

module will then use its bus to

✁ ✂ ✄ ✠ ✁ ✟✡ ☛☞ ✌ ✂ ✞✁ ✟ to repeatedly acknowledge that this wire is

high. After receiving this acknowledgment, the

✁ ✂ ✄ ✠ ✁ ✟✡ ☛☞ ✌ ✂ ✞✁ ✟ module will reset itself, thereby

clearing all internal state and also lowering its wires to the

✁ ✥ ✧ ✆✂ ✞✂ ✆✄✢ ✁ ☛ and

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟ mod-
ules. Upon detecting that this wire returns low, the

✁ ✥ ✧ ✆✂ ✞✂ ✆✄✢ ✁ ☛ will clear all its input and out-
put buffers and return to handling the input and output for

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟. The purpose for the

handshake between the

✁ ✂ ✄ ✠✁ ✟✡ ☛☞ ✌ ✂ ✞✁ ✟ module and the

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟ module is to prevent the

✁ ✂ ✄ ✠✁ ✟✡ ☛☞ ✌ ✂ ✞✁ ✟ module from resetting and then immediately triggering on the receipt of the

voter’s previous selection (without this handshake, the

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟ module would continuously

send the voter’s previous selections, regardless of whether

✁ ✂ ✄ ✠ ✁ ✟✡ ☛☞ ✌ ✂ ✞✁ ✟ reset itself).

5.3.4 Reducing the complexity of trusted components

We now discuss further aspects of our design that facilitate the creation of implementa-
tions with minimal trusted code.

Page 92 of 157

Page 93 of 157

82

Resets. Each module (except for the ✣

✄ ✤ ✄ ✂ ✥✁ ✦ ✧ ✆✄

) interacts with the ✣

✄ ✤ ✄ ✂ ✥✁ ✦ ✧ ✆✄ via three

wires, the initial values of which are all low: a ready wire controlled by the component and reset

and start wires controlled by the ✣

✄ ✤ ✄ ✂ ✥✁ ✦ ✧ ✆✄

. The purpose of these three wires is to coordinate

resets to avoid a situation where one component believes that it is handling the ✡-th voter while

another component believes that it is handling the ✟✡

☎✠-th voter.

The actual interaction between the wires is as follows. When a component first boots, it

waits to complete any internal initialization steps and then sets the ready wire high. The component

then blocks until its start wire goes high. After the ready wires for all components connected to the

✄ ✤ ✄ ✂ ✥✁ ✦ ✧ ✆✄ go high, the ✣

✄ ✤ ✄ ✂ ✥✁ ✦ ✧ ✆✄

sets each component’s start wire high, thereby allowing

all components to proceed with handling the first voting session.

Upon completion of a voting session, i.e., after receiving a signal from the

✁ ✂ ✄ ✠ ✁ ☛✄ com-
ponent, the ✣

✄ ✤ ✄ ✂ ✥✁ ✦ ✧ ✆✄ sets each component’s reset wire high. This step triggers each component

to reset. The ✣

✄ ✤ ✄ ✂ ✥✁ ✦ ✧ ✆✄ keeps the reset wires high until all the component ready wires go low,

meaning that the components have stopped executing. The ✣

✄ ✤ ✄ ✂ ✥✁ ✦ ✧ ✆✄ subsequently sets the re-
set wire low, allowing the components to reboot. The above process with the ready and start wires

is then repeated.

Cast and cancel buttons. Our hardware architecture uses two physical buttons, a cast button and

a cancel button. These buttons directly connect the user to an individual component, simplifying the

task of establishing a trusted path for cast and cancel requests. Our use of a hardware button (rather

than a user interface element displayed on the LCD) is intended to give voters a way to know that

their vote will be cast. If we used a virtual cast button, a malicious

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟ module could

draw a spoofed cast button on the LCD and swallow the user’s vote, making the voter think that

Page 93 of 157

Page 94 of 157

83

they have cast their vote when in fact nothing was recorded and leaving the voter with no way to

detect this attack. In contrast, a physical cast button allows attentive voters to detect these attacks

(an alternative might be to use a physical “vote recorded” light in the

✁ ✂ ✄ ✠ ✁ ☛✄ ). Additionally, if we

used a virtual cast button, miscalibration of the touch screen could trigger accidental invocation of

the virtual cast button against the voter’s wishes. While calibration issues may still affect the ability

of a user to scroll through a multi-screen confirmation process, we anticipate that such a problem

will be easier to recover from than touch screen miscalibrations causing the DRE to incorrectly

store a vote. To ensure that a malicious

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟ module does not trick the user into pressing

the cast button prematurely, the

✁ ✂ ✄ ✠ ✁ ✟✡ ☛☞ ✌ ✂ ✞✁ ✟ module will only enable the cast button after it

detects that the user paged through all the vote confirmation screens.

We want voters to be able to cancel the voting process at any time, regardless of whether

they are interacting with the

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟ or

✁ ✂ ✄ ✠✁ ✟✡ ☛☞ ✌ ✂ ✞✁ ✟ modules. Since the

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟

module is untrusted, one possibility would be to have the

✁ ✥ ✧ ✆✂ ✞✂ ✆✄✢ ✁ ☛ implement a virtual cancel

button or conditionally pass data to the

✁ ✂ ✄ ✠ ✁ ✟✡ ☛☞ ✌ ✂ ✞✁ ✟ module even when the

✁ ✂ ✄ ☎ ✄ ✆✄ ✝ ✂ ✞✁ ✟

module is active. Rather than introduce these complexities, we chose to have the

✁ ✂ ✄ ✠✁ ☛✄ module

handle cancellation via a physical cancel button. The cancel button is enabled (and physically lit

by an internal light) until the

✁ ✂ ✄ ✠ ✁ ☛✄ begins the process of storing a ballot and canceling an

authentication token.

5.4 Prototype implementation

To evaluate the feasibility of the architecture presented in Section 5.3, we built a proto-
type implementation. Our prototype uses off-the-shelf “gumstix connex 400xm” computers. These

Page 94 of 157

Page 101 of 157

90

Our prototype consists of five component boards wired together in accordance with Fig-
ure 5.2. We implement all of the functionality except for the cancel button. See Figure 5.5 for a

picture showing the five components and all of their interconnections. Communication uses physi-
cal buses and wires. The I/O multiplexer, after each update operation, sends an image over a virtual

bus connected (connected via the USB network) to the PC for I/O. It sends the compressed image it

would ordinarily blit to the framebuffer to the PC so that the PC can blit it to its display. The gum-
stix only recently supported LCD displays, and we view our PC display as an interim solution. The

additional software complexity for using the LCD is minimal as it only requires blitting an image

to memory.

Figure 5.6 shows our voting software running on the gumstix. We used ballot data from

the November 2005 election in Alameda County, California.

5.5 Evaluation

5.5.1 Verifying the desired properties

Property 1. Recall that to achieve “memorylessness” we must be able to show the DRE is always

reset after a voter has finished using the machine, and the DRE only opens a given file read-only or

write-only, but not both. To show that the DRE is reset after storing a vote, we examine a snippet of

the source code from VoteCore.java, the source code for the

✁ ✂ ✄ ✠✁ ☛✄ module in Figure 5.7. In

line 7, after storing the ballot into the ballot box, the

✁ ✂ ✄ ✠✁ ☛✄ module continuously raises the reset

wire high. Looking at the connection diagram from Figure 5.2, we note the reset wire terminates at

the ✣

✄ ✤ ✄ ✂ ✥✁ ✦ ✧ ✆✄

and induces it to restart all components in the system. Further inspecting code not

reproduced in Figure 5.7 reveals the only reference to the ballotbox is in the constructor and in

Page 101 of 157

Page 102 of 157

91

1 grabio.set();

2 … UPDATE DISPLAY …

3 castenable.set();

4 if (cast.isSet())

5 while (true)

6 toVoteCore.write(ballot);

7 ✁

8 ✁

Confirm.java

1 byte [] ballot =

2 fromVoteConf.read();

3 if (ballot != null)

4 … INVALIDATE VOTER TOKEN …

5 ballotbox.write (ballot);

6 while (true)

7 resetWire.set();

8 ✁

9 ✁

VoteCore.java

Figure 5.7: Code extracts from the

✁✂✄✂✁✟✄☎✆✝✂✞✁✟and

✁✂✄✂✁☎✄ modules, respectively. Examining these code snippets with the con-
nection topology helps us gain assurance that the architecture achieves Properties 1 and 2.

Page 102 of 157

Page 103 of 157

92

line 5, so writes to it are confined to line 5.

Finally, we need merely examine every file open call to make sure they are either read-
only or write only. In practice, we can guarantee this by ensuring writable files are append-only, or

for more sophisticated vote storage mechanisms as proposed by Molnar et al., that the storage layer

presents a write-only interface to the rest of the DRE.

Property 2. For the “consent-to-cast” property, we need to verify two things: 1) the ballot can only

enter the

✁ ✂ ✄ ✠ ✁ ☛✄ through the

✁ ✂ ✄ ✠ ✁ ✟✡ ☛☞ ✌ ✂ ✞✁ ✟ module, and 2) the voter’s consent is required

before the ballot can leave the

✁ ✂ ✄ ✠ ✁ ✟✡ ☛☞ ✌ ✂ ✞✁ ✟ module.

Looking first at Confirm.java in Figure 5.7, the

✁ ✂ ✄ ✠✁ ✟✡ ☛☞ ✌ ✂ ✞✁ ✟ module first en-
sures it has control of the touch screen as it signals the

✁ ✥ ✧ ✆✂ ✞✂ ✆✄✢ ✁ ☛ with the “grabio” wire. It then

displays the ballot over the bus, and subsequently enables the cast button. Examining the hardware

will show the only way the wire can be enabled is through a specific GPIO, in fact the one controlled

by the “castenable” wire. No other component in the system can enable the cast button, since it is

not connected to any other module. Similarly, no other component in the system can send a ballot

to the

✁ ✂ ✄ ✠✁ ☛✄ module: on line 6 of Confirm.java, the

✁ ✂ ✄ ✠✁ ✟✡ ☛☞ ✌ ✂ ✞✁ ✟ sends the ballot on

a bus named “toVoteCore”, which is called the “fromVoteConf” bus in VoteCore.java. The

ballot is demarshalled on line 1. Physically examining the hardware configuration confirms these

connections, and shows the ballot data structure can only come from the

✁ ✂ ✄ ✠✁ ✟✡ ☛☞ ✌ ✂ ✞✁ ✟ module.

Finally, in the

✁ ✂ ✄ ✠ ✁ ☛✄ module, we see the only use of the ballotbox is at line 5 where the ballot is

written to the box. There are only two references to the ✜✌ ✆ ✆✁ ✂ ✜✁✢

in the VoteCore.java source

file (full file not shown here), one at the constructor site and the one shown here. Thus we can be

confident that the only way for a ballot to be passed to the ✜✌ ✆ ✆✁ ✂ ✜✁✢

is if a voter presses the cast

Page 103 of 157

Page 109 of 157

98

Chapter 6

Environment-freeness

In this chapter, we seek to develop software analysis techniques that guarantee that the in-
memory copy of the ballot can be properly recovered after serialization for later tallying. To do so,

we introduce the notion of environment-free functions, where the function’s behavior depends only

and deterministically on the arguments to the function. Then, we show to use this concept to verify

the correct invertability of

✟✝ ✁ ✦ ✄

operations such as serialization, compression, and encryption

through a mixture of static analysis and runtime checks. The strategy is to first verify that the

✁✄ ✝ ✁ ✦ ✄

implementation is environment-free and then add a simple runtime check to ensure that

the encoded data can and will be correctly decoded in the future. We develop a static analysis

for verifying that Java code is environment-free. To demonstrate its feasibility, we implemented

our algorithm as an Eclipse plug-in and used it to analyze the serialization routines in our voting

architecture from Chapter 3 and also to verify that decryption is the inverse of encryption in a Java

cryptography implementation.

Parts of this work are drawn with permission from prior work [75].

Page 109 of 157

Page 110 of 157

99

6.1 Introduction and motivation

Many computer programs perform serialization and deserialization, converting an in-
memory version of a data structure into a form suitable for storage or transmission and back again.

In this chapter, we develop novel methods for verifying the correctness of serialization and deserial-
ization code. In particular, we wish to verify that deserialization is the inverse of serialization, i.e.,

that serializing a data structure and then deserializing the result will give you back the same data

structure you started with.

Verifying the correctness of serialization and deserialization is a difficult task. Serial-
ization and deserialization typically involve walking a (potentially cyclic) object graph, and thus

inevitably implicate complex aliasing issues. Reasoning about aliasing is well known to be chal-
lenging. Also, the invariants needed to prove the correctness of serialization and deserialization

may not be immediately apparent from the code and may be messy and unilluminating when writ-
ten down explicitly. Therefore, standard formal methods appear to be ill-suited for this task.

More broadly, serialization is just one of a family of common data transformation routines

that litter voting software. Two others in the family include encryption/decryption and compres-
sion/decompression.

We seek to verify the following property about a pair of algorithms, ✟

✟✝ ✁ ✦ ✄

✡ ✁✄ ✝ ✁ ✦ ✄

✠:

namely, for all ☛, ✁✄ ✝ ✁ ✦ ✄

✟✝ ✁ ✦ ✄

✟☛ ✠ ✠ should yield some output ☛

that is functionally equivalent

to ☛. We want this property to hold even if ✁✄ ✝ ✁ ✦ ✄

is invoked at some later time on some other

machine, so we will also need to verify that ✁✄ ✝ ✁ ✦ ✄

does not implicitly depend on any data (other

than its input) that might be different on some other machine. We call this the Inverse Property,

since the goal is to verify that ✁✄ ✝ ✁ ✦ ✄

is a left inverse of

✟✝ ✁ ✦ ✄

. In many contexts, it is a serious

Page 110 of 157

Page 111 of 157

100

error if ✁✄ ✝ ✁ ✦ ✄

fails to yield the original input.

We use one specific aspect of voting machine accuracy as a running example in this paper.

As the voter makes selections, the voting machine accumulates these selections into a data structure

in RAM. When the voter casts her ballot, the machine must serialize (

✟✝ ✁ ✦ ✄

) this data structure to

disk. During the tallying stage, the disk will be read, and the choices will need to be deserialized

(✁✄ ✝ ✁ ✦ ✄

) into the voter’s original data structure in order to compute the tally. We wish to verify that

the vote data structure that is serialized and recorded to disk when the voter casts her ballot can later

be reconstructed exactly as it was when the voter cast her ballot. A failure to reconstruct the original

data structure would be a serious problem, because it would mean that a voter’s choices could not

be recovered accurately, disenfranchising the voter.

6.2 Static analysis to enable dynamic checking

Statically analyzing the correctness of a pair of algorithms to verify that the second is

always the inverse of the first is beyond our expertise. It is easier to support fail-stop operation, in

which errors are detected at runtime but before any harmful consequences have taken place. The

current transaction leading to the error is then cancelled (or possibly retried, if the error is likely to

be transitory).

Returning to our example, a voting machine endowed with this mechanism would verify

the Inverse Property for each voter’s ballot before announcing to that voter that their vote was

successfully cast. If the check fails, the voter would be notified and advised to use another voting

machine. Without the check, the voter would never know that their ballot had been improperly

serialized (and hence stored); depending upon the nature of the deserialization error, the problem

Page 111 of 157

Page 112 of 157

101

may or may not be caught at tally time when their vote is counted.

Note that checking the Inverse Property requires knowledge about a hypothetical future;

to confirm a voter’s vote we must be confident that any future attempt to deserialize their ballot

will be successful. Ensuring this requires us to be able to predict the future behavior of the ✁✄ ✝ ✁ ✦ ✄

method. The easiest way to make such a method predictable is to require it to “always do the same

thing” and to check its behavior once, with a check like the following:

✁✂

✟✝ ✁ ✦ ✄

✟☛ ✠

✌ ✁ ✁ ☛✂ ✞✂ ☛ ✂✞ ✁✄ ✝ ✁ ✦ ✄

For instance, in the voting machine example, we would translate the pseudo-code above into a

concrete Java implementation as follows:

byte[] bytes = ballot.serialize();

assert(ballot.equals(

Ballot.deserialize(bytes)));

The runtime assertion check is intended to ensure that the serialized bytes will properly

deserialize into the ballot. By checking that the deserialization is correct at the time of seri-
alization, we’d like to then infer that deserialization will be correct at some later time, when the

deserialize() function (or more generally the ✁✄ ✝ ✁ ✦ ✄

function) will be run. However, this in-
ference is only valid if we make several assumptions about the behavior of the deserialize()

and equals() methods.

1. The result of the deserialize() function must be a deterministic function of its argu-
ments, namely bytes. Its output must not depend upon any other values, such as the values

of global variables, the time of day, or the contents of the filesystem. The deserialize()

Page 112 of 157

Page 113 of 157

102

function must yield the same results when it is later run on the same input, even if it is run on

another machine at a later time.

2. The deserialize() function must not be able to modify global state; i.e. it can only

modify objects reachable from its arguments 1

.

3. The equals() method must check all relevant properties of the ballot object and does

not have any side-effects. We will take it as the specification of what it means for two ballot

objects to be functionally equivalent.

4. The deserialize() function that will be executed later (including any methods or static

declarations it makes use of) must be the same one used in the runtime check.

If we can statically verify that these four requirements are met, then we will be entitled to conclude

that the serialized data will later be deserialized correctly.

Note that we have explicitly not restricted the serialization function in any way. For ex-
ample, we don’t require the

✟✝ ✁ ✦ ✄

function to be deterministic. In general,

✟✝ ✁ ✦ ✄

might depend

on a source of randomness or non-determinism in generating its output. This is particularly im-
portant for encryption functions. As long as the ✁✄ ✝ ✁ ✦ ✄

function deterministically reconstructs the

original data, it does not matter how it operates in any way. For example, we don’t require the

serialize() function to be deterministic. In the general case,

✟✝ ✁ ✦ ✄

should be able to depend

on a source of non-determinism in generating its output. This is particularly important for encryp-
tion functions. As long as the ✁✄ ✝ ✁ ✦ ✄

function deterministically reconstructs its input, it does not

matter how the

✟✝ ✁ ✦ ✄

function works.

If the deserialize() function is passed a new deep copy of any arguments that it may mutate, the assert()

statement does not change the behavior of the program if it succeeds. In our case, making a deep copy of a byte[] is

trivial.

Page 113 of 157

Page 114 of 157

103

In summary, our strategy is as follows. First, we transform the code by introducing a

run-time assertion check after every call to

✟✝ ✁ ✦ ✄

. For arguments that are mutated by the ✁✄ ✝ ✁ ✦ ✄

function, we pass it deep copies instead of the originals. Second, we manually confirm that the

third and fourth requirements are met. Finally, we use static analysis to verify that that the first two

requirements are met. This strategy suffices to ensure that the program satisfies fail-stop correct-
ness: if the transformed program does not abort, then the Inverse Property will be satisfied on that

execution.

This paper addresses the first two of the above requirements; we develop a static analysis

to make sure that the ✁✄ ✝ ✁ ✦ ✄

function computes its output deterministically based only on its input

and does not cause disruptive side effects. Our static analysis is designed to place as few restrictions

on the rest of the code as possible.

6.3 Environment-free and compile-time constants

6.3.1 Overview

One possible method to enable the fail-stop approach outlined in Section 6.2 is to require

the ✁✄ ✝ ✁ ✦ ✄

function be pure. A pure function is required to be free of side-effects; executing such

a function and discarding the result should be a no-op. Depending on whose definition one uses, a

pure function may or may not be allowed to read the values of potentially mutable global state; JML

seems to allow it [73] as it does not violate the no-op-equivalence requirement.

Pureness, at least in the JML sense, is thus both overly restrictive and not restrictive

enough for our purposes. We do not require the ✁✄ ✝ ✁ ✦ ✄

function be side-effect free in general, but

we do restrict its side effects to objects reachable from its arguments. In-place array manipulations

Page 114 of 157

Page 123 of 157

112

Arrays

Arrays have many uses as compile-time constants, particularly as lookup tables for de-
cryption functions. However, supporting them in Java requires extra work since the entries of a Java

array can be modified at any time. For an array variable to be a compile-time constant requires that

the variable reference can’t change, the constituent element references can’t change, and each item

should be immutable. Enforcing and checking the first and last conditions is relatively simple: the

array must be declared final and its base type must implement the Immutable interface. However,

this does not prevent the array from being modified; an element or can be updated with a different

value.

To solve this, we must make sure the array’s elements are not changed after initialization

time. This can happen when the array or its element is used as an l-value in an assignment expres-
sion. If this occurs after initialization, this indicates an element of the array is being overwritten.

The checker looks for compile-time constant arrays used inside l-values flags and them as errors.

In Java, it is possible to alias an array or a subarray to a different variable. If such aliases

were made of the array, a na ̈ıve checker would miss mutations of the array by way of the alias. This

risk is prevented by requiring that all occurrences of the array variable aside from its declaration

occur within expressions that index the array to its full depth. We view passing partial index values

explicitly as an acceptable alternative to using a partially indexed array. The other use of partially

indexing arrays is when reading the length field of a subarray. This represents a legitimate case

where the array is not fully indexed; given the frequency of this coding paradigm, we make a special

case exception to allow partial indexing of an array only when the length field is being accessed.

Thus, referring to a compile-time constant array as a whole or partially indexing a multidimensional

Page 123 of 157

Page 124 of 157

113

compile-time constant array without accessing its length field is flagged as an error by our checker.

This analysis requires a “closed-world” assumption, i.e. that the full source code of the program is

present in order for this reasoning to be sound. If there were unchecked code present in the system,

it could bypass these restrictions and modify the array.

Initializers

Not only must a compile-time constant be Immutable, but it must also be initialized to the

same value every time. This means that its initializer expression should be a deterministic function,

i.e. it must be environment-free. In the course of making the compile-time constant checks, the

checker generates a queue of all variable initializers for compile-time constants. These will later be

checked just by the environment-free checker, and which treats them as methods with no arguments.

Since all compile-time constants must be final, a compile-time constant that doesn’t have a variable

initializer must be initialized in a static initializer block. These too must be environment-free, and

thus are added to the list of environment-free methods as they are encountered.

6.4.4 Environment-free methods

As discussed in Section 6.3.2, an environment-free method may only call a method if it is

environment-free. Additionally, an environment-free method must not access global variables that

are not compile-time constants.

Constructors

Constructors are treated like any other method, and any constructor that is invoked due

to a new object instantiation from within an environment-free method must itself be considered

Page 124 of 157

Page 125 of 157

114

environment-free. Thus, any methods that the constructor invokes must be checked for environment-
freeness. This includes chained constructors or any superclass constructors that may be invoked

implicitly.

Overridden methods

A class can only override an environment-free method with an environment-free method.

If this were not the case, invoking the method on the base class could actually invoke the overridden

method when the runtime type differs from the static type of the object. If at static analysis time,

the method is deemed to be environment-free, we must ensure that the runtime method is also

environment-free. Effectively, the environment-free attribute is a part of the method’s signature that

must be inherited with any overridden methods. The checker verifies this property. In the general

case, this requires the whole program to be present. (Alternately, we could require environment-
free methods to be final, but we already require a closed world for our treatment of compile-time

constant arrays.)

Whitelist

Library methods called by an environment-free method require special care. In general,

the checker does not have the source code to such methods so it cannot assess whether they are

environment-free or not. The conservative action in this case would be to flag all calls to a library

from an environment-free method as errors.

However, excluding all library functions is not practical given the size and utility of the

Java library. Forbidding environment-free functions from using the large subset of the library that

is environment-free unfairly constrains the programmer and represents a serious usability burden.

Page 125 of 157

Page 129 of 157

118

be thrown by a function. Additionally, compile-time constant initializer expressions are sup-
posed to be environment-free, but Exception creation is not, even when called from a static

initializer. The stack trace depends upon class load order, which could vary depending upon

the behavior of non–environment-free code.3

3. A third option would be to wrap calls to environment-free entry-point functions so that all

Throwables are caught and something else is returned. The easiest way to do this would

be to return a null reference, as null is a valid value for any object type. This would keep

the library’s control flow and exception handling the same at the cost of losing debugging

information. While this option is feasible, the loss of information and need to modify the

program make this unattractive.

4. One could “define away” the problem by allowing the return value of an environment-free

function to depend on its method-call stack, i.e. by treating these method calls as an implicit

argument to the method. One must be careful not to relax too far, however, or environment-
freeness ceases to mean much. If the function can have arbitrary dependencies on the stack,

we can no longer derive the properties we want. Its dependency on the stack must be limited

so that it allows for the use of exceptions but does not allow for harmful nondeterminism.

We chose a variant of the last option. We allow the return value of an environment-
free function to depend on its execution stack only in the stack trace of any throwables it returns

or throws. This is the semantics that results from allowing the construction of exceptions (and

encountering exceptions resulting from method calls and language operations) but disallowing any

querying of the stack traces contained within such exceptions. Adherence to this rule relies only on ✁

The stack trace includes the context of the field access or method call that referenced the class being statically

initialized and thus caused it to be loaded.

Page 129 of 157

Page 130 of 157

119

ensuring that the whitelisted methods don’t allow access to the stack traces of throwables; we have

verified that this is the case.

6.4.5 Implementation

We implement our checker as an Eclipse 3.2.1 [1] plugin to check Java 1.4 source code.

The checker is 1199 lines of code. We rely on Eclipse’s visitor functionality to perform our anal-
ysis. The visitation functionality allows the checker to rely on Eclipse for parsing, name and type

resolution, and walking over the typed AST. Our checks were simple enough that we did not need a

data-flow engine; analysis simply consists of several visitation passes over the AST of a program.

Figure 6.1 shows an image of the plugin running under Eclipse on an AES implementa-
tion. In Section 6.5.1, we discuss the results of the analysis.

6.5 Results and Discussion

We tested our checker on two applications. The tests were meant to show that the checker

can find real bugs in real code as well as to verify useful properties about interesting programs. In

this section, we discuss the results of running our checker as well as additional issues regarding

non-determinism.

6.5.1 AES block cipher

We analyze an AES block cipher implementation to ensure that the cipher will be able

to decrypt the ciphertext to the original plaintext at some later time. We analyze a third-party

AES implementation [10] and check that its decryption method is environment-free. This property

Page 130 of 157

Page 131 of 157

120

Figure 6.1: Screenshot of the environment-free checker detecting errors in AES code. The constants array tables log and alog are

generated
at class load time. This represents a modification to a compile-time
constant array; we eliminate the static code block, and instead

use variable initializers. After these modifications, the checker did not find any errors.

Page 131 of 157

Page 132 of 157

121

guarantees, for example, that if the cipher is used to encrypt data, it is guaranteed to be recoverable

using the decrypt function and the key. We checked its 876 lines of Java source code. We added a

check function, including one annotation:

/** @envfree */

static boolean check (byte[] plaintext,

byte[] encr, byte[] key) {

AES aes = new AES();

aes.setKey (key);

return Arrays.equals (aes.decrypt(encr),

plaintext);

}

For the above check to guarantee decryption will be the same at some later time, the

check() function must be environment-free, which is indicated with the annotation. The checker

detected three errors, as depicted in the screenshot in Figure 6.1. The errors stemmed from the

decryption function relying on two static final arrays: int[] log and int[] alog. These

are logarithm and anti-logarithm tables computed at class load time in a static initializer block.

The environment-free checker flagged the initialization process as erroneous. To fix the errors, we

replaced the code with precomputed array initializers. After this change, the checker did not report

any errors. An alternative fix would be to inspect the code and note the writes were only used for

initialization and to further verify that the initializer did not make any use of the static tables before

their array values were initialized.

6.5.2 Serialization of voting data structures

As detailed in Section 6.1, we began thinking about proving security properties of election

systems after analyzing two commercial voting systems. Further inspecting our own prototype vot-
ing system [74], we realized that manually proving serialization is not easy. Unintended bugs (or in

Page 132 of 157

Page 140 of 157

129

the machines for integration with Diebold DREs noted that the prototype, while well designed, did

not completely implement the advertised specification [83].

The Dutch water board recently used a system called Rijnland Internet Election System

(RIES). The system allows voters to vote over the Internet. Before the election starts, election

officials generate a key ☞ ✌ for each voter; for each voter ✡, the officials create and record a string

✏ ✆ ✟election id✠ ✄ ✄

✏ ✆ ✟candidate 1✠ ✄ ✄ ✆ ✆ ✆ ✄ ✄

✏ ✆ ✟candidate ✍ ✠. The officials use an out of band paper

channel, such as the postal system, to deliver the voter specific key. The officials then destroy the

voter specific key. During the election period, the voter visits the election website, enters their key

☞ ✌ from the mail, and then makes their selection. The voter’s browser then computes and sends

✏ ✆ ✟election id✠ ✄ ✄

✏ ✆ ✟candidate index✠. The voter can verify their proper selection was recorded

by visiting the website; the election officials tally the votes by looking up the voter’s selection in

the list of candidates specific to the voter. The system, however, suffers from the list of flaws that

Jefferson et al. noted that any Internet voting scheme suffers: a reliance on the DNS systems, lack

of privacy, vulnerability to denial of service attacks, and susceptibility to worms surreptitiously

changing a voter’s selection and even subsequent verification [35, 34]. Hence, this approach may

bring convenience but seems to sacrifices too much in the way of security for use in government

elections.

In Chapter 3, we analyzed two existing cryptographic voting schemes [60, 19, 39]. Moran

and Naor have produced follow on work that is based on Neff’s general approach [56]. It provides

integrity protection and preserves privacy even from computationally unbounded adversaries that

have access to the bulletin board. They rely on a special property of Pedersen commitments, and

then generalize their results to general commitment schemes. As with Neff’s scheme, the use of a

Page 140 of 157

Page 141 of 157

130

bulletin board invites privacy vulnerabilities.

There are other cryptographic voting protocols, but they unfortunately are not nearly as

complete as Neff’s or Chaum’s: they remain protocols and are not yet systems. For example, Josh

Benaloh presents an outline of two cryptographic approaches, one similar to the FROGS system [8].

However, as we showed in Chapter 3, there is a large gap between protocol and a system, and that

gap can often impact security. A second lesson is that the cryptographic voting protocols cannot treat

humans as perfect actors, as is typical in traditional security protocols: a person will make mistakes

and may not follow their end of the protocol. Attackers can take advantage of this fallibility to erode

a voter’s privacy or steal their vote.

Ka-Ping Yee et al. designed a voting system using pre-rendered user interfaces to also

minimize the amount of trust in a voting system [95]. He uses a data structure similar to a de-
terministic finite state machine with the user’s input controlling the transitions between states of

pre-rendered ballot images. The pre-rendered ballot images eliminate UI toolkits and a large part

of the application and OS complexity from the voting machine. Yee’s prototype is written in fewer

than 300 lines of Python, making manual verification of the software a possibility.

Work in conjunction with Molnar et al. described algorithmic and hardware techniques

to store votes on a programmable read-only memory device [55]. Their storage mechanism was

meant to preserve anonymity through a history independence property and by eliminating subliminal

channels in the storage format, while retaining the ability to detect tampering with the storage media

after polls have closed. Follow on work has eliminated the need for special hardware by using

cryptographic techniques [9].

Page 141 of 157

Page 142 of 157

131

7.2 Information Flow

One of the techniques we leverage is managing the flow of confidential information within

the application: if a component cannot see confidential information it cannot leak it. This principle

of guarding information flow based on principals has been more generally studied in the context

of multilevel security (MLS) [77]. Multilevel security systems manage data sources with different

secrecy labels (e.g. unclassified, secret, top secret) and ensure that the programs that interact with

these data sources also honor the secrecy labels.

The LOCK program from SRI tried for 17 years to build a MLS system. They originally

intended to use a separate processor called the SIDEARM as a reference monitor [76]. The LOCK

program had its roots in the PSOS (Provably Secure Operating System) project [24, 63]. They faced

problems with their hardware based reference monitor since it added cost and time to completion.

Additionally, the LOCK designers intended to write formal specifications and ensure their correct-
ness with the GYPSY proof checker. An important realization of their effort was that GYPSY was

not sophisticated enough and ultimately did not help in detecting bugs. This cautionary tale about

the difficulty in formal verification steered our efforts towards architectures to simplify verification

instead of work on formal tools. The exercise was not a waste, however, since they found that the

time spent to consider the formalisms and prepare the specifications led the designers themselves to

catch bugs they believe they would have otherwise missed. There are important differences, how-
ever; they were trying to build a general purpose system, while we are designing a specific one.

Additionally, formal methods have advanced greatly in the intervening years, and as we show, can

be used to achieve successes.

The Starlight Interactive Link is a hardware device that allows a workstation trusted with

Page 142 of 157

Page 147 of 157

136

systems [78].

A more recent success story verifies the containment mechanism in the EROS operating

system [82]. EROS is a capability based operating system, and they were able to verify the OS’s

containment mechanism, whereby the operating system creates a restricted environment with a

limited set of capabilities. They demonstrate that the restricted environment can only access the

resources granted by its capability set and no others.

Joe-E is a subset of Java that enforces the capability discipline [53]. We drew inspiration

for the environment-free checker from their work; they provide a useful framework for immutability

that we use as the basis for the environment-free checker’s compile time constants.

It is now possible to soundly detect all format string vulnerabilities in C code [81] and find

all user-kernel bugs in the Linux kernel [36]. Both techniques rely on type inference, a technique

for developers to add a few annotations to the type system and then perform analyses to detect

inconsistencies in the enriched type system, which are possible bugs in the application software.

These techniques show the promise of being able to prove real security properties about real code.

Spec# [7] and JML [15, 44] are language extensions that allow the programmer to specify

pre-conditions and post-conditions on methods as well as invariants for classes for the C# and Java

language respectively. They followed Bertrand Meyer’s work where he suggested that classes and

methods should have a contract specified through annotations [54]. Using these extra annotations,

program verifiers check that the code is consistent with the specification. These tools provide a first

step in proving systems correct.

Additionally, it should be mentioned that safe languages, such as Java or C#, eliminate

a large class of vulnerabilities since the virtual machine in which they run enforces the type-safety

Page 147 of 157

Page 148 of 157

137

of the code it executes. We take advantage of these features to ease the verification task since the

language itself does not allow for programs with certain vulnerabilities to be considered valid.

7.5 State management

The Recovery Oriented Computing (ROC) project advocates a unique view to state man-
agement [65]. The project seeks to increase reliability and availability of software services; as

a part of this, they suggest that components in a software application should be designed for re-
boot [16, 17]. Each component should be able to be restarted at any time, and in fact they call for

prophylactic reboots to reset state in volatile member variables, based in part by work by Huang

et al. [31]. In order for a component to be rebootable, it needs to store all persistent state in a sepa-
rate module and not hold any pointers across component boundaries. Our work also uses rebootable

components, but for a different purpose: security. A voter who knows that a component reboots

after leaving the voting booth can be better assured that their sensitive information cannot leak to

the next voter if there is no way for sensitive information to leave the ballot box; secondly, a voter

who knows that the voting machine reboots before they arrive to use it can be better assured that the

previous voter’s actions will not affect their voting session.

Page 148 of 157

Page 149 of 157

138

Chapter 8

Conclusion

In this dissertation, we have explored a property based approach to improving voting

security. Under this view, one must be cognizant of how endowing a voting system with one property

impacts the system’s goals. It is important, also, to consider the voting system as a whole, including

the technology as well as the humans that interact with the technology: the technology does not

exist in a vacuum.

Our solutions apply to a range of voting platforms and address different properties. Re-
booting can be used as an effective approach to stem privacy violations across voter sessions for a

variety of different voting technologies. Likewise, our componentised voting architecture applies to

DRE based systems to more easily prove a few voting properties. Our software analysis techniques

can prove deserialization and decryption are correct in a fail-stop model. These analyses are useful

for all voting platforms, and can even apply in non-voting contexts.

People should be able to trust their voting technology has sufficient security guarantees.

The fully verified voting machine is not yet in our grasp. But this should not stop us from attempting

Page 149 of 157

Page 150 of 157

139

to design and build voting systems that meet increasingly more security properties. This dissertation

begins that path towards the verified voting machine.

Page 150 of 157

Page 151 of 157

140

Bibliography

[1] The Eclipse Platform. http://www.eclipse.org.

[2] Auditability and voter-verifiability for electronic voting terminals. http://www.scytl.

com/docs/pub/a/PNYX.DRE-WP.pdf, December 2004. White paper.

[3] Atul Adya, William Bolosky, Miguel Castro, Gerald Cermak, Ronnie Chaiken, John Douceur,

Jon Howell, Jacob Lorch, Marvin Theimer, and Roger Wattenhofer. FARSITE: Federated,

available, and reliable storage for an incompletely trusted environment. In 5th Symposium on

Operating System Design and Implementation (OSDI), pages 1–14, December 2002.

[4] M. Anderson, C. North, J. Griffin, R. Milner, J. Yesberg, and K. Yiu. Starlight: Interactive

Link. In Proceedings of the 12th Annual Computer Security Applications Conference (AC-
SAC), 1996.

[5] Jonathan Bannet, David W. Price, Algis Rudys, Justin Singer, and Dan S. Wallach. Hack-
a-vote: Demonstrating security issues with electronic voting systems. IEEE Security and

Privacy Magazine, 2(1):32–37, Jan./Feb. 2004.

[6] Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Time Harris, Alex Ho, Rolf Neuge-
bauer, Ian Pratt, and Andrew Warfield. Xen and the art of virtualization. In Proceedings of the

19th ACM Symposium on Operating Sstems Principles (SOSP 2003), October 2003.

[7] Mike Barnett, K. Rustan Leino, and Wolfram Schulte. The Spec# programming system: An

overview. In Proceedings of Construction and Analysis of Safe, Secure and Interoperable

Smart Devices (CASSIS), 2004.

[8] Josh Benaloh. Simple verifiable elections. In USENIX/ACCURATE Electronic Voting Tech-
nology Workshop, October 2006.

[9] John Bethencourt, Dan Boneh, and Brent Waters. Cryptographic methods for storing ballots on

a voting machine. In 14th Annual Network & Distributed System Security Conference (NDSS

2007), February 2007.

[10] Lawrie Brown. AEScalc. http://www.unsw.adfa.edu.au/ ̃lpb/src/AEScalc/

AEScalc.jar.

[11] Shuki Bruck, David Jefferson, and Ronald Rivest. A modular voting architecture (“Frogs”).

http://www.vote.caltech.edu/media/documents/wps/vtp_wp3.pdf, Au-
gust 2001. Voting Technology Project Working Paper.

Page 151 of 157

Page 152 of 157

141

[12] David Brumley and Dawn Song. Privtrans: Automatically partitioning programs for privilege

separation. In Proceedings of the 13th USENIX Security Symposium, August 2004.

[13] Jeremy Bryans and Peter Ryan. A dependability analysis of the Chaum digital voting scheme.

Technical Report CS-TR-809, University of Newcastle upon Tyne, July 2003.

[14] Edouard Bugnion, Scott Devine, and Mendel Rosenblum. Disco: Running commodity oper-
ating systems on scalable multiprocessors. In Proceedings of the 16th ACM Symposium on

Operating Systems Principles (SOSP), October 1997.

[15] Lilian Burdy, Yoonsik Cheon, David Cok, Michael Ernst, Joseph Kiniry, Gary Leavens,

K. Rustan Leino, and Erik Poll. An overview of JML tools and applications. International

Journal on Software Tools for Technology Transfer (STTT), 7(3):212–232, June 2005.

[16] George Candea and Armando Fox. Recursive restartability: Turning the reboot sledgehammer

into a scalpel. In Proceedings of the 8th Workship on Hot Topics in Operating Systems (HotOS-
VIII), May 2001.

[17] George Candea, Shinishi Kawamoto, Yuichi Fujiki, Greg Friedman, and Armando Fox. Mi-
croreboot – a technique for cheap recovery. In 6th Symposium on Operating System Design

and Implementation (OSDI), December 2004.

[18] RABA Innovative Solution Cell. Trusted agent report Diebold AccuVote-TS voting system,

January 2004.

[19] David Chaum. Secret-ballot receipts: True voter-verifiable elections. IEEE Security & Privacy

Magazine, 2(1):38–47, Jan.–Feb. 2004.

[20] David Chaum, February 2005. Personal Communication.

[21] CIBER. Diebold Election Systems, Inc. Source code review and functional testing. Califor-
nia Secretary of State’s Voting Systems Technology Assessment Advisory Board (VSTAAB),

February 2006.

[22] Frank Dabek, M. Frans Kaashoek, David Karger, Robert Morris, and Ion Stoica. Wide-area

cooperative storage with CFS. In Proceedings of the 18th ACM Symposium on Operating

Systems Principles (SOSP ’01), pages 202–215, October 2001.

[23] Dawson Engler, M. Frans Kaashoek, and James O’Toole. Exokernel: An operating system

architecture for application-level resource management. In Proceedings of the 15th ACM Sym-
posium on Operating Systems Principles (SOSP), October 1995.

[24] Richard Feiertag and Peter Neumann. The foundations of a Provably Secure Operating System

(PSOS). In Proceedings of the National Computer Conference, pages 329–334, 1979.

[25] Ariel Feldman, J. Alex Halderman, and Edward W. Felten. Security analysis of the Diebold

AccuVote-TS voting machine. In submission.

[26] Shafi Goldwasser and Silvio Micali. Probabilistic encryption. Journal of Computer and System

Sciences, 28(2):270–299, April 1984.

Page 152 of 157

Page 153 of 157

142

[27] Shafi Goldwasser, Silvio Micali, and Charles Rackoff. The knowledge complexity of interac-
tive proof systems. SIAM Journal on Computing, 18(2):270–299, 1984.

[28] Nevin Heintze and J. D. Tygar. A model for secure protocols and their compositions. IEEE

Transactions on Software Engineering, 22(1):16–30, January 1996.

[29] Gernot Heiser. Secure embedded systems need microkernels. USENIX ;login, 30(6):9–13,

December 2005.

[30] C.A.R. Hoare. An axiomatic basis for computer programming. Communications of the ACM,

12(10):576–580, 1969.

[31] Yennun Huang, CHandra Kintala, Nick Kolettis, and N. Dudley Fulton. Software rejuvena-
tion: Analysis, module and applications. In Twenty-Fifth International Symposium on Fault-
Tolerant Computing, 1995.

[32] Markus Jakobsson. A practical mix. In Advances in Cryptology – EUROCRYPT 1998, volume

1403 of Lecture Notes in Computer Science, pages 448–461. Springer-Verlag, May/June 1998.

[33] Markus Jakobsson, Ari Juels, and Ronald Rivest. Making mix nets robust for electronic voting

by randomized partial checking. In 11th USENIX Security Symposium, pages 339–353, August

2002.

[34] David Jefferson, Aviel Rubin, Barbara Simons, and David Wagner. Analyzing Internet voting

security. Communications of the ACM, 47(10):59–64, October 2004.

[35] David Jefferson, Aviel Rubin, Barbara Simons, and David Wagner. A security analysis

of the secure electronic registration and voting experiment (SERVE). http://www.cs.

berkeley.edu/ ̃daw/papers/servereport.pdf, January 2004. Report to the De-
partment of Defense (DoD).

[36] Rob Johnson and David Wagner. Finding user/kernel pointer bugs with type inference. In

Proceedings of the 13th USENIX Security Symposium, August 2004.

[37] Douglas Jones and Tom Bowersox. Secure data export and auditing using data diodes. In

USENIX/ACCURATE Electronic Voting Technology Workshop, October 2006.

[38] Myong Kang, Judith Froscher, and Ira Moskowitz. An architecture for multilevel secure in-
teroperability. In Proceedings of the 13th Annual Computer Security Applications Conference

(ACSAC 97), 1997.

[39] Chris Karlof, Naveen Sastry, and David Wagner. Cryptographic voting protocols: A systems

perspective. In Fourteenth USENIX Security Symposium (USENIX Security 2005), August

2005.

[40] Arthur Keller, David Mertz, Joseph Hall, and Arnold Urkin. Privacy issues in an electronic

voting machine. In ACM Workshop on Privacy in the Electronic Society, pages 33–34, October

2004. Full paper available at http://www.sims.berkeley.edu/ ̃jhall/papers/.

Page 153 of 157

Page 154 of 157

143

[41] Paul Kocher and Bruce Schneier. Insider risks in elections. Communications of the ACM,

47(7):104, July 2004.

[42] Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin, and Dan S. Wallach. Analysis of an

electronic voting system. In IEEE Symposium on Security and Privacy, pages 27–40, May

2004.

[43] Markus Kuhn. Optical time-domain eavesdropping risks of CRT displays. In IEEE Symposium

on Security and Privacy, May 2002.

[44] Gary Leavens and Yoonsik Cheon. Design by contract with JML. ftp://ftp.cs.

iastate.edu/pub/leavens/JML/jmldbc.pdf.

[45] Matt Lepinski, Silvio Micali, and abhi shelat. Collusion-free protocols. In Proceedings of the

37th ACM Symposium on Theory of Computing, May 2005.

[46] Matt Lepinski, Silvio Micali, and abhi shelat. Fair zero knowledge. In Proceedings of the 2nd

Theory of Cryptography Conference, February 2005.

[47] Jochen Liedtke. Toward real microkernels. Communications of the ACM, 39(9):70, September

1996.

[48] Heiko Mantel. On the composition of secure systems. In IEEE Symposium on Security and

Privacy, pages 88–101, May 2002.

[49] Daryl McCullough. Noninterference and the composability of security properties. In IEEE

Symposium on Security and Privacy, May 1988.

[50] Rebecca Mercuri. Electronic Vote Tabulation Checks & Balances. PhD thesis, School of

Engineering and Applied Science of the University of Pennsylvania, 2000.

[51] Rebecca Mercuri. A better ballot box? IEEE Spectrum, 39(10):46–50, October 2002.

[52] David Mertz. XML Matters: Practical XML data design and manipulation for

voting systems. http://www-128.ibm.com/developerworks/xml/library/

x-matters36.html, June 2004.

[53] Adrian Mettler and David Wagner. The Joe-E language specification (draft). Technical Report

UCB/EECS-2006-26, EECS Department, University of California, Berkeley, March 17 2006.

[54] Bertrand Meyer. Applying “Design by contract”. IEEE Computer, 25(10):40–51, 1992.

[55] David Molnar, Tadayoshi Kohno, Naveen Sastry, and David Wagner. Tamper-evident, history-
independent, subliminal-free data structures on PROM storage -or- How to store ballots on a

voting machine (extended abstract). In IEEE Symposium on Security and Privacy, May 2006.

[56] Tal Moran and Moni Naor. Receipt-free universally-verifiable voting with everlasting privacy.

In Advances in Cryptology – CRYPTO 2006, volume 4117 of Lecture Notes in Computer

Science, pages 373–392, August 2006.

Page 154 of 157

Page 155 of 157

144

[57] Deirdre Mulligan and Joseph Hall. Preliminary analysis of e-voting problems highlights need

for heightened standards and testing. A whitepaper submission to the NRC’s Committee

on Electronic Voting, http://www7.nationalacademies.org/cstb/project_

evoting_mulligan.pdf, December 2004.

[58] C. Andrew Neff. A verifiable secret shuffle and its application to e-voting. In 8th ACM Con-
ference on Computer and Communications Security (CCS 2001), pages 116–125, November

2001.

[59] C. Andrew Neff, October 2004. Personal Communication.

[60] C. Andrew Neff. Practical high certainty intent verification for encrypted votes. http:

//www.votehere.net/vhti/documentation, October 2004.

[61] C. Andrew Neff. Verifiable mixing (shuffling) of El Gamal pairs. http://www.

votehere.net/vhti/documentation, April 2004.

[62] Peter Neumann. Security criteria for electronic voting. In Proceedings of the 16th National

Computer Security Conference, September 1993.

[63] Peter Neumann and Richard Feiertag. PSOS revisited. In Proceedings of the 19th Annual

Computer Security Applications Conference (ACSAC 2003), 1997.

[64] Peter G. Neumann. Principled assuredly trustworthy composable architectures. Final report for

Task 1 of SRI Project 11459, as part of DARPA’s Composable High-Assurance Trustworthy

Systems (CHATS) program, 2004.

[65] David Patterson, Aaron Brown, Pete Broadwell, George Candea, Mike Chen, James Cutler,

Patricia Enriquez, Armando Fox, Emre Kiciman, Matthew Merzbacher, David Oppenheimer,

Naveen Sastry, William Tetzlaff, Jonathan Traupman, and Noah Treuhaft. Recovery Oriented

Computing (ROC): Motivation, definition, techniques, and case studies. Technical report,

University of California, Berkeley, March 2002.

[66] Birgit Pfitzmann and Andreas Pfitzmann. How to break the direct RSA-implementation of

MIXes. In Advances in Cryptology – EUROCRYPT 1989, volume 434 of Lecture Notes in

Computer Science, pages 373–381. Springer-Verlag, April 1989.

[67] Niels Provos, Markus Friedl, and Peter Honeyman. Preventing privilege escalation. In Pro-
ceedings of the 12th USENIX Security Symposium, August 2003.

[68] Mohan Rajagopalan, Saumya Debray, Matti Hiltunen, and Richard Schlichting. Automated

operating system specialization via binary rewriting. Technical Report TR05-03, University

of Arizona, February 2005.

[69] Richard Rashid Jr., Avadis Tevanian, Michael Young, Michael Young, David Golub, Robert

Baron, David Black, William Bolosky, and Jonathan Chew. Machine-independent virtual

memory management for paged uniprocessor and multiprocessor architectures. In Proceedings

of the 2nd Symposium on Architectural Support for Programming Languages and Operating

Systems, October 1987.

Page 155 of 157

Page 156 of 157

145

[70] Sean Rhea, Patrick Eaton, Dennis Geels, Hakim Weatherspoon, Ben Zhao, and John Kubia-
towicz. Pond: the OceanStore prototype. In 2nd USENIX Conference on File and Storage

Technologies (FAST ’03), pages 1–14, March 2003.

[71] John Rushby. Design and verification of secure systems. In Proceedings of the 8th ACM

Symposium on Operating Systems Principles (SOSP), December 1981.

[72] Science Applications International Corporation (SAIC). Risk assessment report Diebold

AccuVote-TS voting system and processes, September 2003.

[73] Alexandru Salcianu and Martin C. Rinard. Purity and side effect analysis for Java programs.

In VMCAI, pages 199–215, 2005.

[74] Naveen Sastry, Tadayoshi Kohno, and David Wagner. Designing voting machines for verifica-
tion. In Fifteenth USENIX Security Symposium (USENIX Security 2006), August 2006.

[75] Naveen Sastry, Adrian Mettler, and David Wagner. Verifying serialization through

environment-freeness, 2007. In submission to PLAS 2007.

[76] O. Sami Saydjari. LOCK: An historical perspective. In Proceedings of the 18th Annual

Computer Security Applications Conference (ACSAC), 2002.

[77] O. Sami Saydjari. Multilevel security: Reprise. IEEE Security and Privacy, 2(5):64–67, 2004.

[78] Fred Schneider, editor. Trust in Cyberspace. National Research Council, 1999.

[79] Ted Selker and Jonathan Goler. The SAVE system – secure architecture for voting electroni-
cally. BT Technology Journal, 22(4), October 2004.

[80] Arvind Seshadri, Adrian Perrig, Leendert van Doorn, and Pradeep Khosla. SWAtt: Software-
based attestation for embedded devices. In Proceedings of the IEEE Symposium on Security

and Privacy, May 2004.

[81] Umesh Shankar, Kunal Talwar, Jeffrey Foster, and David Wagner. Detecting format-string

vulnerabilities with type qualifiers. In Proceedings of the 10th USENIX Security Symposium,

August 2001.

[82] Jonathan Shapiro and Samuel Weber. Verifying the EROS confinement mechansim. In IEEE

Symposium on Security and Privacy, May 2000.

[83] Alan T. Sherman, Aryya Gangopadhyay, Stephen H. Holden, George Karabatis, A. Gunes

Koru, Chris M. Law, Donald F. Norris, John Pinkston, Andrew Sears, , and Dongsong Zhang.

An examination of vote verification technologies: Findings and experiences from the maryland

study. In USENIX/ACCURATE Electronic Voting Technology Workshop, October 2006.

[84] Jonathan Silverman. Reflections on the verification of the security of an operating system

kernel. In Proceedings of the 9th ACM Symposium on Operating Systems Principles (SOSP),

December 1983.

Page 156 of 157

Page 157 of 157

146

[85] Pete Slover. Some Texas counties are clinging to the chad. Dallas Morning News, March 8

2004.

[86] Michael Swift, Muthukaruppan Annamalai, Brian Bershad, and Henry Levy. Recovering de-
vice drivers. In Proceedings of the 6th ACM/USENIX Symposium on Operating System Design

and Implementation, December 2004.

[87] Michael Swift, Brian Bershad, and Henry Levy. Improving the reliability of commodity op-
erating systems. In Proceedings of the 19th ACM Symposium on Operating Sstems Principles

(SOSP 2003), October 2003.

[88] Wim van Eck. Electromagnetic radiation from video display units: An eavesdropping risk?

Computers & Security, 4, 1985.

[89] Poorvi Vora. David Chaum’s voter verification using encrypted paper receipts. Cryptology

ePrint Archive, Report 2005/050, February 2005. http://eprint.iacr.org/.

[90] David Wagner, David Jefferson, Matt Bishop, Chris Karlof, and Naveen Sastry. Security

analysis of the Diebold AccuBasic interpreter. California Secretary of State’s Voting Systems

Technology Assessment Advisory Board (VSTAAB), February 2006.

[91] Clark Weissman. MLS-PCA: A high assurance security architecture for future avionics. In

Proceedings of the 19th Annual Computer Security Applications Conference (ACSAC 2003),

2003.

[92] Andrew Whitaker, Marianne Shaw, and Steven Gribble. Denali: A scalable isolation kernel.

In 10th ACM SIGOPS European Workship, September 2002.

[93] Andrew Whitaker, Marianne Shaw, and Steven Gribble. Scale and performance in the denali

isolation kernel. In Proceedings of the 5th ACM/USENIX Symposium on Operating System

Design and Implementation, December 2002.

[94] Alec Yasinsac, David Wagner, Matt Bishop, Ted Baker, Breno de Madeiros, Gary Tyson,

Michael Shamos, and Mike Burmester. Software review and security analysis of the ES&S iV-
oteronic 8.0.1.2 voting machine firmware. Report commissioned by the Florida State Division

of Elections,, February 23 2007.

[95] Ka-Ping Yee, David Wagner, Marti Hearst, and Steven Bellovin. Prerendered user interfaces

for high-assurance electronic voting. In USENIX/ACCURATE Electronic Voting Technology

Workshop, October 2006.

[96] I-Ling Yen and Ray Paul. Key applications for high-assurance systems. IEEE Computer,

31(4):35–45, April 1998.

Page 157 of 157

Page 157 of 157
comments (0)
12/26/16
2090 Tue 27 Dec 2016 LESSONS from Rector JCMesh J Alphabets Letter Animation ClipartMesh C Alphabets Letter Animation Clipart an expert who identifies experts influenced by Expert and Infulencer Sashikanth Chandrasekharan of Free Online Buddhism - World Religions for Kidshttps://drambedkarbooks.com/2015/03/14/the-chamcha-age-by-saheb-kanshi-ram/#more-1506Awaken One With Awareness Mind (A1wAM)+ ioT (insight-net of Things) - the art of Giving, taking and Living to attain Eternal Bliss as Final Goal through Electronic Visual Communication Course on Political Science -Techno-Politico-Socio Transformation and Economic Emancipation Movement (TPSTEEM). Struggle hard to see that all fraud EVMs are replaced by paper ballots by Start using Internet of things by creating Websites, blogs. Make the best use of facebook, twitter etc., to propagate TPSTEEM thru FOA1TRPUVF. Practice Insight Meditation in all postures of the body - Sitting, standing, lying, walking, jogging, cycling, swimming, martial arts etc., for health mind in a healthy body. from INSIGHT-NET-Hi Tech Radio Free Animation Clipart Online A1 (Awakened One) Tipiṭaka Research & Practice University in Visual Format (FOA1TRPUVF) https://archive.org/stream/DhammapadaIllustrated/dhammapada_illustrated#page/n1/mode/2up free online university research practice up a level through http://sarvajan.ambedkar.orgup a level https://awakenmediaprabandhak. wordpress.com/ email-0565.gif from 123gifs.eu Download & Greeting Card modinotourpm@gmail.com jchandra1942@icloud.com sarvajanow@yahoo.co.in is the most Positive Energy of informative and research oriented site propagating the teachings of the Awakened One with Awareness the Buddha and on Techno-Politico-Socio Transformation and Economic Emancipation Movement followed by millions of people all over the world in 105 Classical languages. Rendering exact translation as a lesson of this University in one’s mother tongue to this Google Translation and propagation entitles to become a Stream Enterer (Sottapanna) and to attain Eternal Bliss as a Final Goal BSP is the Number One Largest Party in the Country with all societies (sarvajan Samaj ) supporting it for Sarvajan Hitay sarvajan Sukhay. http://www.abplive.in/…/not-even-1-4th-of-the-promises-made… Not even 1/4th of the promises made by BJP are fulfilled: Mayawati, BSP Chief http://media.photobucket.com/…/W…/media/SilentHill.gif.html… https://scroll.in/…/silent-disquiet-what-explains-the-lack-… THE THIN EDGE Silent disquiet: What explains the lack of large-scale public anger in the face of oppression? http://indiatoday.intoday.in/…/rahul-gandhi-p…/1/843007.html Congress was bad, but Murderer of democratic institutions (Modi) turned our country into a malevolent enemy of the people.up a level தமிழில் திரபிடக மூன்று தொகுப்புகள்TIPITAKA-ஸுத்தபிடக-Section-C- from FREE ONLINE eNālāndā Research and Practice UNIVERSITY through http://sarvajan.ambedkar.org இந்த நூட்கள் வெளியீடு காட்சிமுறை உருவரைக்குறிப்பு தேவனாகரி எழுத்துப் பிரதியில் திபிடக முக்கூடைகளின் சஹ்ஹுவ ஸாக்யன (ஆறாவது மன்றம்) பதிப்பு.
Filed under: General
Posted by: site admin @ 8:54 pm



2090 Tue 27 Dec 2016


LESSONS


from

Rector
JCMesh J Alphabets Letter Animation ClipartMesh C Alphabets Letter Animation Clipart

an expert who identifies experts influenced by Expert and Infulencer Sashikanth Chandrasekharan
of


Free Online
Buddhism - World

Religions for Kidshttps://drambedkarbooks.com/2015/03/14/the-chamcha-age-by-saheb-kanshi-ram/#more-1506
Awaken One With Awareness Mind
(A1wAM)
+ ioT (insight-net of Things)  - the art of Giving, taking and Living   to attain Eternal Bliss
as Final Goal through Electronic Visual Communication Course on
Political Science -Techno-Politico-Socio Transformation and Economic
Emancipation Movement (TPSTEEM).


Struggle hard to see that all fraud EVMs are replaced by paper ballots by

Start
using Internet of things by creating Websites, blogs. Make the best use
of facebook, twitter etc., to propagate TPSTEEM thru
FOA1TRPUVF.

Practice
Insight Meditation in all postures of the body - Sitting, standing,
lying, walking, jogging, cycling, swimming, martial arts etc., for
health mind in a healthy body.



 from

INSIGHT-NET-Hi Tech Radio Free Animation Clipart Online A1 (Awakened One) Tipiṭaka Research & Practice University
in Visual Format (FOA1TRPUVF)

https://archive.org/stream/DhammapadaIllustrated/dhammapada_illustrated#page/n1/mode/2up


free online university research practice









up a level through http://sarvajan.ambedkar.orgup a level



https://awakenmediaprabandhak. wordpress.com/












email-0565.gif from 123gifs.eu Download & Greeting Card


modinotourpm@gmail.com
jchandra1942@icloud.com
sarvajanow@yahoo.co.in



is the most Positive Energy of informative and research oriented site propagating the teachings of the Awakened One with Awareness the Buddha and on Techno-Politico-Socio Transformation and Economic Emancipation Movement followed by millions of people all over the world in 105 Classical languages.


Rendering exact translation as a lesson of this
University in one’s mother tongue to this Google Translation and
propagation entitles to become a Stream
Enterer (Sottapanna) and

to attain Eternal Bliss as a Final Goal

BSP
is the Number One Largest Party in the Country with all societies
(sarvajan Samaj ) supporting it for Sarvaj
an Hitay sarvajan Sukhay.

http://www.abplive.in/…/not-even-1-4th-of-the-promises-made…

Not even 1/4th of the promises made by BJP are fulfilled: Mayawati, BSP Chief

http://media.photobucket.com/…/W…/media/SilentHill.gif.html…

https://scroll.in/…/silent-disquiet-what-explains-the-lack-…

THE THIN EDGE

Silent disquiet: What explains the lack of large-scale public anger in
the face of oppression?

http://indiatoday.intoday.in/…/rahul-gandhi-p…/1/843007.html


Congress was bad, but Murderer of democratic institutions (Modi) turned
our country into a malevolent enemy of the people.

Not even 1/4th of the promises made by BJP are fulfilled: Mayawati, BSP Chief
Monday, 26 December 2016 1:09 PM


It is being said that Cong and SP will form alliance, final call will
be taken when its realised that BJP will benefit from alliance: Mayawati

For latest breaking news, other top stories log on to: http://www.abplive.in & https://www.youtube.com/c/abpnews


It
is being said that Cong and SP will form alliance, final call will be
taken when its realised that BJP will benefit from alliance: MayawatiFor
latest breaking news, other…
abplive.in
http://www.watch-latest-news.com/watch-mayawatis-press-conference-eyeing-upcoming-assembly-election-in-up-26-12-2016/

Watch : Mayawati’s Press Conference eyeing upcoming assembly election in UP 26-12-2016

Watch : Mayawati’s Press Conference eyeing upcoming assembly election in UP
Mayawati’s
Press Conference eyeing upcoming assembly election in U.P. Watch
complete news story of News @ 12:00 PM to get the detailed news updates!

http://www.aplatestnews.com/usnewsvideo.php?vidtype=10&idx=mayawati-press-conference-against-demonetization-2016-11-26

Mayawati Press Conference Against Demonetization

http://media.photobucket.com/…/W…/media/SilentHill.gif.html…

https://scroll.in/…/silent-disquiet-what-explains-the-lack-…

THE THIN EDGE

Silent disquiet: What explains the lack of large-scale public anger in
the face of oppression?

We believe in servitude and obedience, constantly adjusting to the
powerful, applying exactly the same oppressive techniques on those
weaker than us.

8 hours ago
Updated 3 hours ago

TM Krishna

The spirit is mute, maybe it lost its voice a long time ago and I just
didn’t notice. The spark, the verve in our voice has wearied – its
timbre is missing. The gentle smile that opens into a hearty laugh
even among the poorest of the poor has lost its shine. Among a
section, there is nervousness, many finding recourse in the safety of
silence and an equal number resigned to whatever is thrown at them.

Of course, there are those who feel vindicated – “our time has come,”
they say. Somewhere at the very epicentre of that pride, there is
thirst for blood, revenge targeted at an unknown past, curated to
refer to a mirage of characters, long gone. Sharing has become an
exercise in socio-political incest, when everyone else is a fool or a
dangerous pariah.

I am unable to frame words with exactitude that describe this silent
disquiet among many. But as I watch people, listen to conversations,
overhear whispers at railway stations and airports, speak to auto
drivers, street vendors and shopkeepers, there is a sense of
acceptance about the various infringements we have been mute witnesses to over the past few years.


The maya of pseudo-morality has been so wonderfully mass-marketed and
installed in our minds that any expression of dissent makes us feel
lesser, corrupt and unfaithful. And, hence, even the doubtful are
surrendering to the possibility that all this is for our betterment.

Just like we feel that punishment at school is necessary to instil
discipline and moral correctness, today we sit in the classroom of our
land, policed by our headmaster, Narendra Modi, receiving a few lashes at all those ideals that he says have led us astray.

Before proceeding , it is important to state that cultural and economic
manipulations are not new to our nation. The Congress has employed
them to put us in our place too. But I will be lying to myself if I do
not express my feeling that ever since Modi came to power, we have
been witness to a tactical and systematic orchestration of
manipulation of various shades. I am stopping just short of calling it
sinister, but I cannot but wonder.

The evil, most tragically, is targeted at the very conscience of our
modern existence – the Constitution. And the fact that many are
convinced that this is the way to move forward makes all this even
more dangerous.

Machiavellian governance is today being justified by majoritarianism.

Even the labeled anti-lot are struggling to come to terms with this
emotional seed that Modi has planted in our hearts. Within this
internal quagmire exists religious and nationalistic fidelity. How
does one fight it without feeling or sounding immoral? The
psychological war unleashed by this government has effectively crushed
response by instilling doubt. And my worry is that by the time we
realise the fallacy of the weapons or develop the courage to respond
with conviction, the boat may have left the jetty.

The marginalised struggle to retain their culture-specific identities,
dignity and relevance. The few voices of protest are targeted with
vengeance. Our bravado only worsened the Kashmir crisis and we may have
turned the clock back by at least a decade or more – all for
machismo and display of another form of ugly morality. And the
economically disfranchised across sections of society have been hit
hard by an unimaginable financial act of insanity.

Ironically, every secular Hindu quote aids and abets Modi’s discourse,
making us think twice before we stand up and say anything to the
contrary.

Stuck in the past

There is something missing in us. I do not know if it is cultural or
conditioned, but as a people, we do not recognise rights as a
fundamental nature of living. This is as true of the privileged as it
is of the ones on the fringes. We will oppress, twist the system and
justify that in the name of survival. At the same time, rarely will we
realise that the rights given by our Constitution to all inhabitants
of this land are not benevolence showered on us by some supreme power
but a beautiful gift we gave ourselves. Exercising our rights is seen by
many as obstructive and of nuisance value. Some even feel they are
committing a wrong when they assert themselves, and there are those who
will not take the risk, held back by fear.

We do not respect ourselves as people of ethical power, power that
gives us the right to live with dignity, privacy, empathy and
empowerment. And, hence, we are nervous about voicing those demands.

This is disrespect of our own humanity and, ironically, that gives us
the right to manipulate it unabashedly. We believe in servitude and
obedience, constantly adjusting to the powerful, applying exactly the
same oppressive techniques on those who are lower in our social
ladder, the worst hit being the SC/STs, Muslims and women.


Therefore, the lack of large-scale public anger at all that has been
going on is not to be equated with a certification, it is an odd mixture
of fatalism, false morality and an inability to ask for what is ours.
Our
idea of the self is not derived from the Constitution, it comes from
elsewhere, an intangible vague past.


We are a confluence of an old civilisation and a new democracy. If you
ask an Indian, they will instantly connect with the cultural antiquity
of who we are and not with the modern constitutional democracy that is
India today. Many of our cultural practices and faiths contravene
democracy, making reconciliation next to impossible. This is the
reason why we are unable to understand ideas such as liberty,
equality, fraternity and justice in a 21st-century sense. We interpret
all this in relation to an ambiguous past, and we are unable to trust
the contemporary.

For us, the old is far more valuable than the new and our Constitution
is new and hence, must submit to an old age scrutiny. We are
uncomfortable in our Democratic Republic skin and always looking out
for that monarch. And unfortunately, in Modi many have found that
tough, benevolent raja. The only history that he and his government
want to destroy is the one that began in 1950 and was told from then
on. They lose no opportunity to constantly reiterate that ancient
past, when we were supposedly pure, unpolluted by outsiders. A
cultural technique to subvert India – the Secular Socialist Democratic
Republic.


Need for deep reflection Modi probably believes he is the saviour on
the white horse and has convinced us that the modern lies in the
employment of technological tools, though behind these technologies are
parochial, casteist, religiously divisive and economically invasive
stratagems. Technology is the perfect facade to hide behind and Modi
does it to perfection.

The fraud EVMs have been tampered for Modi to gobble the Master Key.
The Ex CJI had committed agrave error of judgement by ordering that the
EVMs could be replaced in a phased manner as suggested by the ex CEC
Sampath. Only 8 out of 543 seats in 2014 Lok Sabha were replaced.
The present CEC says that only in 2019 the entire EVMs will be replaced.
None of them ordered for paper ballotrs to be used till the entire EVMs
were replaced. And the central and state governments selected by these
fraud EVMs to be dissolved and go for fresh elections with paper
ballots.

Similarly, he has reduced corruption to only its
financial mmanifestation. While until now, he and Modi may be clear of
financial corruption,they are culturally and socially corrupt. But do we
really care to think of these as forms of corruption?

As we enter a new year, we need to reflect deeply on those whose
voices we do not hear. The lack of voices of dissidence does not
indicate support. And a victory in an election, too, does not
necessarily infer validation. We have to search with greater intensity
and subtlety, because only then will this nation mature to become what
our founding fathers believed was possible. Today, we are a mockery of
what we could have been, and have nobody but ourselves to blame.

Decades of philosophical and political degeneration has led us to
where we are and, therefore, I will not lay all blame at Modi’s
doorstep. After all, we let him happen and that says something about
us. And this country celebrates nationhood when death, sorrow,
unhappiness and unimaginable hardship are forced upon people. What a shame!


Peace Is Doable

silent hill gif photo: Silent Hill Shattered Memories SilentHill.gif

http://indiatoday.intoday.in/…/rahul-gandhi-p…/1/843007.html


Congress was bad, but Murderer of democratic institutions (Modi) turned
our country into a malevolent enemy of the people. Always threatening
with newer punitive measures, taking your money away, making you stand
in lines in his QUEUE INDIA MOVEMENT. And all the collected money from
ordinary people will go to Bahuth Jiyadha Psychopath (BJP) friends, not a
penny back to us, except build a hospital here and a statue there.
Corruption by congress was big and under the surface, but BJP greed took
the food out of poor peoples mouth, only dictators in Africa do this.


Congress vice-president Rahul Gandhi claims that Modi was paid huge
money in kickbacks during his stint as Gujarat chief minister.

He accused Modi of receiving crores from the two big corporate houses and demanded an independent probe into the matter.


Congress’ Uttar Pradesh chief ministerial candidate Sheila Dikshit on
Monday too washed her hands off the allegation made in the diaries
against her. Among others, the list contains an entry against Dikshit,
the then Delhi chief minister. The diary entry showed that Rs 1 crore in
cash was paid to her on September 23, 2013.

Rahul earlier claimed whether it was a sin to have a brahmin as CM of UP.

1. BOFORS SCAM


Diary entries in the Bofors scam played a major role during trial
in Sweden. Former head of the Swedish police Sten Lindstrom claimed that
he leaked about 350 documents, which included payment instructions to
banks, contracts, handwritten notes, minutes of meetings and Bofors
managing director Martin Ardbo’s diary that carried a lot of sensitive
information.

In an interview to The Hindu, Lindstrom’s commented
on former prime minister Rajiv Gandhi and Ottavio Quattrocchi, the
Italian businessman accused of being a middleman in the deal:

But
Rajiv Gandhi watched the massive cover-up in India and Sweden and did
nothing. Many Indian institutions were tarred, innocent people were
punished while the guilty got away. The evidence against Ottavio
Quattrocchi was conclusive.

Former prime minister VP Singh
raised the issue during Rajiv Gandhi’s tenure as PM. This led to
Gandhi’s defeat in the 1989 Lok Sabha elections and Singh succeeded him
as the PM.

2. JAIN HAWALA SCAM

The sensational Jain
Hawala scam of 1996 also affected the political careers of several
leaders. Names of at least 60 politicians, civil servants and
businessmen appeared in coded entries in two diaries seized by the
police from a prominent New Delhi businessman in 1991. According to the
prosecutors, SK Jain - one of two brothers who kept the diaries -
claimed that the entries reflected payoffs made from 1988 to 1991 for
government contracts and other favours.

On the directive from
the Supreme Court in January 1996, a special hawala court was set up.
This forced three senior ministers - Madhavrao Scindia, VC Shukla and
Balram Jakhar - of the PV Narasimha Rao government to resign. The then
BJP president LK Advani too resigned from Parliament and pledged not to
contest till his name was cleared from the scam.

3. APPLE ORCHARD SCAM OF VIRBHADRA SINGH


The Income Tax department, during its raids in December 2012 at
Ispat Industries premises, found diaries with entries made about
off-the-book cash transactions. Some notings between 2008 and 2010 were
under the title ‘VBS’. The raids took place when the present Himachal
Pradesh Chief Minister Virbhadra Singh was the Union Steel Minister in
the Manmohan Singh’s UPA government rocked by scams. The seized
documents revealed that payments of Rs 50 lakh each on 28 October 2009
and 21 December 2009; Rs 28 lakh on 21 April 2010, and Rs 1 crore on 8
August 2010 had been made. Similar entries in the diaries hinted at
payments made to Virbhadra through his aides.
The entries were
made at the same time when the Income Tax department laid its hands on
three large cash deposits made by an LIC agent, Anand Chauhan, into
account number 524185 of Punjab National Bank’s branch at Sinjauli, near
Shimla, the capital of Himachal Pradesh. The agent deposited Rs 5 crore
between 2008 and 2011 and then i,Rassued cheques to pay for one-time
life insurance premium of ‘Veerbhadra Singh Hindu United Family’,
comprising the CM, his wife and two children. Virbhadra told the Income
Tax officials that the payments had been made to Chauhan for managing
his apple orchards.
The said income from apple orchards saw
multifold jump - from Rs 10-20 lakh every year to an additional profit
of Rs 6.15 crore. Noose is tightening around Virbhadra and the
Opposition BJP is all set to raise it during forthcoming Assembly
elections.

4. PDS SCAM OF RAMAN SINGH

The PDS scam
came into limelight following allegations levelled by senior senior
Congress leaders against Chhattisgarh Chief Minister Raman Singh. In
March 2015, Congress spokesperson Abhishek Manu Singhvi, on the basis of
unverified “documentary evidence”, alleged that over Rs 34 crore were
sent to the CM’s house on June 8, 2014, as “payment of ill-gotten
wealth”.
Singhvi claimed that Raman Singh, his close relatives
and personal staff earned several crores worth of “ill-gotten wealth”
through the alleged scam in the state’s public distribution system
(PDS). Based on daily entries made in a diary of one Shiv Shankar Bhatt
of the State Civil Supplies Corporation, Congress accused Singh, his
wife and her close relatives, state ministers as well as the CM’s
personal cook, courier and aides of indulging in “unprecedented
corruption”.
The PDS rice scam is a tale of “ministers, chief
minister, CM’s close relatives, CM’s close personnel and staff
completely immersed neck deep in corruption,” Singhvi had told the media
while distributing copies of the diary entries.

5. EX-CBI DIRECTOR RANJIT SINHA


Former CBI Director Ranjit Sinha was indicted by a Supreme
Court-appointed panel which held that prima facie there was an attempt
to influence investigation into the multi-crore coal block allocation
scam, again during the Congress-led UPA government. Sinha was accused of
meeting some of the high- profile accused in the scam. The court also
pulled up CBI for its sluggish probe in the scam and directed the agency
to complete the investigation expeditiously.
Attorney General
Mukul Rohatgi informed the apex court that the panel headed by former
CBI special director ML Sharma held that Sinha’s meetings prima facie
indicated that there was an attempt to influence the investigation.

This case too was based on a visitors’ diary at Sinha’s residence.
Rohtagi said he had gone through the report which has found that the
entries made in the diary were genuine.

B K

Sheila
Dikshit era of Delhi witnessed number of money laundering and
corruptions in Delhi. Her removal from UP election process may not
benefit the party as Sonia herself made the impression of the party as
the most corrupt party in the country. The scam prone Sonia cheated
farmers, poor of the country while she encouraged scams after scams in
her 10 years of rule. Sonia’s corrupt image discouraged people to leave
the party.

Chand

The oldest political party is suffering
from aimless and poor leadership. The so called earthquake seems to be
happening within the party.

Jaitley Sabotaging Even Petty Gains, Soft On Corporate, Traders


Jaitley as FM had bungled everyday. It was Most Lunatic to keep Shops
and Businesses Run 24 Hrs/day as if 8 hrs/day is not enough. Even
BSE/NSE work for 25 Hr/Week - Led to Rs.2-3 Lakh Cr Black Money
Conversion in few days.

Who Prevented Traders from Accepting
Checks? – A Trader may E-Mail Check Number to the Bank And Bank Then
Transfer The Money in to Traders Account, Check is then deposited with
Bank for record, First of 3 Lunatics yesterday.

There was a 20 Yr
Old Bobby Deol film also which depicted how Accounts of a Criminal was
Cleaned up remotely from a Cruise Ship in seconds. E-Banking means $b
money can flow from one account to another to another in seconds.


Had I advised him at 8PM on Nov08, 2016 It would have been to Unplug
all the ATMs, Inter-Bank transactions and directed all banks to Switch
off Power supply and shut down banking transactions. Directed people to
buy essential supplies, made Quick Arrangement to Deposit Old notes in
Sealed Bags with Copy of Aadhar Card after making them unusable by
dipping an end of it in ink or oil with Third Party like Schools used
for Elections.

This would have ensured ALL THE CURRENCY NOTES are
Safely deposited with Third Party in few days QUICKLY – Leaving the
banks to do Normal Business through Written Pay Orders and Do Normal
Business through ATMs in 2-5 day.

It is Laughable India’s
Finance Minister had no idea that Businesses Use FAKE ACCOUNTS to
LAUNDER BLACK MONEY and Secret Accounts to keep Money.

Second
Lunatics he said PM is Wrong when he wanted Stock Market ‘Profits’
should be TAXED like any other income, next Third he said ‘Cashless
means less cash, not no cash’. This is LUNATIC – means Earning Money At
Stock Market is TAX FREE and Buying a Pizza attract 17% to 20% S.Tax
plus Taxes on Business.

http://www.ril.com/ar2014-15/RIL%20AR%202014%20-15.pdf
SCANDALOUS CORPORATE BEHAVIOR OF RIL IS ILLUSTRATED BY THE FACT THAT
ITS CONSOLIDATED NET PROFIT IS Rs.23,556 Cr BUT STANDALONE NET PROFIT IS
Rs.22,719 Cr IS REPORTED PAGE 49 of RIL AR 201-15>
Ø THUS NET
PROFIT FROM Rs.100,000 Cr INVESTING & FINANCING ACTIVITIES, 100
Plus Subsidiaries Generated Just Rs.763 Cr Profit.
Ø THUS
Rs.20,000 Cr Tax Evasion & Black Money Conversion Business Within
RIL. i.e. Rs.8,613 Other Income should attract Rs.2500 Cr Income Tax.
Ø INSTEAD OF RELEASING Rs.15-20 Lakh Cr LOCKED In Corporate &
Rs.2 Lakh Cr Tax Evasion By SPLITTING Companies – He Gave Us
Demonetization.

silent hill gif photo: Silent Hill Shattered Memories SilentHill.gif

http://www.ambedkar.org/gifimages/voteforBSP.gif

http://www.ambedkar.org/gifimages/voteforBSP.gif

up a level
மிழில் திபி  மூன்று தொகுப்புள்TIPITAKA-ஸுத்தபிடக-Section-C-
from FREE ONLINE  eNālāndā Research and
Practice UNIVERSITY through http://sarvajan.ambedkar.org


இந்த  நூட்கள் வெளியீடு
காட்சிமுறை உருவரைக்குறிப்பு தேவனாகரி எழுத்துப் பிரதியில் திபிடக 
முக்கூடைகளின் சஹ்ஹுவ ஸாக்யன (ஆறாவது மன்றம்) பதிப்பு.

This outline displays the publication of books in the Devan±gari-script edition of the
Chaμμha Saag±yana (Sixth Council) Tipiμaka. The names of the volumes are displayed
in italics with the suffix “-p±1⁄4i” indicating
the volume is part of the root Tipiμaka, rather than commentarial literature. This outline lists the root volumes only.
Please note: These books are in P±li only, in Devan±gari script, and are not for sale.

No set of English translations is available. For further information please see: www.tipitaka.org

விநய பியுயக Vinaya Piμaka
(மூன்று மண்டலங்கள், 5 நூட்களாக அச்சடிக்கப்பட்டது)

(Three divisions, printed in 5 books)

1.ஸுத்த விபாக(ஒரு சர  மண்டலம்) [பிக்குக்கள் மற்றும் பிக்குனிகளுக்கான தன்னகம் கொண்ட
விதிகளின் இரண்டு நூட்கள்]

Sutta Vibhaaga [two books containing rules for the bhikkhus and
bhikkhunis, outlining eight classes of offences]


திபிடக  முக்கூடைகள்

Tipiμaka (three “baskets”)

ஸுத்த பியுயக

( ஐந்து திரட்டுகள்)

Sutta Piμaka

(Five nik±yas, or collections)

The
Sutta Piṭaka contains the essence of the Buddha’s teaching regarding
the Dhamma. It contains more than ten thousand suttas. It is divided in
five collections called Nikāyas (A multitude, assemblage; a collection; a
class, order, group; an association, fraternity, congregation; a house,
dwelling).

நெறி முறைக் கட்டளை ஆணைக் கூடை தம்மா பற்றி புத்தர்
கற்பித்த மெய்ம்மை சாறு நிரம்பியது.  அது பதினாயிரம் விஞ்சி மிகுதியாக நெறி
முறைக் கட்டளை ஆணை நிரம்பியது. அது நிகாய ( ஒரு பேரெண்ணிக்கை,
ஒன்றுகூடுதல் ஒரு வகை, வரிசைமுறை, குவியல், ஓர் கூட்டமைப்பு,
பொதுநோக்கங்கள் கொண்ட, ஒருங்கு கூட்டுதல், ஒரு குடும்பமரபுக் குழு,
கருத்தூன்றி நீடித்த ) என அழைக்கப்படும் ஐந்து திரட்டுகளாக பிரிந்துள்ளது.

Dīgha Nikāya
[dīgha:
long] The Dīgha Nikāya gathers 34 of the longest discourses given by
the Buddha. There are various hints that many of them are late additions
to the original corpus and of questionable authenticity.

நீளமான நிகாய (திரட்டுகள்)
புத்தரால் கொடுக்கப்பட்ட 34 நீளமான போதனையுரைகள் கொய்சகமாக்கப்பட்டது.

Majjhima Nikāya
[majjhima:
medium] The Majjhima Nikāya gathers 152 discourses of the Buddha of
intermediate length, dealing with diverse matters.

 மத்திம (நடுத்தரமான) நிகாய (திரட்டுகள்)

புத்தரால்
கொடுக்கப்பட்ட 152 மத்திம ( நடுத்தரமான நீட்சி ) பல்வேறு வகைப்பட்ட
விஷயங்கள் செயல் தொடர்பு உடன் போதனையுரைகள் கொய்சகமாக்கப்பட்டது.

Saṃyutta Nikāya
[samyutta:
group] The Saṃyutta Nikāya gathers the suttas according to their
subject in 56 sub-groups called saṃyuttas. It contains more than three
thousand discourses of variable length, but generally relatively short.

குவியல் நிகாய (திரட்டுகள்)

குவியல்
நிகாய (திரட்டுகள்) என அழைக்கப்படும் நெறி முறைக் கட்டளை ஆணை அவற்றினுடைய
பொருளுக்கு ஏற்ப 56 பங்குவரி குவியலாக கொய்சகமாக்கப்பட்டது. அது மூவாயிரம்
விஞ்சி மிகுதியாக மாறும் தன்மையுள்ள நீளம் ஆனால் பெரும்பாலும் ஒப்பு
நோக்காக சுருக்கமான நெறி முறைக் கட்டளை ஆணை நிரம்பியது.

Aṅguttara Nikāya
[aṅg:
factor | uttara: additionnal] The Aṅguttara Nikāya is subdivized in
eleven sub-groups called nipātas, each of them gathering discourses
consisting of enumerations of one additional factor versus those of the
precedent nipāta. It contains thousands of suttas which are generally
short.

கூடுதல் அங்கமான (ஆக்கக்கூறு) நிகாய (திரட்டுகள்)

இறங்குதல்
காரணி, கருத்தைக் கவர்கிற, கீழ் நோக்கி அல்லது ஏறத்தாழ தற்போதைக்கு
உதவுகிற என அழைக்கப்படும் பதினொன்று பங்குவரி, ஒவ்வொன்று
கொய்சகமாக்கப்பட்டது நெறி முறைக் கட்டளை ஆணை கணக்கிடல் ஆக்கை ஒரு
குறிப்பிட்ட கூடுதல் ஆக்கக் கூறு எதிராக அவை முன்னோடி மாதிரி இறங்குதல்
காரணி. அது ஆயிரக்கணக்கான பெரும்பாலும் சுருக்கமான நெறி முறைக் கட்டளை ஆணை
நிரம்பியது. தன்னகம் கொண்டிரு

Khuddaka Nikāya
[khuddha: short,
small] The Khuddhaka Nikāya short texts and is considered as been
composed of two stratas: Dhammapada, Udāna, Itivuttaka, Sutta Nipāta,
Theragāthā-Therīgāthā and Jātaka form the ancient strata, while other
books are late additions and their authenticity is more questionable.

சுருக்கமான, சிறிய நிகாய (திரட்டுகள்)

சுருக்கமான,
சிறிய நிகாய (திரட்டுகள்) வாசகம் மற்றும் ஆலோசனை மிக்க மாதிரி தணிந்த
இரண்டு படுகைகள் : தம்மபத (ஒரு சமய சம்பந்தமான முற்றுத் தொடர் வாக்கியம் ,
மூன்று கூடைகள் நூட்கள்  ஒன்றின் பெயர் , தம்மாவின் உடற்பகுதி அல்லது
பாகம்), உதான (வார்த்தைகளால்,
மேல்நோக்கிய பேரார்வம், ஆவல் கொண்ட அல்லது
மகிழ்ச்சி கூற்று, சொற்றொடர் , உணர்ச்சிமிக்க உறுதலுணர்ச்சி, மகிழ்ச்சி
அல்லது மனத்துயரம் இரண்டனுள் ஒன்று), இதிவுத்தக ( இது குத்தகனிகாய நான்காம்
புத்தகம் பெயர்), ஸுத்த ( ஒரு சரம், இழை ,: புத்தசமயம், சவுகதநூல் ஒரு
பாகம்; ஒரு விதி, நீதி வாக்கியம் இறங்குதல் காரணி),தேரகாத-தேரிகாத(
தேராக்களுக்கு உரியதானது), மற்றும் ஒரு சரடு ஜாதக ( பிறப்பு , பிறப்பிடம் ,
ஒரு பிறப்பு அல்லது : புத்தசமயம் விவேகம் வாழ்தல் , ஒரு ஜாதக, அல்லது
புத்தரின் முந்திய பிறப்பு கதைளில் ஒன்று.)



2090 Tue 27 Dec 2016


LESSONS


from

Rector
JCMesh J Alphabets Letter Animation ClipartMesh C Alphabets Letter Animation Clipart

an expert who identifies experts influenced by Expert and Infulencer Sashikanth Chandrasekharan
of


Free Online
Buddhism - World

Religions for Kidshttps://drambedkarbooks.com/2015/03/14/the-chamcha-age-by-saheb-kanshi-ram/#more-1506
Awaken One With Awareness Mind
(A1wAM)
+ ioT (insight-net of Things)  - the art of Giving, taking and Living   to attain Eternal Bliss
as Final Goal through Electronic Visual Communication Course on
Political Science -Techno-Politico-Socio Transformation and Economic
Emancipation Movement (TPSTEEM).


Struggle hard to see that all fraud EVMs are replaced by paper ballots by

Start
using Internet of things by creating Websites, blogs. Make the best use
of facebook, twitter etc., to propagate TPSTEEM thru
FOA1TRPUVF.

Practice
Insight Meditation in all postures of the body - Sitting, standing,
lying, walking, jogging, cycling, swimming, martial arts etc., for
health mind in a healthy body.



 from

INSIGHT-NET-Hi Tech Radio Free Animation Clipart Online A1 (Awakened One) Tipiṭaka Research & Practice University
in Visual Format (FOA1TRPUVF)

https://archive.org/stream/DhammapadaIllustrated/dhammapada_illustrated#page/n1/mode/2up


free online university research practice









up a level through http://sarvajan.ambedkar.orgup a level



https://awakenmediaprabandhak. wordpress.com/












email-0565.gif from 123gifs.eu Download & Greeting Card


modinotourpm@gmail.com
jchandra1942@icloud.com
sarvajanow@yahoo.co.in



is the most Positive Energy of informative and research oriented site propagating the teachings of the Awakened One with Awareness the Buddha and on Techno-Politico-Socio Transformation and Economic Emancipation Movement followed by millions of people all over the world in 105 Classical languages.


Rendering exact translation as a lesson of this
University in one’s mother tongue to this Google Translation and
propagation entitles to become a Stream
Enterer (Sottapanna) and

to attain Eternal Bliss as a Final Goal

BSP
is the Number One Largest Party in the Country with all societies
(sarvajan Samaj ) supporting it for Sarvaj
an Hitay sarvajan Sukhay.

http://www.abplive.in/…/not-even-1-4th-of-the-promises-made…

Not even 1/4th of the promises made by BJP are fulfilled: Mayawati, BSP Chief

http://media.photobucket.com/…/W…/media/SilentHill.gif.html…

https://scroll.in/…/silent-disquiet-what-explains-the-lack-…

THE THIN EDGE

Silent disquiet: What explains the lack of large-scale public anger in
the face of oppression?

http://indiatoday.intoday.in/…/rahul-gandhi-p…/1/843007.html


Congress was bad, but Murderer of democratic institutions (Modi) turned
our country into a malevolent enemy of the people.

Not even 1/4th of the promises made by BJP are fulfilled: Mayawati, BSP Chief
Monday, 26 December 2016 1:09 PM


It is being said that Cong and SP will form alliance, final call will
be taken when its realised that BJP will benefit from alliance: Mayawati

For latest breaking news, other top stories log on to: http://www.abplive.in & https://www.youtube.com/c/abpnews


It
is being said that Cong and SP will form alliance, final call will be
taken when its realised that BJP will benefit from alliance: MayawatiFor
latest breaking news, other…
abplive.in
http://www.watch-latest-news.com/watch-mayawatis-press-conference-eyeing-upcoming-assembly-election-in-up-26-12-2016/

Watch : Mayawati’s Press Conference eyeing upcoming assembly election in UP 26-12-2016

Watch : Mayawati’s Press Conference eyeing upcoming assembly election in UP
Mayawati’s
Press Conference eyeing upcoming assembly election in U.P. Watch
complete news story of News @ 12:00 PM to get the detailed news updates!

http://www.aplatestnews.com/usnewsvideo.php?vidtype=10&idx=mayawati-press-conference-against-demonetization-2016-11-26

Mayawati Press Conference Against Demonetization

http://media.photobucket.com/…/W…/media/SilentHill.gif.html…

https://scroll.in/…/silent-disquiet-what-explains-the-lack-…

THE THIN EDGE

Silent disquiet: What explains the lack of large-scale public anger in
the face of oppression?

We believe in servitude and obedience, constantly adjusting to the
powerful, applying exactly the same oppressive techniques on those
weaker than us.

8 hours ago
Updated 3 hours ago

TM Krishna

The spirit is mute, maybe it lost its voice a long time ago and I just
didn’t notice. The spark, the verve in our voice has wearied – its
timbre is missing. The gentle smile that opens into a hearty laugh
even among the poorest of the poor has lost its shine. Among a
section, there is nervousness, many finding recourse in the safety of
silence and an equal number resigned to whatever is thrown at them.

Of course, there are those who feel vindicated – “our time has come,”
they say. Somewhere at the very epicentre of that pride, there is
thirst for blood, revenge targeted at an unknown past, curated to
refer to a mirage of characters, long gone. Sharing has become an
exercise in socio-political incest, when everyone else is a fool or a
dangerous pariah.

I am unable to frame words with exactitude that describe this silent
disquiet among many. But as I watch people, listen to conversations,
overhear whispers at railway stations and airports, speak to auto
drivers, street vendors and shopkeepers, there is a sense of
acceptance about the various infringements we have been mute witnesses to over the past few years.


The maya of pseudo-morality has been so wonderfully mass-marketed and
installed in our minds that any expression of dissent makes us feel
lesser, corrupt and unfaithful. And, hence, even the doubtful are
surrendering to the possibility that all this is for our betterment.

Just like we feel that punishment at school is necessary to instil
discipline and moral correctness, today we sit in the classroom of our
land, policed by our headmaster, Narendra Modi, receiving a few lashes at all those ideals that he says have led us astray.

Before proceeding , it is important to state that cultural and economic
manipulations are not new to our nation. The Congress has employed
them to put us in our place too. But I will be lying to myself if I do
not express my feeling that ever since Modi came to power, we have
been witness to a tactical and systematic orchestration of
manipulation of various shades. I am stopping just short of calling it
sinister, but I cannot but wonder.

The evil, most tragically, is targeted at the very conscience of our
modern existence – the Constitution. And the fact that many are
convinced that this is the way to move forward makes all this even
more dangerous.

Machiavellian governance is today being justified by majoritarianism.

Even the labeled anti-lot are struggling to come to terms with this
emotional seed that Modi has planted in our hearts. Within this
internal quagmire exists religious and nationalistic fidelity. How
does one fight it without feeling or sounding immoral? The
psychological war unleashed by this government has effectively crushed
response by instilling doubt. And my worry is that by the time we
realise the fallacy of the weapons or develop the courage to respond
with conviction, the boat may have left the jetty.

The marginalised struggle to retain their culture-specific identities,
dignity and relevance. The few voices of protest are targeted with
vengeance. Our bravado only worsened the Kashmir crisis and we may have
turned the clock back by at least a decade or more – all for
machismo and display of another form of ugly morality. And the
economically disfranchised across sections of society have been hit
hard by an unimaginable financial act of insanity.

Ironically, every secular Hindu quote aids and abets Modi’s discourse,
making us think twice before we stand up and say anything to the
contrary.

Stuck in the past

There is something missing in us. I do not know if it is cultural or
conditioned, but as a people, we do not recognise rights as a
fundamental nature of living. This is as true of the privileged as it
is of the ones on the fringes. We will oppress, twist the system and
justify that in the name of survival. At the same time, rarely will we
realise that the rights given by our Constitution to all inhabitants
of this land are not benevolence showered on us by some supreme power
but a beautiful gift we gave ourselves. Exercising our rights is seen by
many as obstructive and of nuisance value. Some even feel they are
committing a wrong when they assert themselves, and there are those who
will not take the risk, held back by fear.

We do not respect ourselves as people of ethical power, power that
gives us the right to live with dignity, privacy, empathy and
empowerment. And, hence, we are nervous about voicing those demands.

This is disrespect of our own humanity and, ironically, that gives us
the right to manipulate it unabashedly. We believe in servitude and
obedience, constantly adjusting to the powerful, applying exactly the
same oppressive techniques on those who are lower in our social
ladder, the worst hit being the SC/STs, Muslims and women.


Therefore, the lack of large-scale public anger at all that has been
going on is not to be equated with a certification, it is an odd mixture
of fatalism, false morality and an inability to ask for what is ours.
Our
idea of the self is not derived from the Constitution, it comes from
elsewhere, an intangible vague past.


We are a confluence of an old civilisation and a new democracy. If you
ask an Indian, they will instantly connect with the cultural antiquity
of who we are and not with the modern constitutional democracy that is
India today. Many of our cultural practices and faiths contravene
democracy, making reconciliation next to impossible. This is the
reason why we are unable to understand ideas such as liberty,
equality, fraternity and justice in a 21st-century sense. We interpret
all this in relation to an ambiguous past, and we are unable to trust
the contemporary.

For us, the old is far more valuable than the new and our Constitution
is new and hence, must submit to an old age scrutiny. We are
uncomfortable in our Democratic Republic skin and always looking out
for that monarch. And unfortunately, in Modi many have found that
tough, benevolent raja. The only history that he and his government
want to destroy is the one that began in 1950 and was told from then
on. They lose no opportunity to constantly reiterate that ancient
past, when we were supposedly pure, unpolluted by outsiders. A
cultural technique to subvert India – the Secular Socialist Democratic
Republic.


Need for deep reflection Modi probably believes he is the saviour on
the white horse and has convinced us that the modern lies in the
employment of technological tools, though behind these technologies are
parochial, casteist, religiously divisive and economically invasive
stratagems. Technology is the perfect facade to hide behind and Modi
does it to perfection.

The fraud EVMs have been tampered for Modi to gobble the Master Key.
The Ex CJI had committed agrave error of judgement by ordering that the
EVMs could be replaced in a phased manner as suggested by the ex CEC
Sampath. Only 8 out of 543 seats in 2014 Lok Sabha were replaced.
The present CEC says that only in 2019 the entire EVMs will be replaced.
None of them ordered for paper ballotrs to be used till the entire EVMs
were replaced. And the central and state governments selected by these
fraud EVMs to be dissolved and go for fresh elections with paper
ballots.

Similarly, he has reduced corruption to only its
financial mmanifestation. While until now, he and Modi may be clear of
financial corruption,they are culturally and socially corrupt. But do we
really care to think of these as forms of corruption?

As we enter a new year, we need to reflect deeply on those whose
voices we do not hear. The lack of voices of dissidence does not
indicate support. And a victory in an election, too, does not
necessarily infer validation. We have to search with greater intensity
and subtlety, because only then will this nation mature to become what
our founding fathers believed was possible. Today, we are a mockery of
what we could have been, and have nobody but ourselves to blame.

Decades of philosophical and political degeneration has led us to
where we are and, therefore, I will not lay all blame at Modi’s
doorstep. After all, we let him happen and that says something about
us. And this country celebrates nationhood when death, sorrow,
unhappiness and unimaginable hardship are forced upon people. What a shame!


Peace Is Doable

silent hill gif photo: Silent Hill Shattered Memories SilentHill.gif

http://indiatoday.intoday.in/…/rahul-gandhi-p…/1/843007.html


Congress was bad, but Murderer of democratic institutions (Modi) turned
our country into a malevolent enemy of the people. Always threatening
with newer punitive measures, taking your money away, making you stand
in lines in his QUEUE INDIA MOVEMENT. And all the collected money from
ordinary people will go to Bahuth Jiyadha Psychopath (BJP) friends, not a
penny back to us, except build a hospital here and a statue there.
Corruption by congress was big and under the surface, but BJP greed took
the food out of poor peoples mouth, only dictators in Africa do this.


Congress vice-president Rahul Gandhi claims that Modi was paid huge
money in kickbacks during his stint as Gujarat chief minister.

He accused Modi of receiving crores from the two big corporate houses and demanded an independent probe into the matter.


Congress’ Uttar Pradesh chief ministerial candidate Sheila Dikshit on
Monday too washed her hands off the allegation made in the diaries
against her. Among others, the list contains an entry against Dikshit,
the then Delhi chief minister. The diary entry showed that Rs 1 crore in
cash was paid to her on September 23, 2013.

Rahul earlier claimed whether it was a sin to have a brahmin as CM of UP.

1. BOFORS SCAM


Diary entries in the Bofors scam played a major role during trial
in Sweden. Former head of the Swedish police Sten Lindstrom claimed that
he leaked about 350 documents, which included payment instructions to
banks, contracts, handwritten notes, minutes of meetings and Bofors
managing director Martin Ardbo’s diary that carried a lot of sensitive
information.

In an interview to The Hindu, Lindstrom’s commented
on former prime minister Rajiv Gandhi and Ottavio Quattrocchi, the
Italian businessman accused of being a middleman in the deal:

But
Rajiv Gandhi watched the massive cover-up in India and Sweden and did
nothing. Many Indian institutions were tarred, innocent people were
punished while the guilty got away. The evidence against Ottavio
Quattrocchi was conclusive.

Former prime minister VP Singh
raised the issue during Rajiv Gandhi’s tenure as PM. This led to
Gandhi’s defeat in the 1989 Lok Sabha elections and Singh succeeded him
as the PM.

2. JAIN HAWALA SCAM

The sensational Jain
Hawala scam of 1996 also affected the political careers of several
leaders. Names of at least 60 politicians, civil servants and
businessmen appeared in coded entries in two diaries seized by the
police from a prominent New Delhi businessman in 1991. According to the
prosecutors, SK Jain - one of two brothers who kept the diaries -
claimed that the entries reflected payoffs made from 1988 to 1991 for
government contracts and other favours.

On the directive from
the Supreme Court in January 1996, a special hawala court was set up.
This forced three senior ministers - Madhavrao Scindia, VC Shukla and
Balram Jakhar - of the PV Narasimha Rao government to resign. The then
BJP president LK Advani too resigned from Parliament and pledged not to
contest till his name was cleared from the scam.

3. APPLE ORCHARD SCAM OF VIRBHADRA SINGH


The Income Tax department, during its raids in December 2012 at
Ispat Industries premises, found diaries with entries made about
off-the-book cash transactions. Some notings between 2008 and 2010 were
under the title ‘VBS’. The raids took place when the present Himachal
Pradesh Chief Minister Virbhadra Singh was the Union Steel Minister in
the Manmohan Singh’s UPA government rocked by scams. The seized
documents revealed that payments of Rs 50 lakh each on 28 October 2009
and 21 December 2009; Rs 28 lakh on 21 April 2010, and Rs 1 crore on 8
August 2010 had been made. Similar entries in the diaries hinted at
payments made to Virbhadra through his aides.
The entries were
made at the same time when the Income Tax department laid its hands on
three large cash deposits made by an LIC agent, Anand Chauhan, into
account number 524185 of Punjab National Bank’s branch at Sinjauli, near
Shimla, the capital of Himachal Pradesh. The agent deposited Rs 5 crore
between 2008 and 2011 and then i,Rassued cheques to pay for one-time
life insurance premium of ‘Veerbhadra Singh Hindu United Family’,
comprising the CM, his wife and two children. Virbhadra told the Income
Tax officials that the payments had been made to Chauhan for managing
his apple orchards.
The said income from apple orchards saw
multifold jump - from Rs 10-20 lakh every year to an additional profit
of Rs 6.15 crore. Noose is tightening around Virbhadra and the
Opposition BJP is all set to raise it during forthcoming Assembly
elections.

4. PDS SCAM OF RAMAN SINGH

The PDS scam
came into limelight following allegations levelled by senior senior
Congress leaders against Chhattisgarh Chief Minister Raman Singh. In
March 2015, Congress spokesperson Abhishek Manu Singhvi, on the basis of
unverified “documentary evidence”, alleged that over Rs 34 crore were
sent to the CM’s house on June 8, 2014, as “payment of ill-gotten
wealth”.
Singhvi claimed that Raman Singh, his close relatives
and personal staff earned several crores worth of “ill-gotten wealth”
through the alleged scam in the state’s public distribution system
(PDS). Based on daily entries made in a diary of one Shiv Shankar Bhatt
of the State Civil Supplies Corporation, Congress accused Singh, his
wife and her close relatives, state ministers as well as the CM’s
personal cook, courier and aides of indulging in “unprecedented
corruption”.
The PDS rice scam is a tale of “ministers, chief
minister, CM’s close relatives, CM’s close personnel and staff
completely immersed neck deep in corruption,” Singhvi had told the media
while distributing copies of the diary entries.

5. EX-CBI DIRECTOR RANJIT SINHA


Former CBI Director Ranjit Sinha was indicted by a Supreme
Court-appointed panel which held that prima facie there was an attempt
to influence investigation into the multi-crore coal block allocation
scam, again during the Congress-led UPA government. Sinha was accused of
meeting some of the high- profile accused in the scam. The court also
pulled up CBI for its sluggish probe in the scam and directed the agency
to complete the investigation expeditiously.
Attorney General
Mukul Rohatgi informed the apex court that the panel headed by former
CBI special director ML Sharma held that Sinha’s meetings prima facie
indicated that there was an attempt to influence the investigation.

This case too was based on a visitors’ diary at Sinha’s residence.
Rohtagi said he had gone through the report which has found that the
entries made in the diary were genuine.

B K

Sheila
Dikshit era of Delhi witnessed number of money laundering and
corruptions in Delhi. Her removal from UP election process may not
benefit the party as Sonia herself made the impression of the party as
the most corrupt party in the country. The scam prone Sonia cheated
farmers, poor of the country while she encouraged scams after scams in
her 10 years of rule. Sonia’s corrupt image discouraged people to leave
the party.

Chand

The oldest political party is suffering
from aimless and poor leadership. The so called earthquake seems to be
happening within the party.

Jaitley Sabotaging Even Petty Gains, Soft On Corporate, Traders


Jaitley as FM had bungled everyday. It was Most Lunatic to keep Shops
and Businesses Run 24 Hrs/day as if 8 hrs/day is not enough. Even
BSE/NSE work for 25 Hr/Week - Led to Rs.2-3 Lakh Cr Black Money
Conversion in few days.

Who Prevented Traders from Accepting
Checks? – A Trader may E-Mail Check Number to the Bank And Bank Then
Transfer The Money in to Traders Account, Check is then deposited with
Bank for record, First of 3 Lunatics yesterday.

There was a 20 Yr
Old Bobby Deol film also which depicted how Accounts of a Criminal was
Cleaned up remotely from a Cruise Ship in seconds. E-Banking means $b
money can flow from one account to another to another in seconds.


Had I advised him at 8PM on Nov08, 2016 It would have been to Unplug
all the ATMs, Inter-Bank transactions and directed all banks to Switch
off Power supply and shut down banking transactions. Directed people to
buy essential supplies, made Quick Arrangement to Deposit Old notes in
Sealed Bags with Copy of Aadhar Card after making them unusable by
dipping an end of it in ink or oil with Third Party like Schools used
for Elections.

This would have ensured ALL THE CURRENCY NOTES are
Safely deposited with Third Party in few days QUICKLY – Leaving the
banks to do Normal Business through Written Pay Orders and Do Normal
Business through ATMs in 2-5 day.

It is Laughable India’s
Finance Minister had no idea that Businesses Use FAKE ACCOUNTS to
LAUNDER BLACK MONEY and Secret Accounts to keep Money.

Second
Lunatics he said PM is Wrong when he wanted Stock Market ‘Profits’
should be TAXED like any other income, next Third he said ‘Cashless
means less cash, not no cash’. This is LUNATIC – means Earning Money At
Stock Market is TAX FREE and Buying a Pizza attract 17% to 20% S.Tax
plus Taxes on Business.

http://www.ril.com/ar2014-15/RIL%20AR%202014%20-15.pdf
SCANDALOUS CORPORATE BEHAVIOR OF RIL IS ILLUSTRATED BY THE FACT THAT
ITS CONSOLIDATED NET PROFIT IS Rs.23,556 Cr BUT STANDALONE NET PROFIT IS
Rs.22,719 Cr IS REPORTED PAGE 49 of RIL AR 201-15>
Ø THUS NET
PROFIT FROM Rs.100,000 Cr INVESTING & FINANCING ACTIVITIES, 100
Plus Subsidiaries Generated Just Rs.763 Cr Profit.
Ø THUS
Rs.20,000 Cr Tax Evasion & Black Money Conversion Business Within
RIL. i.e. Rs.8,613 Other Income should attract Rs.2500 Cr Income Tax.
Ø INSTEAD OF RELEASING Rs.15-20 Lakh Cr LOCKED In Corporate &
Rs.2 Lakh Cr Tax Evasion By SPLITTING Companies – He Gave Us
Demonetization.

silent hill gif photo: Silent Hill Shattered Memories SilentHill.gif

http://www.ambedkar.org/gifimages/voteforBSP.gif

http://www.ambedkar.org/gifimages/voteforBSP.gif

up a level
மிழில் திபி  மூன்று தொகுப்புள்TIPITAKA-ஸுத்தபிடக-Section-C-
from FREE ONLINE  eNālāndā Research and
Practice UNIVERSITY through http://sarvajan.ambedkar.org


இந்த  நூட்கள் வெளியீடு
காட்சிமுறை உருவரைக்குறிப்பு தேவனாகரி எழுத்துப் பிரதியில் திபிடக 
முக்கூடைகளின் சஹ்ஹுவ ஸாக்யன (ஆறாவது மன்றம்) பதிப்பு.

This outline displays the publication of books in the Devan±gari-script edition of the
Chaμμha Saag±yana (Sixth Council) Tipiμaka. The names of the volumes are displayed
in italics with the suffix “-p±1⁄4i” indicating
the volume is part of the root Tipiμaka, rather than commentarial literature. This outline lists the root volumes only.
Please note: These books are in P±li only, in Devan±gari script, and are not for sale.

No set of English translations is available. For further information please see: www.tipitaka.org

விநய பியுயக Vinaya Piμaka
(மூன்று மண்டலங்கள், 5 நூட்களாக அச்சடிக்கப்பட்டது)

(Three divisions, printed in 5 books)

1.ஸுத்த விபாக(ஒரு சர  மண்டலம்) [பிக்குக்கள் மற்றும் பிக்குனிகளுக்கான தன்னகம் கொண்ட
விதிகளின் இரண்டு நூட்கள்]

Sutta Vibhaaga [two books containing rules for the bhikkhus and
bhikkhunis, outlining eight classes of offences]


திபிடக  முக்கூடைகள்

Tipiμaka (three “baskets”)

ஸுத்த பியுயக

( ஐந்து திரட்டுகள்)

Sutta Piμaka

(Five nik±yas, or collections)

The
Sutta Piṭaka contains the essence of the Buddha’s teaching regarding
the Dhamma. It contains more than ten thousand suttas. It is divided in
five collections called Nikāyas (A multitude, assemblage; a collection; a
class, order, group; an association, fraternity, congregation; a house,
dwelling).

நெறி முறைக் கட்டளை ஆணைக் கூடை தம்மா பற்றி புத்தர்
கற்பித்த மெய்ம்மை சாறு நிரம்பியது.  அது பதினாயிரம் விஞ்சி மிகுதியாக நெறி
முறைக் கட்டளை ஆணை நிரம்பியது. அது நிகாய ( ஒரு பேரெண்ணிக்கை,
ஒன்றுகூடுதல் ஒரு வகை, வரிசைமுறை, குவியல், ஓர் கூட்டமைப்பு,
பொதுநோக்கங்கள் கொண்ட, ஒருங்கு கூட்டுதல், ஒரு குடும்பமரபுக் குழு,
கருத்தூன்றி நீடித்த ) என அழைக்கப்படும் ஐந்து திரட்டுகளாக பிரிந்துள்ளது.

Dīgha Nikāya
[dīgha:
long] The Dīgha Nikāya gathers 34 of the longest discourses given by
the Buddha. There are various hints that many of them are late additions
to the original corpus and of questionable authenticity.

நீளமான நிகாய (திரட்டுகள்)
புத்தரால் கொடுக்கப்பட்ட 34 நீளமான போதனையுரைகள் கொய்சகமாக்கப்பட்டது.

Majjhima Nikāya
[majjhima:
medium] The Majjhima Nikāya gathers 152 discourses of the Buddha of
intermediate length, dealing with diverse matters.

 மத்திம (நடுத்தரமான) நிகாய (திரட்டுகள்)

புத்தரால்
கொடுக்கப்பட்ட 152 மத்திம ( நடுத்தரமான நீட்சி ) பல்வேறு வகைப்பட்ட
விஷயங்கள் செயல் தொடர்பு உடன் போதனையுரைகள் கொய்சகமாக்கப்பட்டது.

Saṃyutta Nikāya
[samyutta:
group] The Saṃyutta Nikāya gathers the suttas according to their
subject in 56 sub-groups called saṃyuttas. It contains more than three
thousand discourses of variable length, but generally relatively short.

குவியல் நிகாய (திரட்டுகள்)

குவியல்
நிகாய (திரட்டுகள்) என அழைக்கப்படும் நெறி முறைக் கட்டளை ஆணை அவற்றினுடைய
பொருளுக்கு ஏற்ப 56 பங்குவரி குவியலாக கொய்சகமாக்கப்பட்டது. அது மூவாயிரம்
விஞ்சி மிகுதியாக மாறும் தன்மையுள்ள நீளம் ஆனால் பெரும்பாலும் ஒப்பு
நோக்காக சுருக்கமான நெறி முறைக் கட்டளை ஆணை நிரம்பியது.

Aṅguttara Nikāya
[aṅg:
factor | uttara: additionnal] The Aṅguttara Nikāya is subdivized in
eleven sub-groups called nipātas, each of them gathering discourses
consisting of enumerations of one additional factor versus those of the
precedent nipāta. It contains thousands of suttas which are generally
short.

கூடுதல் அங்கமான (ஆக்கக்கூறு) நிகாய (திரட்டுகள்)

இறங்குதல்
காரணி, கருத்தைக் கவர்கிற, கீழ் நோக்கி அல்லது ஏறத்தாழ தற்போதைக்கு
உதவுகிற என அழைக்கப்படும் பதினொன்று பங்குவரி, ஒவ்வொன்று
கொய்சகமாக்கப்பட்டது நெறி முறைக் கட்டளை ஆணை கணக்கிடல் ஆக்கை ஒரு
குறிப்பிட்ட கூடுதல் ஆக்கக் கூறு எதிராக அவை முன்னோடி மாதிரி இறங்குதல்
காரணி. அது ஆயிரக்கணக்கான பெரும்பாலும் சுருக்கமான நெறி முறைக் கட்டளை ஆணை
நிரம்பியது. தன்னகம் கொண்டிரு

Khuddaka Nikāya
[khuddha: short,
small] The Khuddhaka Nikāya short texts and is considered as been
composed of two stratas: Dhammapada, Udāna, Itivuttaka, Sutta Nipāta,
Theragāthā-Therīgāthā and Jātaka form the ancient strata, while other
books are late additions and their authenticity is more questionable.

சுருக்கமான, சிறிய நிகாய (திரட்டுகள்)

சுருக்கமான,
சிறிய நிகாய (திரட்டுகள்) வாசகம் மற்றும் ஆலோசனை மிக்க மாதிரி தணிந்த
இரண்டு படுகைகள் : தம்மபத (ஒரு சமய சம்பந்தமான முற்றுத் தொடர் வாக்கியம் ,
மூன்று கூடைகள் நூட்கள்  ஒன்றின் பெயர் , தம்மாவின் உடற்பகுதி அல்லது
பாகம்), உதான (வார்த்தைகளால்,
மேல்நோக்கிய பேரார்வம், ஆவல் கொண்ட அல்லது
மகிழ்ச்சி கூற்று, சொற்றொடர் , உணர்ச்சிமிக்க உறுதலுணர்ச்சி, மகிழ்ச்சி
அல்லது மனத்துயரம் இரண்டனுள் ஒன்று), இதிவுத்தக ( இது குத்தகனிகாய நான்காம்
புத்தகம் பெயர்), ஸுத்த ( ஒரு சரம், இழை ,: புத்தசமயம், சவுகதநூல் ஒரு
பாகம்; ஒரு விதி, நீதி வாக்கியம் இறங்குதல் காரணி),தேரகாத-தேரிகாத(
தேராக்களுக்கு உரியதானது), மற்றும் ஒரு சரடு ஜாதக ( பிறப்பு , பிறப்பிடம் ,
ஒரு பிறப்பு அல்லது : புத்தசமயம் விவேகம் வாழ்தல் , ஒரு ஜாதக, அல்லது
புத்தரின் முந்திய பிறப்பு கதைளில் ஒன்று.)


https://drive.google.com/file/d/0B3FeaMu_1EQyaVhnam1kRlZOZEk/view

FIXING



THE



VOTE



ELECTRONIC VOTING MACHINES PROMISE TO MAKE



ELECTIONS MORE ACCURATE THAN EVER BEFORE, BUT



ONLY IF CERTAIN PROBLEMS—WITH THE MACHINES



AND THE WIDER ELECTORAL PROCESS—ARE RECTIFIED



By Ted Selker



90 SCIENTIFIC AMERICAN OCTOBER 2004



COURTESY OF SEQUOIA VOTING SYSTEMS



COPYRIGHT 2004 SCIENTIFIC AMERICAN, INC.

Page 1 of 8

For more details on FIXING THE VOTE
please visit http://sarvajan.ambedkar.org

http://bestanimations.com/Holidays/Thankyou-01-june.gif


comments (0)
FIXING THE VOTE ELECTRONIC VOTING MACHINES PROMISE TO MAKE -https://drive.google.com/file/d/0B3FeaMu_1EQyaVhnam1kRlZOZEk/view
Filed under: General
Posted by: site admin @ 8:28 pm

https://drive.google.com/file/d/0B3FeaMu_1EQyaVhnam1kRlZOZEk/view

Page
8
/
8

Page 1 of 8

FIXING

THE

VOTE

ELECTRONIC VOTING MACHINES PROMISE TO MAKE

ELECTIONS MORE ACCURATE THAN EVER BEFORE, BUT

ONLY IF CERTAIN PROBLEMS—WITH THE MACHINES

AND THE WIDER ELECTORAL PROCESS—ARE RECTIFIED

By Ted Selker

90 SCIENTIFIC AMERICAN OCTOBER 2004

COURTESY OF SEQUOIA VOTING SYSTEMS

COPYRIGHT 2004 SCIENTIFIC AMERICAN, INC.

Page 1 of 8

Page 2 of 8

Voting may seem like a simple activity—cast ballots, then count them. Complexity arises, how-
ever, because voters must be registered and votes must be recorded in secrecy, transferred se-
curely and counted accurately. We vote rarely, so the procedure never becomes a well-practiced

routine. One race between two candidates is easy. Half a dozen races, each between several can-
didates, and ballot measures besides—that’s harder. This complex process is so vital to our democ-
racy that problems with it are as noteworthy as engineering faults in a nuclear power plant.

Votes can be lost at every stage of the process. The infamous 2000 U.S. presidential election

dramatized some very basic, yet systemic, flaws concerning who got to vote and

how the votes were counted. An estimated four million to six

million ballots were not counted or were prevented

from being cast at all—well over 2 percent of the 150

million registered voters. This is a shockingly large

number considering that the decision of which can-
didate would assume the most powerful office in the

world came to rest on 537 ballots in Florida.

Three simple problems were to blame for these

losses. The first, which made up the largest contri-
bution, was from registration database errors that

prevented 1.5 million to three million votes; this

problem was exemplified by 80,000 names taken off

the Florida lists because of a poorly designed com-
puter algorithm. Second, a further 1.5 million to two

million votes were uncountable because of equip-
ment glitches, mostly bad ballot design. For exam-
ple, the butterfly ballot of Palm Beach County con-
fused many into voting for an unintended candidate

and also contributed to another appalling outcome:

19,235 people, or 4 percent of voters, selected more

than one presidential candidate. Equipment prob-
lems such as clogged punch holes resulted in an ad-
ditional 682 dimpled ballots that were not counted

there. Finally, according to the U.S. Census Bureau,

about one million registered voters reported that

polling-place difficulties such as long lines prevent-
ed them from casting a vote.

Thus, registration and polling-place troubles ac-
counted for about two thirds of the documentable

lost votes in 2000. The remaining one third were

technology-related, most notably ballot design and

mechanical failures. In the aftermath of the 2000

election, officials across the country, at both the fed-
eral and local levels, have scrambled to abandon old

approaches, such as lever machines and punch cards,

in favor of newer methods. Many are turning to elec-
tronic voting machines. Although these machines of-
fer many advantages, we must make sure that these

SCIENTIFIC AMERICAN 91

VOTING

MACHINE—here,

Sequoia Voting Systems’s

AVC Edge—is fairly typical

of direct record electronic

(DRE) voting machines

on the market. Voters enter

their votes via a touch-
screen interface.

COPYRIGHT 2004 SCIENTIFIC AMERICAN, INC.

Page 2 of 8

Page 3 of 8

new systems simplify the election process, reduce errors and

eliminate fraud.

Some countries have introduced electronic systems with

great success. Brazil started testing electronic voting machines

in the mid-1990s and since 2000 has been using one type of ma-
chine across its vast pool of 106 million voters. It has multiple

organizations responsible for different aspects of voting equip-
ment development as part of the safeguards. It also introduced

the machines in carefully controlled stages—with 40,000 voters

in 1996 (7 percent of whom failed to record their votes elec-
tronically) and 150,000 in 1998 (2 percent failure). Improve-
ments based on those experiments reduced the failure rate to

an estimated 0.2 percent in 2000.

Voting Technology

VOTING SYSTEMS have a long history of advancing with tech-
nology. In ancient Greece, Egypt and Rome, marks were made

for candidates on pieces of discarded pottery called ostraca. Pa-
per superseded pottery in the hand-counted paper ballot, which

is still used by 1.3 percent of U.S. voters. Other modern tech-
nologies are lever machines, punch cards and mark-sense bal-
lots (where each candidate’s name is next to an empty oval or

other shape that must be marked correctly to indicate the selec-
tion, and a scanner counts the votes automatically). The table

on pages 94 and 95 summarizes the benefits and drawbacks of

each of these methods and suggests ways to improve them. A

lengthier discussion of nonelectronic systems is at www.sciam.

com/ontheweb.

Electronic voting machines have been around for 135

years—Thomas Edison patented one in 1869. Elections started

testing electronic voting machines in the 1970s, when display-
ing and recording a ballot directly into a computer file became

economical. At first, many were mixed-media machines, using

paper to present the selections and buttons to record the votes.

Officials had to carefully align the paper with the buttons and

indicator lights. Electronic voting machines that use such pa-
per overlays are still on the market. More modern direct record

electronic (DRE) voting machines present the ballot and feed-
back information on an electronic display, which may be com-
bined with audio.

Such machines have many advantages: they can stop a vot-
er from choosing too many candidates (called overvoting), and

they can warn if no candidate is picked on a race (undervoting).

For instance, when Georgia changed over to DREs in 2002,

residuals (the total of overvotes and undervotes combined)

were reduced from among the worst in the nation at 3.2 per-
cent on the top race in 2000 to 0.9 percent in 2002. So-called

ballotless voting allows the machines to eliminate tampering

with physical ballots during handling or counting. (Lever ma-
chines, dating back to 1892, share many of those features.)

Yet the birthing of DRE voting equipment in the U.S. has not

been easy. The voting machine industry is fragmented, with nu-
merous companies pursuing a variety of products and without

a mature body of industry-wide standards in place. Deciding

what is a good voting machine is still being discussed by various

advocacy organizations and groups such as the IEEE Project

1583 on voting equipment standards. Allegations of voting com-
panies using money to influence testing and purchasing of

equipment are not uncommon.

Complicating matters, local jurisdictions across the coun-
try have different rules and approaches to testing and using vot-
ing equipment. Some counties, such as Los Angeles, are so-
phisticated enough that they commission voting machines built

to their own specifications. Many other municipalities know so

little about voting that they employ voting companies to run

the election and report the results.

Polling-place practices add further hazards of insecurity and

potential malfunctions. I recall walking into the central election

warehouse (where the voting machines are stored and the

precinct vote tallies are combined) in Broward County, Flori-
da, when it was being used for a recount in December 2002.

The building’s loading dock was opened to the outdoors for

ventilation. The control center for tallying all the votes was a

small computer room; the door to that room was ajar and no

log was kept of personnel entering and leaving.

Beyond external issues, DRE machines themselves have had

technological shortcomings that have slowed their adoption.

Voters have found their displays confusing or challenging to

use. Software bugs and difficulties in setting up DREs have also

presented problems. During the 2002 Broward County re-
count, I was allowed to try out machines from Electronic Sys-
tems and Services (ESS), one of the country’s major election ma-
chine makers. The ESS machines had an excessive undervote

because the “move to next race” button was too close to the

“deposit my ballot” button. An audio ballot was so poorly de-
signed it took about 45 minutes to vote.

On machines made by the company Sequoia, people who

chose a straight party vote and then tried to select that party’s

presidential candidate were unaware that they were deselecting

their presidential choice. A massive 10 percent undervote was

registered in one county using Sequoia machines in New Mexico.

Examining the insides of new voting machines still reveals

92 SCIENTIFIC AMERICAN OCTOBER 2004

■ Following the infamous 2000 presidential election,

electoral officials around the country have scrambled to

upgrade their voting technology with newer systems,

such as direct record electronic voting machines (DREs).

■ A state or county that is considering buying DREs should

hire experts to test the machines thoroughly for bugs,

malicious software and security holes and to assess the

quality of the user interface.

■ Election officials and polling-place workers should be well

versed in the operation of their machines and should follow

practices that do not compromise the security of the vote.

■ In addition to these technology-related issues, the voter

registration process and polling-place practices in general

must be improved to prevent massive losses of votes.

Overview/Electronic Voting

COPYRIGHT 2004 SCIENTIFIC AMERICAN, INC.

Page 3 of 8

Page 4 of 8

many physical security faults. For example, some machines have

a lifetime electronic odometer that is supposed to read every vote

that the machine makes. But the odometer is connected to the

rest of the machine by a cable that a corrupt poll worker could

unplug to circumvent it without breaking a seal.

Source code for voting machines made by different compa-
nies, like most commercial software, is a trade secret. Election

machine companies allow buyers to show the source code to

experts under confidential terms. Unfortunately, the local elec-
tion officials might not know how to find a qualified expert.

And when they find one, will the voting companies be required

to listen? For instance, in 1997 Iowa was considering a voting

machine made by Global Election Systems, which was later

bought out by Diebold. Computer scientist Douglas W. Jones

of the University of Iowa pointed out security issues, and the

state bought Sequoia machines instead. In February 2003

Diebold left its software on unsecured servers, and DRE crit-
ics posted Diebold’s code on the Internet for everyone to see.

The problems that Jones saw six years earlier had not been

fixed. Any person with physical access to the machines and a

moderate amount of computer knowledge could have hacked

into them to produce any outcome desired.

The best computer security available depends on sophisti-
cated encryption and carefully designed protocols. Yet to know

the system has not been compromised requires testing. DRE

machines have not received the constant testing that they re-
quire. Security of today’s voting machines is wholly dependent

on election workers and the procedures that they follow.

Because virtually all tallies, no matter what voting method

is used, are now stored and transmitted in some electronic form,

computer fraud is possible with all voting systems. The advent

of DRE machines potentially allows such tampering to go

www.sciam.com SCIENTIFIC AMERICAN 93

DON FOLEY (illustration); COURTESY OF SEQUOIA VOTING SYSTEMS (photograph)

AUDIT TRAILS

VERIVOTE PRINTER UPGRADE to Sequoia Voting

Systems’s AVC Edge voting machine produces

a paper copy of the votes made on it and

displays it behind a window. Before leaving the

voting booth, the voter can verify her vote by

inspecting the paper record, which is retained

by the machine for use in recounts

An audit trail printed on

paper or recorded on tape

or CD would enable an

independent recount

of votes made on an

electronic voting machine.

1Voter makes selections

using a touch screen

2Audio confirmation

is played to the voter

over headphones as each

selection is made

3A tape recorder

also records the

audio confirmations,

providing a permanent

human- and machine-
readable audit trail for

the votes

COPYRIGHT 2004 SCIENTIFIC AMERICAN, INC.

Page 4 of 8

Page 5 of 8

unchecked from the point at which the voter attempts to cast

a ballot. Schemes for altering ballots have always existed, but

a computerized attack could have widespread effects were it

waged on a large jurisdiction that uses one kind of software on

one type of machine. Using a single system allows large juris-
dictions to get organized and improve their results but must be

accompanied by stringent controls.

The successful reduction of residuals across all of Georgia,

mentioned earlier, is a case in point. Thorough tests on the

DREs at Kenisaw State University found many problems,

which were resolved before the machines were put into use.

This rigorous testing and careful introduction of the machines

were central to the state’s success.

Electronic Fraud

HOW CAN WE FIND all the dangers created by bad software

and prevent or correct them before they compromise an elec-
tion? Reading source code exposes its quality and its use of se-
curity approaches and can reveal bugs. But the only complete-
ly reliable way to test software is by running it through all the

possible situations that it might be faced with.

In 1983 Ken Thompson, on receipt of the Association for

Computing Machinery’s Turing Award (the most prestigious

award in computer science), gave a lecture entitled “Reflections

on Trusting Trust.” In it he showed the possibility of hazards

such as “Easter eggs”—pieces of code that are not visible to a

reader of the program. In a voting machine, such code would do

nothing until election day, when it would change how votes

were recorded. Such code could be loaded into a voting machine

in many ways: in the voting software itself, in the tools that as-
semble the software (compiler, linker and loader), or in the tools

the program depends on (database, operating system scheduler,

memory management and graphical-user-interface controller).

Tests must therefore be conducted to catch Easter eggs and

bugs that occur only on election day. Many electronic voting

machines have clocks in them that can be set forward to the day

of the election to perform a test. But these clocks could be ma-
nipulated by officials to rerun an election and create bogus vot-
ing records, so a safer voting machine would not allow its clock

to be set in the field. Such machines would need to be tested

for Easter egg fraud on election day. In November 2003 in Cal-
ifornia a random selection of each electronic voting system was

taken aside on the day of election, and careful parallel elections

were conducted to show that the machines were completely ac-
curate at recording votes. These tests demonstrated that the vot-
ing machines were working correctly.

To prepare for a fraud-free voting day requires that every ef-
fort be made to create voting machines that do not harbor ma-
licious code. The computer science research community is con-
stantly debating the question of how to make provably secure

software. Computer security experts have devised many ap-
proaches to keep computers reliable enough for other purpos-
es, such as financial transactions. Financial software transfers

billions of dollars every day, is extensively tested and holds up

well under concerted attacks. The same security techniques can

be applied to voting machines. Some researchers believe that the

security precautions of “open source” (making the programs

available for anyone to examine) and encryption techniques can

help but not completely guard against Easter eggs.

Guarding votes against being compromised has always re-

94 SCIENTIFIC AMERICAN OCTOBER 2004

ELIZA JEWETT

EXISTING VOTING TECHNOLOGIES

Improving or optimizing an existing technology may be a better choice for many counties than hasty adoption of a new system—

introduction of a new technology is often accompanied by an increase in errors.

TECHNOLOGY Hand-counted Lever machines Punch cards

paper ballots

COMMENTS ■ Used by 1.3 percent of U.S. ■ First used in 1892 in Lockport, N.Y. ■ First used in 1964 in Fulton

and De Kalb counties, Georgia

ADVANTAGES ■ Simple ■ Overvotes are impossible ■ Removes human errors of tallying

■ Lowest residual* rate ■ Guarantees secrecy of vote ■ Compact machines

DISADVANTAGES ■ Recounts differ from original count ■ Bulky, massive machines ■ Hard to punch holes correctly

by twice as much as machine-counted ■ Defective odometers common ■ Often punch wrong hole

votes do ■ Misreading of odometers ■ Ballot design troubles

■ Persistent allegations of votes being ■ Voting falloff on lower races (for ■ Card readers jam frequently

altered, added, lost, and so on Senate, state office, for example) ■ Ballot easy to spoil

WAYS TO IMPROVE ■ Count by mechanical scanner ■ Check and service before each election ■ Optical way to check ballot while

■ Treat paper with light, heat or coating ■ Monitor odometers with video cameras in booth might help

material to make vote indelible ■ Improve labeling of groups of levers

forming a race

■ Adjustable height of machines

COPYRIGHT 2004 SCIENTIFIC AMERICAN, INC.

Page 5 of 8

Page 6 of 8

quired multiple human agents watching each other for mistakes

or malice. The best future schemes might include computer

agents that check one another and create internal audits to val-
idate every step of the voting process. The Secure Architecture

for Voting Electronically (SAVE) at the Massachusetts Institute

of Technology is a demonstration research project to explore

such an approach. SAVE works by having several programs car-
ry out the same tasks, but while using such different methods

that each program would have to be breached separately to

compromise the final result. The system knows to call foul when

too many modules disagree.

Audit Trails

SOME CRITICS INSIST that the best way to ameliorate such

attacks is by providing a separate human-readable paper ballot.

This widely promoted scheme is the voter-verified paper ballot

(VVPB) suggested by Rebecca Mercuri, then at Bryn Mawr Col-
lege. The voting machine prints out a receipt, and the voter can

look at it after voting and assure himself that at least the paper

records his intention. The receipt remains behind a clear screen

so no one can tamper with it during its inspection, and it is re-
tained by the machine. If a dispute about the electronic count

arises, a recount can be conducted using the printed receipts. (It

is not a good idea for the voter to have a copy, because such re-
ceipts could encourage the selling of votes.)

Although the VVPB looks quite appealing at first glance, a

deeper inspection exposes some serious flaws. First, it is com-
plicated for the voter. Elections in this country often have many

races. Validating all the selections on a separate paper after the

ballot has been filled out is not a simple task. Experience shows

that even when confronted with a printout that tells voters in

which race they have made a mistake, few are willing to go back

and correct it. Anything that takes a voter’s attention away from

the immediate act of casting a ballot will reduce the chances of

the person voting successfully. Every extra button, every extra

step, every extra decision is a source of lost votes.

The scheme is also complicated for the officials. If a voter

claims fraud, what is the official to do? The voter claims she vot-
ed for Jane, but both the DRE screen and the receipt show a vote

for John. Should they close the polling station? On top of this,

the officials are not legally allowed to see an individual voter’s

ballot.

VVPB addresses only a small part of the fraud problem. The

paper trails themselves could be made part of a scheme for de-
frauding an election if a hacker tampers with the printing soft-
ware. The paper can be manipulated in all the usual ways after

the election.

A better option would allow people to verify their selections

www.sciam.com SCIENTIFIC AMERICAN 95

TED SELKER is the Massachusetts Institute of Technology direc-
tor of the California Institute of Technology/M.I.T. voting project,

which evaluates the impact of technology on the election process.

A large part of his research in voting concerns inventing and test-
ing new technology. Examples include new approaches to user in-
terfaces and ballot design and secure electronic architectures.

Selker’s Context Aware Computing group at the M.I.T. Media Labo-
ratory strives to create a world in which people’s desires and in-
tentions guide computers to help them. This work is developing

environments that use sensors and artificial intelligence to form

keyboardless computer scenarios.

THE AUTHOR

Mark-sense Electronic machines Internet voting, phone

ballots messaging, interactive TV

■ First used in 1962 in California ■ First used in 1976 ■ Internet voting first used in 2000 primary

in Phoenix, Ariz.

■ With in-precinct scanning, has lowest ■ Overvotes are impossible ■ Vote from home

residuals of any mechanical method ■ No human errors of tallying ■ People with physical disabilities can use their own

■ Easier than punching holes ■ Easy for people with physical disabilities to use special-needs setup

■ Voter can read candidates right on ballot ■ Good feedback ■ No human errors in tallying

■ Ballot readers are slower, harder to calibrate ■ User interface often poor ■ Concerns about malicious software, network

and more prone to jamming than card readers ■ Concerns about malicious software problems and hackers

■ Bulky ballot ■ Concerns about computer obsolescence

■ Ballot easy to spoil

■ Use an in-precinct scanner to catch problems ■ Test ballots ■ Use special Web browser

and give the voter a second chance to vote ■ Consider closed systems ■ System on a CD

■ Use DRE to mark ballot ■ Test system, including on day of election ■ New approaches to security needed,

■ “Fill in the shape” version better such as multiple software agents

than “connect the arrow” version

*Residuals are ballots with votes for too many (overvote) or too few (undervote) candidates.

COPYRIGHT 2004 SCIENTIFIC AMERICAN, INC.

Page 6 of 8

Page 7 of 8

with recorded audio feedback. An audio transcript on tape or a

CD has an integrity that is harder to compromise than a collec-
tion of paper receipts. Most current electronic voting machines

can be set up to speak the choices to the voter while he looks at

the visual interface. The tape can be read by a computer or lis-
tened to by people. Because misreads of paper are a major dif-

ficulty with all counting machines today, the tape can be better

verified than paper receipts. An audio receipt is also preferable

to a paper receipt because it is hard to change or erase the au-
dio verifications without such alterations being noticed (think

about the 18-minute gap on the Watergate tapes). Also, a small

number of cassette tapes or CDs are easier to store and trans-
port than thousands of paper receipts.

Other proposals for voter verification include recording the

video image of the DRE and showing the ballot as it has been

received by the central counting databases while the voter is in

the booth. The advantage of these techniques is that they are

passive—they do not require additional actions on the part of

the voter.

Here is how voting might go using a well-designed audio

record. Imagine you are voting on a computer. You like Abby

Roosevelt, Independent. You press the touch-screen button for

your choice. The name is highlighted, and the vote button on

one side is replaced with an unvote button on the other side. The

tab on the screen for this race shows that a selection has been

made. The earphones you are wearing tell you that you have vot-
ed for “Ben Jefferson” (and these words are recorded on a back-
up tape).

Wait a minute! “Ben Jefferson”? You realize that you must

have pressed the wrong button by mistake. You study the

screen and see a prominent “cancel vote” button. You press it.

“Vote for Ben Jefferson for president canceled,” the computer

intones onto a tape and into your ears. The screen returns to its

prevote state, and this time you press more carefully and are re-
warded with “Vote cast for Abby Roosevelt, Independent, for

president.” You go on to the Senate race.

The features just described are designed to give feedback

in ways you are most adept at understanding. People are good

at noticing labels moving, tabs changing, and contrast and tex-
ture changes. We have trouble doing things accurately without

such feedback. The audio verification comes right at a time

when the user is performing the action. Perceptual tasks (see-
ing movement and hearing the audio) are easier to perform than

cognitive ones (reading a paper receipt and remembering all the

candidates one intended to vote for). A tape or CD recording is

a permanent, independent transcript of your vote.

96 SCIENTIFIC AMERICAN OCTOBER 2004

In the Courts and in the News

In recent months, electronic voting machines have been in the news a lot, as groups file legal actions both for and against use

of the machines and new problems with elections are uncovered. —Graham P. Collins, staff editor

March—In a case brought by the American Association of

Disabled Persons, a federal judge in Florida orders Duval County

to have at least one machine that allows the visually impaired to

vote without assistance at 20 percent of its polling places. Duval

County appeals, and in April the judge stays his own ruling.

April—In Maryland, local politicians and activists from the

Campaign for Verifiable Voting file suit against the Maryland

Board of Elections to block the use of the state’s 16,000 direct

record electronic (DRE) voting machines, which do not have

printers to produce paper receipts as required by state law. The

move follows reports of glitches in the March 2 primary election;

some voters who demanded paper ballots were given them but

later learned their votes were invalidated.

April—Citing security and reliability concerns and following

problems in the March 2 primary election, California’s secretary

of state bans the use, in the November 2004 election, of more

than 14,000 DREs made by Diebold, Inc. He also conditionally

decertifies 28,000 other DREs, pending steps to upgrade their

security. (Some counties have their systems recertified in

June.) Three counties file suit to block his order. A group of

disabled voters also sues to undo the order. In addition, the

California secretary of state recommends that the state’s

attorney general look into possible civil and criminal charges

against Diebold because of what he calls “fraudulent actions by

Diebold.” A report accuses the company of breaking state

election law by installing uncertified software on DREs in four

counties and then lying about those machines.

May—In Florida, Representative Robert Wexler sues to block the

use of Election Systems and Services voting technology in

Broward and Miami-Dade counties.

June—The League of Women Voters, which in 2003 endorsed

paperless electronic voting, drops that support. Instead it

adopts a resolution to favor “secure, accurate, recountable and

accessible” systems such as those with printed receipts.

June—The head of the Election Assistance Commission calls

for tougher security measures for electronic voting by the

November election.

July—Advocacy groups in Florida ask a Tallahassee judge to

step in before the August 31 primary election and override

Governor Jeb Bush’s decision not to allow manual recounts in

the 15 counties that have touch-screen voting machines. Also in

Florida, audit records of the 2002 governor’s primary and

general election are reported permanently lost because of

computer failures. After a few days the records are rediscovered

on a disk in an adjoining room.

September—Nevada, in a primary election, will be the first to

use DREs that print paper receipts statewide.

COPYRIGHT 2004 SCIENTIFIC AMERICAN, INC.

Page 7 of 8

Page 8 of 8

These features are all implementable now as ballot im-
provements on current voting machines. Extra work would be

needed to allow sight- or hearing-impaired people to verify mul-
tiple records of their ballot as well.

Some researchers are studying alternatives to DREs, in the

form of Internet voting or voting using familiar devices such

as the phone. Since May 2002, England has been experiment-
ing with a number of systems intended to increase turnout.

These methods include mailing in optically readable paper bal-
lots (absentee voting), using a standard phone call and the

phone’s keypad, using the instant-messaging facilities on cell

phones and using interactive TV that is available in English

homes. Swindon Borough, for example, included more than

100,000 voters in an experiment using the Internet and tele-
phones. A 10-digit PIN was hand-delivered to voters’ homes.

This PIN was used in conjunction with a password the voters

had been sent separately to authorize them to vote. No fraud

was detected or reported. But the effort only improved turnout

by 3 percentage points (from 28 to 31 percent).

In contrast, introducing the option of absentee voting in-
creased voter turnout by 15 percentage points—but with a down-
side: large-scale vote buying was reported in Manchester and

Bradford. (Being able to prove whom you have voted for, such

as by showing the ballot you are mailing in, enables vote buying.)

What Must Be Done

THE UNIVERSAL ADOPTION of perfect voting machines will

not be happening anytime soon. But quite independent of the

specific machines used, much can and should be done simply

to ensure that votes are collected and accurately counted in the

U.S. We must be adamant about the following improvements:

1. We must simplify the registration system. The largest loss

of votes in 2000 occurred because errors in registration data-
bases prevented people from voting. Registration databases

must be properly checked to make sure they include all eligi-
ble people who want to be registered. We must develop na-
tional standards and technology to ensure that people can reg-
ister reliably but that they do not register and vote in multi-
ple places.

2. Local election officials must understand the operation of

their equipment and test its performance thoroughly when it

is delivered and before each election. DREs should be tested

on election day, using dummy precincts.

3. Local election officials must teach their workers using sim-
ple procedures to run the equipment and other processes. Bal-
lot making, marking, collecting and counting all must be care-
fully set up to avoid error and fraud. Many voting officials in-
advertently use procedures that compromise accuracy,

security and integrity of ballots by, for example, turning off

precinct scanning machines that check for overvotes and in-
specting and “correcting” ballots.

4. Each step in the voting process must be resistant to tam-
pering. Collecting, counting and storing of ballots must be

done with documentation of who touches everything and with

clear procedures for what to do with the materials at each

stage. Multiple people must oversee all critical processes.

5. Each task in the voting process must be clear and accessible,

have helpful feedback and allow a person to validate it. Per-
ceptual, cognitive, motor and social capabilities of people must

be taken into account when designing machines and ballots.

Ballot designs should pass usability and countability tests be-
fore being shown for final approval to the parties invested in the

election. Voters must be able to understand how to make their

selections, and votes must be easy to count in mass quantities.

6. The government should invest in research to develop and

test secure voting technology, including DREs and Internet

voting. Rushing to adopt present-day voting machines is not

the best use of funds in the long term.

7. Standards of ethics must be set and enforced for all poll

workers and also for voting companies regarding investments

in them and donations by them or their executives.

Only when these requirements are met will we have a truly

secure and accurate voting system, no matter what underlying

technology is used.

www.sciam.com SCIENTIFIC AMERICAN 97

COURTESY OF DIEBOLD ELECTION SYSTEMS

Misvotes, Undervotes and Overvotes: The 2000 Presidential Election in

Florida. Alan Agresti and Bret Presnell in Statistical Science, Vol. 17, No. 4,

pages 436–440; 2002. Available at web.stat.ufl.edu/~presnell/Tech-
Reps/election2000.pdf

A Better Ballot Box? Rebecca Mercuri in IEEE Spectrum, Vol. 39, No. 10,

pages 46–50; October 2002. Available at

www.spectrum.ieee.org/WEBONLY/publicfeature/oct02/evot.html

Security Vulnerabilities and Problems with VVPT. Ted Selker and Jon

Goler. April 2004. Available at

www.vote.caltech.edu/Reports/vtp_wp13.pdf

The Caltech/M.I.T. Voting Technology Project is at www.vote.caltech.edu;

the project’s July 2004 report with recommendations for the 2004

presidential election is at www.vote.caltech.edu/Reports/EAC.pdf

The U.S. Election Assistance Commission Web site is at www.eac.gov

MORE TO EXPLORE

DIEBOLD ELECTION SYSTEMS’S AccuVote TSX, another typical modern

electronic voting machine, was decertified in California.

COPYRIGHT 2004 SCIENTIFIC AMERICAN, INC.

Page 8 of 8

Page 8 of 8
comments (0)
12/25/16
2089 Mon 26 Dec 2016 LESSONS from Rector JCMesh J Alphabets Letter Animation ClipartMesh C Alphabets Letter Animation Clipart an expert who identifies experts influenced by Expert and Infulencer Sashikanth Chandrasekharan of Free Online Buddhism - World Religions for Kidshttps://drambedkarbooks.com/2015/03/14/the-chamcha-age-by-saheb-kanshi-ram/#more-1506Awaken One With Awareness Mind (A1wAM)+ ioT (insight-net of Things) - the art of Giving, taking and Living to attain Eternal Bliss as Final Goal through Electronic Visual Communication Course on Political Science -Techno-Politico-Socio Transformation and Economic Emancipation Movement (TPSTEEM). Struggle hard to see that all fraud EVMs are replaced by paper ballots by Start using Internet of things by creating Websites, blogs. Make the best use of facebook, twitter etc., to propagate TPSTEEM thru FOA1TRPUVF. Practice Insight Meditation in all postures of the body - Sitting, standing, lying, walking, jogging, cycling, swimming, martial arts etc., for health mind in a healthy body. from INSIGHT-NET-Hi Tech Radio Free Animation Clipart Online A1 (Awakened One) Tipiṭaka Research & Practice University in Visual Format (FOA1TRPUVF) https://archive.org/stream/DhammapadaIllustrated/dhammapada_illustrated#page/n1/mode/2up free online university research practice up a level through http://sarvajan.ambedkar.orgup a level https://awakenmediaprabandhak. wordpress.com/ email-0565.gif from 123gifs.eu Download & Greeting Card modinotourpm@gmail.com jchandra1942@icloud.com sarvajanow@yahoo.co.in is the most Positive Energy of informative and research oriented site propagating the teachings of the Awakened One with Awareness the Buddha and on Techno-Politico-Socio Transformation and Economic Emancipation Movement followed by millions of people all over the world in 105 Classical languages. Rendering exact translation as a lesson of this University in one’s mother tongue to this Google Translation and propagation entitles to become a Stream Enterer (Sottapanna) and to attain Eternal Bliss as a Final Goal BSP is the Number One Largest Party in the Country with all societies (sarvajan Samaj ) supporting it for Sarvajan Hitay sarvajan Sukhay. http://www.abplive.in/…/not-even-1-4th-of-the-promises-made… Not even 1/4th of the promises made by BJP are fulfilled: Mayawati, BSP Chief http://timesofindia.indiatimes.com/…/modi-govt-adopting-dou… Modi adopting double standards with respect to monuments dedicated to nation’s leaders: Mayawati http://timesofindia.indiatimes.com/…/black-money-collected-… Attacking Modi, BSP supremo Mayawati criticised Modi for not doing proper planning ahead of the demonatisation move. Mayawati said people who are suffering the most were poor, labours and farmers. She added that black money collected by Modi should be deposited in accounts of poor. http://www.newsnation.in/…/150557-watch-live-bsp-supremo-ma… BJP has created an emergency like situation with currency ban in the country, says Mayawati http://indiatoday.intoday.in/…/year-rewind-in…/1/842545.html Here’s what most people were talking about in 2016
Filed under: General
Posted by: site admin @ 6:35 pm



2089 Mon 26 Dec 2016


LESSONS


from

Rector
JCMesh J Alphabets Letter Animation ClipartMesh C Alphabets Letter Animation Clipart

an expert who identifies experts influenced by Expert and Infulencer Sashikanth Chandrasekharan
of


Free Online
Buddhism - World

Religions for Kidshttps://drambedkarbooks.com/2015/03/14/the-chamcha-age-by-saheb-kanshi-ram/#more-1506
Awaken One With Awareness Mind
(A1wAM)
+ ioT (insight-net of Things)  - the art of Giving, taking and Living   to attain Eternal Bliss
as Final Goal through Electronic Visual Communication Course on
Political Science -Techno-Politico-Socio Transformation and Economic
Emancipation Movement (TPSTEEM).


Struggle hard to see that all fraud EVMs are replaced by paper ballots by

Start
using Internet of things by creating Websites, blogs. Make the best use
of facebook, twitter etc., to propagate TPSTEEM thru
FOA1TRPUVF.

Practice
Insight Meditation in all postures of the body - Sitting, standing,
lying, walking, jogging, cycling, swimming, martial arts etc., for
health mind in a healthy body.



 from

INSIGHT-NET-Hi Tech Radio Free Animation Clipart Online A1 (Awakened One) Tipiṭaka Research & Practice University
in Visual Format (FOA1TRPUVF)

https://archive.org/stream/DhammapadaIllustrated/dhammapada_illustrated#page/n1/mode/2up


free online university research practice









up a level through http://sarvajan.ambedkar.orgup a level



https://awakenmediaprabandhak. wordpress.com/












email-0565.gif from 123gifs.eu Download & Greeting Card


modinotourpm@gmail.com
jchandra1942@icloud.com
sarvajanow@yahoo.co.in



is the most Positive Energy of informative and research oriented site propagating the teachings of the Awakened One with Awareness the Buddha and on Techno-Politico-Socio Transformation and Economic Emancipation Movement followed by millions of people all over the world in 105 Classical languages.


Rendering exact translation as a lesson of this
University in one’s mother tongue to this Google Translation and
propagation entitles to become a Stream
Enterer (Sottapanna) and

to attain Eternal Bliss as a Final Goal

BSP
is the Number One Largest Party in the Country with all societies
(sarvajan Samaj ) supporting it for Sarvajan Hitay sarvajan Sukhay.

http://www.abplive.in/…/not-even-1-4th-of-the-promises-made…

Not even 1/4th of the promises made by BJP are fulfilled: Mayawati, BSP Chief

http://timesofindia.indiatimes.com/…/modi-govt-adopting-dou…

Modi adopting double standards with respect to monuments dedicated to nation’s leaders: Mayawati

http://timesofindia.indiatimes.com/…/black-money-collected-…


Attacking Modi, BSP supremo Mayawati criticised Modi for not doing
proper planning ahead of the demonatisation move. Mayawati said people
who are suffering the most were poor, labours and farmers. She added
that black money collected by Modi should be deposited in accounts of
poor.

http://www.newsnation.in/…/150557-watch-live-bsp-supremo-ma…

BJP has created an emergency like situation with currency ban in the country, says Mayawati

http://indiatoday.intoday.in/…/year-rewind-in…/1/842545.html

Here’s what most people were talking about in 2016

http://www.ambedkar.org/gifimages/voteforBSP.gif

http://www.ambedkar.org/gifimages/voteforBSP.gif

http://www.abplive.in/…/not-even-1-4th-of-the-promises-made…

Not even 1/4th of the promises made by BJP are fulfilled: Mayawati, BSP Chief

Not even 1/4th of the promises made by BJP are fulfilled: Mayawati, BSP Chief

See more

It
is being said that Cong and SP will form alliance, final call will be
taken when its realised that BJP will benefit from alliance: MayawatiFor
latest breaking news, other…
abplive.in

http://timesofindia.indiatimes.com/…/black-money-collected-…


Attacking Modi, BSP supremo Mayawati criticised Modi for not doing
proper planning ahead of the demonatisation move. Mayawati said people
who are suffering the most were poor, labours and farmers. She added
that black money collected by Modi should be deposited in accounts of
poor.

Modi promised to deposit Rs 15 lakhs in every citizens’ account after bringing back the black money.


Attacking the Centre, BSP supremo Mayawati…
timesofindia.indiatimes.com

http://timesofindia.indiatimes.com/…/modi-govt-adopting-dou…

Modi adopting double standards with respect to monuments dedicated to nation’s leaders: Mayawati

BSP supremo Mayawati said that Modi, is adopting double standards when
it comes to building monuments in memory of saints and leaders of the
country.

http://www.newsnation.in/…/150557-watch-live-bsp-supremo-ma…

BJP has created an emergency like situation with currency ban in the country, says Mayawati


BSP supremo Mayawati addresses Press Conference in Lucknow on Thursday.
This is for the second time in this month that Mayawati is addressing a
PC highlighting the failures of Modi.

New Delhi :


BSP supremo Mayawati addressed a press conference in Lucknow on
Thursday highliting the failures of the BJP-led NDA . This is for the
second time in November that Mayawati has called a press meet.


Speaking on the plight of common man, Mayawati condemned the Modi for
his draconian announcement of Rs 500 and 1000 note ban. (Read News in
Hindi)

Here are the highlights of her press conference:

#Modi is trying to deviate the attention from its failures.

#All citizens want a corruption-free Country.

#BJP is repeating what Congress did in the past.

#Modi has created an emergency situation in the country.

#90 percent of people are not happy with this note ban.

#In two-and-a-half years of Modi, he has tried to benefit the big businessmen, tycoons.

#Modi does not like SC/STs says Mayawati.

#People are facing problems at medical stores as they are not accepting the old currency notes.

#Soon after the announcement of note ban, people were forced to shut down their shops, people are badly affected by it.

#PM Modi’s decision is bit selfish, if they really wanted to curb black money then why he took this decision after two years.

#To hide their inefficiency, economic emergency like situations have been created by Modi as elections in UP are coming close.

#Banning of notes in the name of crackdown on black money reflects only blind following by people.


BSP
supremo Mayawati addresses Press Conference in Lucknow on Thursday.
This is for the second time in this month that Mayawati is addressing a
PC highlighting the…
newsnation.in

http://indiatoday.intoday.in/…/year-rewind-in…/1/842545.html

Here’s what most people were talking about in 2016

From sedition to demonetisation, here is what most of the Indians discussed in 2016.


Last year, it was the word ‘intolerance’ that went on the become the
most popular word of the year. But while there were many debates on
sedition, surgical strikes this year, there is one word that has
probably changed the whole economic scenario in the country.

It
was the 1% intolerant, violent, militant, shooting, lynching, lunatic,
mentally retarded, cannibal psychopath chitpawan brahmin Rakshsa Swayam
Sevaks (RSS) guided BJP (Bahuth Jiyadha Psychopaths), VHP (Visha
Hindutva Psychopaths), ABVP (All Brahmins Venomous Psychopaths) Bajan
Dal, terrorist Sanathan Sanstha Dal and all other instant mushroom
avthars for stealth, shadowy discriminating hindutva cult rashtra.

Because of ABVP (All Brahmins Venomous Psychopaths)


JNUSU president Kanhaiya Kumar was later arrested in sedition case.
After Kanhaiya, many others were also booked in sedition charge.
Sedition was not new in law, but it was not commonly used till 2016, in
last 62 years only around 300 cases in High Court and close to 20
reached the Supreme Court.

But this year this word became more common and was also much debated about.

DEMON Demonetisation

This year, DEMON demonetisation has become the the most used and talked about word of this year.

http://nationalinterest.org/…/washington-watching-the-5-dea…

http://www.assam123.com/america-enlisted-rss-one-biggest-t…/

http://www.dailymail.co.uk/…/One-village-one-one-crematoriu…


Rakshasa Swayam Sevaks (RSS) is a non-entity which do not believe in
our Modern Constitution but in a stealth, shadowy discriminating
hindutva cult rashtra. Their leaders are not elected in a democratic
manner but are selected among the inner circle of just 1% intolerant,
shooting, lynching, lunatic, mentally retarded, cannibal psychopath
chitpawan brahmins who believe in brahmins as 1st rate athmas,
kshatriyas as 2nd rate, vysias as 3rd rate, shudhras as 4th rate souls
and the aboriginal panchamas (SC/STs0 have no soul, so that they cand
commit any crime on them. But the Buddha never believed in any soul. He
said all are equal. Hence Babasaheb returned back with millions of
people back to their original home Buddhism. According to the Architect
of the Modern Constitution Dr BR Ambedkar, irrespect of caste, religion,
creed and colour anyone can acquire education and not just the brahmins
as per manuvad, Anyone can rule this country unlike the kashatrias as
per manu. Anyone can do trade and business unlike vysias as per manuvad.
As mer manu women has no right like the men. But the modern
constitution made provisions for women even to become rulers. Ex Indira
gandhi, Jayalilita, Mamata Banerji etc., But for Dr Ambedkar they would
have not been recognised. Irrespect of caste and religion Devegowda
etc., would have not become the PM of this country.

This is intolerated by RSS which is opposed to reservation.

http://www.assam123.com/america-enlisted-rss-one-biggest-t…/

RSS is one of the Biggest Terrorist Organisations in the World. They are
Mad Horrorists threat group - shadowy, stealth and discriminatory group
trying to establish hindutva cult.

New Delhi: A US-based risk management and consulting company has put the
Rashtriya Swayamsevak Sangh (RSS) because RSS is killing so many people
and bombing and cutting of people and using suicide bombing techniques
and raping and honor killing women … it all happened in Gujrat and
happening in parts of the country.. Go get a life and become a Hindu
mr…. What is it? the one who have at least common sense, do u think he
or she become hindu? do u think that? Most of the people in the world
becoming muslim without any pressure, force or demand… think about
that…. See that RSS gentleman who studied about islam to oppose them and
became a muslim…. use your common sense and refrain from your bad
thoughts and paths.�They will have the end.. Rss have to be banned in
india with its.. hindhuthuva branches.. in south tamilnadu.. this rss
and hindhutva terrorist and Horrorist gang made problem to the people
who celebrating new year of 2015 night..

Increasing threats to the democratic-secular Indian polity from the Hindutva
organizations - a concise document on the anti-national game-plan of the
RSS.

Hence this technological game of 1% Chitpawan RSS plan has to be defeated by
strengthening the 99% intellectuals by exposing the fradulent EVMs as
done by 80 democracies of the world in the larger interest of Sarvajan
Hitaye Sarvajan Sukhaye i.e., for the peace, happiness and welfare of
all societies including SC/STs/ OBCs/ Minorities and the poor brahmins
and baniyas for distributing the wealth of this country among all
sections of the society as enshrined in the Constitution by making the
Supreme Court to pass orders to replace all fradulent EVMs and till such
time to scrap all elections conducted by these fradulent EVMs and then
to conduct elections with tamper proof voting system to save democracy,
equality, fraternity and liberty.

RSS means Rakshasa Swayam Sevaks in a non -entity undemocratic organisation
with all its 40 avathars VHP (Visha Hindutva Psychopaths), BJP (Bahuth
Jiyadha Psychopaths), BMS (Bhramin Masdoor Sangh), ABVP (All Brahmin
Venomous Psychopaths), Bhajan Dal, Terrorist Sanstha Sangatan, eic.,
that become active during all elections for the greed of power for
Murderer of democratic instituitions (Modi) who is just a meant time
stooge of the 1% intolerant, violent, militant, shooting, lynching,
lunatic, mentally retarded cannibal chitpawan brahmin psychopaths who
always keep heckling and giggling like mad people thinking that they are
great achievers.Murderer of democratic institutions (Modi) and all its
associate avathars are shani and peda of the nation which is eclipsing
the development and progress as enshrined in the modern Constitution
whose architect is Dr BR Ambedkar.

After gobbling the MASTER KEY by tampering the fraud EVMs for Murderer of
democratic institutions (Modi) remotely controlled by RSS meaning
Rakshasa Swayam Sevaks, a non -entity undemocratic organisation with all
its 40 avathars VHP (Visha Hindutva Psychopaths), BJP (Bahuth Jiyadha
Psychopaths), BMS (Bhramin Masdoor Sangh), ABVP (All Brahmin Venomous
Psychopaths), Bhajan Dal, Terrorist Sanstha Sangatan, eic., that become
active during all elections for the greed of power for Murderer of
democratic instituitions (Modi) who is just a meant time stooge of the
1% intolerant, violent, militant, shooting, lynching, lunatic, mentally
retarded cannibal chitpawan brahmin psychopaths who always keep heckling
and giggling like mad people thinking that they are great achievers.

They are Shani and Pedal of the nation trying to bury the
Techno-Politico-Socio Transformation and Economic Emancipation Movement
and the teachings of the Awaken One with Awareness without knowing that
they are seeds that keep sprouting as Bodhi Trees.

If all the fraud EVMs are replaced by paper ballots they will not even get 1% of the votes.

Only Ms Mayawati’s BSP which got majority of the seats in UP Panchayat
Elections with these paper ballots will the not only become the CM of UP
but also the next PM of Prabuddha Bharath.

RSS’s Mohan Bhagwat,Bhaiyyaji Joshi and 41 regional pracharaks are all drop
outs including Mohan Agarwal.Also Ram Lal and Ram Madhav,Rajnath Singh
and Amit Shahlike doubtful education of Murderer of democratic
institutions (Modi).

Caste by caste, BSP fields ‘bhaichara coordinators’

Satish Chandra Misra, the BSP’s Brahmin face, has been assigned the reserved seats in
eastern UP, central UP and Bundelkhand, and MLA Ramvir Upadhyay the
reserved seats of western UP.

The BSP has fielded some of its most prominent non-SC/ST leaders to
reach out to the communities they represent. Ahead of the UP elections,
the BSP has assigned specific regions to these bhaichara coordinators.

Satish Chandra Misra, the BSP’s Brahmin face, has been assigned the
reserved seats in eastern UP, central UP and Bundelkhand, and MLA Ramvir
Upadhyay the reserved seats of western UP. Misra addressed a rally in
Gorakhpur’s Khajani Sunday, with BSP candidates from seven reserved
seats attending. Statewide, Misra will be assisted by other Brahmin
leaders including his son-in-law Paresh and former MLC Gopal Narain
Mishra.

For Muslims, the BSP has chosen party general secretary Naseemuddin
Siddiqui for western UP where he is addressing meetings, Rajya Sabha MP
Munquad Ali for Varanasi, Allahabad and Mirzapur divisions, and Naushad
Ali for Bundelkhand, and Athar Khan in Faizabad and Devipatan.

Among OBC leaders, state BSP chief Ram Achal Rajbhar and former
Speaker Sukhdeo Rajbhar have begun addressing sammelans in eastern UP,
while former MLC R S Kushwaha is trying to attract Kushwahas in central
UP. Pratap Singh Baghel is wooing the Gaderiya (Pal) community in Agra
region, former minister Lalji Verma addressing Kurmis in eastern UP and
Terai, and former MP R K Singh Patel is in Bundelkhand and Allahabad.

Former minister Jaivir Singh will work among Thakurs in western UP,
former MLA Jitendra Singh Babloo has been addressing sammelans in
Faizabad and Basti, and Rasra MLA Umashankar Singh in Azamgarh.

http://news.webindia123.com/…/A…/India/20100828/1575461.html
Demonetisation: Continuous cash crunch can adversely impact BJP’s prospects in Uttar Pradesh polls, believes RSS
With the gradual shifting of common people from supporting the
demonetisation to criticising it taking note of the continuous cash
crunch even over a month of its announcement, several units and
affiliates of the RSS believed it could adversely impact the chances of
BJP to win.

Soon after Murderer of democratic institutions
(Modi)’s announcement of demonetisation, the banks and ATMs witnessed
long queues of people waiting to either withdraw lower denomination of
banknotes or to exchange their high-value currencies with it.


With the gradual shifting of common people from supporting the
demonetisation to criticising it taking note of the continuous cash
crunch even over a month of its announcement, several units and
affiliates of the Rakshasa Swayamsevak Sangh (RSS) believed it could
adversely impact the chances of Bahuth Jiyadha Psychopaths (BJP) to win.
They have reportedly suggested senior functionaries of the Sangh and
the BJP that either cash inflow should be increased at the earliest or
the Uttar Pradesh elections
The 5 Deadliest Terrorist Groups on the Planet
“Like it or not, terrorism will continue to be a problem for the United
States, its allies, and the rest of the international community. “
nationalinterest.org
Approaching deadline: What happens after Modis 50-day promise to eradicate black money from India
Narendra Modi on November 8 announced a nationwide currency ban. Asking
for 50 days to transform our country, now the date is near which will
decide the fate of the…
indiatoday.intoday.in

Before November
8 this word used to find its place mostly in the dictionary of
economics but since Murderer of democratic institutions ( Modi ) has
announced the scrapping of Rs 500 and Rs 1000 notes on November 8, this
word has become the talk of the town.

http://indiatoday.intoday.in/…/narendra-modi-…/1/811917.html


common man is suffering due to the demonetisation of Rs 500 and Rs
1,000 notes, the public is angry, politicians had a lot to say about
Murderer of democratic institutions (Modi)’s apparent surgical strike on
black money.

Majority of the people with no stash of currency,
have been standing in queues outside banks and ATMs across Country
because of Midi’s QUEUE INDIA MOVEMENT.

There have been reports
about deaths of people who were standing in queues, of many people
blaming Modi for this sudden move and some of his comments that they
thought were insensitive.

Mayawati

BSP chief Mayawati said
Modi’s decision to demonetise the currency notes is a bit selfish. “To
hide his inefficiency, economic emergency like situation has been
created,” she said.

Even when the demonetisation was announced by Modi it was widely called as ‘Surgical strike against black money’.


Here is what most of the Indians discusses about in the year 2016. Find out which heated topics made it to the list.
indiatoday.intoday.in

It is the fraud EVMs that helped, helping and will continue to help Bahuth Jiyadha Psychopaths (BJP).

Ever
since the ex CJI sathasivam committed a grave error of judgement by
ordering that the EVMs to be replaced in a phsed manner as suggested by
the ex CEC Sampath because of the cost Rs 1600 crores involved in entire
replacement of the EVMs and only 8 out of 543 seats in the Lok Sabha
elections were replaced the BJP is having its heydays to gobble the
Master Key.

The present CEC sais that entire EVMs will only be
replaced in 2019. But non of them ever said that paper ballots as usd in
80 democracies will be used till the entire EVMs were replaced.

Ms
Mayawati’s BSP won majority of the UP Panchayat elections because of
paper ballots while it lost all its Lok Sabha seats because of these
fraud EVMs.

Now it is the duty of all democracy loving people
including the present CJI and CEC to see that the Central and state
governments selected by these fraud EVMs are dissolved and go for fresh
elections with paper ballots until the entire EVMs were replaced.

http://bestanimations.com/Holidays/Thankyou-01-june.gif


comments (0)
ANALYSIS OF ELECTRONIC VOTING SYSTEM https://drive.google.com/file/d/0B3FeaMu_1EQyTG04Y3BGeGV3STA/view
Filed under: General
Posted by: site admin @ 6:27 pm

ANALYSIS OF ELECTRONIC VOTING SYSTEM

https://drive.google.com/file/d/0B3FeaMu_1EQyTG04Y3BGeGV3STA/view

Page
23
/
23

Page 1 of 23

This paper, copyright the IEEE, appears in IEEE Symposium on Security and Privacy 2004. IEEE Computer

Society Press, May 2004. This paper previously appeared as Johns Hopkins University Information Security

Institute Technical Report TR-2003-19, July 23, 2003.

Analysis of an Electronic Voting System

TADAYOSHI KOHNO∗ ADAM STUBBLEFIELD† AVIEL D. RUBIN‡

DAN S. WALLACH§

February 27, 2004

Abstract

With significant U.S. federal funds now available to replace outdated punch-card and mechanical

voting systems, municipalities and states throughout the U.S. are adopting paperless electronic voting

systems from a number of different vendors. We present a security analysis of the source code to one such

machine used in a significant share of the market. Our analysis shows that this voting system is far below

even the most minimal security standards applicable in other contexts. We identify several problems

including unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network

threats, and poor software development processes. We show that voters, without any insider privileges,

can cast unlimited votes without being detected by any mechanisms within the voting terminal software.

Furthermore, we show that even the most serious of our outsider attacks could have been discovered

and executed without access to the source code. In the face of such attacks, the usual worries about

insider threats are not the only concerns; outsiders can do the damage. That said, we demonstrate that

the insider threat is also quite considerable, showing that not only can an insider, such as a poll worker,

modify the votes, but that insiders can also violate voter privacy and match votes with the voters who

cast them. We conclude that this voting system is unsuitable for use in a general election. Any paperless

electronic voting system might suffer similar flaws, despite any “certification” it could have otherwise

received. We suggest that the best solutions are voting systems having a “voter-verifiable audit trail,”

where a computerized voting system might print a paper ballot that can be read and verified by the voter.

∗Dept. of Computer Science and Engineering, University of California at San Diego, 9500 Gilman Drive, La Jolla, California

92093, USA. E-mail: tkohno@cs.ucsd.edu. URL: http://www-cse.ucsd.edu/users/tkohno. Most of this work

was
performed while visiting the Johns Hopkins University Information
Security Institute. Supported by a National Defense Science

and Engineering Graduate Fellowship.

Information Security Institute, Johns Hopkins University, 3400 North Charles Street, Baltimore, Maryland 21218, USA. E-
mail: astubble@cs.jhu.edu. URL: http://spar.isi.jhu.edu/ ̃astubble.

Information Security Institute, Johns Hopkins University, 3400 North Charles Street, Baltimore, Maryland 21218, USA. E-
mail: rubin@cs.jhu.edu. URL: http://www.avirubin.com.

§Dept. of Computer Science, Rice University, 3121 Duncan Hall, 6100 Main Street, Houston, Texas 77005, USA. E-mail:

dwallach@cs.rice.edu. URL: http://www.cs.rice.edu/ ̃dwallach.

Page 1 of 23

Page 2 of 23

Contents

1 Introduction 3

2 System overview 5

3 Smartcards 9

3.1 Exploiting the lack of cryptography: Creating homebrew smartcards . . . . . . . . . . . . . 9

3.2 Casting multiple votes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

3.3 Accessing administrator and poll worker functionality . . . . . . . . . . . . . . . . . . . . . 10

4 Election configurations and election data 11

4.1 Tampering with the system configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

4.2 Tampering with ballot definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

4.3 Impersonating legitimate voting terminals . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

4.4 Key management and other cryptographic issues with the vote and audit records . . . . . . . 14

4.5 Tampering with election results and linking voters with their votes . . . . . . . . . . . . . . 15

4.6 Audit logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

4.7 Attacking the start of an election . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

5 Software engineering 18

5.1 Code legacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

5.2 Coding style . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

5.3 Coding process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

5.4 Code completeness and correctness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

6 Conclusions 21

2

Page 2 of 23

Page 3 of 23

1 Introduction

Elections allow the populace to choose their representatives and express their preferences for how they will

be governed. Naturally, the integrity of the election process is fundamental to the integrity of democracy

itself. The election system must be sufficiently robust to withstand a variety of fraudulent behaviors and

must be sufficiently transparent and comprehensible that voters and candidates can accept the results of

an election. Unsurprisingly, history is littered with examples of elections being manipulated in order to

influence their outcome.

The design of a “good” voting system, whether electronic or using traditional paper ballots or mechanical

devices, must satisfy a number of sometimes competing criteria. The anonymity of a voter’s ballot must be

preserved, both to guarantee the voter’s safety when voting against a malevolent candidate, and to guarantee

that voters have no evidence that proves which candidates received their votes. The existence of such

evidence would allow votes to be purchased by a candidate. The voting system must also be tamper-resistant

to thwart a wide range of attacks, including ballot stuffing by voters and incorrect tallying by insiders.

Another factor, as shown by the so-called “butterfly ballots” in the Florida 2000 presidential election, is the

importance of human factors. A voting system must be comprehensible to and usable by the entire voting

population, regardless of age, infirmity, or disability. Providing accessibility to such a diverse population is

an important engineering problem and one where, if other security is done well, electronic voting could be

a great improvement over current paper systems. Flaws in any of these aspects of a voting system, however,

can lead to indecisive or incorrect election results.

ELECTRONIC VOTING SYSTEMS. There have been several studies on using computer technologies to im-
prove elections [4, 5, 20, 21, 25]. These studies caution against the risks of moving too quickly to adopt

electronic voting machines because of the software engineering challenges, insider threats, network vulner-
abilities, and the challenges of auditing.

As a result of the Florida 2000 presidential election, the inadequacies of widely-used punch card vot-
ing systems have become well understood by the general population. Despite the opposition of computer

scientists, this has led to increasingly widespread adoption of “direct recording electronic” (DRE) voting

systems. DRE systems, generally speaking, completely eliminate paper ballots from the voting process. As

with traditional elections, voters go to their home precinct and prove that they are allowed to vote there,

perhaps by presenting an ID card, although some states allow voters to cast votes without any identification

at all. After this, the voter is typically given a PIN, a smartcard, or some other token that allows them to

approach a voting terminal, enter the token, and then vote for their candidates of choice. When the voter’s

selection is complete, DRE systems will typically present a summary of the voter’s selections, giving them

a final chance to make changes. Subsequent to this, the ballot is “cast” and the voter is free to leave.

The most fundamental problem with such a voting system is that the entire election hinges on the cor-
rectness, robustness, and security of the software within the voting terminal. Should that code have security-
relevant flaws, they might be exploitable either by unscrupulous voters or by malicious insiders. Such

insiders include election officials, the developers of the voting system, and the developers of the embedded

operating system on which the voting system runs. If any party introduces flaws into the voting system soft-
ware or takes advantage of pre-existing flaws, then the results of the election cannot be assured to accurately

reflect the votes legally cast by the voters.

Although there has been cryptographic research on electronic voting [13], and there are new approaches

such as [6], currently the most viable solution for securing electronic voting machines is to introduce a

“voter-verifiable audit trail” [10, 20]. A DRE system with a printer attachment, or even a traditional optical

scan system (e.g., one where a voter fills in a printed bubble next to their chosen candidates), will satisfy

this requirement by having a piece of paper for voters to read and verify that their intent is correct reflected.

This paper is stored in ballot boxes and is considered to be the primary record of a voter’s intent. If, for

3

Page 3 of 23

Page 4 of 23

some reason, the printed paper has some kind of error, it is considered to be a “spoiled ballot” and can be

mechanically destroyed, giving the voter the chance to vote again. As a result, the correctness of any voting

software no longer matters; either a voting terminal prints correct ballots or it is taken out of service. If there

is any discrepancy in the vote tally, the paper ballots will be available to be recounted, either mechanically

or by hand. (A verifiable audit trail does not, by itself, address voter privacy concerns, ballot stuffing, or

numerous other attacks on elections.)

“CERTIFIED” DRE SYSTEMS. Many government entities have adopted paperless DRE systems without

appearing to have critically questioned the security claims made by the systems’ vendors. Until recently,

such systems have been dubiously “certified” for use without any public release of the analyses behind these

certifications, much less any release of the source code that might allow independent third parties to perform

their own analyses. Some vendors have claimed “security through obscurity” as a defense, despite the

security community’s universally held belief in the inadequacy of obscurity to provide meaningful protection

[18].

Indeed, the CVS source code repository for Diebold’s AccuVote-TS DRE voting system recently ap-
peared on the Internet. This appearance, announced by Bev Harris and discussed in her book, Black Box

Voting [14], gives us a unique opportunity to analyze a widely used, paperless DRE system and evaluate the

manufacturer’s security claims. Jones discusses the origins of this code in extensive detail [17]. Diebold’s

voting systems are in use in 37 states, and they are the second largest and the fastest growing vendor of

electronic voting machines. We only inspected unencrypted source code, focusing on the AVTSCE, or

AccuVote-TS version 4, tree in the CVS repository [9]. This tree has entries dating from October 2000 and

culminates in an April 2002 snapshot of version 4.3.1 of the AccuVote-TS system. From the comments in

the CVS logs, the AccuVote-TS version 4 tree is an import of an earlier AccuTouch-CE tree. We did not

have source code to Diebold’s GEMS back-end election management system.

SUMMARY OF RESULTS. We discovered significant and wide-reaching security vulnerabilities in the version

of the AccuVote-TS voting terminal found in [9] (see Table 1). Most notably, voters can easily program their

own smartcards to simulate the behavior of valid smartcards used in the election. With such homebrew cards,

a voter can cast multiple ballots without leaving any trace. A voter can also perform actions that normally

require administrative privileges, including viewing partial results and terminating the election early. Similar

undesirable modifications could be made by malevolent poll workers (or janitorial staff) with access to the

voting terminals before the start of an election. Furthermore, the protocols used when the voting terminals

communicate with their home base, both to fetch election configuration information and to report final

election results, do not use cryptographic techniques to authenticate either end of the connection nor do they

check the integrity of the data in transit. Given that these voting terminals could potentially communicate

over insecure phone lines or even wireless Internet connections, even unsophisticated attackers can perform

untraceable “man-in-the-middle” attacks.

We considered both the specific ways that the code uses cryptographic techniques and the general soft-
ware engineering quality of its construction. Neither provides us with any confidence of the system’s cor-
rectness. Cryptography, when used at all, is used incorrectly. In many places where cryptography would

seem obvious and necessary, none is used. More generally, we see no evidence of disciplined software

engineering processes. Comments in the code and the revision change logs indicate the engineers were

aware of some areas in the system that needed improvement, though these comments only address specific

problems with the code and not with the design itself. We also saw no evidence of any change-control pro-
cess that might restrict a developer’s ability to insert arbitrary patches to the code. Absent such processes,

a malevolent developer could easily make changes to the code that would create vulnerabilities to be later

exploited on Election Day. We also note that the software is written entirely in C++. When programming

in a language like C++, which is not type-safe, programmers must exercise tight discipline to prevent their

programs from being vulnerable to buffer overflow attacks and other weaknesses. Indeed, buffer overflows

4

Page 4 of 23

Page 5 of 23

Figure 1: A Diebold AccuVote-TS voting machine (photo from http://www.sos.state.ga.us/).

Note the smartcard reader in the lower-right hand corner.

caused real problems for AccuVote-TS systems in real elections.1

SUBSEQUENT WORK. Following the release of our results, the state of Maryland hired SAIC [27] and

RABA [24] and the state of Ohio hired Compuware [7] to perform independent analyses of Diebold’s

AccuVote-TS systems. These analyses not only support our findings, but show that many of the issues

we raise and attacks we identify still apply to recent versions of the AccuVote-TS system, and particularly

to the machines recently purchased by Maryland. These analyses also identified security problems with the

back-end GEMS server. Additionally, RABA’s “red team” implemented some of our attacks in a mock elec-
tion setting; e.g., they modified smartcards so that a voter could vote more than once (Section 3.2 and [24,

page 16]) and they implemented our ballot reordering attack, thereby tricking voters to vote for the wrong

candidates (Section 4.2 and [24, pages 18 and 21]). Jones discusses these three reports in more detail [17].

2 System overview

The Diebold AccuVote-TS 4.3.1 system we analyzed [9], which was written in C++, was designed to run on

a Windows CE device, an example of which is shown in Figure 1. The code also compiles and runs (with

slightly different configurations) on regular Microsoft Windows machines, thus enabling us to verify that

the code represents a complete system. We shall refer to a device running the vote collection software as a

voting terminal.

1http://www.sccgov.org/scc/assets/docs/209815KeyboardAttachment-200440211.pdf (page 60 of

the report, page 61 of the PDF)

5

Page 5 of 23

Page 6 of 23

Voter Poll Worker Poll Worker Internet Provider OS Voting Section

(with forged (with access to (with access to (with access to Developer Device

smartcard) storage media) network traffic) network traffic) Developer

Vote multiple times • • • 3.2

using forged smartcard

Access administrative functions • • • • 3.3

or close polling station

Modify system configuration • • • 4.1

Modify ballot definition • • • • • 4.2

(e.g., party affiliation)

Cause votes to be miscounted • • • • • 4.2

by tampering with configuration

Impersonate legitimate voting • • • • • 4.3

machine to tallying authority

Create, delete, and modify votes • • • • • 4.3, 4.5

Link voters with their votes • • • • • 4.5

Tamper with audit logs • • • 4.6

Delay the start of an election • • • • • 4.7

Insert backdoors into code • • 5.3

Table 1: This table summarizes some of the more important attacks on the system.

6

Page 6 of 23

Page 7 of 23

Below we describe the process for setting up and running an election using the Diebold system. In some

cases, where election procedures and policies might vary or where we have insufficient information from

studying the code, we will state our assumptions. We note that, even in cases where election policies and

procedures might provide protection against design shortcomings, those policies and procedures depend on

poll workers who may not fully understand or be able to carry out their responsibilities. As a result, any

failure in the design of the voting system may very well be abused to compromise an election.

SETTING UP. Before an election takes place, one of the first things the election officials must do is specify the

political offices and issues to be decided by the voters along with the candidates and their party affiliations.

Variations on the ballot can be presented to voters based on their party affiliations. We call this data a ballot

definition. In the Diebold system, a ballot definition is encoded as the file election.edb.

Prior to an election, the voting terminals must be configured and installed at each voting location. A

governmental entity using Diebold voting terminals has a variety of choices in how to distribute the ballot

definitions. They also may be distributed using removable media, such as floppy disks or storage cards,

or over a local network, the Internet, or a dial-up connection. The networked approach, if allowed under

the voting precinct’s processes, provides additional flexibility to the election administrator in the event of

last-minute changes to the ballot.

THE ELECTION. Once the voting terminal is initialized with the ballot definitions and the election begins,

voters are allowed to cast their votes. To get started, the voter must have a voter card. The voter card is a

memory card or smartcard; i.e., it is a credit-card sized plastic card with a computer chip on it that can store

data and, in the case of the smartcard, perform computation. Under the most common scenario, we assume

that the voting cards are given to voters at the voting site on election day.

The voter takes the voter card and inserts it into a smartcard reader attached to the voting terminal. The

terminal checks that the smartcard in its reader is a voter card and, if it is, presents a ballot to the voter on the

terminal screen. The actual ballot the voter sees may depend on the voter’s political party, which is encoded

on the voter card. If a ballot cannot be found for the voter’s party, the voter is given a nonpartisan ballot.

Such party-specific ballots are used, for example, in primaries.

At this point, the voter interacts with the voting terminal, touching the appropriate boxes on the screen

for his or her desired candidates. Headphones and keypads are available for visually-impaired voters to

privately interact with the terminal. Before the ballots are committed to storage in the terminal, the voter is

given a final chance to review his or her selections. If the voter confirms this, the vote is recorded on the

voting terminal and the voter card is “canceled.” This latter step is intended to prevent the voter from voting

again with the same card. After the voter finishes voting, the terminal is ready for another voter to use. The

voter returns his or her canceled card to the poll workers, who reprogram it for the next user.

REPORTING THE RESULTS. A poll worker ends the election process by inserting an administrator card

or an ender card (a special card that can only be used to end the election) into the voting terminal. Upon

detecting the presence of such a card (and, in the case of the administrator card, checking a PIN entered by

the card user), the poll worker is asked to confirm that the election is finished. If the poll worker agrees, then

the voting terminal enters the post-election stage. Election results are written to a removable flash memory

card and can also be transmitted electronically to the back-end server.

As we have only analyzed the code for the Diebold voting terminal, we do not know exactly how the

back-end server tabulates the final results it gathers from the individual terminals. Obviously, it collects all

the votes from the various voting terminals. We are unable to verify that there are checks to ensure, for

example, that there are no more votes collected than people who are registered at or have entered any given

polling location.

DETAILED OVERVIEW OF THE CODE. The 4.3.1 snapshot of the AccuVote-TS tree [9] has 136 .h files

totaling 16414 lines and 120 .cpp files totaling 33195 lines, for a total of 256 files and 49609 lines of C++

7

Page 7 of 23

Page 8 of 23

code. While a full description of every module in the Diebold AccuVote-TS 4.3.1 system is beyond the

scope of this paper, we describe the bootstrapping process as well as the main state transitions that occur

within a Diebold system during an election, making explicit references to the relevant portions of the code.

The voting terminal is implemented in the directory BallotStation/, but uses libraries in the

supporting directories Ballot/, DES/, DiagMode/, Shared/, TSElection/, Utilities/, and

VoterCard/.

The method CBallotStationApp::DoRun() is the main loop for the voting terminal software.

The DoRun() method begins by invoking CBallotStationApp::LoadRegistry(), which loads

information about the voting terminal from the registry (the registry keys are stored under HKEY_LOCAL_

MACHINE\Software\Global Election Systems\AccuVote-TS4) . If the program fails to load

the registry information, it believes that it is uninitialized and therefore creates a new instance of the

CTSRegistryDlg class that asks the administrator to set up the machine for the first time. The adminis-
trator chooses, among other things, the COM port to use with the smartcard reader, the directory locations

to store files, and the polling location identifier. The CBallotStationApp::DoRun() method then

checks for the presence of a smartcard reader and, if none is found, gives the administrator the option to

interact with the CTSRegistryDlg again.

The DoRun() method then enters a while loop that iterates until the software is shut down. The

first thing DoRun() does in this loop is check for the presence of some removable media on which to

store election results and ballot configurations (a floppy under Windows or a removable storage card on

a Windows CE device). It then tries to open the election configuration file election.edb. If it fails

to open the configuration file, the program enters the CTSElectionDoc::ES_NOELECTION state and

invokes CBallotStationApp::Download(), which creates an instance of CTransferElecDlg to

download the configuration file. To do the download, the terminal connects to a back-end server using either

the Internet or a dial-up connection. Subsequently, the program enters the CTSElectionDoc::ES_

PREELECT state, invoking the CBallotStationApp::PreElect() method, which in turn creates

an instance of CPreElectDlg. The administrator can then decide to start the election, in which case

CPreElectDlg::OnSetForElection() sets the state of the terminal to CTSElectionDoc::ES_

ELECTION.

Returning to the while loop in CBallotStationApp::DoRun(), now that the machine is in the

state CTSElectionDoc::ES_ELECTION, the DoRun() method invokes CBallotStationApp::

Election(), which creates an instance of CVoteDlg. When a card is inserted into the reader, the

application checks to see if the card is a voter card, administrator card, or ender card. If it is an ender

card, or if it is an administrator card and if the user enters the correct PIN, the CVoteDlg ends and the

user is asked whether he or she wishes to terminate the election and, if so, the state of the terminal is set

to CTSElectionDoc::ES_POSTELECT. If the user entered a voter card, then DoVote() is invoked

(here DoVote() is an actual function; it does not belong to any class). The DoVote() function finds

the appropriate ballot for the user’s voter group or, if none exists, opens the nonpartisan ballot (recall that

the system is designed to support different ballots for different voters, as might occur in a primary party

election). It then creates an instance of CBallotDlg to display the ballot and collect the votes.

We recall that if, during the election process, someone inserted an administrator or ender card into the ter-
minal and chooses to end the election, the system would enter the CTSElectionDoc::ES_POSTELECT

state. At this point the voting terminal would offer the ability to upload the election results to some back-end

server for final tabulation. The actual transfer of results is handled by the CTransferResultsDlg::

OnTransfer() method.

8

Page 8 of 23

Page 9 of 23

3 Smartcards

While it is true that one can design secure systems around the use of smartcards, merely the use of smartcards

in a system does not imply that the system is secure. The system must use the smartcards in an intelligent

and security-conscious way. Unfortunately, the Diebold system’s use of smartcards provides very little (if

any) additional security and, in fact, opens the system to several attacks.

3.1 Exploiting the lack of cryptography: Creating homebrew smartcards

Upon reviewing the Diebold code, we observed that the smartcards do not perform any cryptographic op-
erations. This, in and of itself, is an immediate red flag. One of the biggest advantages of smartcards over

classic magnetic-stripe cards is the smartcards’ ability to perform cryptographic operations internally, and

with physically protected keys. Because of a lack of cryptography, there is no secure authentication of the

smartcard to the voting terminal. This means that nothing prevents an attacker from using his or her own

homebrew smartcard in a voting terminal. One might naturally wonder how easy it would be for an attacker

to make such a homebrew smartcard. First, we note that user-programmable smartcards and smartcard read-
ers are available commercially over the Internet in small quantities and at reasonable prices. Second, an

attacker who knows the protocol spoken between voting terminals and legitimate smartcards could easily

implement a homebrew card that speaks the same protocol. We shall shortly consider how an attacker might

go about learning the protocol if he or she does not know it a priori.

Once the adversary knows the protocol between the terminal and the smartcards, the only impediment

to the mass production of homebrew smartcards is that each voting terminal will make sure that the smart-
card has encoded in it the correct m_ElectionKey, m_VCenter, and m_DLVersion (see DoVote()

in BallotStation/Vote.cpp). The m_ElectionKey and m_DLVersion are likely the same

for all locations and, furthermore, for backward-compatibility purposes it is possible to use a card with

m_ElectionKey and m_DLVersion undefined. The m_VCenter value could be learned on a per-
location-basis by interacting with legitimate smartcards, from an insider, or from inferences based on the

m_VCenter values observed at other polling locations. In short, all the necessary information to create

homebrew counterfeit smartcards is readily available.

In the next subsections we consider attacks that an adversary could mount after creating homebrew

cards. We find the issues we uncovered to be particularly distressing as modern smartcard designs allow

cryptographic operations to be performed directly on the smartcard, making it possible to create systems

that are not as easily vulnerable to such security breaches.

REVERSE ENGINEERING THE SMARTCARD PROTOCOL. It turns out that adversaries, including regular

voters, who do not know a priori the protocol between the smartcard and the terminal can “easily” learn

the protocol, thereby allowing them to produce homebrew voter cards. An adversary, such as a poll worker,

with the ability to interact with a legitimate administrator or ender card could also learn enough information

to produce homebrew administrator and ender cards (Section 3.3).

Let us consider several ways that an adversary could learn the protocol between voter cards and voting

terminals. After voting, instead of returning the canceled card to the poll-worker, the adversary could

return a fake card that records how it is reprogrammed, and then dumps that information to a collaborating

attacker waiting in line to vote. Alternatively, the attacker could attach a “wiretap” device between the voting

terminal and a legitimate smartcard and observe the communicated messages. The parts for building such

a device are readily available and, depending on the setup at each voting location, might be unnoticed by

poll workers. An attacker might not even need to use a wiretap device: as a literal “person-in-the-middle”

attack, the adversary could begin by inserting a smartcard into the terminal that records the terminal’s first

message. The adversary would then leave the voting location, send that message to a real voter card that he

or she stole, and learn the real voter card’s response. The adversary’s conspirator could then show up at the

9

Page 9 of 23

Page 10 of 23

voting location and use the information gained in the first phase to learn the next round of messages in the

protocol, and so on. We comment again that these techniques work because the authentication process is

completely deterministic and lacks any sort of cryptography.

3.2 Casting multiple votes

In the Diebold system, a voter begins the voting process by inserting a smartcard into the voting terminal.

Upon checking that the card is “active,” the voting terminal collects the user’s vote and then deactivates the

user’s card; the deactivation actually occurs by rewriting the card’s type, which is stored as an 8-bit value

on the card, from VOTER_CARD (0×01) to CANCELED_CARD (0×08). Since an adversary can make

perfectly valid smartcards, the adversary could bring a stack of active cards to the voting booth. Doing

so gives the adversary the ability to vote multiple times. More simply, instead of bringing multiple cards

to the voting booth, the adversary could program a smartcard to ignore the voting terminal’s deactivation

command. Such an adversary could use one card to vote multiple times. Note here that the adversary could

be a regular voter, and not necessarily an election insider.

Will the adversary’s multiple-votes be detected by the voting system? To answer this question, we

must first consider what information is encoded on the voter cards on a per-voter basis. The only per-
voter information is a “voter serial number” (m_VoterSN in the CVoterInfo class). m_VoterSN is

only recorded by the voting terminal if the voter decides not to place a vote (as noted in the comments

in TSElection/Results.cpp, this field is recorded for uncounted votes for backward compatibility

reasons). It is important to note that if a voter decides to cancel his or her vote, the voter will have the

opportunity to vote again using that same card (and, after the vote has been cast, m_VoterSN will no

longer be recorded).

If we assume the number of collected votes becomes greater than the number of people who showed

up to vote, and if the polling locations keep accurate counts of the number of people who show up to vote,

then the back-end system, if designed properly, should be able to detect the existence of counterfeit votes.

However, because m_VoterSN is only stored for those who did not vote, there will be no way for the

tabulating system to distinguish the real votes from the counterfeit votes. This would cast serious doubt on

the validity of the election results. The solution proposed by one election official, to have everyone vote

again, does not seem like a viable solution.

3.3 Accessing administrator and poll worker functionality

As noted in Section 2, in addition to the voter cards that normal voters use when they vote, there are

also administrator cards and ender cards, which have special purposes in this system. The administra-
tor cards give the possessor the ability to access administrative functionality (the administrative dialog

BallotStation/AdminDlg.cpp), and both types of cards allow the possessor to end the election

(hence the term “ender card”).

Just as an adversary can manufacture his or her own voter cards, an adversary can manufacture his or her

own administrator and ender cards (administrator cards have an easily-circumventable PIN, which we will

discuss shortly). This attack is easiest if the attacker has knowledge of the Diebold code or can interact with

a legitimate administrator or ender card, since otherwise the attacker would not know what distinguishes an

administrator or ender card from a voter card. (The distinction is that, for a voter card m_CardType is set

to 0×01, for an ender card the value is 0×02, and for an administrator card the value is 0×04.)

As one might expect, an adversary in possession of such illicit cards has further attack options against

the Diebold system. Using a homebrew administrator card, a poll worker, who might not otherwise have

access to the administrator functions of the Diebold system but who does have access to the voting machines

before and after the elections, could gain access to the administrator controls. If a malicious voter entered an

10

Page 10 of 23

Page 11 of 23

administrator or ender card into the voting device instead of the normal voter card, then the voter would be

able to terminate the election and, if the card is an administrator card, gain access to additional administrative

controls.

The use of administrator or ender cards prior to the completion of the actual election represents an in-
teresting denial-of-service attack. Once “ended,” the voting terminal will no longer accept new voters (see

CVoteDlg::OnCardIn()) until the terminal is somehow reset. Such an attack, if mounted simultane-
ously by multiple people, could temporarily shut down a polling place. If a polling place is in a precinct

considered to favor one candidate over another, attacking that specific polling place could benefit the less-
favored candidate. Even if the poll workers were later able to resurrect the systems, the attack might succeed

in deterring a large number of potential voters from voting (e.g., if the attack was performed over the lunch

hour). If such an attack was mounted, one might think the attackers would be identified and caught. We note

that many governmental entities, e.g., California, do not require identification to be presented by voters. By

the time the poll workers realize that one of their voting terminals has been disabled, the perpetrator may

have long-since left the scene. Furthermore, the poll workers may not be computer savvy and might simply

think that all the machines crashed simultaneously.

CIRCUMVENTING THE ADMINISTRATOR PIN. In order to use (or create) an administrator card, the attacker

must know the PIN associated (or to be associated) with the card. Because the system’s use of smartcards

was poorly designed, an adversary could easily learn the necessary information, thereby circumventing any

security the PIN might have offered.

We first note that the PIN is sent from the smartcard to the terminal in cleartext. As a result, anyone

who knows the protocol and wishes to make their own administrator card could use any PIN of their choice.

Even if the attacker does not know the protocol but has access to an existing administrator card and wants

to make a copy, the adversary could guess the PIN in just a few trials if the adversary realizes that the PIN is

included as part of a short cleartext message sent from the card. More specifically, rather than try all 10000

possibilities for the PIN, the adversary could try all 4-byte consecutive substrings of the cleartext message.

4 Election configurations and election data

In election systems, protecting the integrity and privacy of critical data (e.g., votes, configurations, ballot

definitions) is undeniably important. We investigated how the Diebold system manipulates such data, and

found considerable problems. There are two main vectors for accessing and attacking the voting system’s

data: via physical access to the device storing the data, or via man-in-the-middle attacks as the data is

transported over some network. The latter assumes that the systems are connected to a network, which is

possible though may be precluded by election procedures in some jurisdictions. Attacks via physical access

to memory can be quite powerful, and can be mounted easily by insiders. The network attacks, which can

also be quite powerful, can also be mounted by insiders as well as sophisticated outsiders.

DATA STORAGE OVERVIEW. Each voting terminal has two distinct types of internal data storage. A main

(or system) storage area contains the terminal’s operating system, program executables, static data files such

as fonts, and system configuration information, as well as backup copies of dynamic data files such as the

voting records and audit logs. Each terminal also contains a removable flash memory storage device that is

used to store the primary copies of these dynamic data files. When the terminal is running a standard copy

of Windows (e.g., Windows 2000) the removable storage area is the first floppy drive; when the terminal is

running Windows CE, the removable storage area is a removable storage card. Storing the dynamic data on

two distinct devices is advantageous for both reliability and non-malleability: if either of the two storage

mediums fails, data can still be recovered from the copy, although reconciling differences between these

media may be difficult.

Unfortunately, in Windows CE, the existence of the removable storage device is not enforced properly.

11

Page 11 of 23

Page 12 of 23

Unlike other versions of Windows, removable storage cards are mounted as subdirectories under CE. When

the voting software wants to know if a storage card is inserted, it simply checks to see if the Storage

Card subdirectory exists in the filesystem’s root directory. While this is the default name for a mounted

storage device, it is also a perfectly legitimate directory name for a directory in the main storage area. Thus,

if such a directory exists, the terminal can be fooled into using the same storage device for all of the data.2

This would reduce the amount of redundancy in the voting system and would increase the chances that a

hardware failure could cause recorded votes to be lost.

NETWORK OVERVIEW. The Diebold voting machines cannot work in isolation. They must be able to

both receive a ballot definition file as input and report voting results as output. As described in Section 2,

there are essentially two ways to load a voting terminal with an initial election configuration: via some

removable media, such as a flash memory card, or over a network connection. In the latter case, the voting

terminal could either be plugged directly into the Internet, could be connected to an isolated local network,

or could use a dialup connection (the dial-up connection could be to a local ISP, or directly to the election

authority’s modem banks). Diebold apparently gives their customers a variety of configuration options;

electronic networks are not necessary for the operation of the system. After the election is over, election

results can be sent to a back-end post-processing server over the network (again, possibly through a dial-
up connection). When results are reported this way, it is not clear whether these network-reported results

become the official results, or just the preliminary results (the official results being computed after the

memory cards are removed from all the voting terminals and collected and tabulated at a central location).

We also observe that, even in jurisdictions where voting terminals are never connected to a network or

phone line, the physical transportation of the flash memory cards from the voting terminal to the central

tabulating system is really just a “sneaker net.” Such physical card transportation must be robust against

real-world analogies of network man-in-the-middle attacks. Any flaws in the policies and procedures used to

protect the chain of custody could lead to opportunities for these cards to be read or written by an adversary.

Consequently, even if no electronic computer network is used, we still view network attacks as critical in

the design of a voting system.

4.1 Tampering with the system configuration

The majority of the system configuration information for each terminal is stored in the Windows registry

under HKEY_LOCAL_MACHINE\Software\Global Election Systems\AccuVote-TS4 . This

includes both identification information such as the terminal’s serial number and more traditional configu-
ration information such as the COM port to which the smartcard reader is attached. All of the configuration

information is stored in the clear, without any form of integrity protection. Thus, all an adversary must do is

modify the system registry to trick a given voting terminal into effectively impersonating any other voting

terminal. It is unclear how the tabulating authority would deal with results from two different voting termi-
nals with the same voting ID; at the very least, human intervention to resolve the conflict would probably be

required.

The Federal Election Commission draft standard [11] requires each terminal to keep track of the total

number of votes that have ever been cast on it — the “Protective Counter.” This counter is used to provide

yet another method for ensuring that the number of votes cast on each terminal is correct. However, as the

following code from Utilities/machine.cpp shows, the counter is simply stored as an integer in the

file system.bin in the terminal’s system directory (error handling code has been removed for clarity):

long GetProtectedCounter()

2This situation can be easily corrected by checking for the FILE ATTRIBUTE TEMPORARY attribute on the directory as de-
scribed in http://msdn.microsoft.com/library/en-us/wcefiles/htm/_wcesdk_Accessing_Files_on_

Other_Storage_Media.asp.

12

Page 12 of 23

Page 13 of 23

{

DWORD protectedCounter = 0;

CString filename = ::GetSysDir();

filename += _T(”system.bin”);

CFile file;

file.Open(filename, CFile::modeRead | CFile::modeCreate | CFile::modeNoTruncate);

file.Read(&protectedCounter, sizeof(protectedCounter));

file.Close();

return protectedCounter;

}

We believe that the Diebold system violates the FEC requirements by storing the protected counter in a

simple, mutable file. By modifying this counter, an adversary could cast doubt on an election by creating a

discrepancy between the number of votes cast on a given terminal and the number of votes that are tallied in

the election. While the current method of implementing the counter is totally insecure, even a cryptographic

checksum would not be enough to protect the counter; an adversary with the ability to modify and view

the counter would still be able to roll it back to a previous state. In fact, the only solution that would work

would be to implement the protective counter in a tamper-resistant hardware token, but doing so would

require physical modifications to existing hardware.

4.2 Tampering with ballot definitions

The “ballot definition” for each election (election.edb) contains everything from the background color

of the screen and information about the candidates and issues on the ballot to the PPP username and pass-
word to use when reporting the results, if reporting the results over a dial-up connection. This data is neither

encrypted nor checksummed (cryptographically or otherwise).

If uninterrupted physical access is ever available to the voting terminal after the ballot definition has

been loaded, perhaps the night before an election, using a janitor’s master keys to the building, then it would

be possible for an adversary to tamper with the voting terminals’ ballot definition file or to even tamper with

the voting software itself. Protections such as physical locks or tamper-evident seals may somewhat allay

these concerns, but we would prefer designs that can be robust even against physical tampering.

On a potentially much larger scale, if the voting terminals download the ballot definition over a network

connection, then an adversary could tamper with the ballot definition file en-route from the back-end server

to the voting terminal; of course, additional poll-worker procedures could be put in place to check the

contents of the file after downloading, but we prefer a technological solution. With respect to modifying the

file as it is sent over a network, we point out that the adversary need not be an election insider; the adversary

could, for example, be someone working at the local ISP. If the adversary knows the structure of the ballot

definition, then the adversary can intercept and modify the ballot definition while it is being transmitted.

Even if the adversary does not know the precise structure of the ballot definition, many of the fields inside

are easy to identify and change, including the candidates’ names, which appear as plain ASCII text.

Because no cryptographic techniques are in place to guard the integrity of the ballot definition file, an

attacker could add, remove, or change issues on the ballot, and thereby confuse the result of the election.

In the system, different voters can be presented with different ballots depending on their party affiliations

(see CBallotRelSet::Open(), which adds different issues to the ballot depending on the voter’s m_

VGroup1 and m_VGroup2 CVoterInfo fields). If an attacker changes the party affiliations of the

candidates, then he may succeed in forcing the voters to view and vote on erroneous ballots.3 More subtle

3As
an example of what might happen if the party affiliations were listed
incorrectly, we note that, according to a news story at

http://www.gcn.com/vol19_no33/news/3307-1.html, in the 2000 New Mexico presidential election, over 65,000

votes were incorrectly counted because a worker accidentally had the party affiliations wrong. (We are not claiming this worker

had malicious intent, nor are we implying that this error had an effect on the results of the election.)

13

Page 13 of 23

Page 14 of 23

attacks are also possible. By simply changing the order of the candidates as they appear in the ballot

definition, the results file will change accordingly. However, the candidate information itself is not stored

in the results file, which merely tracks that candidate 1 got so many votes and candidate 2 got so many

other votes. If an attacker reordered the candidates on the ballot definition, voters would unwittingly cast

their ballots for the wrong candidate. Ballot reordering attacks would be particularly effective in polling

locations known to have more voters of one party than another. (In Section 4.3 and Section 4.5 we consider

other ways of tampering with the election results.)

4.3 Impersonating legitimate voting terminals

Consider voting terminals that are configured to upload voting totals to some back-end tabulating author-
ity after an election. An adversary able to pose as a legitimate voting terminal to the tabulating authority

could obviously cause (at least temporary) damage by reporting false vote counts to the tabulating sys-
tem. If the voting terminals use a normal Internet connection, then an adversary with the ability to sniff

the connection of a legitimate terminal could learn enough information (e.g., the IP address of the back-
end server) to be able to impersonate a legitimate terminal. If the terminals use a dialup connection, then

the adversary would either need to be able to sniff a legitimate dialup connection to learn the appropriate

information (e.g., the dial-up PPP number, login, and password), or must garner that information in an-
other way. The PPP phone number, username, password, and IP address of the back-end server are stored in

the registry HKEY_LOCAL_MACHINE\Software\Global Election Systems\AccuVote-TS4\

TransferParams, thus making it easily accessible to an insider working at the polling station. By study-
ing the configuration of the ballot definition files, we learned that the definition files also store the terminal’s

voting center ID, PPP dial-in number, username, password and the IP address of the back-end server (these

are parsed into a CElectionHeaderItem in TSElection\TSElectionObj.cpp). The ballot def-
inition files thus provide another vector for an adversary to learn almost all of the information necessary

to impersonate a real voting terminal over a dialup connection (the adversary would also have to create a

voting terminal ID, although the ID may or may not be checked for legitimacy by the back-end server).

4.4 Key management and other cryptographic issues with the vote and audit records

Unlike the other data stored on the voting terminal, both the vote records and the audit logs are encrypted

and checksummed before being written to the storage device. Unfortunately, neither the encrypting nor

the checksumming is done with established, secure techniques. This section summarizes the issues with

Diebold’s use of cryptography in protecting the vote records and audit logs, and then return to consequences

of Diebold’s poor choices in subsequent subsections. (Recall that we have already discussed the lack of

cryptography in other potions of the system.)

KEY MANAGEMENT. All of the data on a storage device is encrypted using a single, hardcoded DES [22]

key:

#define DESKEY ((des_key*)”F2654hD4″)

Note that this value is not a hex representation of a key, nor does it appear to be randomly generated. Instead,

the bytes in the string “F2654hD4” are fed directly into the DES key scheduler. It is well-known that hard-
coding keys into a program’s source code is a bad idea: if the same compiled program image is used on every

voting terminal, an attacker with access to the source code, or even to a single program image, could learn

the key and thus read and modify voting and auditing records. The case with the Diebold system is even

worse: from the CVS logs, we see this particular key has been used without change since December 1998,

when the CVS tree for AccuVote-TS version 3 began, and we assume that the key was in use much before

14

Page 14 of 23

Page 15 of 23

that. Although Jones reports that the vendor may have been aware of the key management problems in their

code since at least 1997 [16, 17], our findings show that the design flaw was never addressed. The SAIC

analysis of Diebold’s system [27] agrees that Diebold needs to redesign their cryptography architecture. The

most appropriate solution will likely involve the use of hardware cryptographic coprocessors.

(In a similar fashion, Diebold’s voter, administrator, and ender cards use a hardcoded 8-byte password

ED 0A ED 0A ED 0A ED 0A (hexadecimal) to authenticate the voting terminals to the smartcards, transmitted

in cleartext. The smartcards are discussed in Section 3.)

“ENCRYPTION.” Even if proper key management were to be implemented, however, many problems would

still remain. First, DES keys can be recovered by brute force in a very short time period [12]. DES should

be replaced with either triple-DES [26] or, preferably, AES [8]. Second, DES is being used in CBC mode

which requires a random initialization vector to ensure its security. The implementation here always uses

zero for its IV. This is illustrated by the call to DesCBCEncrypt in TSElection/RecordFile.cpp;

since the second to last argument is NULL, DesCBCEncrypt will use the all-zero IV.

DesCBCEncrypt((des_c_block*)tmp, (des_c_block*)record.m_Data, totalSize,

DESKEY, NULL, DES_ENCRYPT);

To correctly implement CBC mode, a source of “strong” random numbers must be used to generate a fresh

IV for each encryption [2]. Suitably strong random numbers can be derived from many different sources,

ranging from custom hardware to accumulated observations of user behavior.

“MESSAGE AUTHENTICATION.” Before being encrypted, a 16-bit cyclic redundancy check (CRC) of the

plaintext data is computed. This CRC is then stored along with the ciphertext in the file and verified when-
ever the data is decrypted and read. This process in handled by the ReadRecord and WriteRecord

functions in TSElection/RecordFile.cpp. Since the CRC is an unkeyed, public function, it does

not provide any meaningful integrity protection for the data. In fact, by storing it in an unencrypted form, the

purpose of encrypting the data in the first place (leaking no information about the contents of the plaintext)

is undermined. Standard industry practice would be to first encrypt the data to be stored and then to compute

a keyed cryptographic checksum (such as HMAC-SHA1 [1]) of the ciphertext [3, 19]. This cryptographic

checksum could then be used to detect any tampering with the plaintext. Note also that each entry has a

timestamp, which can be used to detect reordering, although sequence numbers should also be added to

detect record deletion.

4.5 Tampering with election results and linking voters with their votes

A likely attack target are the voting records themselves. When stored on the device, the voting records are

“encrypted” as described in Section 4.4. If the votes are transmitted to a back-end authority over a network

connection, as appears to be the case in at least some areas, no cryptography is used: the votes are sent in

cleartext. In particular, CTransferResultsDlg::OnTransfer() writes ballot results to an instance

of CDL2Archive, which then writes the votes in cleartext to a socket without any cryptographic checksum.

If the network connection is via a cable modem or a dedicated connection, then the adversary could be an

employee at the local ISP. If the voting terminals use a dialup connection directly to the tabulating authority’s

network, then the risk of such an attack is less, although still not inconsequential. A sophisticated adversary,

e.g., an employee of the local phone company, could tap the phone line and intercept the communication.

TAMPERING WITH ELECTION RESULTS. In Section 4.2 we showed that an adversary could alter election

results by modifying ballot definition files, and in Section 4.3 we showed that an adversary could inject fake

votes to a back-end tabulating authority by impersonating a legitimate voting terminal. Here we suggest

another way to modify the election result: modify the voting records file stored on the device. Because

of the poor cryptography described in Section 4.4, an attacker with access to this file would be able to

15

Page 15 of 23

Page 16 of 23

generate or change as many votes as he or she pleased. Furthermore, the adversary’s modified votes would

be indistinguishable from the true votes cast on the terminal. The attack described here is more advantageous

to an adversary than the attacks in Section 4.2 and Section 4.3 because it leaves no evidence that an attack

was ever mounted (whereas the attacks in Section 4.2 and Section 4.3 could be discovered but not necessarily

corrected as part of a post-election auditing phase).

If the votes are sent to the back-end authority over a network, then there is another vector for an adversary

to modify the election results. Specifically, an adversary with the ability to tamper with the channel could

introduce new votes or modify existing votes. Such an attacker could, for example, decrease one candidate’s

vote count by some number while increasing another’s candidate’s count by the same number. Of course,

to introduce controlled changes such as these to the votes, the attacker would benefit from some knowledge

of the structure of the protocol used between the terminals and the back-end server. This form of tampering

might later be detected by comparing the memory storage cards to data transmitted across the networks,

although the memory storage cards themselves might also be subject to tampering. (We briefly comment

that these network attacks could be largely circumvented with the use of standard cryptographic tools, such

as SSL/TLS.)

LINKING VOTERS WITH THEIR VOTES. From analyzing the code, we learned that each vote is written

sequentially to the file recording the votes. This fact provides an easy mechanism for an attacker, such

as a poll worker with access to the voting records, to link voters with their votes. A poll worker could

surreptitiously track the order in which voters use the voting terminals. Later, in collaboration with other

attackers who might intercept the “encrypted” voting records, the exact voting record of each voter could be

reconstructed.

If the results are transmitted over a network, as is the case in at least some jurisdictions, then physical

access to the voting results is not even necessary. Recall that, when transmitted over the network, the votes

are sent in unencrypted, cleartext form.

“RANDOMIZED” SERIAL NUMBERS. While the voter’s identity is not stored with the votes, each vote is

given a serial number in order to “randomize” the votes after they are uploaded to the back-end tabulating

authority. As we noted above, randomizing the order of votes after they are uploaded to the the tabulating

authority does not prevent the possibility of linking voters to their votes. Nevertheless, it appears that

the designers wanted to use a cryptographically secure pseudorandom number generator to generate serial

numbers for some post-processing purposes. Unfortunately, the pseudorandom number generator they chose

to use (a linear congruential generator) is not cryptographically secure. Moreover, the generator is seeded

with static information about the voting terminal and the election.

// LCG - Linear Conguential Generator - used to generate ballot serial numbers

// A psuedo-random-sequence generator

// (per Applied Cryptography, by Bruce Schneier, Wiley, 1996)

#define LCG_MULTIPLIER 1366

#define LCG_INCREMENTOR 150889

#define LCG_PERIOD 714025

static inline int lcgGenerator(int lastSN)

{

return ::mod(((lastSN * LCG_MULTIPLIER) + LCG_INCREMENTOR), LCG_PERIOD);

}

It is interesting to note that the code’s authors apparently decided to use an linear congruential generator

because it appeared in Applied Cryptography [26] even though in the same work it is advised that such

generators should not be used for cryptographic purposes.

16

Page 16 of 23

Page 17 of 23

4.6 Audit logs

Each entry in a plaintext audit log is simply a timestamped, informational text string. There appears to be no

clear pattern for what is logged and what is not. The whole audit log is encrypted using the insecure method

described in Section 4.4. An adversary with access to the audit log file could easily change its contents.

At the time that the logging occurs, the log can also be printed to an attached printer. If the printer is

unplugged, off, or malfunctioning, no record will be stored elsewhere to indicate that the failure occurred.

The following code from TSElection/Audit.cpp demonstrates that the designers failed to consider

these issues:

if (m_Print && print) {

CPrinter printer;

// If failed to open printer then just return.

CString name = ::GetPrinterPort();

if (name.Find(_T(”\\”)) != -1)

name = GetParentDir(name) + _T(”audit.log”);

if (!printer.Open(name, ::GetPrintReverse(), FALSE))

::TSMessageBox(_T(”Failed to open printer for logging”));

else {

[ do the printing ]

}

}

If the cable attaching the printer to the terminal is exposed, an attacker could create discrepancies between

the printed log and the log stored on the terminal by unplugging the printer (or, by simply cutting the cable).

4.7 Attacking the start of an election

Although good election processes would dictate installing the ballot definition files well before the start of

the election, we can imagine scenarios in which the election officials must reinstall ballot files shortly before

the start of an election, and do not have time to distribute the definition files manually.4

One option for the election officials would be to download the files over the Internet. In addition to the

problems we have outlined, we caution against relying on such an approach, as an adversary could mount

a traditional Internet denial-of-service attack against the election management’s server and thereby prevent

the voting terminals from acquiring their ballot definition files in time for the election. Even a general idea

of the range of Internet addresses used by the election administration would be sufficient for an attacker to

target a large-scale distributed denial of service (DDoS) attack.

Of course, we acknowledge that there are other ways to postpone the start of an election at a voting

location that do not depend on Internet DDoS attacks (e.g., flat tires for all poll workers for a given precinct,

or other acts of real-world vandalism). Unlike such traditional attacks, however, (1) the network-based attack

is relatively easy for anyone with knowledge of the election system’s network topology to accomplish; (2)

this attack can be performed on a very large scale, as the central distribution point(s) for ballot definitions

becomes an effective single point of failure; and (3) the attacker can be physically located anywhere in

the Internet-connected world, complicating efforts to apprehend the attacker. Such attacks could prevent or

delay the start of an election at all voting locations in a state. We note that this attack is not restricted to the

system we analyzed; it is applicable to any system that downloads its ballot definition files using the Internet

or otherwise relies upon the Internet.

4

In recent elections, we have seen cases where politicians passed away or withdrew from the race very close to the election day.

17

Page 17 of 23

Page 18 of 23

5 Software engineering

When creating a secure system, getting the design right is only part of the battle. The design must then be

securely implemented. We now examine the coding practices and implementation style used to create the

voting system. This type of analysis can offer insights into future versions of the code. For example, if a

current implementation has followed good implementation practices but is simply incomplete, one would be

more inclined to believe that future, more complete versions of the code would be of a similar high quality.

Of course, the opposite is also true, perhaps even more so: it is very difficult to produce a secure system by

building on an insecure foundation.

Of course, reading the source code to a product gives only an incomplete view into the actions and

intentions of the developers who created that code. Regardless, we can see the overall software design, we

can read the comments in the code, and, thanks to the CVS repository, we can even look at earlier versions

of the code and read the developers’ commentary as they committed their changes to the archive.

5.1 Code legacy

Inside cvs.tar we found multiple CVS archives. Two of the archives, AccuTouch and AVTSCE, im-
plement full voting terminals. The AccuTouch code, corresponding to AccuVote-TS version 3, dates from

December 1998 to August 2001 and is copyrighted by “Global Election Systems, Inc.,” while the AVTSCE

code, corresponding to the AccuVote-TS version 4 system, dates from October 2000 to April 2002 and is

copyrighted by “Diebold Election Systems, Inc.” (Diebold acquired Global Election Systems in September

2001.5

) Although the AccuTouch tree is not an immediate ancestor of the AVTSCE tree (from the CVS

logs, the AVTSCE tree is actually an import of another AccuTouch-CE tree that we do not have), the

AccuTouch and AVTSCE trees are related, sharing a similar overall design and a few identical files. From

the comments, some of the code, such as the functions to compute CRCs and DES, date back to 1996 and

a company later acquired by Global Election Systems called “I-Mark Systems.” We have already remarked

(Section 4.4) that the same DES key has been hardcoded into the system since at least the beginning of the

AccuTouch tree.

5.2 Coding style

While the system is implemented in an unsafe language6

(C++), the code reflects an awareness of avoiding

such common hazards as buffer overflows. Most string operations already use their safe equivalents, and

there are comments, e.g., should really use snprintf, reminding the developers to change oth-
ers. While we are not prepared to claim that there are no exploitable buffer overflows in the current code,

there are at the very least no glaringly obvious ones. Of course, a better solution would have been to write

the entire system in a safe language, such as Java or Cyclone [15]. In such a language we would be able

to prove that large classes of attacks, including buffer overflows and type-confusion attacks, are impossible

assuming a correct implementation of the compiler and runtime system.

Overall, the code is rather unevenly commented. While most files have a description of their over-
all function, the meanings of individual functions, their arguments, and the algorithms within are more

often than not undocumented. An example of a complex and completely undocumented function is the

CBallotRelSet::Open function from TSElection/TSElectionSet.cpp as shown in Figure 2.

This block of code contains two nested loops, four complex conditionals, and five debugging assertions, but

no comments that explain its purpose. Ascertaining the meaning of even a small part of this code is a huge

undertaking. For example, what does it mean for vgroup->KeyId() == -1? That the ID is simply

5http://dallas.bizjournals.com/dallas/stories/2001/09/10/daily2.html

6Here we mean language safety in the technical sense: no primitive operation in any program ever misinterprets data.

18

Page 18 of 23

Page 19 of 23

void CBallotRelSet::Open(const CDistrict* district, const CBaseunit* baseunit,

const CVGroup* vgroup1, const CVGroup* vgroup2)

{

ASSERT(m_pDB != NULL);

ASSERT(m_pDB->IsOpen());

ASSERT(GetSize() == 0);

ASSERT(district != NULL);

ASSERT(baseunit != NULL);

if (district->KeyId() == -1) {

Open(baseunit, vgroup1);

} else {

const CDistrictItem* pDistrictItem = m_pDB->Find(*district);

if (pDistrictItem != NULL) {

const CBaseunitKeyTable& baseunitTable = pDistrictItem->m_BaseunitKeyTable;

int count = baseunitTable.GetSize();

for (int i = 0; i < count; i++) {

const CBaseunit& curBaseunit = baseunitTable.GetAt(i);

if (baseunit->KeyId() == -1 || *baseunit == curBaseunit) {

const CBallotRelationshipItem* pBalRelItem = NULL;

while ((pBalRelItem = m_pDB->FindNextBalRel(curBaseunit, pBalRelItem))){

if (!vgroup1 || vgroup1->KeyId() == -1 ||

(*vgroup1 == pBalRelItem->m_VGroup1 && !vgroup2) ||

(vgroup2 && *vgroup2 == pBalRelItem->m_VGroup2 &&

*vgroup1 == pBalRelItem->m_VGroup1))

Add(pBalRelItem);

}

}

}

m_CurIndex = 0;

m_Open = TRUE;

}

}

}

Figure 2: The function CBallotRelSet::Open function from

TSElection/TSElectionSet.cpp. This complex function is completely undocumented.

undefined? Or perhaps that the group should be ignored? Such poorly documented code impairs the ability

of both internal developers and external security evaluator to assess whether the code is functioning properly

or might lead to a security issue.

5.3 Coding process

An important point to consider is how code is added to the system. From the project’s CVS logs, we can see

that most recent code updates are in response to specific bugs that needed to be fixed. There are, however,

no references to tracking numbers from a bug database or any other indication that such fixes have been

vetted through any change-control process. Indeed, each of the programmers7

seem to have completely

autonomous authority to commit to any module in the project. The only evidence that we have found that

the code undergoes any sort of review comes from a single log comment: “Modify code to avoid multiple

exit points to meet Wyle requirements.” This refers to Wyle Labs, one of the independent testing authorities

charged with certifying that voting machines have met FEC guidelines.

Virtually any serious software engineering endeavor will have extensive design documents that specify

how the system functions, with detailed descriptions of all aspects of the system, ranging from the user

interfaces through the algorithms and software architecture used at a low level. We found no such documents

in the CVS archive, and we also found no references to any such documents in the source code, despite

references to algorithms textbooks and other external sources.

There are also pieces of the voting system that come from third parties. Most obviously, a flaw in the

operating system, Windows CE, could expose the system to attack since the OS controls memory manage-

7Through web searches, we have matched each programmer’s CVS user names with their likely identities and so can conclude

that they are not group accounts.

19

Page 19 of 23

Page 20 of 23

ment and all of the device’s I/O needs. In addition, an audio library called fmod is used.8 While the source

to fmod is available with commercial licenses, unless this code is fully audited it might contain a backdoor

or an exploitable buffer overflow. Since both the operating system and fmod can access the memory of the

voting program, both must be considered part of the trusted computing base (TCB) as a security vulnera-
bility in either could compromise the security of the voting program itself. The voting terminal’s hardware

boot instructions should likewise be considered part of the TCB.

Due to the lack of comments, the legacy nature of the code, and the use of third-party code and operating

systems, we believe that any sort of comprehensive, top-to-bottom code review would be nearly impossible.

Not only does this increase the chances that bugs exist in the code, but it also implies that any of the coders

could insert a malicious backdoor into the system without necessarily being caught. The current design

deficiencies provide enough other attack vectors, however, that such an explicit backdoor is not required to

successfully attack the system. Regardless, even if the design problems are eventually rectified, the problems

with the coding process may well remain intact.

Since the initial version of this paper was made available on the Internet, Diebold has apparently “de-
veloped, documented, and implemented a change control process” [27]. The details of this revised process

have not been made available to the public, so we are unable to comment on their effectiveness.

5.4 Code completeness and correctness

While the code we studied implements a full system, the implementors have included extensive comments on

the changes that would be necessary before the system should be considered complete. It is unclear whether

the programmers actually intended to go back and remedy all of these issues as many of the comments

existed, unchanged, for months, while other modifications took place around them. Of course, while the

AVTSCE code we examined appears to have been the current codebase in April 2002, we know nothing

about subsequent changes to the code. (Modification dates and locations are easily visible from the CVS

logs.) These comments come in a number of varieties. For illustrative purposes, we have chosen to show a

few such comments from the subsystem that plays audio prompts to visually-impaired voters.

• Notes on code reorganization:

/* Okay, I don’t like this one bit. Its really tough to tell where m AudioPlayer

should live. […] A reorganization might be in order here. */

• Notes on parts of code that need cleaning up:

/* This is a bit of a hack for now. […] Calling from the timer message

appears to work. Solution is to always do a 1ms wait between audio clips. */

• Notes on bugs that need fixing:

/* need to work on exception *caused by audio*. I think they will currently

result in double-fault. */

There are, however, no comments that would suggest that the design will radically change from a security

perspective. None of the security issues that have been discussed in this paper are pointed out or marked for

correction. In fact, the only evidence at all that a redesign might at one point have been considered comes

from outside the code: the Crypto++ library9

is included in another CVS archive in cvs.tar. However,

the library was added in September 2000, before the start of the AVTSCE AccuVote-TS version 4 tree, and

appears to have never been used. (The subsequent SAIC [27] and RABA [24] analyses report that many

of the problems we identify are still applicable to recent versions of the AccuVote-TS system, implying

8http://www.fmod.org/

9http://www.eskimo.com/ ̃weidai/cryptlib.html

20

Page 20 of 23

Page 21 of 23

that, at least up to the version that SAIC and RABA analyzed, there has not been any radical change to the

AccuVote-TS system.)

6 Conclusions

Using publicly available source code, we performed an analysis of the April 2002 snapshot of Diebold’s

AccuVote-TS 4.3.1 electronic voting system. We found significant security flaws: voters can trivially cast

multiple ballots with no built-in traceability, administrative functions can be performed by regular voters,

and the threats posed by insiders such as poll workers, software developers, and janitors is even greater.

Based on our analysis of the development environment, including change logs and comments, we believe

that an appropriate level of programming discipline for a project such as this was not maintained. In fact,

there appears to have been little quality control in the process.

For quite some time, voting equipment vendors have maintained that their systems are secure, and that

the closed-source nature makes them even more secure. Our glimpse into the code of such a system reveals

that there is little difference in the way code is developed for voting machines relative to other commercial

endeavors. In fact, we believe that an open process would result in more careful development, as more

scientists, software engineers, political activists, and others who value their democracy would be paying

attention to the quality of the software that is used for their elections. (Of course, open source would not

solve all of the problems with electronic elections. It is still important to verify somehow that the binary

program images running in the machine correspond to the source code and that the compilers used on the

source code are non-malicious. However, open source is a good start.) Such open design processes have

proven successful in projects ranging from very focused efforts, such as specifying the Advanced Encryption

Standard (AES) [23], through very large and complex systems such as maintaining the Linux operating

system. Australia is currently using an open source voting system10

.

Alternatively, security models such as the voter-verified audit trail allow for electronic voting systems

that produce a paper trail that can be seen and verified by a voter. In such a system, the correctness burden

on the voting terminal’s code is significantly less as voters can see and verify a physical object that describes

their vote. Even if, for whatever reason, the machines cannot name the winner of an election, then the paper

ballots can be recounted, either mechanically or manually, to gain progressively more accurate election

results. Voter-verifiable audit trails are required in some U.S. states, and major DRE vendors have made

public statements that they would support such features if their customers required it. The EVM project11 is

an ambitious attempt to create an open-source voting system with a voter-verifiable audit trail — a laudable

goal.

The model where individual vendors write proprietary code to run our elections appears to be unreliable,

and if we do not change the process of designing our voting systems, we will have no confidence that our

election results will reflect the will of the electorate. We owe it to ourselves and to our future to have robust,

well-designed election systems to preserve the bedrock of our democracy.

Acknowledgments

We thank Cindy Cohn, David Dill, Badri Natarajan, Jason Schultz, Tracy Volz, David Wagner, and Richard

Wiebe for their suggestions and advice. We also thank the state of Maryland for hiring SAIC and RABA

and the state of Ohio for hiring Compuware to independently validate our findings.

10http://www.elections.act.gov.au/EVACS.html

11http://evm2003.sourceforge.net

21

Page 21 of 23

Page 22 of 23

References

[1] M. Bellare, R. Canetti, and H. Krawczyk. Keying hash functions for message authentication. In

N. Koblitz, editor, Advances in Cryptology – CRYPTO ’96, volume 1109 of Lecture Notes in Computer

Science, pages 1–15. Springer-Verlag, Berlin Germany, Aug. 1996.

[2] M. Bellare, A. Desai, E. Jokipii, and P. Rogaway. A concrete security treatment of symmetric en-
cryption. In Proceedings of the 38th Annual Symposium on Foundations of Computer Science, pages

394–403. IEEE Computer Society Press, 1997.

[3] M. Bellare and C. Namprempre. Authenticated encryption: Relations among notions and analysis

of the generic composition paradigm. In T. Okamoto, editor, Advances in Cryptology – ASIACRYPT

2000, volume 1976 of Lecture Notes in Computer Science, pages 531–545. Springer-Verlag, Berlin

Germany, Dec. 2000.

[4] California Internet Voting Task Force. A Report on the Feasibility of Internet Voting, Jan. 2000. http:

//www.ss.ca.gov/executive/ivote/.

[5] Voting: What Is; What Could Be, July 2001. http://www.vote.caltech.edu/Reports/.

[6] D. Chaum. Secret-ballot receipts: True voter-verifiable elections. IEEE Security and Privacy, 2(1):38–

47, 2004.

[7] Compuware Corporation. Direct Recording Electronic (DRE) Technical Security Assessment Report,

Nov. 2003. http://www.sos.state.oh.us/sos/hava/files/compuware.pdf.

[8] J. Daemen and V. Rijmen. The Design of Rijndael: AES–The Advanced Encryption Standard. Spring-
er-Verlag, Berlin Germany, 2002.

[9] Diebold Election Systems. AVTSCE source tree, 2003. http://users.actrix.co.nz/

dolly/Vol2/cvs.tar.

12

[10] D. L. Dill, R. Mercuri, P. G. Neumann, and D. S. Wallach. Frequently Asked Questions about DRE

Voting Systems, Feb. 2003. http://www.verifiedvoting.org/drefaq.asp.

[11] Federal Election Commission. Voting System Standards, 2001. http://fecweb1.fec.gov/

pages/vss/vss.html.

[12] J. Gilmore, editor. Cracking DES: Secrets of Encryption Research, Wiretap Politics & Chip Design.

O’Reilly, July 1998.

[13] D. Gritzalis, editor. Secure Electronic Voting. Springer-Verlag, Berlin Germany, 2003.

[14] B. Harris. Black Box Voting: Vote Tampering in the 21st Century. Elon House/Plan Nine, July 2003.

[15] T. Jim, G. Morrisett, D. Grossman, M. Hicks, J. Cheney, and Y. Wang. Cyclone: A safe dialect of C.

In USENIX Annual Technical Conference, June 2002.

[16] D. W. Jones. Problems with Voting Systems and the Applicable Standards, May 2001. Testimony

before the U.S. House of Representatives’ Committee on Science, http://www.cs.uiowa.edu/

̃jones/voting/congress.html.

12The cvs.tar file has been removed from this website.

22

Page 22 of 23

Page 23 of 23

[17] D. W. Jones. The Case of the Diebold FTP Site, July 2003. http://www.cs.uiowa.edu/

̃jones/voting/dieboldftp.html.

[18] A. Kerckhoffs. La Cryptographie Militaire. Libraire Militaire de L. Baudoin & Cie, Paris, 1883.

[19] H. Krawczyk. The order of encryption and authentication for protecting communications (or: How

secure is SSL?). In J. Kilian, editor, Advances in Cryptology – CRYPTO 2001, volume 2139 of Lecture

Notes in Computer Science, pages 310–331. Springer-Verlag, Berlin Germany, 2001.

[20] R. Mercuri. Electronic Vote Tabulation Checks and Balances. PhD thesis, University of Pennsylvania,

Philadelphia, PA, Oct. 2000.

[21] National Science Foundation. Report on the National Workshop on Internet Voting: Issues

and Research Agenda, Mar. 2001. http://news.findlaw.com/cnn/docs/voting/

nsfe-voterprt.pdf.

[22] NBS. Data encryption standard, January 1977. Federal Information Processing Standards Publication

46.

[23] J. Nechvatal, E. Barker, L. Bassham, W. Burr, M. Dworkin, J. Foti, and E. Roback. Report on the

Development of the Advanced Encryption Standard (AES), Oct. 2000.

[24] RABA Innovative Solution Cell. Trusted Agent Report: Diebold AccuVote-TS Voting System, Jan.

2004. http://www.raba.com/press/TA_Report_AccuVote.pdf.

[25] A. D. Rubin. Security considerations for remote electronic voting. Communications of the ACM,

45(12):39–44, Dec. 2002. http://avirubin.com/e-voting.security.html.

[26] B. Schneier. Applied Cryptography: Protocols, Algorithms, and Source Code in C. John Wiley &

Sons, New York, second edition, 1996.

[27] Science Applications International Corporation. Risk Assessment Report: Diebold AccuVote-TS Voting

System and Processes, Sept. 2003. http://www.dbm.maryland.gov/SBE.

23

Page 23 of 23

Page 23 of 23

comments (0)
12/24/16
2088 SUN 25 Dec 2016 LESSONS from Rector JCMesh J Alphabets Letter Animation ClipartMesh C Alphabets Letter Animation Clipart an expert who identifies experts influenced by Expert and Infulencer Sashikanth Chandrasekharan of Free Online Buddhism - World Religions for Kidshttps://drambedkarbooks.com/2015/03/14/the-chamcha-age-by-saheb-kanshi-ram/#more-1506Awaken One With Awareness Mind (A1wAM)+ ioT (insight-net of Things) - the art of Giving, taking and Living to attain Eternal Bliss as Final Goal through Electronic Visual Communication Course on Political Science -Techno-Politico-Socio Transformation and Economic Emancipation Movement (TPSTEEM). Struggle hard to see that all fraud EVMs are replaced by paper ballots by Start using Internet of things by creating Websites, blogs. Make the best use of facebook, twitter etc., to propagate TPSTEEM thru FOA1TRPUVF. Practice Insight Meditation in all postures of the body - Sitting, standing, lying, walking, jogging, cycling, swimming, martial arts etc., for health mind in a healthy body. from INSIGHT-NET-Hi Tech Radio Free Animation Clipart Online A1 (Awakened One) Tipiṭaka Research & Practice University in Visual Format (FOA1TRPUVF) https://archive.org/stream/DhammapadaIllustrated/dhammapada_illustrated#page/n1/mode/2up free online university research practice up a level through http://sarvajan.ambedkar.orgup a level https://awakenmediaprabandhak. wordpress.com/ email-0565.gif from 123gifs.eu Download & Greeting Card modinotourpm@gmail.com jchandra1942@icloud.com sarvajanow@yahoo.co.in is the most Positive Energy of informative and research oriented site propagating the teachings of the Awakened One with Awareness the Buddha and on Techno-Politico-Socio Transformation and Economic Emancipation Movement followed by millions of people all over the world in 105 Classical languages. Rendering exact translation as a lesson of this University in one’s mother tongue to this Google Translation and propagation entitles to become a Stream Enterer (Sottapanna) and to attain Eternal Bliss as a Final Goal BSP is the Number One Largest Party in the Country with all societies (sarvajan Samaj ) supporting it for Sarvajan Hitay sarvajan Sukhay. http://bestanimations.com/Holidays/Christmas/Christmas.html http://www.moddb.com/…/miscellaneous-p/images/relatable-post http://indiatoday.intoday.in/…/demonetisation…/1/842292.html Indian cashless transaction is all about controlling others nothing else, once the govt. http://www.ndtv.com/…/amid-cash-crunch-a-mysterious-5-000-c… Amid Cash Crunch, A Mysterious ‘5,000 Crore’-Influx In Poll-Bound Uttar Pradesh http://indiatoday.intoday.in/…/rss-uttar-prad…/1/841172.html http://nationalinterest.org/…/washington-watching-the-5-dea… http://www.assam123.com/america-enlisted-rss-one-biggest-t…/ http://www.dailymail.co.uk/…/One-village-one-one-crematoriu… Rakshasa Swayam Sevaks (RSS) is a non-entity which do not believe in our Modern Constitution but in a stealth, shadowy discriminating hindutva cult rashtra.
Filed under: General
Posted by: site admin @ 11:43 pm



2088 SUN 25 Dec 2016


LESSONS


from

Rector
JCMesh J Alphabets Letter Animation ClipartMesh C Alphabets Letter Animation Clipart

an expert who identifies experts influenced by Expert and Infulencer Sashikanth Chandrasekharan
of


Free Online
Buddhism - World

Religions for Kidshttps://drambedkarbooks.com/2015/03/14/the-chamcha-age-by-saheb-kanshi-ram/#more-1506
Awaken One With Awareness Mind
(A1wAM)
+ ioT (insight-net of Things)  - the art of Giving, taking and Living   to attain Eternal Bliss
as Final Goal through Electronic Visual Communication Course on
Political Science -Techno-Politico-Socio Transformation and Economic
Emancipation Movement (TPSTEEM).


Struggle hard to see that all fraud EVMs are replaced by paper ballots by

Start
using Internet of things by creating Websites, blogs. Make the best use
of facebook, twitter etc., to propagate TPSTEEM thru
FOA1TRPUVF.

Practice
Insight Meditation in all postures of the body - Sitting, standing,
lying, walking, jogging, cycling, swimming, martial arts etc., for
health mind in a healthy body.



 from

INSIGHT-NET-Hi Tech Radio Free Animation Clipart Online A1 (Awakened One) Tipiṭaka Research & Practice University
in Visual Format (FOA1TRPUVF)

https://archive.org/stream/DhammapadaIllustrated/dhammapada_illustrated#page/n1/mode/2up


free online university research practice









up a level through http://sarvajan.ambedkar.orgup a level



https://awakenmediaprabandhak. wordpress.com/












email-0565.gif from 123gifs.eu Download & Greeting Card


modinotourpm@gmail.com
jchandra1942@icloud.com
sarvajanow@yahoo.co.in



is the most Positive Energy of informative and research oriented site propagating the teachings of the Awakened One with Awareness the Buddha and on Techno-Politico-Socio Transformation and Economic Emancipation Movement followed by millions of people all over the world in 105 Classical languages.


Rendering exact translation as a lesson of this
University in one’s mother tongue to this Google Translation and
propagation entitles to become a Stream
Enterer (Sottapanna) and

to attain Eternal Bliss as a Final Goal

BSP
is the Number One Largest Party in the Country with all societies
(sarvajan Samaj ) supporting it for Sarvajan Hitay sarvajan Sukhay.

http://bestanimations.com/Holidays/Christmas/Christmas.html

http://www.moddb.com/…/miscellaneous-p/images/relatable-post

http://indiatoday.intoday.in/…/demonetisation…/1/842292.html

Indian cashless transaction is all about controlling others nothing else, once
the govt.

http://www.ndtv.com/…/amid-cash-crunch-a-mysterious-5-000-c…

Amid Cash Crunch, A Mysterious ‘5,000 Crore’-Influx In Poll-Bound Uttar Pradesh

http://indiatoday.intoday.in/…/rss-uttar-prad…/1/841172.html

http://nationalinterest.org/…/washington-watching-the-5-dea…

http://www.assam123.com/america-enlisted-rss-one-biggest-t…/

http://www.dailymail.co.uk/…/One-village-one-one-crematoriu…


Rakshasa Swayam Sevaks (RSS) is a non-entity which do not believe in
our Modern Constitution but in a stealth, shadowy discriminating
hindutva cult rashtra.


http://bestanimations.com/Holidays/Christmas/Christmas.html

merry christmas gif images

http://www.moddb.com/…/miscellaneous-p/images/relatable-post

http://indiatoday.intoday.in/…/demonetisation…/1/842292.html

Indian


cashless transaction is all about controlling others nothing else, once
the govt. has the ability to do so….they will also have the ability
to switch off the software, if that be the case how will people have
access to their own money….vary valid point…….again if a charge is
fixed to people to make payment….people will not have the ability to
opt out of this operation…..basically people will be helpless to use
their own money……

HR

Through lottery, satta and
gambling into the mix of your scemes bjp. Also Through bhang, ganja and
desi alcohol into the mix. Make half zombie people full zombies. Don’t
stop till you create a full blown dystopia.


View the Mod DB Miscellaneous-P image Relatable Post
moddb.com




http://www.ndtv.com/…/amid-cash-crunch-a-mysterious-5-000-c…

Amid Cash Crunch, A Mysterious ‘5,000 Crore’-Influx In Poll-Bound Uttar Pradesh


When asked for the source of the information, the BJP said it’s based
on stories in local newspapers in the past few days, coinciding with
Murderer of democratic institutions (Modi)’s high decibel campaign in
Uttar Pradesh.

When NDTV checked
with the RBI, the spokesperson clarified that the bank does not release
any information on how much cash it distributes to states.

At a
State Bank of India branch in Kaudia village, two hours from Gorakhpur
in East UP, women queuing outside the bank told us they have been there
since 4 am. We met them at around noon, 8 hours later, and they had
barely moved forward.

One of them claims to being mistreated by
the bank staff. “The manager pushed me yesterday and grabbed my throat,”
said one of the women.

Soon, a trunk of cash appeared at the
bank branch. Heavily locked, it was dragged inside the bank’s chained
gate. It remains unclear whether this is a part of the supposed
election-time influx of new currency.

That seemed of little concern to the crowd as they surged forward, desperate to get a handful of their own hard-earned cash.


It
is late in the evening when Kamlesh Paswan, the BJP lawmaker from
Bansgaon in eastern Uttar Pradesh walks to an ATM queue in his
constituency. Here, his…
ndtv.com

http://indiatoday.intoday.in/…/rss-uttar-prad…/1/841172.html


http://nationalinterest.org/…/washington-watching-the-5-dea…

http://www.assam123.com/america-enlisted-rss-one-biggest-t…/

http://www.dailymail.co.uk/…/One-village-one-one-crematoriu…


Rakshasa Swayam Sevaks (RSS) is a non-entity which do not believe in
our Modern Constitution but in a stealth, shadowy discriminating
hindutva cult rashtra. Their leaders are not elected in a democratic
manner but are selected among the inner circle of just 1% intolerant,
shooting, lynching, lunatic, mentally retarded, cannibal psychopath
chitpawan brahmins who believe in brahmins as 1st rate athmas,
kshatriyas as 2nd rate, vysias as 3rd rate, shudhras as 4th rate souls
and the aboriginal panchamas (SC/STs0 have no soul, so that they cand
commit any crime on them. But the Buddha never believed in any soul. He
said all are equal. Hence Babasaheb returned back with millions of
people back to their original home Buddhism. According to the Architect
of the Modern Constitution Dr BR Ambedkar, irrespect of caste, religion,
creed and colour anyone can acquire education and not just the brahmins
as per manuvad, Anyone can rule this country unlike the kashatrias as
per manu. Anyone can do trade and business unlike vysias as per manuvad.
As mer manu women has no right like the men. But the modern
constitution made provisions for women even to become rulers. Ex Indira
gandhi, Jayalilita, Mamata Banerji etc., But for Dr Ambedkar they would
have not been recognised. Irrespect of caste and religion Devegowda
etc., would have not become the PM of this country.

This is intolerated by RSS which is opposed to reservation.

http://www.assam123.com/america-enlisted-rss-one-biggest-t…/

RSS is one of the Biggest Terrorist Organisations in the World. They are
Mad Horrorists threat group - shadowy, stealth and discriminatory group
trying to establish hindutva cult.

New Delhi: A US-based risk management and consulting company has put the
Rashtriya Swayamsevak Sangh (RSS) because RSS is killing so many people
and bombing and cutting of people and using suicide bombing techniques
and raping and honor killing women … it all happened in Gujrat and
happening in parts of the country.. Go get a life and become a Hindu
mr…. What is it? the one who have at least common sense, do u think he
or she become hindu? do u think that? Most of the people in the world
becoming muslim without any pressure, force or demand… think about
that…. See that RSS gentleman who studied about islam to oppose them and
became a muslim…. use your common sense and refrain from your bad
thoughts and paths.�They will have the end.. Rss have to be banned in
india with its.. hindhuthuva branches.. in south tamilnadu.. this rss
and hindhutva terrorist and Horrorist gang made problem to the people
who celebrating new year of 2015 night..

Increasing threats to the democratic-secular Indian polity from the Hindutva
organizations - a concise document on the anti-national game-plan of the
RSS.

Hence this technological game of 1% Chitpawan RSS plan has to be defeated by
strengthening the 99% intellectuals by exposing the fradulent EVMs as
done by 80 democracies of the world in the larger interest of Sarvajan
Hitaye Sarvajan Sukhaye i.e., for the peace, happiness and welfare of
all societies including SC/STs/ OBCs/ Minorities and the poor brahmins
and baniyas for distributing the wealth of this country among all
sections of the society as enshrined in the Constitution by making the
Supreme Court to pass orders to replace all fradulent EVMs and till such
time to scrap all elections conducted by these fradulent EVMs and then
to conduct elections with tamper proof voting system to save democracy,
equality, fraternity and liberty.

RSS means Rakshasa Swayam Sevaks in a non -entity undemocratic organisation
with all its 40 avathars VHP (Visha Hindutva Psychopaths), BJP (Bahuth
Jiyadha Psychopaths), BMS (Bhramin Masdoor Sangh), ABVP (All Brahmin
Venomous Psychopaths), Bhajan Dal, Terrorist Sanstha Sangatan, eic.,
that become active during all elections for the greed of power for
Murderer of democratic instituitions (Modi) who is just a meant time
stooge of the 1% intolerant, violent, militant, shooting, lynching,
lunatic, mentally retarded cannibal chitpawan brahmin psychopaths who
always keep heckling and giggling like mad people thinking that they are
great achievers.Murderer of democratic institutions (Modi) and all its
associate avathars are shani and peda of the nation which is eclipsing
the development and progress as enshrined in the modern Constitution
whose architect is Dr BR Ambedkar.

After gobbling the MASTER KEY by tampering the fraud EVMs for Murderer of
democratic institutions (Modi) remotely controlled by RSS meaning
Rakshasa Swayam Sevaks, a non -entity undemocratic organisation with all
its 40 avathars VHP (Visha Hindutva Psychopaths), BJP (Bahuth Jiyadha
Psychopaths), BMS (Bhramin Masdoor Sangh), ABVP (All Brahmin Venomous
Psychopaths), Bhajan Dal, Terrorist Sanstha Sangatan, eic., that become
active during all elections for the greed of power for Murderer of
democratic instituitions (Modi) who is just a meant time stooge of the
1% intolerant, violent, militant, shooting, lynching, lunatic, mentally
retarded cannibal chitpawan brahmin psychopaths who always keep heckling
and giggling like mad people thinking that they are great achievers.

They are Shani and Pedal of the nation trying to bury the
Techno-Politico-Socio Transformation and Economic Emancipation Movement
and the teachings of the Awaken One with Awareness without knowing that
they are seeds that keep sprouting as Bodhi Trees.

If all the fraud EVMs are replaced by paper ballots they will not even get 1% of the votes.

Only Ms Mayawati’s BSP which got majority of the seats in UP Panchayat
Elections with these paper ballots will the not only become the CM of UP
but also the next PM of Prabuddha Bharath.

RSS’s Mohan Bhagwat,Bhaiyyaji Joshi and 41 regional pracharaks are all drop
outs including Mohan Agarwal.Also Ram Lal and Ram Madhav,Rajnath Singh
and Amit Shahlike doubtful education of Murderer of democratic
institutions (Modi).

Caste by caste, BSP fields ‘bhaichara coordinators’

Satish Chandra Misra, the BSP’s Brahmin face, has been assigned the reserved seats in
eastern UP, central UP and Bundelkhand, and MLA Ramvir Upadhyay the
reserved seats of western UP.

The BSP has fielded some of its most prominent non-SC/ST leaders to
reach out to the communities they represent. Ahead of the UP elections,
the BSP has assigned specific regions to these bhaichara coordinators.

Satish Chandra Misra, the BSP’s Brahmin face, has been assigned the
reserved seats in eastern UP, central UP and Bundelkhand, and MLA Ramvir
Upadhyay the reserved seats of western UP. Misra addressed a rally in
Gorakhpur’s Khajani Sunday, with BSP candidates from seven reserved
seats attending. Statewide, Misra will be assisted by other Brahmin
leaders including his son-in-law Paresh and former MLC Gopal Narain
Mishra.

For Muslims, the BSP has chosen party general secretary Naseemuddin
Siddiqui for western UP where he is addressing meetings, Rajya Sabha MP
Munquad Ali for Varanasi, Allahabad and Mirzapur divisions, and Naushad
Ali for Bundelkhand, and Athar Khan in Faizabad and Devipatan.

Among OBC leaders, state BSP chief Ram Achal Rajbhar and former
Speaker Sukhdeo Rajbhar have begun addressing sammelans in eastern UP,
while former MLC R S Kushwaha is trying to attract Kushwahas in central
UP. Pratap Singh Baghel is wooing the Gaderiya (Pal) community in Agra
region, former minister Lalji Verma addressing Kurmis in eastern UP and
Terai, and former MP R K Singh Patel is in Bundelkhand and Allahabad.

Former minister Jaivir Singh will work among Thakurs in western UP,
former MLA Jitendra Singh Babloo has been addressing sammelans in
Faizabad and Basti, and Rasra MLA Umashankar Singh in Azamgarh.

http://news.webindia123.com/…/A…/India/20100828/1575461.html
Demonetisation: Continuous cash crunch can adversely impact BJP’s prospects in Uttar Pradesh polls, believes RSS
With the gradual shifting of common people from supporting the
demonetisation to criticising it taking note of the continuous cash
crunch even over a month of its announcement, several units and
affiliates of the RSS believed it could adversely impact the chances of
BJP to win.

Soon after Murderer of democratic institutions
(Modi)’s announcement of demonetisation, the banks and ATMs witnessed
long queues of people waiting to either withdraw lower denomination of
banknotes or to exchange their high-value currencies with it.


With the gradual shifting of common people from supporting the
demonetisation to criticising it taking note of the continuous cash
crunch even over a month of its announcement, several units and
affiliates of the Rakshasa Swayamsevak Sangh (RSS) believed it could
adversely impact the chances of Bahuth Jiyadha Psychopaths (BJP) to win.
They have reportedly suggested senior functionaries of the Sangh and
the BJP that either cash inflow should be increased at the earliest or
the Uttar Pradesh elections
The 5 Deadliest Terrorist Groups on the Planet
“Like it or not, terrorism will continue to be a problem for the United
States, its allies, and the rest of the international community. “
nationalinterest.org


RSS
is all set to enter the Uttar Pradesh Assembly elections battleground
with special focus on reaching out to the Dalit communities to ensure
their votes.
indiatoday.intoday.in

LikeShow More Reactions
Comment

comments (0)
ELECTRONC VOTING MACHINE
Filed under: General
Posted by: site admin @ 6:31 pm

https://drive.google.com/file/d/0B3FeaMu_1EQyOWZYS2w0eUkwcnM/view

Page
1
/
9

Page 1 of 9

ELECTRONC VOTING MACHINE

Group No. 3

Pooja Nagle (07d04003)<npooja@ee.iitb.ac.in>

Neha Agarwal(07011023)< neha.ag@ee.iitb.ac.in >

Supervisor : PC Pandey

Abstract

The project is aimed to make an unsupervised Electronic Voting Machine, with no controls

required from the polling officer. It will be used to cast votes for multiple elections taking

place simultaneously. Each valid voter is provided with a unique voter ID and a pass code by

the election committee to be kept securely, which is used for the voter identification and

validation during vote casting. There is no restriction on the number of candidates standing

for a particular election. It will tally the votes and also have the facility of recording of actual

votes using real-time clock for time stamping of the votes, which will only be read accessible.

1. Introduction

We are fascinated by the fact that the World’s Largest Democracy implements elections

electronically, while on the contrary it is discouraged by the western countries even now.

When we did a comprehensive we came around following facts which are not a part of Indian

EVM’s driving as motivation for us to implement them in our design.

1. Election Transparency: all the processes of handling and counting ballots to be

completely open to public view. Nothing to be hidden or secret – except, of course, each

individual’s voting choices.

2. Trust of the voter in the EVM registering the vote : We plan to implement voter verifiable

paper record (vvpr) to which voter can look up instantly and decide on whether the vote he

casted is registered correctly in the system increasing the reliability of the system.

We have made a module which interfaces with the voter and directs to the procedure of

voting. The Liquid Crystal Display unit provides the voter friendly interface guiding through

the procedure of voting. The keypad is used to enter the details and other actions to be taken

by the voter, which are integrated with the display unit. We learnt a lot many aspects of

design and especially SD card interfacing is the most interesting part. Also the product can be

used for several types of elections not only just the State or Assembly Elections, discussed in

later sections.

2. Design Approach

Product Design

Flow Diagram: How voting will take place:

FRONT PANEL

Display Unit Keypad Unit

BACK PANEL

Sealed Slot for Memory CARD I and CARD II

Polling Officer sets up the

machine for voting. Now on

voting will be unsupervised.

Voter enters

A

Page 1 of 9

Page 2 of 9

no

yes

no yes

If VVPR

is implemented

3. Hardware Design

The hardware required for this design mainly needs to interface various blocks with each

other in synchronisation. These are as follows:

Reads the instructions

displayed on the screen.

The machine prompts for

the Voter ID and Pass code

Display the Eligible election List

Wait for voter to choose for the

Election to vote for

If the ID &

pass code

match &

voter hasn’t

voted?

Register the vote

Print out the VVPR

if correct

and verified

by voter

number of

attempts

>3?

Logout the Voter

Display Error Message

B

B

A

Page 2 of 9

Page 3 of 9

3.1 Memory Storage Components

We require a memory which is easy and fast in read write and easily detachable from the

system whenever required, without any changes to the internal circuitry. Memory

requirement is also high, as it stores a large database of the voters and other details.

Therefore, we decided to go for SD Cards. There are two sd cards in the proposed machine:

Card I: It is a Read Write Card that will have data from the Election Commission, serially

transferred to the card by the PC:

 Voter Details: Voter ID, Pass code, Election Eligibility.

 Candidate Details: Candidate Name, Party, ID, votes casted in favor,( symbol in case of

graphics display).

–Read Only: Voter details section

–R/W: No. of votes casted in the favour of a particular candidate will be updated during

voting.

Card II: It will have the stamped vote details, exactly as they are casted by the voters. Data

already written will be freeze, to keep details intact and non-modifiable at any point of time.

This card can be used in case of any legal concerns regarding the mismatch of the expected

and actual results, or if some malpractice is suspected in the tallying process.

3.2 Microcontroller

It will control the interfacing between various blocks as shown above in the machine. It has

the voting software programmed in it. We have chosen the Atmega 32 for our design. It has a

serial interface, two wire link interface, which are required for SD Card and RTC interfacing

respectively. Our system requires a uC with low computational speed, since they happen only

at the time votes are casted and that too are not prolonged, making us choose Atmega-32.

Initially, we used Atmega16, but due to larger RAM requirements of the software we moved

onto Atmega32.We have left many pins of uC unused, this is for further use of these port pins

to implement future works like biological unit, printer etc. Also on the same line we shifted

from 8bit to 4bit LCD interfacing.

3.3 Output Display Unit: LCD

This is the output unit of the machine. Voter Interface will be provided here. It displays all

the relevant details about the current election and voter can act accordingly and view the

options out here. We have implemented it on the 16X2 display currently since the display

items were not complex as we didn’t have symbol for a candidate in present machine.

3.4 Input Unit: Keypad

This is the input unit of the machine which takes various instructions from the voters, while

voting and also in configuring of the EVM before elections. The voter enters the details asked

for identification via voter ID and pass code, and moves further on to the process of voting.

Voter ID & Pass code will be in the form of numbers so as to remove any issues related

languages, and cultures. Other 4 keys will be as: arrow keys, enter key. This will be specified

on the hardware.

3.5 Real-Time Clock (RTC)

It is used for time stamping of votes on the SD Card II. It readily gives current time and date

whenever needed. Battery is needed for Real time clock so that in spite of power failure the

clock runs. Also there will less burden on the power supply. But we propose to implement it

in next stage of our design.

Page 3 of 9

Page 4 of 9

4. Software Design

The software will be programmed in the microcontroller. This will determine how casted

votes are handled by the system. The interfacing between various blocks is also integrated

with this. Also there will be some encryption for the Voter ID numbers which will be printed

on the Paper Record which we have proposed as extension. The software is being

implemented in 4 steps (4.1-4.4).

4.1 Validation of Voter

Voter is validated by checking the entered password from the corresponding voterid’s

passcode entered in voter.txt file.

4.2 Checking the status of vote

Checking the voter status: It first checks if the voter has voted for central elections by

searching for the voterID in the file centl.txt.

If no, he is asked to vote. If yes, we check if user is eligible for state election happening.

If the voter is not eligible, he is logged out.

If eligible, similar procedure as of central election is carried out.

4.3 Vote Registration

The list of candidates standing for election under consideration is displayed along with the

candidateID and the voter is asked for the candidateID he wish to vote for. The corresponding

count in ccand.txt gets incremented by one, thereby giving the count of votes received by a

particular candidate. Same procedure is followed for state elections as well.

4.4 Time stamping of vote

Time stamping of vote is done to avoid bogus voting and track them. The vote casted by a

voter gets registered at mini SD, in the file centl.txt. Details of the vote casted are given in

description of centl.txt file

4.5 File Structure

4.5.1 Card-I (micro SD)

a).Voter.txt – This file has the attributes of the voter namely voterid, voter passcode, voter

name and his state of eligibility. All the attributes of one voter are separated by a ‘|’ character

and each voter record comes in next line.

The file ends with a ~ character.

For eg. – 1|9|assam|ram means voterid is 1, passcode is 9, voter state is assam and name is

ram.

b). Cand.txt – Contains the list of candidates standing for central elections. Each row

corresponds to one candidate and has the candidateID, candidate name and number of votes

casted for the candidate.

c). Scand.txt – Same as cand.txt but for state elections.

d). Sdet.txt – This stores the name of state in which elections are happening.

4.5.2 Card-II (miniSD)

a). Centl.txt – Stores the vote casted for central elections. Format in which it gets stored is:

voterID|candidateID|time at which vote casted|date at which vote casted*

Each vote is separated by a *, and the end of file is marked by ~.

b). State.txt – Same for state elections.

Page 4 of 9

Page 5 of 9

4.6 Assumptions and Constraints of file storage

1. VoterID and candidateID should start from one and be consecutive integers.

2. VoterID and passcode can be of maximum 19 characters.

3. CandidateID of 2 characters, candidate name is 30 characters and vote casted is 5

characters.

4. The record of each candidate in cand.txt and scand.txt is occupied fully. That is, if a

candidate name is of 10 characters only, still 30 characters should be full. Rest 20 are written

by a dummy character, say $. Similar is for all fields in this file. This is done since for

updating a file from mid, we need to know the exact character position from where the vote

count should be updated.

5. No votes for a candidate has to be represented by a 0.

5. Block Wise Testing

5.1 Secure Digital Card

 Micro SD Card: 2GB

 Mini SD Card: 2GBB

 Serial Clock Frequency (SCK): 0.5 MHz

 Protocol – Interfaced with Atmega16 through the SPI peripheral. The card is acting as

slave and uC as master.

SD card is interfaced with the atmega16 using FAT32 filesystem. Two pins are used as chip

select for selecting between the cards and hence the communication is done independently

between them. Since two cards were used, MISO, MOSI and SCK pins of uC are multiplexed

to both the cards. Communication is done block wise at a time and each block size is 512

bytes. The resistors at these pins are provided to match the current specifications of SDcard.

SDcard runs on a supply voltage of 2.7-3.6V, we have used a fixed voltage regulator of

3.3V(LM1117).

5.2 Keypad

We have used the logic of scanning the rows and columns of the 4X4 matrix keypad by

pulling rows low one by one and then checking the corresponding column press for that low

row. If a key in that row is presses then a column intersecting with that row will be low,

hence key detection was done. Also we introduced a delay of 20us in order to check that

Page 5 of 9

Page 6 of 9

really a key was pressed and hence again took the input for that key. The program flow

diagram is as follows:

 Select a 8bit Port for attaching keypad

 Set 4 bits for row connection: output pin configuration

 Set remaining 4 for column connection: input pin configuration

 Initialize output pins as all 1’s

 Run a loop in which each row is pulled down at a time

 Check for column and wait for key de-bouncing time and then again read the input pins.

 Wait for input port to settle

 Then according to the read value assign the symbol to that key using a switch case.

5.3 LCD Interfacing

 16X2 Hitachi HD44780

LCD is interfaced in 4 bit mode, that is we have used only 6 pins of uC:

4: data line (DB7-DB4)

2: control pins RS(register select) and E(enable)

We only write data onto LCD. Instead of 8bit mode 4bit was chosen since our application is

not high speed and delays due to the introduction of multiplexing data line twice, doesn’t

affect the system speed pertaining to our requirement. Its important to note down the

sequence of instructions to be followed, else the 4bit implementation won’t give correct

results. The program flow diagram is as follows:

 There’s an initialization sequence to be followed mentioned in the datasheet, as a 8 bit

interface to set the LCD in 4 bit interfacing, done in init_lcd() function.

 Define 2 functions for writing data and command words by selecting data and instruction

register respectively.

 Sequence of instruction to be followed is:

1. Put the word to be written in the respective register on data lines.

2. Select the data/instruction register to be written in.

3. Strobe the enable line.

Repeat this for lower nibble of the 8bit word.

 Also define a function for selecting the position on the LCD to be written, move_to(x,y).

This function writes the DDRAM address to position the cursor. As mentioned in datasheet

for 16X2, 2 line display address are as follows.

5.4 Real Time Clock

Chip used: Maxim DS 1307

Protocol: Serial interface using Two-Wire interface using Inter-Integrated Circuit(I

2C)

multi-master serial bus.

RTC interfaced with LCD.

Specifications of communication:

Page 6 of 9

Page 7 of 9

RTC

 uC Frequency : 1MHz

 Serial Clock Frequency (SCL): 28KHz (calculated from data sheet).

 Serial Data Line: SDA

Currently RTC resets on each power shut down since there is no back battery put into the

system.

6. Test Results and Discussions

The blocks tested are running successfully:

 Serial communication with the PC from the uC is implemented successfully (serial port

used). This was performed in 3 steps- character by character mirroring, buffer

transmission, modify the received buffer and then transmit. We observed this

transmission on the DSO as well to verify whether the serial communication is working

perfectly or not.

 MicroSD card interfaced with uC and following steps were executed.

1) A single block was read/write/deleted from the card.

2) Card was formatted in FAT32 and then the files were read/write/deleted from the uC.

 LM317 was used first which is a variable regulator due to ease of access. It did work out

for while we used only one card in the circuit. But on introduction of second card in the

system, loading occurred and the supply voltage of regulator was not within the range

2.7-3.6, though it was supposed to be at 3.3V(set voltage).

Due to this, one microSD card was blown. Hence, to account for the huge sensitivity of

microSD, we moved on to LM1117, for using this. These variations were removed by the

fixed voltage regulator LM1117.

 Before writing the EVM software, card to card communication was tested, as a

prerequisite step.

 Software issues :- “voter.txt” is not taken by the avr compiler and hence this was passed

character by character as ‘v’,’o’,’t’,’e’,’r’ .

 When we implemented the writing of data from one card to another, via the uC, we

encountered the problem of RAM flow. Each block is of 512 bytes and we required two

thereby leading to >1K of RAM. This caused RAM overflow of Atmega16 and problems

like main reset were encountered. Hence we switched to Atmega32, our final processor of

the EVM.

Page 7 of 9

Page 8 of 9

7. Future Plans

1. Facility to provide printer extension in the machine, so that voter can be sure of his

vote casted after seeing it on a hard copy. This will help to track the malfunctioning of

EVM and have a backup of votes in that case.

Voter Verifiable Paper Record (VVPR): (if implemented)

It will have following details on it:

1. Candidate name for which voter voted

2. Encrypted Voter ID

We propose to have this paper record behind a glass shield so that voter doesn’t

tamper with it.

2. Graphics/touch screen implementation for display unit.

3. Facility of increased font size for poor eyesight voters.

4. Biometric Voter Identification.

5. LAN connectivity of the machine.

8. References

1. Datasheets: Atmega16,32, DS1307, LCD: Hitachi HD44780, max232, voltage

regulator 7805, Low drop out linear regulator 1117

2. Web sources :

http://www.dharmanitech.com/,

http://www.schneier.com/blog/archives/2004/11/the_problem_wit.html

http://www.tiresias.org/research/guidelines/evoting_projects.htm#australia

3. Comprehensive Study: Documents in pdf format as follows

a) FAQ’s: Indian EVM

Published by: Election Commission of India

b) Electronic Voting Machines from Bharat Electronics Limited, India

c) Facts About Electronic Elections: www.VotersUnite.Org

d) Paper: On Voting Machine Design for Verification and Testability

Authors: Cynthia Sturton, SusmitJha, SanjitA.Seshia, DavidWagner

e) Report: Electronic voting – challenges and opportunities

Published by: Ministry of Local Government and Regional Development, Norway

Page 8 of 9

Page 9 of 9

9. Appendix

9A Schematic Developed

9B Cost Estimation

Components Qty Cost(Rs.)

Mini SD 1 450

Micro SD 1 300

Card Holder 2 100

Atmega32 1 170

LM 1117 1 100

LCD 16X2 1 100

Relimate Buses 2 50

RTC Battery + Holder 1 40

RTC DS1307 1 30

Max232 1 18

Keypad 4X4 1 16

7805 1 6

Total 1380

Page 9 of 9

Page 1 of 9

http://bestanimations.com/Holidays/Thankyou-01-june.gif

comments (0)
12/23/16
2087 Sat 24 Dec 2016 LESSONS from Rector JCMesh J Alphabets Letter Animation ClipartMesh C Alphabets Letter Animation Clipart an expert who identifies experts influenced by Expert and Infulencer Sashikanth Chandrasekharan of Free Online Buddhism - World Religions for Kidshttps://drambedkarbooks.com/2015/03/14/the-chamcha-age-by-saheb-kanshi-ram/#more-1506Awaken One With Awareness Mind (A1wAM)+ ioT (insight-net of Things) - the art of Giving, taking and Living to attain Eternal Bliss as Final Goal through Electronic Visual Communication Course on Political Science -Techno-Politico-Socio Transformation and Economic Emancipation Movement (TPSTEEM). Struggle hard to see that all fraud EVMs are replaced by paper ballots by Start using Internet of things by creating Websites, blogs. Make the best use of facebook, twitter etc., to propagate TPSTEEM thru FOA1TRPUVF. Practice Insight Meditation in all postures of the body - Sitting, standing, lying, walking, jogging, cycling, swimming, martial arts etc., for health mind in a healthy body. from INSIGHT-NET-Hi Tech Radio Free Animation Clipart Online A1 (Awakened One) Tipiṭaka Research & Practice University in Visual Format (FOA1TRPUVF) https://archive.org/stream/DhammapadaIllustrated/dhammapada_illustrated#page/n1/mode/2up free online university research practice up a level through http://sarvajan.ambedkar.orgup a level https://awakenmediaprabandhak. wordpress.com/ email-0565.gif from 123gifs.eu Download & Greeting Card modinotourpm@gmail.com jchandra1942@icloud.com sarvajanow@yahoo.co.in is the most Positive Energy of informative and research oriented site propagating the teachings of the Awakened One with Awareness the Buddha and on Techno-Politico-Socio Transformation and Economic Emancipation Movement followed by millions of people all over the world in 105 Classical languages. Rendering exact translation as a lesson of this University in one’s mother tongue to this Google Translation and propagation entitles to become a Stream Enterer (Sottapanna) and to attain Eternal Bliss as a Final Goal BSP is the Number One Largest Party in the Country with all societies (sarvajan Samaj ) supporting it for Sarvajan Hitay sarvajan Sukhay. http://indianexpress.com/…/uttar-pradesh-opppsition-forces…/ Uttar Pradesh: Opppsition forces adjournment over ‘poor’ law and order http://indiatoday.intoday.in/…/modi-demonetis…/1/841741.html Approaching deadline: What happens after Murderer of democratic institutions(Mod’s 50-day promise to eradicate black money from India https://drive.google.com/file/d/0B3FeaMu_1EQyZ2pTNmd4cjQ3anM/vie Electronic Voting Systems: the Good, the Bad, and the Stupid
Filed under: General
Posted by: site admin @ 9:48 pm



2087 Sat 24 Dec 2016


LESSONS


from

Rector
JCMesh J Alphabets Letter Animation ClipartMesh C Alphabets Letter Animation Clipart

an expert who identifies experts influenced by Expert and Infulencer Sashikanth Chandrasekharan
of


Free Online
Buddhism - World

Religions for Kidshttps://drambedkarbooks.com/2015/03/14/the-chamcha-age-by-saheb-kanshi-ram/#more-1506
Awaken One With Awareness Mind
(A1wAM)
+ ioT (insight-net of Things)  - the art of Giving, taking and Living   to attain Eternal Bliss
as Final Goal through Electronic Visual Communication Course on
Political Science -Techno-Politico-Socio Transformation and Economic
Emancipation Movement (TPSTEEM).


Struggle hard to see that all fraud EVMs are replaced by paper ballots by

Start
using Internet of things by creating Websites, blogs. Make the best use
of facebook, twitter etc., to propagate TPSTEEM thru
FOA1TRPUVF.

Practice
Insight Meditation in all postures of the body - Sitting, standing,
lying, walking, jogging, cycling, swimming, martial arts etc., for
health mind in a healthy body.



 from

INSIGHT-NET-Hi Tech Radio Free Animation Clipart Online A1 (Awakened One) Tipiṭaka Research & Practice University
in Visual Format (FOA1TRPUVF)

https://archive.org/stream/DhammapadaIllustrated/dhammapada_illustrated#page/n1/mode/2up


free online university research practice









up a level through http://sarvajan.ambedkar.orgup a level



https://awakenmediaprabandhak. wordpress.com/












email-0565.gif from 123gifs.eu Download & Greeting Card


modinotourpm@gmail.com
jchandra1942@icloud.com
sarvajanow@yahoo.co.in



is the most Positive Energy of informative and research oriented site propagating the teachings of the Awakened One with Awareness the Buddha and on Techno-Politico-Socio Transformation and Economic Emancipation Movement followed by millions of people all over the world in 105 Classical languages.


Rendering exact translation as a lesson of this
University in one’s mother tongue to this Google Translation and
propagation entitles to become a Stream
Enterer (Sottapanna) and

to attain Eternal Bliss as a Final Goal

BSP
is the Number One Largest Party in the Country with all societies
(sarvajan Samaj ) supporting it for Sarvajan Hitay sarvajan Sukhay.

http://indianexpress.com/…/uttar-pradesh-opppsition-forces…/

Uttar Pradesh: Opppsition forces adjournment over ‘poor’ law and order

http://indiatoday.intoday.in/…/modi-demonetis…/1/841741.html


Approaching deadline: What happens after Murderer of democratic
institutions(Mod’s 50-day promise to eradicate black money from India

https://drive.google.com/file/d/0B3FeaMu_1EQyZ2pTNmd4cjQ3anM/vie


Electronic Voting Systems: the Good, the Bad, and the Stupid


http://www.ambedkar.org/gifimages/voteforBSP.gif

http://www.ambedkar.org/gifimages/voteforBSP.gif


http://www.ambedkar.org/gifimages/voteforBSP.gif

http://indianexpress.com/…/uttar-pradesh-opppsition-forces…/

Uttar Pradesh: Opppsition forces adjournment over ‘poor’ law and order


BSP members demanded that the Chairman immediately initiate a
discussion on law and order arguing that the situation in the state had
worsened. Chairman Ramesh Yadav asked BSP members to raise their issues
during Zero Hour but, when members did not relent, he adjourned the
House.

When the House resumed, BSP members sought adjournment for
discussion on the alleged murder of one Nasir Khan in Meerut on
December 9. After a reply from Leader of the House Ahmed Hasan, the
chairman rejected the adjournment and directed the government for
necessary action. However, BSP members again demanded a discussion on
the matter. Meanwhile, SP member Shatrudra Prakash raised a point of
order over Siddiqui’s speech, to which BSP members objected, and trooped
into the well and raised slogans. The chairman then adjourned the House
upto 3.30 pm.

When the house met again, it was adjourned sine die.



http://www.india.com/…/uttar-pradesh-governments-assent-to…/

Mayawati slams Akhilesh Yadav, says Uttar Pradesh government’s assent to include 17 castes in Schedule Caste mere drama


UP Cabinet’s assent for inclusion of 17 OBCs in SC list is a mere drama
played just before the Assembly elections in the state, Mayawati said,
adding this decision is both unfortunate and condemnable, aimed at
deceiving these castes.

Lucknow,
Dec 22: BSP supremo Mayawati on Thursday terming the Akhilesh Yadav
government’s assent to include 17 Other Backward Castes in the SC list
as a “mere drama” said the decision is both “unfortunate and
condemnable” and aimed at deceiving these communities. “After having
neglected all the backward castes barring one in the past five years of
its rule, the SP government is out to mislead them in the same vein as
was done by the then Mulayam Singh Yadav government,” she said in a
statement.

UP Cabinet’s assent for inclusion of 17 OBCs in SC
list is a mere drama played just before the Assembly elections in the
state, Mayawati said, adding this decision is both unfortunate and
condemnable, aimed at deceiving these castes. This decision is against
the law as it is only the Central government which can include any caste
in the SC list, she said, adding after Mulayam government’s decision on
this issue, these castes were left in the lurch for they then belonged
neither in the OBC nor in the SC list.

She claimed that it was
the BSP government that succeeded the Mulayam Singh Yadav government
which reverted the decision bringing the castes back in the backward
list and sent a proposal to the Centre for inclusion only on condition
of increasing the quota of the SC. This decision has been taken in
perhaps the last Cabinet meeting of this government, Mayawati remarked. A
Cabinet meeting presided over by Chief Minister Akhilesh Yadav this
morning cleared the proposal to include Kahar, Kashyap, Kewat, Nishad,
Bind, Bhar, Prajapati, Rajbhar, Batham, Gaur, Tura, Majhi, Mallah,
Kumhar, Dheemar and Machua sub-castes in the Scheduled Caste categor


http://indiatoday.intoday.in/…/modi-demonetis…/1/841741.html


Approaching deadline: What happens after Murderer of democratic
institutions(Mod’s 50-day promise to eradicate black money from India


Deaths and scarcity of new notes among other inconveniences faced by
people were reported following the demonetisation move. After 50 days of
note ban, what will become of India is what we all have been thinking
about.

The hands of the clock ticking showed it was 8 in the
evening. The stage was set and people were glued to their television
sets, reminding a scene from the past when Chitrahaar on Doordarshan
vacated roads.

Instead of old Bollywood songs, Modi appeared and
made an announcement. In five minutes, the world’s largest democracy was
running blind. Once a legal tender, Rs 500 and Rs 1,000 notes, which
made up 86 per cent of India’s cash economy, were rendered impotent.
Cutting the long story short, Modi asked for 50 days to transform our
nation into a corruption-free economy.

Along with a bureaucrat –
Hasmukh Adhia — who served as Modi’s principal secretary when Modi was
Gujarat’s chief minister, and with a special team of trusted
researchers, Modi came out with a plan to demonetise Rs 500 and Rs 1,000
notes to bring out black money from the ’shadow economy’ of the
country.

The move drew global attention. The demonetisation
drive was condemned by even more. Banks started to slog, cash counters
and ATM queues clogged up with people, all reaching for an epilogue,
which was to come after 50 days since November 8, 2016, when Modi’s
demonetisation drive was put in the first gear.

Amid countless
media reports — reports of people losing their lives standing in long
queues because of Modi’s QUEUE INDIA MOVEMENT bank employees dying due
to work overload, income tax raids seizing close to Rs 230 crore in new
currency, the bane — was a question. ‘What happens after 50 days?’

Modi under note ban ordered a withdrawal of more than 2,200 crore notes of Rs 500 and Rs 1,000 denominations, as per estimates.


Out of Rs 16 lakh crore, which was part of our cash-based economy, a
staggering 86 per cent of the cash in our country, which is Rs 14.18
lakh crore worth of notes, was discontinued. This cash includes both the
legitimate money of taxpayers, and cash with black money hoarders.


The residual currency amounted to Rs 2.2 lakh crore, which was the
remaining 14 per cent of the cash-based economy out of 86 per cent.


After the withdrawal of old notes from the country, RBI started to
print new notes of Rs 500 and Rs 2,000. An amount equal to Rs 1.5 lakh
crore worth of new notes was printed which supplemented the Rs 2.2 lakh
crore of the residual currency (other than Rs 500 and Rs 1,000 notes)
already in circulation.

A November 25, 2016 research report by
Credit Suisse suggests that new notes worth only Rs 1.5 lakh crore have
come into circulation so far.

According to another media report,
for RBI, it could take several months to fill the hole left behind, by
the withdrawal of notes worth Rs 14.18 lakh crore.

“To meet the
new currency demand, industry estimates indicate that the RBI has
already been able to print Rs 3 lakh crore worth of new currency.
However, these notes being high value and with remaining currency which
is less that 15 per cent of the total currency, they are unable to
provide enough liquidity to transact,” an Indian Express said.


According to an IndiaToday business expert, to fill the gap in the
economy, 3.5 billion notes of Rs 2,000 were to be printed, for which it
takes close to three months. Out of that, 1.5 billion Rs 2,000 notes
have been printed.

For Rs 500 notes, 16 billion pieces were to be
printed for the hole in the economy to be filled, and out of that, 7
billion notes worth Rs 500 have been printed.

Taking into
consideration the withdrawal limits till December 30, once the
limitations receive relaxation, the demand for new currency will go up.


“The requirement of notes could be higher if normal demand for currency
picks up as and when the government relaxes withdrawal limits and more
ATMs become operational,” the Credit Suisse report said.

WHAT HAPPENS AFTER 50 DAYS - HAPPY NEW YEAR


Experts are of the view that the pace at which Reserve Bank of India is
working, the situation can continue to be the same, up until March or
April of 2017.

“It is possible that the circulation normalises
before January 2017 but for that the presses would need to operate at
more than 150 per cent capacity utilisation, which might be physically
improbables¦,” the Credit Suisse report said.

According to an
Indian Express report, ICICI Securities estimates, that the cash crunch
might go on for longer than promised, even if Modi works at its 100 per
cent capacity to fill the void, and the same report also suggests that
‘normalcy might not be restored until March of 2017′.

DEMONETISATION HURTING WHERE IT HURTS THE MOST


In the past, countless reports have stated the misery of farmers in
India. With prices in a free-fall due to demonetisation, small farmers
have seen their produce suffer, as many failed to get a legitimate price
for the same.

The cash crunch compelled many farmers and farm
traders to experience the scarcity of cash, which led to a chaos in the
business and trade.

In December 2016, Chhattisgarh farmers
crushed their produce under trucks after getting 50 paise a kilo for
their yield. In another IndiaToday report, onion farmers dumped their
produce when they received a mere 50 paise a kilo for their onions.


Modi’s demonetisation drive started with crackdown against black money
hoarders, which soon turned into action against terrorism, which later
was termed an initiative towards making India a cashless economy.

This particular move gave e-commerce a spike in their business.


On the other hand, many have been speculating that India is not yet
ready for a cashless future where poor internet penetration and
networking infrastructure will hold India back, as a majority of the
people still don’t posses debit cards or credits cards in the country.


India’s cyber security is a big issue as in the past. And that’s just
social media under threat and not how big the impact of rogue hacking
will be, if it comes to online transactions, especially in a nation
where rural population has no clue of online payments whatsoever.


The stats and figures in the story give a close idea of what has been
up with the economy of India post Modi’s demonetisation drive.

There have been several incidents which prove that India’s currency-ban decision has made people suffer.


The move has received serious criticism with the latest coming from
Chief Executive of Forbes who called Modi’s demonetisation drive an
‘immoral theft of people’s property’.


Narendra
Modi on November 8 announced a nationwide currency ban. Asking for 50
days to transform our country, now the date is near which will decide
the fate of the…
indiatoday.intoday.in

http://nationalinterest.org/…/washington-watching-the-5-dea…

http://www.assam123.com/america-enlisted-rss-one-biggest-t…/

http://www.dailymail.co.uk/…/One-village-one-one-crematoriu…


Rakshasa Swayam Sevaks (RSS) is a non-entity which do not believe in
our Modern Constitution but in a stealth, shadowy discriminating
hindutva cult rashtra. Their leaders are not elected in a democratic
manner but are selected among the inner circle of just 1% intolerant,
shooting, lynching, lunatic, mentally retarded, cannibal psychopath
chitpawan brahmins who believe in brahmins as 1st rate athmas,
kshatriyas as 2nd rate, vysias as 3rd rate, shudhras as 4th rate souls
and the aboriginal panchamas (SC/STs0 have no soul, so that they cand
commit any crime on them. But the Buddha never believed in any soul. He
said all are equal. Hence Babasaheb returned back with millions of
people back to their original home Buddhism. According to the Architect
of the Modern Constitution Dr BR Ambedkar, irrespect of caste,
religion, creed and colour anyone can acquire education and not just the
brahmins as per manuvad, Anyone can rule this country unlike the
kashatrias as per manu. Anyone can do trade and business unlike vysias
as per manuvad. As mer manu women has no right like the men. But the
modern constitution made provisions for women even to become rulers. Ex
Indira gandhi, Jayalilita, Mamata Banerji etc., But for Dr Ambedkar they
would have not been recognised. Irrespect of caste and religion
Devegowda etc., would have not become the PM of this country.

This is intolerated by RSS which is opposed to reservation.

http://www.assam123.com/america-enlisted-rss-one-biggest-t…/

RSS is one of the Biggest Terrorist Organisations in the World. They are
Mad Horrorists threat group - shadowy, stealth and discriminatory group
trying to establish hindutva cult.

New Delhi: A US-based risk management and consulting company has put the
Rashtriya Swayamsevak Sangh (RSS) because RSS is killing so many people
and bombing and cutting of people and using suicide bombing techniques
and raping and honor killing women … it all happened in Gujrat and
happening in parts of the country.. Go get a life and become a Hindu
mr…. What is it? the one who have at least common sense, do u think he
or she become hindu? do u think that? Most of the people in the world
becoming muslim without any pressure, force or demand… think about
that…. See that RSS gentleman who studied about islam to oppose them and
became a muslim…. use your common sense and refrain from your bad
thoughts and paths.�They will have the end.. Rss have to be banned in
india with its.. hindhuthuva branches.. in south tamilnadu.. this rss
and hindhutva terrorist and Horrorist gang made problem to the people
who celebrating new year of 2015 night..

Increasing threats to the democratic-secular Indian polity from the Hindutva
organizations - a concise document on the anti-national game-plan of the
RSS.

Hence this technological game of 1% Chitpawan RSS plan has to be defeated by
strengthening the 99% intellectuals by exposing the fradulent EVMs as
done by 80 democracies of the world in the larger interest of Sarvajan
Hitaye Sarvajan Sukhaye i.e., for the peace, happiness and welfare of
all societies including SC/STs/ OBCs/ Minorities and the poor brahmins
and baniyas for distributing the wealth of this country among all
sections of the society as enshrined in the Constitution by making the
Supreme Court to pass orders to replace all fradulent EVMs and till such
time to scrap all elections conducted by these fradulent EVMs and then
to conduct elections with tamper proof voting system to save democracy,
equality, fraternity and liberty.

RSS means Rakshasa Swayam Sevaks in a non -entity undemocratic organisation
with all its 40 avathars VHP (Visha Hindutva Psychopaths), BJP (Bahuth
Jiyadha Psychopaths), BMS (Bhramin Masdoor Sangh), ABVP (All Brahmin
Venomous Psychopaths), Bhajan Dal, Terrorist Sanstha Sangatan, eic.,
that become active during all elections for the greed of power for
Murderer of democratic instituitions (Modi) who is just a meant time
stooge of the 1% intolerant, violent, militant, shooting, lynching,
lunatic, mentally retarded cannibal chitpawan brahmin psychopaths who
always keep heckling and giggling like mad people thinking that they are
great achievers.Murderer of democratic institutions (Modi) and all its
associate avathars are shani and peda of the nation which is eclipsing
the development and progress as enshrined in the modern Constitution
whose architect is Dr BR Ambedkar.

After gobbling the MASTER KEY by tampering the fraud EVMs for Murderer of
democratic institutions (Modi) remotely controlled by RSS meaning
Rakshasa Swayam Sevaks, a non -entity undemocratic organisation with all
its 40 avathars VHP (Visha Hindutva Psychopaths), BJP (Bahuth Jiyadha
Psychopaths), BMS (Bhramin Masdoor Sangh), ABVP (All Brahmin Venomous
Psychopaths), Bhajan Dal, Terrorist Sanstha Sangatan, eic., that become
active during all elections for the greed of power for Murderer of
democratic instituitions (Modi) who is just a meant time stooge of the
1% intolerant, violent, militant, shooting, lynching, lunatic, mentally
retarded cannibal chitpawan brahmin psychopaths who always keep heckling
and giggling like mad people thinking that they are great achievers.

They are Shani and Pedal of the nation trying to bury the
Techno-Politico-Socio Transformation and Economic Emancipation Movement
and the teachings of the Awaken One with Awareness without knowing that
they are seeds that keep sprouting as Bodhi Trees.

If all the fraud EVMs are replaced by paper ballots they will not even get 1% of the votes.

Only Ms Mayawati’s BSP which got majority of the seats in UP Panchayat
Elections with these paper ballots will the not only become the CM of UP
but also the next PM of Prabuddha Bharath.

RSS’s Mohan Bhagwat,Bhaiyyaji Joshi and 41 regional pracharaks are all drop
outs including Mohan Agarwal.Also Ram Lal and Ram Madhav,Rajnath Singh
and Amit Shahlike doubtful education of Murderer of democratic
institutions (Modi).

Caste by caste, BSP fields ‘bhaichara coordinators’

Satish Chandra Misra, the BSP’s Brahmin face, has been assigned the reserved seats in
eastern UP, central UP and Bundelkhand, and MLA Ramvir Upadhyay the
reserved seats of western UP.

The BSP has fielded some of its most prominent non-SC/ST leaders to
reach out to the communities they represent. Ahead of the UP elections,
the BSP has assigned specific regions to these bhaichara coordinators.

Satish Chandra Misra, the BSP’s Brahmin face, has been assigned the
reserved seats in eastern UP, central UP and Bundelkhand, and MLA Ramvir
Upadhyay the reserved seats of western UP. Misra addressed a rally in
Gorakhpur’s Khajani Sunday, with BSP candidates from seven reserved
seats attending. Statewide, Misra will be assisted by other Brahmin
leaders including his son-in-law Paresh and former MLC Gopal Narain
Mishra.

For Muslims, the BSP has chosen party general secretary Naseemuddin
Siddiqui for western UP where he is addressing meetings, Rajya Sabha MP
Munquad Ali for Varanasi, Allahabad and Mirzapur divisions, and Naushad
Ali for Bundelkhand, and Athar Khan in Faizabad and Devipatan.

Among OBC leaders, state BSP chief Ram Achal Rajbhar and former
Speaker Sukhdeo Rajbhar have begun addressing sammelans in eastern UP,
while former MLC R S Kushwaha is trying to attract Kushwahas in central
UP. Pratap Singh Baghel is wooing the Gaderiya (Pal) community in Agra
region, former minister Lalji Verma addressing Kurmis in eastern UP and
Terai, and former MP R K Singh Patel is in Bundelkhand and Allahabad.

Former minister Jaivir Singh will work among Thakurs in western UP,
former MLA Jitendra Singh Babloo has been addressing sammelans in
Faizabad and Basti, and Rasra MLA Umashankar Singh in Azamgarh.

http://news.webindia123.com/…/A…/India/20100828/1575461.html
Demonetisation: Continuous cash crunch can adversely impact BJP’s prospects in Uttar Pradesh polls, believes RSS
With the gradual shifting of common people from supporting the
demonetisation to criticising it taking note of the continuous cash
crunch even over a month of its announcement, several units and
affiliates of the RSS believed it could adversely impact the chances of
BJP to win.

Soon after Murderer of democratic institutions
(Modi)’s announcement of demonetisation, the banks and ATMs witnessed
long queues of people waiting to either withdraw lower denomination of
banknotes or to exchange their high-value currencies with it.


With the gradual shifting of common people from supporting the
demonetisation to criticising it taking note of the continuous cash
crunch even over a month of its announcement, several units and
affiliates of the Rakshasa Swayamsevak Sangh (RSS) believed it could
adversely impact the chances of Bahuth Jiyadha Psychopaths (BJP) to win.
They have reportedly suggested senior functionaries of the Sangh and
the BJP that either cash inflow should be increased at the earliest or
the Uttar Pradesh elections


“Like
it or not, terrorism will continue to be a problem for the United
States, its allies, and the rest of the international community. “
nationalinterest.org

https://drive.google.com/file/d/0B3FeaMu_1EQyZ2pTNmd4cjQ3anM/vie



Electronic Voting Systems: the Good, the Bad, and the Stupid


Page 1 of 11

Electronic Voting Systems: the Good, the Bad, and the Stupid

Barbara Simons

“Those who cast the votes decide nothing; those who count the votes decide everything.”

Joseph Stalin

“We always pray for large margins.” Theresa LePore, designer of the “butterfly” ballot.

As a result of Florida 2000, some people concluded that paper ballots simply couldn’t be

counted1

, even though businesses, banks, racetracks, lottery systems, and other entities in

our society count and deal with paper all the time. Instead, paperless computerized

voting systems (Direct Recording Electronic or DREs) were touted as the solution to “the

Florida problem.” Replacing hanging chads with 21st century technology, proponents

claimed, would result in accurate election counts and machines that would be impossible

to rig. Furthermore, with nothing to hand-count and no drawn-out recounts,

computerized voting systems could report results shortly after the polls close. Many

election officials loved the idea, believing the new machines would be cheaper and more

reliable than the old systems. Also, the lack of recounts meant that they could go home

early on Election Day. Vendor enthusiasm was enhanced by the almost $4 billion of US

government money that was promised in the Help America Vote Act (HAVA), passed in

2002. Yet now, two years after the passage of HAVA, voter verifiable paper trails are

being demanded by numerous public interest groups, computing professionals, and

members of Congress. Where did things go wrong?

Electronic voting machine software is proprietary, the certification testing process is both

secret and incomplete, and the test results are secret. The tests check only for

requirements in the Federal Election Commission (FEC) guidelines. To top things off,

Commercial Off The Shelf software (COTS) contained in voting systems is not examined

in any of the testing, simply because FEC guidelines don’t require it.

For years, prominent computer security experts have been arguing that paperless DRE

machines present major security problems, including buggy software and the risk of

malicious code affecting the outcome of an election. But the warnings of experts such as

Rebecca Mercuri (http://www.notablesoftware.com/evote.html) and Peter Neumann

(http://www.csl.sri.com/users/neumann/neumann.html#5) were largely unheeded by

election officials and the public until David Dill created a petition

1

The most outspoken advocate of paperless DREs is Jim Dickson, Vice-President of the

American Association of People with Disabilities. According to the NY Times, the

AAPD received $26,000 from vendors this year. (The National Federation for the Blind

received a million dollars from Diebold in settlement of a lawsuit). The League of

Women Voters also lobbied on behalf of paperless DREs. However, the national office

retracted its support of DREs when the members revolted at the recent LWV convention.


https://drive.google.com/file/d/0B3FeaMu_1EQyZ2pTNmd4cjQ3anM/view


Electronic Voting Systems: the Good, the Bad, and the Stupid

https://drive.google.com/file/d/0B3FeaMu_1EQyZ2pTNmd4cjQ3anM/view

Page
1
/
11

Page 1 of 11

Electronic Voting Systems: the Good, the Bad, and the Stupid

Barbara Simons

“Those who cast the votes decide nothing; those who count the votes decide everything.”

Joseph Stalin

“We always pray for large margins.” Theresa LePore, designer of the “butterfly” ballot.

As a result of Florida 2000, some people concluded that paper ballots simply couldn’t be

counted1

, even though businesses, banks, racetracks, lottery systems, and other entities in

our society count and deal with paper all the time. Instead, paperless computerized

voting systems (Direct Recording Electronic or DREs) were touted as the solution to “the

Florida problem.” Replacing hanging chads with 21st century technology, proponents

claimed, would result in accurate election counts and machines that would be impossible

to rig. Furthermore, with nothing to hand-count and no drawn-out recounts,

computerized voting systems could report results shortly after the polls close. Many

election officials loved the idea, believing the new machines would be cheaper and more

reliable than the old systems. Also, the lack of recounts meant that they could go home

early on Election Day. Vendor enthusiasm was enhanced by the almost $4 billion of US

government money that was promised in the Help America Vote Act (HAVA), passed in

2002. Yet now, two years after the passage of HAVA, voter verifiable paper trails are

being demanded by numerous public interest groups, computing professionals, and

members of Congress. Where did things go wrong?

Electronic voting machine software is proprietary, the certification testing process is both

secret and incomplete, and the test results are secret. The tests check only for

requirements in the Federal Election Commission (FEC) guidelines. To top things off,

Commercial Off The Shelf software (COTS) contained in voting systems is not examined

in any of the testing, simply because FEC guidelines don’t require it.

For years, prominent computer security experts have been arguing that paperless DRE

machines present major security problems, including buggy software and the risk of

malicious code affecting the outcome of an election. But the warnings of experts such as

Rebecca Mercuri (http://www.notablesoftware.com/evote.html) and Peter Neumann

(http://www.csl.sri.com/users/neumann/neumann.html#5) were largely unheeded by

election officials and the public until David Dill created a petition

1

The most outspoken advocate of paperless DREs is Jim Dickson, Vice-President of the

American Association of People with Disabilities. According to the NY Times, the

AAPD received $26,000 from vendors this year. (The National Federation for the Blind

received a million dollars from Diebold in settlement of a lawsuit). The League of

Women Voters also lobbied on behalf of paperless DREs. However, the national office

retracted its support of DREs when the members revolted at the recent LWV convention.

Page 1 of 11
Page 2 of 11

(http://www.verifiedvoting.org/index.asp) calling for voter verifiable audit trails for

voting systems. The core idea behind the Dill petition is that the voters should be able to

verify that their ballots have been correctly recorded; also, it should be possible to

conduct a meaningful recount.2

A few horror stories

Because of the secrecy surrounding almost every aspect of e-voting – along with a lack of

public national incident reporting – independent computing technologists can provide

only limited analyses of problems relating to hardware, software, testing, security, and

human factors. Nonetheless, evidence of these problems is widespread and varied. A

few representative examples follow.

In January 2004 a special election was held in Broward County, Florida. Only one

contest was included on the ballot. Yet, of the 10,844 votes cast on ES&S (Election

Systems & Software) paperless touch screen voting machines, 134 were … for no one at

all. Since the winning candidate won by only 12 votes, people understandably wondered

what had become of those 134 votes; there was no way of telling if some had been lost by

the computer. The mayor of Broward is now calling for paper ballots.

In November 2003 in Boone County, Indiana over 144,000 votes were cast even though

Boone County contains fewer than 19,000 registered voters. And, of those, only 5,532

actually voted. The county clerk stated that the problem was caused by a “glitch in the

software.” Updated results then were obtained that were consistent with the number of

people who had actually voted, and the public was reassured that the new electronic tally

was accurate. Still, because the county used paperless MicroVote (an Indiana company)

DREs, it was impossible to verify independently that the updated results were indeed

correct.

When the polls opened in Hinds County, Mississippi in November 2003, voters arrived to

find the WINvote DREs at the polls were down. Worse yet, there were no paper ballots

available. By mid-morning, some machines were still down. Voters complained about

waiting in long lines and of having to complete makeshift paper ballots – some being

nothing more than scraps of paper – without adequate privacy. At 8 p.m., there were still

voters standing in line. One report claimed the machines had overheated. Subsequently,

the Mississippi State Senate declared the results in that district invalid and scheduled a

new election. Had paper ballots been made available to voters, the machine related

problems could have been bypassed.

Diebold – a case study in incompetence

2

To avoid the risk that the machine prints the correct result but stores an incorrect result

in computer memory, some number of paper ballots randomly selected should be

manually recounted as a check on the machines.

Page 2 of 11
Page 3 of 11

Diebold, which has been manufacturing ATMs for years and is one of the major DRE

vendors, has become the poster child of all that is wrong with DREs. Diebold’s

involvement with voting machines received significant national press when the CEO of

Diebold, Walden O’Dell, stated in an August 14, 2003 letter to Central Ohio Republicans

that he was “committed to helping Ohio deliver its electoral votes to the President next

year.”

However, the PR problem triggered by O’Dell’s statement pales in comparison to the

technical incompetence of Diebold uncovered when Bev Harris

(http://www.scoop.co.nz/mason/stories/HL0302/S00036.htm) announced in February,

2003 that she had discovered Diebold voting machine software on an open FTP website.

Computer science professors Avi Rubin and Dan Wallach, and their students Tadayoshi

Kohno and Adam Stubblefield, subsequently analyzed some of that software and

published a security analysis in a paper that is sometimes referred to as the “Hopkins

paper” (http://avirubin.com/vote/analysis/index.html). One of the more shocking

revelations was that Diebold used a single DES key (F2654hD4) to encrypt all of the data

on a storage device. Consequently, an attacker with access to the source code would

have the ability to modify voting and auditing records. Perhaps even more surprising,

Diebold had been warned in 1997 about their sloppy key management by Douglas Jones,

a professor of computer science at the University of Iowa and a member of the Iowa

Board of Examiners for Voting Machines and Electronic Voting Equipment:

[N]either the technical staff nor salespeople at Global Election Systems

[purchased by Diebold in 2001] understood cryptographic security. They were

happy to assert that they used the Federally approved Data Encryption Standard,

but nobody seemed to understand key management, in fact, the lead programmer

to whom my question was forwarded, by cell-phone, found the phrase key

management to be unfamiliar and he needed explanation. On continued

questioning, it became apparent that there was only one key used, company wide,

for all of their voting products. The implication was that this key was hard-coded

into their source code!3

Because of the security issues raised in the Hopkins paper, the State of Maryland, which

had just committed to purchasing Diebold DREs, commissioned a study of Diebold

machines by Science Applications International Corporation (SAIC). The SAIC report

(http://www.dbm.maryland.gov/DBM%20Taxonomy/Technology/Policies%20&%20Pub

lications/State%20Voting%20System%20Report/stateVotingSystemReport.html) is a

very fast read, since only about 1/3 of it was made public – the rest was redacted.4

But

even the limited amount of information that was released in the report is quite damning.

For example, the report states that the Diebold system is so complicated that even if all of

3

Doug Jones provides an excellent overview of the Diebold story at

http://www.cs.uiowa.edu/~jones/voting/dieboldftp.html. 4

According to Frank Schugar, project manager for SAIC, the report was redacted by

Maryland, not by SAIC. The Electronic Privacy Information Center has submitted a

public records request to obtain the full unredacted version.

Page 3 of 11
Page 4 of 11

the problems were fixed, there still could be security risks because of poorly trained

election officials.

Section 5 of the report, which “provides the risk assessment findings, including a

discussion of the SBE security requirements, threats to the implementation of the

AccuVote-TS, likelihood of exploitation of the threat, vulnerabilities, and mitigation

strategies and recommendations for improving the security posture” is completely

redacted.5

Even the name of the operating system being used is redacted (page 17): “The voting

terminal is an embedded device running Microsoft Windows [redacted] as its operating

system.” However, we know from internal Diebold emails that were posted on the web

that Diebold was running Windows CE 3.0.

Why, one might ask, would anyone feel the need to redact the name of the Windows

operating system being used by Diebold? A likely explanation is that Windows CE is a

modular OS tool kit that allows different operating systems to be assembled for different

embedded applications. Yet, the certification process treats Windows CE as being

equivalent to a non-modified operating system, which means that the actual code is never

examined.

In spite of the fact that even the redacted version of the SAIC report was very critical of

Diebold and supported the Hopkins report on most issues, both the State of Maryland and

Diebold claimed that the SAIC report vindicated the purchase of Diebold machines.

In November 2003, the Maryland Department of Legislative Services commissioned yet

another study of Diebold machines by RABA Technologies

(http://www.raba.com/text/press/TA_Report_AccuVote.pdf). The Trusted Agent report,

released in January 2004, based on a “red team” effort to hack Diebold voting systems,

revealed physical security problems such as the use of identical keys on security panels

covering PCMCIA and other sockets on the machines – as well as locks that could be

picked in a few seconds.

Unfortunately, when DRE vendors discuss the virtues of DREs to election officials, they

gloss over security issues related to short- and long-term storage of the machines, as well

as machine access control before and after elections.

Meanwhile, the State of Ohio, which had been considering the purchase of Diebold DREs

for the entire state6

, hired Compuware to test hardware and software,and InfoSentry to

conduct a security assessment. The Compuware study uncovered yet another hardwired

password, this time involving the supervisor’s card, used to start up each voting machine

on Election Day as well as to terminate the voting process at the end of the day. When

5

The description of Section 5 is on p. 2. It probably was supposed to have been redacted,

since the title of Section 5 is redacted in the Table of Contents.

6

Diebold is headquartered in Ohio.

Page 4 of 11
Page 5 of 11

the card is inserted into the DRE, the election official must enter the same password or

PIN7

that is hardwired into the card - but not into the voting software. Consequently,

someone who is able to obtain a supervisor’s card, or who manages to create a fake card

with a different password, would be able to conduct a denial of service attack by

prematurely halting the voting machines, thereby denying some voters the opportunity to

vote.

ES&S – a software bug prevents audits

An intriguing link had existed for a long time between Diebold and ES&S, another major

voting machine vendor, and had generated a great deal of criticism. Until very recently,

Bob Urosevich was the CEO of Diebold Election Systems (O’Dell is the CEO of the

parent Diebold company), and his brother Todd had been the vice-president of ES&S8

.

Together, DREs and optical scan voting systems manufactured by Diebold and ES&S

will count somewhere between two-thirds and 80% of the ballots in the November

election.9

There is also a connection between ES&S and Sen. Chuck Hagel

(http://www.csd.cq.com/senate_mem/s0531.html ). Until two weeks before he

announced his candidacy for the Senate in 1996, Sen. Hagel had been the CEO of

American Information Systems, Inc., a fact not mentioned in Hagel’s 1996 campaign

financial disclosure statements. AIS, founded by the Urosevich brothers, subsequently

purchased another company and become ES&S. AIS was used to count many of the

votes that elected Sen. Hagel to the Senate in 1996, the first Republican to have been

elected from Nebraska in twenty-four years. Hagel’s 2002 Democratic opponent, Charlie

Matulka, claims that Hagel owned 35% of ES&S, when ES&S machines were used to

count the votes in the 2002 Senate race.

More recently ES&S has been in the news, because a software bug had corrupted the

audit log and vote image report in ES&S machines used in Miami-Dade and many other

parts of the country. 10 An internal memo written in June 2003 by Orlando Suarez,

division manager of the county’s enterprise Technology Services Department and

obtained through a public records request made by the Miami-Dade Election Reform

Coalition, describes a discrepancy in the internal auditing mechanism of the ES&S

machines. Suarez stated that the software bug(s) make the audit reports “unusable for the

purpose that we were considering (audit an election, recount an election and if necessary,

use these reports to certify an election).” This information was not made public until it

7

The Compuware study discovered that the pin was 1111.

8

Whether they left their positions because of criticism from groups concerned about

collusion or for some other reasons is not known to this author.

9

See the attachments in http://www.electiondataservices.com/EDSInc_DREoverview.pdf

for a detailed breakdown by machine type.

10 For a detailed discussion of the ES&S bug, see

http://www.cs.uiowa.edu/~jones/voting/miami.pdf

Page 5 of 11
Page 6 of 11

was announced by the Coalition in April 2004, almost a year after the initial memo was

written.

The event log contained results for some nonexistent machines, and it also failed to report

all the results for the machines that were in operation. According to Doug Jones, there

were actually two bugs. One - triggered by a low battery condition - caused corruption in

the event log; the second caused the election management system to misread the

machine’s serial number in the face of this corruption. While the vote count was not

impacted, the problems uncovered are symptomatic of the kinds of anomalies that are not

tested for under the certification process, discussed below.11

On July 27, 2004 the Miami-Dade Election Reform Coalition announced that audit data

they had requested revealed that computer crashes had deleted all the election results

from the September 2002 gubernatorial race in Miami-Dade, as well as from several

more recent municipal elections. It appeared that no back-ups had been made, leading to

speculation that the loss of the ballot images could be a violation of Florida law regarding

the retention of ballots.12 After spending a few embarrassing days trying to explain how

election officials could have lost critical voting records, Miami-Dade County elections

supervisor Constance Kaplan announced on July 30 that her secretary had located a

computer disk containing the missing data in the conference room next to her office.13

In an interesting footnote to the Miami-Dade story, Florida Secretary of State defended

the paperless touch screen voting machines against criticism that she likened to

conspiracy theories by saying, “The touch-screen machines are not computers. You’d

have to go machine by machine, all over the state [to rig an election].”

How did such flawed machines become certified?

The first FEC standard for electronic voting machines, issued in 1990, was replaced in

2002 (http://www.fec.gov/pages/vssfinal/vss.html). Many voting systems in use today

were certified to the 1990 standards.

11 Quoting Jones, “As of midsummer, the state of Florida has approved a fix to the two

bugs that caused this problem, and in the pre-election testing conducted on August 13, the

event records were extracted from compact flash cards showed correct reports of low

battery conditions without any corruption of serial numbers. Curiously, it was a member

of the Miami-Dade coalition who found this evidence as she went over printouts of the

event logs generated from the compact flash cards.”

12 Amazingly, Miami-Dade officials chose to ignore a memo sent before the crashes

occurred in which Cathy Jackson of the county’s Audit and Management Services

Department warned of the lack of back-up and suggested burning all data to CD ROMs

after each election.

13 Quoting Jones, “The disk was a CD-R in a file folder. The county had only begun

making archival CD-R copies of the data after the county Audit and Management

Department suggested that they do so that summer. Apparently, although this was being

done, there was as yet no institutional memory of where these disks were being put.”

Page 6 of 11
Page 7 of 11

Machines are tested and certified by three private companies - Ciber, Wyle, and SysTest

– which are referred to as Independent Testing Authorities (ITAs). The ITAs themselves

are certified by the National Association of State Election Directors, but are not subjected

to any government oversight. Individual states may have additional requirements that are

certified by the ITAs. Vendors pay for all testing.

One of the bizarre aspects of the certification process is that distinguishes between

“firmware” and “software”, with “firmware” being defined as the software that runs in

the voting machines in the precinct, while “software” is used to refer to the code utilized

by the election management system. Wyle certifies only firmware, and Cyber certifies

only software. SysTest certifies the entire system.

Rather than checking the software for security flaws and attacking the software to see if it

can be compromised, the ITAs limit their tests strictly to items specifically required by

the FEC standards. Particularly prominent among these are control flow requirements,

with Do-While (False) constructs and intentional exceptions used as GoTos being

explicitly prohibited. The 2002 FEC standards also call for “effective password

management,” but the phrase is not defined. We can infer from the Diebold results,

however, that no one is checking to see if encryption keys have been hardwired into the

code. The testing also fails to check for exceptions, and there are no provisions for the

inspection of COTS code.

States typically are provided with only a one-page certificate saying that the software

satisfied the FEC standards. By contrast, vendors are given detailed test results. Some

states request the test results, but results have been provided only when the states or

election officials sign non-disclosure agreements. Not only should test results all be

made public, but there also should be a central data depository that collects all test results

and problem incidents from voting machines - much as is done for airplanes - so that the

government and election officials can check to make sure that all known problems have

been rectified.

Then there is the matter of ballot definition files (BDF). These files contain the

candidates and issues information for each election. Because BDFs tend to be difficult for

election officials to write, they frequently are prepared by the vendors. Whether the

BDFs are prepared by the vendor or by someone local, they can’t be produced until the

candidates and issues have all been decided.

Although critical to elections, BDFs are never independently inspected by an ITA. While

properly conducted pre-election testing should uncover errors in BDFs, such testing is not

routine in many jurisdictions, where state laws merely require that the tests include

casting at least one vote for each candidate in each race on the ballot, using each ballot

style in use in the jurisdiction. In Miami-Dade County, for example, there were 222

distinct ballot styles in the August 2004 primary.14

14 Private communication with Doug Jones.

Page 7 of 11
Page 8 of 11

When errors in BDFs do occur – leading, for example, to votes for one candidate being

credited to a different candidate – they can be detected with optical scan voting systems,

because anomalous computer-reported results can be discovered through manually

recounts of paper ballots. 15 With paperless DREs, however, there is no way to perform

such a recount.

Malicious code

While many obvious software bugs have been inferred or uncovered, to my knowledge

no clearly malicious code has been detected in voting machine software, though some

software bugs have behaved as if they were malicious. An obvious approach for dealing

with buggy or malicious code is the use of open, or at least public, source software.

Making software public would expose it to more eyes, thereby increasing the likelihood

of the bug detection. But there is still the risk that the software running on the voting

machines may not be identical to the software that was made public. Further, as we know

from Ken Thompson’s Turing Award speech “Reflections on Trusting Trust”

http://www.acm.org/classics/sep95/, it is possible to write a compiler that will insert

malicious code into object code.16

Even open source code can be vulnerable. A recent attempt to insert a two-lines-of-code

backdoor into Linux was caught by some observant programmers

http://kerneltrap.org/node/view/1584. But, the fact that this particular backdoor attempt

was stymied is no guarantee that some equally subtle future attempt will also be detected.

With inadequately tested secret code, one can only speculate about the likelihood that any

malicious code, especially code that is cleverly designed to resemble a software bug (e.g.

=, instead of ==), will go undetected.

Alternative models for voting design

Diebold, Sequoia, ES&S, and Hart InterCivic are the major manufacturers of paperless

DREs. Most DREs use touch screens as inputs, though Hart InterCivic uses a dial for

candidate selection. DREs also can be equipped with earphones and various devices,

typically hand-held, that allow voters with vision impairments to vote independently.

15 See http://www.votersunite.org/info/BallotProgramming.pdf for a detailed discussion

of BDFs.

16 Quoting Thompson, “You can’t trust code that you did not totally create yourself.

(Especially
code from companies that employ people like me.) No amount of source-
level verification or scrutiny will protect you from using untrusted
code. In demonstrating

the possibility of this kind of attack, I picked on the C compiler. I could have picked on

any program-handling program such as an assembler, a loader, or even hardware

microcode. As the level of program gets lower, these bugs will be harder and harder to

detect. A well installed microcode bug will be almost impossible to detect.”

Page 8 of 11
Page 9 of 11

DREs do not allow voters to select more candidates than allowed (overvotes) and alert

voters to omitted votes (undervotes). They also allow voters to review their ballots

before submitting them (second chance voting).

DREs that produce voter verifiable paper ballots. AccuPoll and Avante produce DRE

voting systems that print out ballots that voters can check to ensure that an accurate paper

record of their votes exists. Avante also manufactures an optical scan model that prints

optical scan ballots that sighted voters can mark, as well as an “accessible” optical voting

system that allows vision-impaired voters to print out optical scan ballots marked to

reflect their choices.

Optical scan voting machines. Besides avoiding many of the security problems

associated with paperless DREs, optical scan (or mark sense) systems are also less

expensive. Typically these systems require the voter to mark his or her ballot, in much

the same way that students taking standardized tests make computer-readable marks by

using number 2 pencils to fill in ovals.

Precinct-based optical scan systems require the voter to “test” his or her ballot by

submitting it to the scanner and having the scanner notify the voter if the ballot contains

overvotes. The voter is also notified if the ballot is blank. Ideally, at the end of Election

Day all the ballots are initially tallied in the precinct, and the ballots, together with the

results, are sent to the tabulation center. 17

The same vendors that produce the majority of DREs – ES&S, Sequoia, and Diebold –

also produce the majority of optical scan voting systems.

Hybrid models. Ballot marking systems are a cross between DREs and optical scan

systems. One, made by Vogue Election Systems (VES) and currently marketed by

ES&S, offers a touch screen like a DRE. The voter inserts a blank optical scan ballot into

the machine and then proceeds as he or she would if interacting with a DRE. Once the

voter has entered all of his or her choices, the machine marks the optical scan ballot

accordingly, avoiding overvotes and raising alerts to undervotes in the process. This also

serves to eliminate any stray pencil marks that could otherwise confuse the scanner.

Attached headphones provide an option that allow blind voters to vote without assistance.

Another system, produced by Populex, includes a screen that operates with an attached

stylus. The system prints out a completed ballot once the voter has entered all of his or

her choices. For human perusal, the ballot uses numbers to represent voter choices, along

with a corresponding bar code for the optical scanner’s benefit. The system has attached

headphones that allow blind voters to vote independently, and, like the Vogue system, it

also avoids overvotes and warns about undervotes. For both systems headphones

17 The chance that ballot boxes or tabulation sheets will be illegally manipulated are

reduced if local results are posted locally.

Page 9 of 11
Page 10 of 11

attached to the scanner would make it possible for vision-impaired voters, as well as the

sighted, to verify their ballots.18

Because paperless DREs provide no audit trail, it is imperative that DRE software be free

of malicious code and potentially damaging bugs. By contrast with paperless DREs,

DREs that produce voter verfiable paper ballots, optical scan systems, and hybrid systems

do not have the hidden expense of a huge testing and security overhead.

Cryptographic voting systems. Both VoteHere (http://www.votehere.net/ ) and David

Chaum (http://www.seas.gwu.edu/~poorvi/Chaum/chaum.pdf) have developed voting

systems that provide an encrypted receipt that voters can use to verify that their ballots

has been accurately counted. Chaum’s system is not currently being manufactured. A

problem common to both systems is that they offer no way to conduct a recount should it

be determined that a ballot tabulation problem has occurred, although individual ballots

can be corrected. Also, neither scheme is particularly easy for voters to understand.

Open source. The Open Voting Consortium (OVC)

(http://www.openvotingconsortium.org/) is a non-profit group of software engineers and

computer scientists working to build an open source voting system that will run on PC

hardware and produce a voter-verifiable paper ballot. They also hope to provide a

general for interoperable open source voting software. Their system is currently under

development.

Prudent precautionary measures for DREs

Because paperless DREs provide no audit trail, it’s imperative that they be extensively

tested before, during, and after each election. DREs must also be securely stored between

elections, as well as at polling sites before and during Election Day.

DREs should be extensively tested before, during, and after every election. Similarly, all

ballot definition files should be scrupulously tested — with all test results (not just results

from BDF tests) not only made public but also archived in a central repository. There

should also be a national repository of DRE problems, just as is done with aircraft.

Finally, paper ballots should be made available at every polling location that uses DREs,

both as backup in the case of failures of the DREs and to provide voters with the option

of voter-verifiable paper ballots,

None of these steps can ensure that DRE software is free of malicious code and

potentially damaging bugs. The best we can do is to attempt to reduce the risks

associated with these machines.

Conclusion

18 This option is not currently available.

Page 10 of 11
Page 11 of 11

The issue of e-voting should have been primarily a technological issue - one involving

computer security, human factors, reliability, and efficiency. Instead, because of the vast

sums of money involved, e-voting has been heavily politicized.

Election officials were told that DREs in the long run would be cheaper than alternative

voting systems. They were told that DREs had been extensively tested and that the

certification process guaranteed that the machines were reliable and secure. No mention

was made of the significant costs of testing and of secure storage of DREs; no mention

was made of the inadequacy of the testing and certification processes, to say nothing of

the difficulty of creating bug-free software.

Technologists are attempting to educate election officials, policy makers, and the public

about the risks of paperless DREs. It is critical for the continued existence of democracy

throughout the world that we succeed.

Acknowledgments.

Thanks to Dan Wallach, Tracy Volz, Laura Gould, Lynn Landes, Ellen Theisen, Rebecca

Mercuri, and Doug Jones for their very useful comments.

Page 11 of 11

comments (0)
12/22/16
2086 Fri 23 Dec 2016 LESSONS from Rector JCMesh J Alphabets Letter Animation ClipartMesh C Alphabets Letter Animation Clipart an expert who identifies experts influenced by Expert and Infulencer Sashikanth Chandrasekharan of Free Online Buddhism - World Religions for Kidshttps://drambedkarbooks.com/2015/03/14/the-chamcha-age-by-saheb-kanshi-ram/#more-1506Awaken One With Awareness Mind (A1wAM)+ ioT (insight-net of Things) - the art of Giving, taking and Living to attain Eternal Bliss as Final Goal through Electronic Visual Communication Course on Political Science -Techno-Politico-Socio Transformation and Economic Emancipation Movement (TPSTEEM). Struggle hard to see that all fraud EVMs are replaced by paper ballots by Start using Internet of things by creating Websites, blogs. Make the best use of facebook, twitter etc., to propagate TPSTEEM thru FOA1TRPUVF. Practice Insight Meditation in all postures of the body - Sitting, standing, lying, walking, jogging, cycling, swimming, martial arts etc., for health mind in a healthy body. from INSIGHT-NET-Hi Tech Radio Free Animation Clipart Online A1 (Awakened One) Tipiṭaka Research & Practice University in Visual Format (FOA1TRPUVF) https://archive.org/stream/DhammapadaIllustrated/dhammapada_illustrated#page/n1/mode/2up free online university research practice up a level through http://sarvajan.ambedkar.orgup a level https://awakenmediaprabandhak. wordpress.com/ email-0565.gif from 123gifs.eu Download & Greeting Card modinotourpm@gmail.com jchandra1942@icloud.com sarvajanow@yahoo.co.in is the most Positive Energy of informative and research oriented site propagating the teachings of the Awakened One with Awareness the Buddha and on Techno-Politico-Socio Transformation and Economic Emancipation Movement followed by millions of people all over the world in 105 Classical languages. Rendering exact translation as a lesson of this University in one’s mother tongue to this Google Translation and propagation entitles to become a Stream Enterer (Sottapanna) and to attain Eternal Bliss as a Final Goal BSP is the Number One Largest Party in the Country with all societies (sarvajan Samaj ) supporting it for Sarvajan Hitay sarvajan Sukhay. https://www.facebook.com/notes/hindustani-sher-aryan/indian-black-money-deposited-in-swiss-banks-wikileaks-report/243424935724827 http://www.india.com/…/list-of-black-money-holders-in-swis…/
Filed under: General
Posted by: site admin @ 9:07 pm




2086 Fri 23 Dec 2016


LESSONS


from

Rector
JCMesh J Alphabets Letter Animation ClipartMesh C Alphabets Letter Animation Clipart

an expert who identifies experts influenced by Expert and Infulencer Sashikanth Chandrasekharan
of


Free Online
Buddhism - World

Religions for Kidshttps://drambedkarbooks.com/2015/03/14/the-chamcha-age-by-saheb-kanshi-ram/#more-1506
Awaken One With Awareness Mind
(A1wAM)
+ ioT (insight-net of Things)  - the art of Giving, taking and Living   to attain Eternal Bliss
as Final Goal through Electronic Visual Communication Course on
Political Science -Techno-Politico-Socio Transformation and Economic
Emancipation Movement (TPSTEEM).


Struggle hard to see that all fraud EVMs are replaced by paper ballots by

Start
using Internet of things by creating Websites, blogs. Make the best use
of facebook, twitter etc., to propagate TPSTEEM thru
FOA1TRPUVF.

Practice
Insight Meditation in all postures of the body - Sitting, standing,
lying, walking, jogging, cycling, swimming, martial arts etc., for
health mind in a healthy body.



 from

INSIGHT-NET-Hi Tech Radio Free Animation Clipart Online A1 (Awakened One) Tipiṭaka Research & Practice University
in Visual Format (FOA1TRPUVF)

https://archive.org/stream/DhammapadaIllustrated/dhammapada_illustrated#page/n1/mode/2up


free online university research practice









up a level through http://sarvajan.ambedkar.orgup a level



https://awakenmediaprabandhak. wordpress.com/












email-0565.gif from 123gifs.eu Download & Greeting Card


modinotourpm@gmail.com
jchandra1942@icloud.com
sarvajanow@yahoo.co.in



is the most Positive Energy of informative and research oriented site propagating the teachings of the Awakened One with Awareness the Buddha and on Techno-Politico-Socio Transformation and Economic Emancipation Movement followed by millions of people all over the world in 105 Classical languages.


Rendering exact translation as a lesson of this
University in one’s mother tongue to this Google Translation and
propagation entitles to become a Stream
Enterer (Sottapanna) and

to attain Eternal Bliss as a Final Goal

BSP
is the Number One Largest Party in the Country with all societies
(sarvajan Samaj ) supporting it for Sarvajan Hitay sarvajan Sukhay.


https://www.facebook.com/notes/hindustani-sher-aryan/indian-black-money-deposited-in-swiss-banks-wikileaks-report/243424935724827

http://www.india.com/…/list-of-black-money-holders-in-swis…/


Now the game is over for BJP (Bahuth Jiyadha Psychopaths) after the
Murderer of democratic institutions (Modi)’s demonitisation move.His
QUEUE INDIA MOVEMENT has killed over 100 poor people in queues.


The 1% intolerant, militant, shooting, mentally retarded, lunatic,
mentally retarded chitpawan brahmin Rakshasa Swayam Sevaks (RSS)
cannibal psychopaths claim that it was bali dhan for their stealth,
shadowy, discriminative hindutva cult nationalism.

BJP before
gobbling the Master Key by tampering the fraud EVMs were shouting that
lakhs of cores of black money from foriegn banks

will be brought back and deposit 15 lakhs in every country men and women’s account.


Now they forgot their slogan and new slogan is against the enemy of the
country who have harmed interests 99% sarvajan samaj
SC/STs/OBCs/Minorities/poor UCs of farmers, labourers, future of the
youth and aspirations of the aged who are unhappy.

BJP after
gobbling the Master key in the 2014 Lok Sabha after tampering the fraud
EVMs elections are dreaming repeating the feat in next UP assembly
elections.

Ms Mayawati’s BSP lost in the Lok Sabha elections
because these fraud EVMs. But it won in UP Panchayat elections which was
conducted with paper ballots.

The ex CJI Sadasivam had committed
a grave error of judgement by ordering the EVMs to be replaced in
phases as suggested by the ex

CEC Sampath because of the cost of Rs 1600 crore involving in replacing the entire EVMs.

Now present CEC says that the entire EVMs will be replaced in 2019.

But non of them ordered for using paper ballots as done in 80 democracies of the world till all the fraud EVMs were replaced.

While the wikileaked in crores

1. Amit Shah -568000

2. Rajnath singh -7800

3.Yedurapp -158000

4.Anantkumar - 82000

5.P.Chidabaram - 15040

6.Dighvijay singh - 28900

7. Ahmed Patel -9000

8. Smiti Irani-15000

9. Venkaiya Naidu -75000

10 Kapil Sibal - 28000

11. Suresh Kalmadi- 5900

12. Ashok Giloth - 220000

13.Vasundhara Raje. 76888

14. Shyam Kampli -582114

15. Mulayam Singh Yadav -19800

16. Hashwath Mehata - 135800

17. Ketan Parekh - 8200

18. Yedi Ramaswamy - 14500

19. Lalu Prasad Yadav 28900

20. J.M. sindia - 9000

21. Kalanidhi Maran - 15000

22. Uma Bharathi- 35000

23. General V.K.Singh - 5900

24. Raj Adipay -189008

The List of Top Black Money Holders in Swiss Bank From India.


Before it was estimated that $500 billion of illegal funds were
trashed in Switzerland by Indians but none of us knew that who were
behind the masks. Then in August 2011, wikileaks released its 1st list
of Top Black money holders from India. It was really too much shocking
to see the names of many prominent politicians in it.
This was the list of Top 20 people (amount in crores) :
1- Ashok Gehlot (220000)
2- Rahul Gandhi (158000)
3- Harshad Mehta (135800)
4- Sharad Pawar (82000)
5- Ashok Chavan (76888)
6- Harish Rawat (75000)
7- Sonia Gandhi (56800)
8- Muthuvel Karunanidhi (35000)
9- Digvijay Singh (28900)
10- Kapil Sibal (28000)
11- Rajeev Gandhi (19800)
12- Palaniappan Chidambaram (15040)
13- Jayaram Jaylalitha (15000)
14- Kalanithi Maran (15000)
15- HD Kumarswamy (14500)
16- Ahmed Patel (9000)
17- J M Scindia (9000)
18- Ketan Parekh (8200)
19- Andimuthu Raja (7800)
20- Suresh Kalmadi (5900)

http://www.thehindu.com/…/WikiLeaks-cab…/article13673210.ece

WikiLeaks cables “inspired” anti-corruption campaign in India

https://www.youtube.com/watch?v=Z94dHg0J4pU


Wikileaks has pushed into the open one of the dirtiest secrets in
Indian politics. The latest leaked cable threatens to take down big fish
in the Congress, the DMK and the MIM.

http://www.garudacreations.com/wikileaks-published-first-l…/

LIST OF 100 HSBC account holders from india


Is this black money or not ,we are not sure about it; may be it will be
legal money. we have to wait for official clearances.Today Indian
express published this list, they are not claiming as it is black
money,they just published it as the ” Top 100 HSBC account holders from
india”

1. UTTAMCHANDANI GOPALDAS WADHUMAL/family $54,573,535
2. MEHTA RIHAN HARSHAD/ family $53,631,788
3. THARANI MAHESH THIKAMDAS $40,615,288
4. GUPTA SHRAVAN $32,398,796
5. KOTHARI BHADRASHYAM HARSHAD/ family $31,555,874
6. SHAUNAK JITENDRA PARIKH/family $30,137,608
7. TANDON SANDEEP $26,838,488
8. AMBANI MUKESH DHIRUBHAI $26,654,991
9. AMBANI ANIL $26,654,991
10. KRISHNA BHAGWAN RAMCHAND $23,853,117
11. DOST PARIMAL PAL SINGH $21,110,345
12. GOYAL NARESH KUMAR $18,716,015
13. MEHTA RAVICHANDRA VADILAL $18,250,253
14. PATEL KANUBHAI ASHABHAI $16,059,129
15. SACHIV RAJESH MEHTA $12,341,074
16. ANURAG DALMIA/family $9,609,371
17. RAVICHANDRAN MEHTA BALKRISHNA $8,757,113
18. KUMUDCHANDRA SHANTILAL MEHTA/family $8,450,703
19. PATEL RAJESHKUMAR GOVINDLAL/family $6,908,661
20. HEMANT DHIRAJ $6,237,932
21. ANUP MEHTA/family $5,976,998
22. TANDON ANNU $5,728,042
23. SIDHARTH BURMAN $5,401,579
24. SALGOACAR DIPTI DATTARAJ $5,178,668
25. DABRIWALA SURBHIT/family $5,000,000
26. VAGHELA BALWANTKUMAR DULLABHAI $4,405,465
27. DILIPKUMAR DALPATLAL MEHTA $4,255,230
28. KULDIP & GURBACHAN SINGH DHINGRA $4,144,256
29. LAKHANI JAMNA THAKURDAS $4,123,673
30. RAJIV GUPTA $4,113,705
31. SAWHNEY ARMINDER SINGH $3,965,881
32. ISRANI LOVEEN GURUMUKHDAS $3,824,104
33. NATVARLAL BHIMBHAI DESAI/family $3,746,078
34. TULSIANI JAWAHARLAL GULABRAI/family $3,730,145
35. GUPTA RAJIV $3,545,416
36. JAISWAL LADLI PERSHAD $3,496,063
37. CARVAHLO ALOYSIUS JOSEPH $3,313,788
38. PRADIP BURMAN $3,199,875
39. TULSIANI SHAM GULABRAI/family $3,066,991
40. VITHALDAS JANAKI KISHORE $3,031,220
41. KUMAR VENU RAMAN $3,063,064
42. THAKKAR DILIP JAYANTILAL $2,989,534
43. TULSIANI PARTAB GULABRAI $2,901,435
44. ADENWALLA DHUN DORAB/family $2,863,271
45. BURMAN PRADIP $2,831,238
46. TULSIANI NARAINDAS GULBARI $2,818,300
47. DASOT PRAVEEN $2,801,634
48. PATEL LALITABEN CHIMANBHAI $2,741,488
49. CHATHA JOGINDER SINGH $2,732,838
50. SHYAM PRASAD MURARKA $2,546,516
51. DHURVENDRA PRAKASH GOEL $2,488,239
52. NANDA SURESH/family $2,303,713
53. GIDWANI ANAN NELUM $2,228,582
54. PRATAP CHHAGANLAL JOISHER/family $2,209,346
55. MEHTA DEVAUNSHI ANOOP $2,136,830
56. SHAW MOHAMMAD HASEEB/family $2,133,581
57. AHMED rizwan syed/family $2,125,644
58. VINITA SUNIL CHUGANI $2,085,158
59. SAWNEY BHUSHAN LAL $2,043,474
60. PARMINDER SINGH KALRA $2,042,180
61. CHOWDHURY RATAN SINGH $1,987,504
62. DHIRANI VIKRAM $1,915,148
63. NANDA SARDARILAL MATHRADAS $1,824,849
64. WILKINSON MARTHA $1,824,717
65. SAHNEY DEVINDER SINGH $1,763,835
66. TANEJA DHARAM VIR $1,748,541
67. DHINDSA KOMAL $1,597,425
68. CHATWANI TRIKAMJI/family $1,594,114
69. PITTIE MADHUSUDANLAL NARAYANLAL $1,462,594
70. BHARDWAJ ANIL $1,435,781
71. DIPENDU BAPALAL SHAH $1,362,441
72. BHARTIA ALOK $1,349,044
73. SINGH SHUBHA SUNIL $1,348,983
74. DANSINGHANI SHEWAK JIVATSING/family $1,267,743
75. KUMAR DAVINDER/family $1,231,088
76. JASDANWALLA ARSHAD HUSAIN ADAMSI/family $1,229,723
77. JHAVERI HARISH SHANTICHAND/ family $1,191,144
78. SINGHVI GANPAT $1,194,388
79. MILAN MEHTA/family $1,153,957
80. TUKSIANI ASHOK GULABRAI $1,140,890
81. MODI KRISHAN KUMAR $1,139,967
82. GARODIA BISHWANATH $1,071,858
83. JAGASIA ANURADHA ANIL $1,039,648
84. VITHALDAS KISHORE/family $1,020,028
85. CHANDRASHEKAR KADIRVELU BABU/family $1,007,357
86. GALANI DIPAK VARANDMA/family $940,191
87. SAWHNEY ARUN RAVINDRANATH $914,698
88. MERWAH CHANDER MOHAN $909,309
89. PATEL ATUL THAKORBHAI $813,295
90. NATHANI KUMAR SATURGUN $751,747
91. SATHE SUBHASH/family $749,370
92. SHAH ANIL PANNALAL/family $742,187
93. MADHIOK ROMESH $719,559
94. BHAVEN PREMATLAL JHAVERI $717,654
95. KINARIWALA KALPESH HARSHAD $713,340
96. GOKAL BHAVESH RAVINDRA $699,184
97. LAMBA SANJIV $644,923
98. SHOBHA BHARAT KUMAR ASHER $641,387
99. KATHORIA RAKESH KUMAR $589,753
100. BHANSALI ALKESH PRATAP CHANDRA $579,609

SOURCE INDIAN EXPRESS


Murderer of democratic institutions (Modi) of Bahuth Jiyadha
Psychopaths (BJP) said that all the black money will be recovered and Rs
15 lakhs will be deposited in the entire citizens accounts of this
country. The whole world is watching whether it will be done before 31
December 2016.


Vaibhav Hindustani-Sher Aryan published a note.

Indian Black Money in Swiss Bank List

 

WikiLeaks posted in the website that –

Indian
money in Swiss Banks is more than any other nationality. The list
regarding their names, amount and other details is as per the list
herebelow. The major share is from India. The source of income is from
project hedge, illegal share in s…

Continue reading
https://drive.google.com/file/d/0B3FeaMu_1EQyUVE0VzhxWU5kVlU/view


Page
321
/
324

Page 1 of 324

Building Reliable Voting Machine Software

Ka-Ping Yee

B. A. Sc. (University of Waterloo) 1998

A dissertation submitted to the Graduate Division

of the University of California, Berkeley

in partial fulfillment of the requirements for the degree of

Doctor of Philosophy

in

Computer Science

Committee in charge:

Professor David Wagner, Co-chair

Professor Marti Hearst, Co-chair

Professor Henry Brady

Professor Joseph Hellerstein

Fall 2007

Page 1 of 324
Page 2 of 324

The dissertation of Ka-Ping Yee is approved.

Professor David Wagner (Co-chair) Date

Professor Marti Hearst (Co-chair) Date

Professor Henry Brady Date

Professor Joseph Hellerstein Date

University of California, Berkeley

Fall 2007

Page 2 of 324
Page 3 of 324

Building Reliable Voting Machine Software

Copyright © 2007

Ka-Ping Yee

Permission is granted to copy, distribute, and/or modify this document under the terms

of the GNU Free Documentation License, version 1.2 or any later version published by the

Free Software Foundation, with no Invariant Sections, no Front-Cover Texts, and no

Back-Cover Texts. A copy of the license is included in the appendix entitled GNU Free

Documentation License.

Page 3 of 324
Page 4 of 324

Abstract

Building Reliable Voting Machine Software

Ka-Ping Yee

Doctor of Philosophy in Computer Science

University of California, Berkeley

Professor David Wagner, Co-chair

Professor Marti Hearst, Co-chair

I examine the question of how to design election-related software, with particular

attention to the threat of insider attacks, and propose the goal of simplifying the software

in electronic voting machines. I apply a technique called prerendering to reduce the

security-critical, voting-specific software by a factor of 10 to 100 while supporting similar

or better usability and accessibility, compared to today’s voting machines. Smaller and

simpler software generally contributes to easier verification and higher confidence.

I demonstrate and validate the prerendering approach by presenting Pvote, a

vote-entry program that allows a high degree of freedom in the design of the user

interface and supports synchronized audio and video, touchscreen input, and input

devices for people with disabilities. Despite all its capabilities, Pvote is just 460 lines of

Python code; thus, it directly addresses the conflict between flexibility and reliability that

underlies much of the current controversy over electronic voting. A security review of

Pvote found no bugs in the Pvote code and yielded lessons on the practice of adversarial

code review. The analysis and design methods I used, including the prerendering

technique, are also applicable to other high-assurance software.

Professor David Wagner

Professor Marti Hearst

1

Page 4 of 324
Page 5 of 324

This dissertation is dedicated to those who work to run

elections everywhere in the world: registrars, officers,

pollworkers, clerks, judges, scrutineers, observers, and

everyone else involved in the process. You carry out the

mechanisms that make democracy work; this research is

devoted to helping you make democracy work better.

i

Page 5 of 324
Page 6 of 324

Preface

The democracy upon which our modern society is built

ultimately depends on a system that collects and counts votes.

For many voters in the United States and other countries, nearly

every part of that system relies on computer software in some

way. If you had to design that software, how would you do it?

This dissertation offers an exploration of that question and

a proposed answer: create the simplest possible voting machine

software. I use a technique called prerendering to reduce the

critical voting-specific software by a factor of 10 to 100 while

supporting similar or better accessibility and usability,

compared to today’s machines. Central to this dissertation is

the story of Pvote, the program I developed to realize this goal.

The first reason to simplify software is the threat of an

insider attack. The challenge is to prevent not just inadvertent

flaws, but flaws intentionally crafted by programmers who

stand to gain from subverting their own software. The only way

to meet this challenge is to require simpler software.

The second reason is that much of the controversy over

electronic voting stems from a conflict between flexibility and

reliability. Computers offer the promise of broader and more

effective access to voting, but computer programs are more

complicated and fragile than hand-counted paper ballots.

Simplifying the voting machine software mitigates this dilemma.

The problem of electronic voting is illustrative of the

challenges of building reliable software in general. In particular,

I report on insights from the Pvote work about managing the

complexity of high-assurance software and about reviewing

software for correctness without assuming trust in its author.

Both are relevant to the prevention of insider attacks, which are

a thorny and long-standing problem in software security.

ii

Page 6 of 324
Page 7 of 324

This dissertation is intended for several audiences:

• Election staff, policymakers, and activists: If you run

elections or influence how elections are conducted, I hope

to make you aware of the perils of complexity in software

(Chapters 1 and 9), and to calibrate your tolerance for

complexity in election software by demonstrating how much

it can be simplified. I also hope to contribute to your

understanding of the tradeoffs among various choices of

voting equipment and verification methods (Chapter 3).

• Engineers: If you build software, you may be able to achieve

greater confidence in it using the analysis, design, and

review strategies presented here (Chapters 2, 3, and 8) . If

you develop voting machines, you can apply the

prerendering strategy to create more reliable software

(Chapter 4), use ideas from Pvote’s design and

implementation (Chapters 5, 6, and 7), or use the Pvote code

as a basis for your own software (Appendices A and B).

• Researchers: If you investigate software reliability or

security, you may be interested in assurance trees (Chapter

2), a way of structuring assurance claims during software

design, prerendering (Chapter 4) as a strategy for reducing

the trusted code base of a system, or derivation maps

(Chapter 9) for understanding sources of vulnerability to

insiders and the effects of shifting complexity among

components. The Pvote review experience (Chapter 8 and

Appendix E) motivates research challenges in the design of

programming languages, development environments, and

reviewing tools to support adversarial code review.

• Designers: If you practice visual design or interaction

design, you may be interested to learn how prerendering

(Chapter 4), the main software approach presented here, can

offer you unprecedented freedom in designing electronic

ballots and new opportunities for advancing democracy

through the power of design.

Preface iii

Page 7 of 324
Page 8 of 324

Contributions

This is a quick guide to the main contributions of this work and

where to find them.

1. A set of correctness properties for voting software derived as

an assurance tree (page 24).

2. An assurance chart comparing types of voting systems

according to the verification mechanisms available to voters

at each step of the voting process (page 56).

3. User interface prerendering, a technique for reducing the

complexity of critical software components (page 57).

4. Pvote’s ballot definition file format, a platform-independent

format for describing the ballot and the voting user interface

in a prerendered user interface voting system (page 121).

5. The software design of Pvote, a vote-entry program with

support for a wide range of ballot designs and voters with

disabilities (page 127).

6. A set of desirable properties of programming languages to

support adversarial code review (page 149).

7. Lessons learned from the Pvote security review, the first

open adversarial code review of voting software designed

for minimal complexity and high assurance (page 153).

8. Derivation mapping, a method of diagramming the

provenance of a security-critical artifact to identify sources

of vulnerability to insider attacks (page 161).

9. A security argument for the use of high-level programming

languages in high-assurance software (page 173).

10. Proof by construction (the implementation of Pvote) that a

fully featured user interface for voting can be implemented

in 460 lines of Python (page 217).

11. A security analysis and a set of assurance arguments for

Pvote, which are given in a separate document [92].

iv

Page 8 of 324
Page 9 of 324

Acknowledgements

I have been extremely lucky to have David Wagner and Marti

Hearst as my advisors. They supervised and supported this

work, and provided me with guidance and insight during my

career as a graduate student. They removed obstacles and

sought out opportunities for me. Their responsiveness and

detailed feedback have been fantastic. I also thank Henry Brady

and Joe Hellerstein, who served on my committee and went out

of their way to review this dissertation on a short time frame.

Steve Bellovin suggested the idea of prerendering, which

sparked this work. Candy Lopez of the Contra Costa County

Elections Department patiently showed me how real elections

are run. Scott Luebking and Noel Runyan helped me understand

the accessibility issues surrounding voting. Matt Bishop, Ian

Goldberg, Tadayoshi Kohno, Mark Miller, Dan Sandler, and Dan

Wallach generously volunteered many, many hours of their time

to serve as expert reviewers in the Pvote security review. Joseph

Hall has been a wonderful resource on election policy.

Debra Bowen and David Wagner created and gave me the

rare opportunity to review the source code of a widely used

commercial voting system in the California Top-to-Bottom

Review. It was a privilege to work with my collaborators on that

project: Matt Blaze, Arel Cordero, Sophie Engle, Chris Karlof,

Naveen Sastry, Micah Sherr, and Till Stegers.

Public attention to electronic voting did not appear

overnight; it is the result of a long history of hard work by

civic-minded heroes such as David Dill (founder of the Verified

Voting Foundation), Avi Rubin (director of ACCURATE), and

many others. Their efforts are a big part of what has made

research like mine possible. This work was funded by the

National Science Foundation, through ACCURATE.

v

Page 9 of 324
Page 10 of 324

Mark Miller, Jonathan Shapiro, and Marc Stiegler sparked my

interest in computer security and have deeply shaped my

understanding of it through many years of fruitful collaboration

and shared wisdom. I am exceptionally fortunate to have met

and worked with them.

Scott Kim’s dissertation inspired the page design of this

dissertation. La Shana Porlaris of the EECS Department saved

me from crisis time and again; her help and calm advice were

invaluable.

I am especially grateful to Lisa Friedman for her support

during the writing of this dissertation, and to my parents, for a

lifetime of devotion to me and my education.

vi

Page 10 of 324
Page 11 of 324

Contents

Preface ii

Contributions iv

Acknowledgements v

Contents x

1 Voting 1

What makes the voting problem so hard? 2

How does an election work? 6

Why use computers for elections? 9

How did electronic voting become controversial? 11

Why does software correctness matter? 14

2 Correctness 16

What constitutes a democratic election? 17

What does it mean for a voting system to be correct? 19

How does correctness relate to safety? 20

What is the tree of assurance goals for an election? 24

What does it mean for a voting system to be secure? 30

3 Verification 33

How do we gain confidence in election results? 34

How can we verify the computerized parts of an election? 36

What kind of election data can be published? 39

What makes software hard to verify? 41

In what ways are today’s voting systems verifiable? 44

What is the minimum software that needs to be verified? 48

What other alternatives for verification are possible? 52

vii

Page 11 of 324
Page 12 of 324

4 Prerendering 57

How can we make vote-entry software easier to verify? 58

What is prerendering? 59

Why put the entire user interface in the ballot definition? 60

How would a voting computer use a prerendered ballot? 62

What is gained by publishing the ballot definition? 63

What are the advantages of prerendering? 65

How can prerendering be applied to other software? 66

How are votes recorded anonymously? 67

5 Ptouch: the touchscreen prototype 69

Overview 70

Ballot definition format 71

Software design 80

Implementation 83

Evaluation 88

Shortcomings 93

6 Accessibility 96

Why was a second prototype needed? 97

What is Pvote’s approach to accessibility? 98

How are alternative input devices handled? 99

How does blindness affect interface navigation? 100

How do blind users stay oriented within an interface? 101

How do blind users keep track of what is selected? 102

How do blind users get feedback on their actions? 103

How are vision-impaired users accommodated? 104

7 Pvote: the multimodal prototype 105

Overview 106

Goals 107

Design principles 110

Differences between Pvote and Ptouch 114

Ballot definition format 121

Software design 127

Implementation 132

Evaluation 133

viii

Page 12 of 324
Page 13 of 324

8 Security review 136

How was Pvote’s security evaluated? 137

What were Pvote’s security claims? 139

How was Pthin defined? 143

What flaws did the reviewers find? 145

What improvements did the reviewers suggest? 146

Did the reviewers find the inserted bugs? 148

What ideas did reviewers have on programming languages? 149

What ideas did reviewers have on conducting reviews? 151

What lessons were learned from the review? 153

9 Complexity 156

Does prerendering actually eliminate complexity? 157

What is achieved by shifting complexity? 158

Why do software reviews assume trust in compilers? 160

How far back can the derivation of a program be traced? 161

What affects the tolerance of complexity in a component? 164

How does Pvote reallocate complexity? 167

What is gained by using interpreted languages? 173

10 Related work 174

Do any other voting systems use prerendering? 175

What other voting proposals reduce reliance on software? 176

What are “frog” voting systems? 177

Do frogs solve the electronic voting problem? 178

What is “software independence” (SI)? 179

Does SI make software reliability irrelevant? 181

What is end-to-end (E2E) verification? 186

Does E2E verification make software reliability irrelevant? 187

What are other approaches to high-assurance software? 188

Conclusion 191

Bibliography 193

A Ptouch source code 204

main.py 205

ix

Page 13 of 324
Page 14 of 324

Ballot.py 206

Navigator.py 210

Video.py 214

Recorder.py 215

B Pvote source code 217

main.py 218

Ballot.py 220

verifier.py 224

Navigator.py 228

Audio.py 233

Video.py 235

Printer.py 236

C Sample Pvote ballot definition 237

D Sample Pvote ballot designs 267

E Pvote security review findings 272

Correctness 273

Consensus recommendations 278

Inconclusive recommendations 282

Observations 284

Open issues 288

Bug insertion 296

Review process 300

Post-review survey 304

GNU Free Documentation License 306

x

Page 14 of 324
Page 15 of 324

1 Voting

What makes the voting problem so hard? 2

How does an election work? 6

Why use computers for elections? 9

How did electronic voting become controversial? 11

Why does software correctness matter? 14

1

Page 15 of 324
Page 16 of 324

What makes the voting problem so hard?

When I say the “voting problem,” I’m referring specifically to the

system that collects and counts votes. There are many other

parts of the election process that I’m not going to address in

this dissertation, such as voter registration, electoral systems,

and election campaigning. The collection and counting of votes

has been particularly controversial in the United States due to

problems with electronic voting in recent elections.

One of the great things about doing election-related

research is that just about everyone immediately understands

why it’s important. In my experience, whenever elections are

the topic of conversation, people have a lot to say about their

opinions on the matter. It’s encouraging to see that so many

people care deeply about democracy.

In conversations about the voting problem, there seem to be

four ideas in particular that come up all the time. It’s not

unusual to think that running a fair election ought to be a

straightforward task—after all, in some sense, it’s just counting.

To give you a taste of why the voting problem is not as easy as it

might seem, let’s begin by examining these four suggestions.

Banking machines work fine, so voting machines should be

no problem. On the surface, banking machines and voting

machines seem similar: users walk up and make selections on a

touchscreen to carry out a transaction. One of the largest

vendors, Diebold Inc., even produces both kinds of machines.

But the incentives and risks are very different.

Banking machines have money inside—the bank’s money. If

money goes missing, you can bet the bank will find out right

away and be strongly motivated to fix the problem. If the bank

machine incorrectly gives out too much cash, the bank loses

money; if it gives out too little, the bank will be dealing with

irate customers. Everything about the bank transaction is

recorded, from the entries in your bank statement to the video

recorded by the camera in most bank machines. That’s because

Voting 2

Page 16 of 324
Page 17 of 324

the bank has a strong incentive to audit that money and track

where it goes. If the machine makes mistakes, the bank loses—

either they expend time and money correcting your problem, or

you will probably leave and take your business to another bank.

With voting machines, it’s another story altogether. Voting

machines aren’t supposed to record video or keep any record

that associates you with your votes, because your ballot is

supposed to be secret. You don’t receive any tangible

confirmation that your vote was counted, so you can’t find out

if there’s a problem. Anybody can stand to gain by causing

votes to be miscounted—a voter, pollworker, election

administrator, or voting machine programmer—and the

consequences are much harder to reverse. Correcting an error

in your bank balance is straightforward, but the only way to fix

an improperly counted election is to do an expensive manual

recount or run the whole election again. And if you’re unhappy

with the way your vote was handled, you can’t easily choose to

vote on a competitor’s machine.

Give each voter a printed receipt, just like we do for any

other transaction. The surface comparison between voting and

a financial transaction also leads many people to suggest that

receipts are the answer. But the purpose of a receipt is quite

different from what is needed to ensure an accurate election.

When you buy something, the receipt confirms that you

paid for it. If there turns out to be a problem with the product,

you can use the receipt to get your money back or to get the

defective product exchanged.

When talking about a receipt from a voting machine, what

most people have in mind is a printed record of the choices you

made, just like a receipt from a cash register. If you took home

such a receipt, what would you do with it? There’s nothing to

refund, and you can’t use a receipt to get an exchange on a

defective politician. The receipt could record the choices you

made, but the receipt alone doesn’t assure that those choices

were counted in the final result. In fact, if the receipt

constitutes proof of which choices you made, it can be sold—

Voting 3

Page 17 of 324
Page 18 of 324

defeating the whole point of the secret ballot, which is to avoid

the corruption that vote-buying campaigns can cause.

A truly useful voting “receipt” would do exactly the

opposite: it would not reveal which choices you made but would

let you confirm that your choices were counted. Although these

two requirements sound paradoxical, researchers have invented

a variety of schemes that achieve them through the clever use

of cryptography. However, a key weakness of the schemes

proposed so far is that they rely on advanced mathematics, with

a counting process that would be a mystery to all but a tiny

minority of voters. This would run counter to the democratic

principle of transparent elections. Researchers are continuing

to search for simpler verification schemes that can be

understood by an acceptably large fraction of the public.

If we can trust computers to fly airplanes, we can trust

computers to run elections. The comparison between airplanes

and elections misses at least three key differences.

First, the visibility of failure is different. An airplane cannot

secretly fail to fly. When an airplane crashes, it makes

headlines; everybody knows. A forensic investigation takes

place, and if the crash is due to a manufacturing defect, the

airplane manufacturer may be sued for millions of dollars. But

an election system can produce incorrect results without any

obvious signs of failure. Therefore, we require something more

from election system software than what we require from

airplane software. A successful election system must not only

work correctly; it must also allow the public to verify that it

worked correctly.

Second, the target audience is different. Commercial

airplanes are designed to be flown by pilots with expert

training, but voting machines have to be set up by pollworkers

and operated by the general public. Our trust in airplanes is a

combination of trust in the equipment and trust in the pilots

who operate it. Whereas pilots have to log hundreds of hours of

flight time to get a license, pollworkers are often hired on a

temporary basis with only an afternoon or a day of training.

Voting 4

Page 18 of 324
Page 19 of 324

Third, security violations affect the perpetrators differently.

Pilots and flight attendants are strongly motivated to uphold

security procedures because their own lives could be at risk. A

rogue voter or pollworker, on the other hand, would have more

to gain and less to lose by surreptitiously changing the outcome

of an election.

Count the ballots by hand—it works for the Canadians.

Ballots are considerably longer and more complicated in the

United States than in many other countries. Whereas there is

just one contest in a Canadian federal election (each voter

selects a Member of Parliament), ballots in the United States can

contain dozens of contests. For example, a typical ballot1

for the

November 2004 general election in Orange County, California

contained 7 offices and 16 referenda, for a total of 23 contests

that would have to be tallied by hand. Ballots in Chicago, Illinois

that year2 were even longer: ten pages of selections, consisting

of 15 elected offices, confirmations of 74 sitting judges, and

one referendum—a total of 90 contests. When you appreciate

the scale of the task, it becomes easier to understand why many

people are motivated to automate the process with computers.

Hand-counting paper ballots is by no means impossible, but it

would be considerably more expensive and time-consuming in

the United States than in other countries with simpler ballots.

∗ ∗ ∗

In summary, voting is especially challenging because:

• All involved parties can gain by corrupting an election.

• Results can be incorrect without an obvious failure.

• Democracy demands verifiability, not just correctness.

• Voter privacy and election transparency are in conflict.

• Elections must be accessible and usable by the public.

• Ballots in the United States are long and complex.

1The example here is Orange County’s ballot type SB019 from November 2004, available in NIST’s collection

of sample ballots at http://vote.nist.gov/ballots.htm.

2 This refers to the “Code 9” ballot style in Cook County, Illinois (also available in NIST’s collection), used in

Ward 19, Precincts 28, 43(R), 48, 50(R), and 66, as well as precincts in Wards 21 and 34.

Voting 5

Page 19 of 324
Page 20 of 324

How does an election work?

Running an election is a tremendous organizational task. In the

end, it does come down to counting, but it’s what’s being

counted that makes it such a challenge. Election administrators

are, in effect, trying to take a fair and accurate measurement of

the preferences of the entire population—a controlled

experiment on a grand scale. As any psychologist will tell you,

performing experimental measurements on human subjects is

fraught with logistic pitfalls and sources of error. But elections

are worse: virtually everybody has an incentive to actively bias

the measurement toward their own preferred outcome. Thus,

elections involve a security element as well, unlike most

scientific measurements.

As if that weren’t enough, a typical election in the United

States is not just one opinion poll but many different polls

conducted on the same day—for federal, state, and local elected

offices, as well as state and local referenda—and each poll has

to be localized to a specific region. Each contest appears on

some ballots but not others, resulting in different combinations

of contests on different ballots. Each combination is called a

ballot style. Because there are so many kinds of districts (such

as congressional districts, state assembly districts,

municipalities, hospital districts, and school districts), and

district boundaries of each kind often run through districts of

other kinds, there can be over a hundred different ballot styles

in a single county. There can also be multiple ballot styles at

one polling place, if it serves voters on both sides of a district

boundary, or if there are different ballots for voters of different

political parties.

Process. Here is a simplified breakdown of the election process,

setting aside voter registration and considering only the

collection and counting of votes. The events before, during, and

after actual voting make up the three stages of the process:

preparation, polling, and counting.

Voting 6

Page 20 of 324
Page 21 of 324

• Preparation. Before any votes can be cast, election officials

must prepare the ballots. Election officials map out all the

different kinds of political districts, assemble the contests

that are relevant to each political district, compose the

contests into ballot styles, and determine which ballot styles

go to which polling places.

• Polling. At polling places, pollworkers sign in each voter and

make sure that each voter gets the correct style of ballot.

Each voter makes their selections privately and casts a

ballot. Voters may also have the option of voting by mail or

participating in “early voting” by showing up in person at a

special polling place before election day.

• Counting. The records of cast votes are counted, either at

the polling places or at a central election office. If counting

initially occurs at polling places, the counts are then

transmitted to the central office for tallying. The votes for

each contest are extracted from all the ballots on which that

contest appears, and tallied to produce a result.

Equipment. The preceding description is intentionally

ambiguous about whether paper or electronic voting is used,

because the same three stages take place regardless of the type

of equipment.

If paper ballots are used, a layout is prepared for each ballot

style, usually designed on a computer. Election administrators

estimate how many ballots of each style will be needed so that

an adequate number can be printed for distribution to polling

places. After being marked, paper ballots can be counted by

hand or scanned on machines (called optical scanning

machines). The scanning can take place at the polls (precinct

count optical scanning), where each voter feeds their ballot

through a scanning machine into a ballot box, or it can take

place at a central office, where all the paper ballots are gathered

and scanned in high-speed machines after polls close (central

count optical scanning).

An alternative to paper ballots is to make selections on an

electronic voting machine that directly records the selections in

Voting 7

Page 21 of 324
Page 22 of 324

computer memory. These machines are called direct recording

electronic (DRE) machines. In this case, preparing ballots

consists of producing ballot definition files on electronic media

(such as memory cards or cartridges) to be placed in voting

machines. The ballot definition determines what will be

displayed to the voter. (Machines for scanning paper ballots

also require ballot definitions that specify how the marks on the

paper should be counted.) Some DRE machines also print a

voter-verified paper audit trail (VVPAT)—a paper record of the

voter’s selections that is shown to the voter for confirmation,

but kept sealed inside the machine to enable later recounts.

∗ ∗ ∗

To sum up, there are three broad categories of elections in

terms of how machines are used:

1. Vote on paper; count by hand.

2. Vote on paper; count by machine.

3. Vote on machine; count by machine.

(3a. The voting machine may also produce a paper record.)

Voting 8

Page 22 of 324
Page 23 of 324

Why use computers for elections?

As the preceding description makes clear, all three stages of the

election process involve complex and detail-oriented work.

Preparation involves managing information about all the

different contests, candidates, and ballot styles. Polling involves

distributing this information and collecting results from all the

polling places. Counting involves consolidating all the votes for

each candidate in each contest across all the ballots and ballot

styles. With so many contests on the ballot, computers can

make this process much easier.

It’s not surprising that election administrators have looked

to computers for help with elections. Computers are used to

great benefit in automating a broad range of complex and

repetitive tasks and for recordkeeping functions throughout all

kinds of government agencies. Running an election involves

organizing and processing a lot of information, such as ballot

descriptions and vote tallies, and databases are effective tools

for managing this information.

The appeal of computers goes beyond their potential to

increase the speed and accuracy of the count. Computerized

vote-entry machines have much greater flexibility than paper

ballots in the method of presenting contests and choices to

voters. They can walk voters through the voting process,

provide more detailed instructions, and prevent overvotes. They

eliminate the possibility of ambiguous or improperly scanned

marks on paper. They can offer a larger selection of languages.

They can point out contests that a voter may have missed

before finalizing the marked ballot. They can even read the

names of candidates aloud, in headphones, for voters who have

trouble reading or voters who are blind. Some voters have

physical disabilities that prevent them from using pencil and

paper. Computerized vote-entry machines allow people to vote

using a variety of input devices, such as large buttons, foot

pedals, head-controlled switches, or switches controlled by air

pressure (“sip-and-puff” devices).

Voting 9

Page 23 of 324
Page 24 of 324

All of these things become possible when the voting process

is conducted by an interactive computer program instead of an

inert piece of paper. There appears to be a substantial rate of

voter errors when voting on paper ballots— in a Rice University

study of paper ballots [24], over 11% of the 126 ballots collected

contained at least one error. A friendlier and richer voting

interface offered by a computer might help voters avoid making

mistakes. Furthermore, the principle of equal rights demands

that we provide a way for disabled citizens to cast their votes

privately and independently.

∗ ∗ ∗

In short, computers can offer several advantages:

• Computers can help manage election-related data.

• Computers can count and tally votes faster.

• Counting by computer avoids human counting errors.

• Computers can offer a richer user interface to voters,

potentially improving accessibility and voter accuracy.

Depending on how computers are used in an election, some or

all of these advantages may apply.

1. Vote on paper; count by hand.

2. Vote on paper; count by machine.

3. Vote on machine; count by machine.

enrich voting

user interface

reduce

counting error

speed up

counting

manage

election data

For this type of election: Computers could be used to:

Figure 1.1. Advantages that computers could potentially offer for elections.

Voting 10

Page 24 of 324
Page 25 of 324

How did electronic voting become

controversial?

In November 2000, Florida’s confusing “butterfly ballot” and

heavily disputed punch-card recounts [2, 85] brought highly

public embarrassment to the United States election system. The

election system suffered widespread criticism on many fronts,

particularly for using an outdated counting mechanism.

Determined to avoid repeating this fiasco, policymakers and

election administrators looked to new technology for a solution.

The result was a growing wave of interest in electronic voting,

which many hoped would eliminate the ambiguity of punch

cards and provide fast, accurate counts.

Two years later, the U. S. Congress passed the Help America

Vote Act (HAVA) [78], authorizing hundreds of millions of

dollars to be spent on new voting machines. Disability

organizations were optimistic about the new requirement for

“at least one direct recording electronic voting system or other

voting system equipped for individuals with disabilities at each

polling place.” But computer scientists warned against a hasty

switch to electronic voting, citing damage to the transparency

and reliability of elections. Though electronic voting machines

were already in use in some localities (more than 10% of

registered voters used them in 2000 [22]), their adoption surged

after HAVA passed in 2002.

In early 2003, election activist Bev Harris made a startling

discovery [32]. She used Google to search for “Global Election

Systems”—the old name of the company that was acquired by

Diebold and renamed “Diebold Election Systems.” Diebold

Election Systems is one of the heavyweights of the United States

election systems industry; its touchscreen voting machine, the

AccuVote-TS, was the leading DRE machine used in the 2004

United States election [22]. By following the links from her

search results, Harris found a completely unprotected Internet

site containing a large collection of company files, including the

source code for the AccuVote-TS.

Voting 11

Page 25 of 324
Page 26 of 324

Researchers at Johns Hopkins University and Rice University

examined this source code and published a landmark

report [43] in May 2004, detailing their discovery of “significant

and wide-reaching security vulnerabilities.” They discovered

that voters could vote multiple times and perform

administrative functions; they found that cryptography was

both misused and missing where it should have been used; and

they expressed a lack of confidence in the quality of the

software in general, concluding that it was “far below even the

most minimal security standards applicable in other contexts.”

Their findings starkly contradicted Diebold’s public claims that

its system was “state-of-the-art,” “reliable,” “accurate,” and

“secure” [20].

The state of Maryland then commissioned reviews of the

same system from two other agencies: Science Applications

International Corporation (SAIC) and RABA Technologies. The

SAIC report [72], released in September 2003, confirmed that

the system was “at high risk of compromise,” and the RABA

report [64], released in January 2004, agreed that the “general

lack of security awareness, as reflected in the Diebold code, is a

valid and troubling revelation.”

In the 2004 U. S. general election, over 30% of voters cast

their votes on electronic voting machines [22]. Voters called in

thousands of reports of machine problems, including total

breakdowns, incorrectly displayed ballots, premarked choices

on the ballot, incorrectly recorded votes, undesired cancellation

of ballots or selections, and nonfunctioning or incorrect

audio [82].

Since 2004, further investigations have continued to tear

down the façade of confidence in the security of voting

machines, the claims of vendors, and the testing regime under

which the machines were certified. Media story after media

story reported on conflicts of interest, regulatory failures, and

newly exposed technical vulnerabilities in all the major voting

systems, not just Diebold’s.

In the summer of 2007, the California Secretary of State

conducted a “top-to-bottom review” of the voting systems used

Voting 12

Page 26 of 324
Page 27 of 324

in California, in which I had the opportunity to participate as a

reviewer. This was the broadest review of voting system source

code to date; the review included source code for DRE machines

and optical scan machines from each of three major vendors

(Diebold Election Systems, Sequoia Voting Systems, and Hart

InterCivic), as well as the election management software

responsible for ballot preparation and tallying. However, the

review teams only had five weeks to examine the source code.

Despite the short time frame, they found serious and pervasive

security problems in every system reviewed [7, 12, 35]. The

software was not written defensively; security measures were

inadequate, misapplied, or poorly implemented; the presence of

numerous elementary mistakes suggested that thorough testing

had not been done. In particular, every system was found

vulnerable to catastrophic viral attacks: the compromise of a

single machine during one election could affect results

throughout the jurisdiction and potentially affect the results of

future elections.

As of this writing, it has become clear that we cannot trust

our elections to the electronic voting machines of today’s

leading vendors. Whether we will ever be able to trust them

remains an open question. There is not yet a clear consensus on

what standards a voting machine should reasonably be

expected to meet. It is also by no means obvious that any set of

feasible technical requirements would yield a voting machine

worthy of our trust— it might simply be beyond the state of the

art to create a sufficiently reliable and economical electronic

voting machine. The point of this work is to make progress

toward a better design, so as to bring us closer to

understanding what is possible and to inform our standards

and expectations for these machines.

Voting 13

Page 27 of 324
Page 28 of 324

Why does software correctness matter?

Switching from mechanical to electronic voting machines is a

bigger step than it might seem at first. Today’s electronic voting

machines are not just electrically-powered devices performing

the same function as their mechanical predecessors, the way

electric light bulbs replaced oil-burning lanterns. Electronic

voting machines contain general-purpose digital computers,

which makes them fundamentally different and capable of

much more than the special-purpose machines they replace. It

would really be more accurate to call them “voting computers,”

as they are called in the Netherlands.

Just like any other general-purpose computer, a voting

computer can be programmed to do anything—count votes,

miscount votes, lie to voters, play games, or even attack other

computers. To prove the point, a Dutch group called “Wij

vertrouwen stemcomputers niet” (“We do not trust voting

computers”) reprogrammed the Nedap ES3B, their nation’s

leading voting computer, to play a passable game of chess [31].

Consequently, the types of attacks that are possible against

voting computers are also fundamentally different than those

possible against mechanical voting machines. Tampering with a

lever machine can cause it to lose some votes or stop working

entirely. Tampering with a computer can cause it to actively

engage in sophisticated schemes to deceive voters and

pollworkers, behave in different ways at different times or

under different circumstances, and even subvert or conspire

with other computers.

The behaviour of a general-purpose computer is determined

entirely by its software. Assuring the correctness of software

has been a major unsolved problem in computer science

research for decades. Computer scientists have been able to

prove some aspects of correctness for small programs, but all

will readily acknowledge that nobody knows a general method

for proving software programs to be correct. The software

developed in industry tends to be larger and more complex

Voting 14

Page 28 of 324
Page 29 of 324

than can be analyzed by the best known techniques, while the

programming languages and tools used in industry generally

lag behind the state of the art in research.

Mistakes in software can remain latent for years, even when

the code is publicly disclosed and inspected by motivated

programmers. For example, OpenSSH is a popular program for

secure login. Its developers have declared security to be their

number one goal [17], and they have gained a reputation for

security practices more rigorous than most. Nonetheless,

security flaws were discovered in OpenSSH in 2003 that had

been present since its first release in 1999, and had survived

intensive software audits by the OpenSSH team.

The problem is exacerbated by the possibility of insider

attacks: what if someone involved in writing the voting software

wants to bias the election? As far as anyone knows, the flaws in

OpenSSH were inadvertent mistakes, so intentional flaws can

probably be made even harder to find. (Chapter 8 offers some

anecdotal evidence that detecting purposely hidden software

flaws can be extremely difficult.) Reviewing the voting software

is not just a matter of looking for code that seems intended to

change votes or tallies. Any flaw that lets an attacker infiltrate

the machine is a serious problem, since that flaw can then be

exploited to reprogram the machine to do anything. So, a

malicious programmer of voting machine software doesn’t have

to write suspicious-looking vote-altering code; he or she only

needs to leave an innocent-looking security weakness. When a

security weakness is found, there’s no way to tell whether it is

an intentional backdoor or an inadvertent mistake—as long as

someone knows the flaw, it can be exploited. If any flaw can be

an attack, we need voting software to be essentially flawless.

All of this explains why this dissertation focuses on

software correctness. There are people who have many years of

experience managing election personnel and running

paper-based elections. There are people who know how to build

reliable machines and reliable computer hardware. But the part

that no one fully understands yet is how to get the software

right.

Voting 15

Page 29 of 324
Page 30 of 324

2 Correctness

What constitutes a democratic election? 17

What does it mean for a voting system to be correct? 19

How does correctness relate to safety? 20

What is the tree of assurance goals for an election? 24

What does it mean for a voting system to be secure? 30

16

Page 30 of 324
Page 31 of 324

What constitutes a democratic election?

The democratic ideal of a legitimate election requires that the

results reflect an unbiased poll of the voters—accurate

according to what each voter intended, and fair in that each

eligible voter has equal and unhindered opportunity to

influence the outcome. These two basic goals can be broken

down according to the mechanics of how elections are run.

Accuracy. By “accurate,” I mean that the data about voter

preferences is accurately gathered and combined to produce the

final result. To make this happen, each ballot has to be

processed correctly at the three stages of voting:

• Correct ballot: Each voter should be presented a ballot with

complete and accurate information on the contests for

which they are eligible to vote.

• Cast as intended: Each voter’s recorded vote should match

what the voter intended to cast.

• Counted as cast: The calculation that decides the outcome

should accurately incorporate every recorded vote and no

extraneous votes.

Fairness. By “fair,” I mean that eligible voters (and only eligible

voters) are free to vote as they please, without bias. We can look

at this from two angles: how the sample of voters is drawn from

the population, and how the opinions of the voters are

measured.

• Unbiased sampling: Votes should come from a fair sample

of the population of eligible voters.

• Unbiased measurement: Each vote should be a fair

measurement of a voter’s preference.

Each of these two aspects of fairness can be elaborated in

further detail. In modern democracies, fair sampling is upheld

through measures aimed at offering equal access to the polls,

and also through the principle of “one person, one vote.”

Correctness 17

Page 31 of 324
Page 32 of 324

• Unbiased sampling is achieved by ensuring:

Authorized voters: Only voters that are eligible for a

contest should be permitted to vote on it.

One ballot per voter: No voter may cast more than one

ballot.

Equal suffrage: Every voter eligible for a contest should

have an equitable opportunity to vote on it.

An unbiased measurement depends on eliminating influence

from external pressures as well as influence from the

presentation of the ballot itself.

• Unbiased measurement is achieved by ensuring:

Secret ballot: No voter’s choices should be exposed by

the voting system or demonstrable by the voter to

others, lest votes be influenced by social pressure,

bribery, threats, or other means.

Equal choice: Every option in a contest should have an

equitable opportunity to receive votes.

Democracy also demands a further virtue: since power is

derived from the consent of the governed, the election process

itself must be accountable to the people. The manner in which

all of the above goals are achieved should be verifiable, so that

members of the public can assure for themselves that the

election is accurate and fair. The verifiability of the election is

not listed among the above goals because it is a “meta-goal,”

like a layer on top of all the other goals.

A widely preferred avenue for achieving verifiability is

through transparency—exposing the election process to public

scrutiny. However, verification can also take place through the

investment of trust in independent experts or inspectors (or

suitably balanced committees thereof), or through

cryptographic means, in which a calculation provides

mathematical evidence of the property to be verified.

Correctness 18

Page 32 of 324
Page 33 of 324

What does it mean for a voting system to be

correct?

In order to be confident that an election is democratic, we

would want to have assurance of all of the goals just

mentioned. But these goals are for the election as a whole,

including all the people, processes, and technology involved.

When we talk about a particular piece of equipment, such as a

voting machine, we have to choose a specific set of subgoals

that it is responsible for. For example, a voting machine cannot,

by itself, guarantee that each voter only votes once. However, if

the machine requires something like an access card in order to

cast each ballot, this feature in combination with a suitably

controlled process for handing out access cards, carried out by

competent, trustworthy pollworkers, can effectively limit each

voter to casting just one ballot.

Every goal is achieved through some combination of human

processes and technology. This dissertation is primarily

concerned with the technological part of an election—the

equipment and software involved in collecting and counting

votes, which I am calling the “voting system” for short. To say

that the voting system works correctly means that it fulfills the

responsibilities that have been assigned to it. Only after we’ve

decided on this assignment of responsibilities is it meaningful

to say whether it is correct. As the access card example

illustrates, it is usually necessary to subdivide goals in some

detail in order to separate out subgoals that technology can

address.

Correctness 19

Page 33 of 324
Page 34 of 324

How does correctness relate to safety?

Engineers have been designing safety-critical systems for many

years, so it’s instructive to examine the research and practice in

methodologies for developing these systems.

Analysis. One of the most common analysis techniques for

safety-critical systems is fault tree analysis [83]. Fault tree

analysis is a way of identifying all the ways that a particular

failure can occur. To perform fault tree analysis, one begins

with a root node that represents the undesired event (the fault);

then one identifies all the events or situations that could cause

that undesired event, and each one becomes a child of the root

node. Each node can be further refined by adding children that

identify possible causes. For example, a few nodes in a fault tree

for a fire extinguisher might look like this:

fire extinguisher

fails to deploy

pin is stuck in

handle

insufficient pressure

in tank

gas has leaked out

of the tank

fire extinguisher has

been previously used

Figure 2.1. A small portion of a fault tree for a fire extinguisher.

Fault trees are known in the computer security world as

threat trees [3] or attack trees [70]. An attack tree lays out all

the possible ways that an attacker might come to violate a

specific security restriction. In an attack tree, the top node is

the attacker’s ultimate goal. The children of a node specify

various ways that an attacker can achieve the goal. For example,

if the ultimate goal is to break open a safe, an attacker could do

Correctness 20

Page 34 of 324
Page 35 of 324

so by obtaining the combination or by drilling open the safe.

Part of the attack tree might look like this:

open the safe

drill the safe obtain the

combination

manipulate the safe bribe someone who

knows the combination

Figure 2.2. A small portion of an attack tree for an attacker who wants to break into a safe.

In the above examples, any one of the children of a node is

sufficient to lead to the parent; the relationship among siblings

is a disjunction (OR). Fault trees and attack trees can also

specify conjunctions (AND) and other logical relationships. The

nodes can be labelled with numbers to indicate the probability

of an event or the cost of a step in an attack.

Design. Fault trees and attack trees are used to analyze existing

systems to identify their weaknesses. But when one is designing

a system, the goal is to establish the system’s worthiness.

In the safety-critical literature, a written justification of a

system’s safety is called a safety case [87]. Safety cases are

required by many safety standards. A safety case is often a very

large document, as it incorporates all the arguments and

supporting evidence for the safety of each element of the

system. The development of the safety case can take up a large

fraction of the effort in designing a safety-critical system.

Hence, significant research efforts have been directed toward

ways of organizing and maintaining safety cases.

Like fault trees, safety cases are also typically structured in

a top-down approach based on successive refinement. The

technique that is probably the most prominent in the research

Correctness 21

Page 35 of 324
Page 36 of 324

literature is the Goal Structuring Notation [41], which elaborates

on a basic tree-like organization of goals by allowing nodes of

several different types: goals, strategies, justifications,

assumptions, and so on. Here is an example of a section of a

safety case for a microwave oven diagrammed in Goal

Structuring Notation:

microwave is

acceptably safe

argument that

radiation

emission levels

are safe

emission levels are

safe when door is

closed

emission levels are

safe when door is

open

results of

radiation

testing

argument that

door interlock

deactivates

emitter

. . .

. . .

Figure 2.3. Part of a safety case for a microwave oven in Goal Structuring Notation.

Voting systems. A safety case would be appropriate for

justifying why we should place our confidence in a voting

system. Ideally, certification of any voting system for

deployment would require the manufacturer to provide a

convincing and clearly structured safety case.

The hierarchy of goals for a democratic election form the

Correctness 22

Page 36 of 324
Page 37 of 324

starting point for such a safety case. The process of dividing

goals into subgoals produces a tree of assurance goals for a

system, which I’ll call an assurance tree. (An assurance tree

could be considered a simplified instance of Goal Structuring

Notation in which all the nodes are correctness goals.) When an

assurance tree is fully elaborated, the leaves of the tree are

individual responsibilities that can be assigned to specific

people and specific devices.

The process of refining the general goals into specific

subgoals is a type of design activity. Different solutions will

subdivide the main goals differently and assign responsibilities

for the subgoals differently. For example, access cards are one

possible way to keep voters from voting multiple times, but of

course they are not the only way. It is a design choice to

implement “one ballot per voter” in terms of the two parts:

“pollworkers give one access card to each eligible voter” and

“the voting machine allows each access card to be used just

once to cast a ballot.” Making these design choices and refining

the goals at every level eventually leads to a set of specific

technical requirements for the voting system.

In an assurance tree, the children of each node indicate

what requirements have to be upheld in order for the parent

goal to be upheld. The final result of refining the tree is an

assignment of specific responsibilities to various parts of the

system—for example, a set of tasks to be carried out by

humans and a set of tasks to be carried out by computers—

such that all the assurance goals are upheld. The tree captures

the design of the system as well as the security assumptions

that the designer made.

Correctness 23

Page 37 of 324
Page 38 of 324

What is the tree of assurance goals for an

election?

The requirements that were presented earlier can be refined one

step further without specifying a particular voting system

design. First I’ll explain each subgoal, then present the whole

tree, which can form a basis for the safety case of any election.

Accuracy: correct ballot. In order for a voter to receive a

correct ballot, the correct ballot has to exist for that voter and it

must contain the correct instructions and choices for the

election. The voter then has to be given the right kind of ballot,

and the voter has to receive it without alteration.

Accuracy: cast as intended. The voter’s vote is properly

recorded if the ballot indicates what the voter wanted and is

cast when the voter is ready. Choices should be selected if and

only if the voter makes them, and the voter should be free to

mark the ballot in any manner that is valid. (When paper is

used, the voter can also cast an invalid ballot; then the ballot is

not counted. When electronic machines are used, the machine

usually prohibits the voter from marking the ballot in an invalid

manner.) To further ensure that the cast ballot matched the

voter intent, the voter should get accurate feedback about what

is currently selected, and should be able to make changes or

corrections before casting the ballot.

Accuracy: counted as cast. For the count to be correct, there

must be no extra or missing votes, and the votes that are

counted must be exactly as voters indicated them on their cast

ballots.

Fairness: authorized voters. I use the term voting session for

the interval that begins with a voter entering a protected area of

the polling place such as a voting booth, and ends when the

voter walks away, either having cast or failed to cast a ballot. In

Correctness 24

Page 38 of 324
Page 39 of 324

a typical election, voter authorization consists of controlling

access to voting sessions and ensuring that there is no other

way to cast a ballot except in a voting session.

Fairness: one ballot per voter. Limiting each voter to one cast

ballot is also achieved by controlling access to voting sessions.

In practice, each voter is authorized for one voting session at a

time. If a voter wants to try again, a pollworker either destroys

the ballot or determines that the voter did not already cast a

ballot, and then authorizes another voting session.

Fairness: equal suffrage. There are three steps to casting a

ballot. First the voter has to get to a polling station. Then, at the

polling station, the voter has to be allowed to begin a voting

session. Then, in the voting session, the voter has to

successfully cast the ballot. Equal suffrage demands that voters

have reasonable access and be free of discrimination at all of

these stages.

Another way that a voter can be disenfranchised is to make

an error. It is infeasible to demand that there be no errors at all,

but fairness requires that errors not be biased against any

particular group of voters. The controversy over the 2006 race

for Florida’s Congressional District 13 highlighted the

significance of biased error. Different voters saw different ballot

layouts, and post-election analysis [29] has suggested that the

particular layout used in Sarasota County caused a large

fraction of voters to skip the congressional race by mistake.

Fairness: secret ballot. The election system should not itself

violate the voter’s privacy. But it’s a tougher task to prevent

coercion. Voters’ susceptibility to influence may not be based in

reality: as long as voters believe they will profit or suffer by

voting a certain way, the belief is sufficient to influence their

votes. For example, an attacker could claim to have insider

access that allows him to identify which voters voted for a

particular candidate and punish them. Whether or not the

attacker has such insider access, or whether discovering voters’

Correctness 25

Page 39 of 324
Page 40 of 324

identities is even possible, the fear of punishment could be

enough to sway votes. Different kinds of voting systems will

lend differing degrees of plausibility to such claims—for

example, some voters might be easily persuaded that someone

could violate their privacy via computerized vote records, but

they might find it harder to see how such a violation would be

possible with hand-counted paper ballots.

The formal definitions of coercion-resistance in the research

literature [18, 38, 60] require that voters be unable to prove to a

vote-buyer that they voted a certain way. But the issue is more

nuanced than that. A vote-buyer doesn’t need solid proof, just

evidence sufficiently plausible that offering a reward for it will

influence the vote.

For example, consider an election system in which voters

receive receipts indicating how they voted, but could also forge

such receipts. One might think that such an election system is

coercion-resistant, since it isn’t worthwhile for a vote-buyer to

buy something that can be forged. But resistance to coercion

also depends on the cost of producing a forgery: if forgeries

require enough effort that a significant number of voters will

vote as directed by the vote-buyer instead of carrying out the

forgery, the vote-buyer will succeed at influencing the election.

Therefore, the secret ballot goal includes the requirement that

voters not be given any plausible evidence (not just hard proof)

of their votes that could be sold to an external party.

Fairness: equal choice. Since the goal is to avoid bias among

the options within a contest, it would not do for some of the

options to be shown one way to some voters and a different way

(say, in red, or in larger print) to others.

It would be ideal to avoid all bias among options presented

on the same ballot, but this is not possible: some option has to

be presented first, and there is a well-documented bias toward

the first item [46]. The next best thing is to change the order of

presentation from ballot to ballot such that there is a uniform

distribution of bias towards all the options, when the ballots are

considered in aggregate.

Correctness 26

Page 40 of 324
Page 41 of 324

There is a more subtle kind of bias that also should be

avoided: a bias relative to the voter’s preferred choice. Imagine,

for example, a contest with three options A, B, and C. Suppose

the ballot design causes half the voters who intend to mark A to

mistakenly mark B, half of those who want B to mark C, and

half of those who want C to mark A. Such a ballot is not biased

toward any particular option, but it is still clearly unfair: B

could win an election in which most voters intended to vote for

A. So there is also a requirement for a uniform distribution of

errors with respect to the voter’s intended choice.

∗ ∗ ∗

Gathering all the requirements just mentioned gives us the

following high-level assurance tree for elections.

Accuracy

• Correct ballot

G1. For every voter, there exists a ballot style containing

the complete set of contests in which that voter is

eligible to vote.

G2. On every ballot, all the information is complete and

accurate, including instructions, contests, and

options.

G3. In every voting session, the correct choice of ballot

style is presented to the voter.

G4. Every ballot is presented to the voter as the ballot

designer intended.

• Cast as intended

G5. At the start of every voting session, no choices are

selected.

G6. The voter’s selections change only in accordance

with the voter’s intentions.

G7. The voter receives accurate feedback about which

choices are selected.

G8. The voter can achieve any combination of selections

that is allowable to cast, and no others.

Correctness 27

Page 41 of 324
Page 42 of 324

G9. The voter has adequate opportunity to review the

ballot and make changes before casting it.

G10. The ballot is cast when and only when the voter

intends to cast it.

• Counted as cast

G11. Every selection recorded on a ballot cast by a voter is

counted.

G12. No extra ballots or selections are added to the count.

G13. The selections on the ballots are not altered between

the time they are cast and the time they are counted.

G14. The tally is a correct count of the voters’ selections.

Fairness

• Unbiased sampling

Authorized voters

G15. Only authorized voters can begin voting

sessions.

G16. Only in voting sessions can ballots be cast.

One ballot per voter

G17. No voting session allows more than one ballot to

be cast.

G18. Each voter is allowed at most one voting session

in which a ballot was cast.

Equal suffrage

G19. Every voter has reasonable, non-discriminatory

access to a polling station they can use.

G20. Every voter can begin a voting session within a

reasonable, non-discriminatory waiting time.

G21. Every voting session provides a reasonable,

non-discriminatory opportunity to cast a ballot.

G22. For every voter that is eligible to vote in a

particular contest, there is a uniform likelihood

of voter error on that contest.

• Unbiased measurement

Secret ballot

G23. The processing of voter choices does not expose

how any particular voter voted.

Correctness 28

Page 42 of 324
Page 43 of 324

G24. Voters are not provided any way to give plausible

evidence of how they voted to an external party.

Equal choice

G25. Within each contest, all the options are

presented in the same manner on each ballot

and across all ballots.

G26. For each contest, the voters are presented with

ballots that, in aggregate, yield a uniform

distribution of bias in favour of each option.

G27. For each contest, the voters are presented with

ballots that, in aggregate, yield a uniform

frequency of voting errors across the voters that

intend to vote for each option.

G28. In each contest, for each option, voters intending

to vote for that option are presented with ballots

that, in aggregate, yield a uniform distribution of

voting errors in favour of every other option.

Correctness 29

Page 43 of 324
Page 44 of 324

What does it mean for a voting system to be

secure?

A voting system is secure if it can be relied upon to produce the

correct results in the face of determined attempts to corrupt

the outcome. Thus, security and correctness are closely related:

security is just correctness in an adversarial context. The

intentional violation of any subgoal in the assurance tree would

constitute a security breach.

Since this dissertation is focused on the software security

questions surrounding electronic voting machines, let’s separate

out the goals that rely on software from those that don’t.

Of the goals in the assurance tree, these are normally addressed

by humans in the preparation and conduct of the election:

G1. For every voter, there exists a ballot style containing the

complete set of contests in which that voter is eligible to

vote.

G2. On every ballot, all the information is complete and

accurate, including instructions, contests, and options.

G18. Each voter is allowed at most one voting session in

which a ballot was cast.

G19. Every voter has reasonable, non-discriminatory access to

a polling station they can use.

The following goals are addressed through good ballot design.

They could be violated by voting machine software that displays

the ballot incorrectly or lacks the ability to display ballots in a

fair manner. However, as long as the voting machine presents

the ballot as the ballot designers intended (which is goal G4), we

can consider these goals the responsibility of ballot designers:

G22. For every voter that is eligible to vote in a particular

contest, there is a uniform likelihood of voter error on

that contest.

G25. Within each contest, all the options are presented in the

same manner on each ballot and across all ballots.

Correctness 30

Page 44 of 324
Page 45 of 324

G26. For each contest, the voters are presented with ballots

that, in aggregate, yield a uniform distribution of bias in

favour of each option.

G27. For each contest, the voters are presented with ballots

that, in aggregate, yield a uniform frequency of voting

errors across the voters that intend to vote for each

option.

G28. In each contest, for each option, voters intending to vote

for that option are presented with ballots that, in

aggregate, yield a uniform distribution of voting errors

in favour of every other option.

The following goals could be addressed almost entirely by

election-day procedures, or through a combination of such

procedures and proper software behaviour, depending on how

the voting system is designed:

G15. Only authorized voters can begin voting sessions.

G16. Only in voting sessions can ballots be cast.

The proposed designs in this dissertation assume that the

above two goals are upheld by human procedures. For G15,

election workers ensure that only authorized voters are

permitted physical access to voting machines. And for G16,

election workers should provide no other way to cast ballots

outside of the officially approved procedures.

The remaining goals are those that necessarily depend on the

correctness of the voting machine software implementation:

G3. In every voting session, the correct choice of ballot style

is presented to the voter.

G4. Every ballot is presented to the voter as the ballot

designer intended.

G5. At the start of every voting session, no choices are

selected.

G6. The voter’s selections change only in accordance with

the voter’s intentions.

G7. The voter receives accurate feedback about which

choices are selected.

Correctness 31

Page 45 of 324
Page 46 of 324

G8. The voter can achieve any combination of selections that

is allowable to cast, and no others.

G9. The voter has adequate opportunity to review the ballot

and make changes before casting it.

G10. The ballot is cast when and only when the voter intends

to cast it.

G11. Every selection recorded on a ballot cast by a voter is

counted.

G12. No extra ballots or selections are added to the count.

G13. The selections on the ballots are not altered between the

time they are cast and the time they are counted.

G14. The tally is a correct count of the voters’ selections.

G17. No voting session allows more than one ballot to be cast.

G20. Every voter can begin a voting session within a

reasonable, non-discriminatory waiting time.

G21. Every voting session provides a reasonable,

non-discriminatory opportunity to cast a ballot.

G23. The processing of voter choices does not expose how

any particular voter voted.

G24. Voters are not provided any way to give plausible

evidence of how they voted to an external party.

G3 and G20 depend on election-day procedures as well as the

voting machine software. For G3, typically a pollworker is

responsible for selecting the correct ballot style for each voter,

and the voting machine must correctly use the ballot style

indicated by the pollworker. For G20, the polling station needs

to serve voters efficiently and fairly, but also the voting

machines should be available and ready to serve voters and

should not freeze up or crash. G23 and G24 depend on the

overall design of the voting system, including the human

procedures, as well as the correct functioning of the voting

machine software.

Security issues with voting machine software usually have to do

with upholding and enforcing the 17 goals in this last list.

These 17 goals are the focus of my efforts to achieve and verify

software correctness.

Correctness 32

Page 46 of 324
Page 47 of 324

3 Verification

How do we gain confidence in election results? 34

How can we verify the computerized parts of an election? 36

What kind of election data can be published? 39

What makes software hard to verify? 41

In what ways are today’s voting systems verifiable? 44

What is the minimum software that needs to be verified? 48

What other alternatives for verification are possible? 52

33

Page 47 of 324
Page 48 of 324

How do we gain confidence in election results?

An election consists of many steps, each of which processes

information such as ballot and candidate data, voter

information, and records of cast votes. At the most basic level,

each step takes some input and produces some output.

Confidence in the ultimate result—the output of the last step in

the chain—depends on confidence that each step was correctly

performed. The choice of the type of voting system determines

which steps are carried out by people and which by computers.

Earlier we described the election process in terms of three

stages: preparation, polling, and counting. With respect to

establishing confidence in a voting system, these stages can be

broken down further into the nine steps shown at the left, which

include transmission as well as processing of information.

design

ballots

present

ballots

count

votes

tally

subtotals

distribute

ballots

mark or

enter votes

collect

votes

transmit

subtotals

Preparation

Polling

Counting

cast

votes

The preparation stage consists of events prior to the

opening of polls, which includes not only designing the ballots

but also distributing them to polling places. This production

and distribution takes place for both paper ballots and

electronic ballot definition files.

The polling stage involves presenting the ballots to voters,

who make selections and cast the ballots. For sighted voters

reading paper ballots, presentation of the ballot is a trivial step,

but for electronic voting computers the fidelity of the

presentation is a real issue.

In many elections, counting occurs in two parts: votes are

first counted at polling places, then the counts are centrally

tallied to yield the final results. This stage includes the

transmission of votes to the person or machine that counts

them. The distinction between local and central counting is

important because the local counting process often takes place

in public, whereas the aggregation of results and central tallying

does not.

For a step that transforms information from one form to

another, confidence comes from ensuring that it produced the

correct output for the input it was given. For a step that

Verification 34

Page 48 of 324
Page 49 of 324

transports information from one place to another, confidence

comes from ensuring that the integrity of the information was

preserved.

Because of the way I’ve defined the three accuracy goals

(correct ballot, cast as intended, and counted as cast), they differ

slightly from the three chronological stages: getting the correct

ballot to the voter includes the presentation step at the polls.

The following figure shows which steps correspond to the three

accuracy goals. Under each step is the name of a subgoal for

that step.

counting

correctness

count-to-tally

integrity

tallying

correctness

ballot-to-voter

integrity

vote recording

correctness

ballot

correctness

ballot-to-poll

integrity

design

ballots

mark or

enter votes

present

ballots

distribute

ballots count

votes

collect

votes tally

subtotals

transmit

subtotals

C O R R E C T B A L L O T C A S T A S I N T E N D E D C O U N T E D A S C A S T

vote-to-count

integrity

cast

votes

Preparation Polling Counting

Figure 3.1. The nine steps in the election process and their corresponding integrity and

correctness goals.

Verification 35

Page 49 of 324
Page 50 of 324

How can we verify the computerized parts of

an election?

Suppose that a particular information processing step in an

election is carried out by a computer. As I mentioned in

Chapter 1, the computer’s behaviour is completely controlled by

its software. Let’s say the software program responsible for this

step takes some input x and produces some output y. For

example, if this is the vote-tallying step, x could be a collection

of electronic vote records and y could be the election totals.

input

x

output

y program

Figure 3.2. For some particular processing step in an election, a software program takes

the input x and produces the output y.

If you want to check that the program produced the correct

result, you have two main choices:

1. Software verification. You can examine the program itself

and confirm that it works the way you expected. Depending

on the assumptions you make, this may include manual

inspection of the source code, automated analysis, or formal

mathematical proofs. Once you have confirmed that the

program does exactly what it’s supposed to do in every

possible circumstance, you can be confident that this

particular output, y, is correct.

2. Result verification. You can take the input x and figure out

what the corresponding output should be. If the actual

output y matches the expected output, then you know it’s

correct. To do this, you need records of both x and y, as well

as some way to independently repeat the operation—

perhaps you have another program that you trust, or

perhaps you can work out the expected output by hand.

Verification 36

Page 50 of 324
Page 51 of 324

There is also a variant of result verification:

2a. Indirect result verification. Some schemes allow you to

establish confidence without repeating the entire operation.

For example, given information derived from x and y, you

might have a way to mathematically check their consistency.

Or, you might be allowed to choose parts of x and y to

check, enabling you to establish a high probability of a

correct result.

Software verification has the advantage that it only needs to be

done once on a given program to establish confidence in all the

output it will ever produce. Result verification has to be

repeated each time the program produces new output.

However, there are three major factors weighing in favour of

result verification.

Programs change. The apparent advantage of doing software

verification only once becomes less compelling when you

consider that software changes all the time. Features are added;

bugs are discovered and fixed; demands change. In particular,

election software is subject to election law, which differs from

state to state in the United States. Whenever legislation gets

passed, election software may have to be updated to satisfy new

requirements. Any change would invalidate previous reviews or

proofs of correctness and require the software to be verified

over again.

Software verification requires disclosure. Disclosure of

software code often faces legal, financial, or political barriers.

Voting machine companies have resisted public disclosure of

their source code on the grounds that it could help a motivated

attacker, and they claim that copyright and trade secret

protection are necessary to support a sustainable, profitable

business. [34] Disclosing code would certainly increase the

transparency of an election and improve the accountability of

the testing process. But having ways to check the correctness of

an election without depending on disclosure of all the code

would allow the election to sidestep this disclosure dispute. The

Verification 37

Page 51 of 324
Page 52 of 324

democratic process is healthier if private interests have fewer

opportunities and fewer plausible incentives to prevent the

public from verifying an election.

Software verification is much harder. As a later section of this

chapter will explain (page 41), the behaviour of software can be

extremely difficult to analyze. Software review by human

experts is expensive, time-consuming, and prone to error. The

only way to be truly sure is to construct a mathematical proof,

but it is well beyond the state of the art to do this for programs

the size of typical computer applications. When such proofs are

constructed, they often aim to prove things about a simplified

model of the program rather than the program itself.

Unfortunately, a mathematical proof can only prove that a

program satisfies a formal specification of what it’s supposed

to do. The proof only establishes that the program is correct if

the specification accurately expresses what it means to be

correct—and such specifications are themselves complex and

tricky to write.

Verification 38

Page 52 of 324
Page 53 of 324

What kind of election data can be published?

There is an inherent tension between voter privacy and the

desire for verifiable elections. As argued earlier in this chapter,

verifying results is preferable to verifying software. But public

verification of results depends on publishing election data.

Suppose there is some data made available to the public to

enable verification. This might include partial or complete

information about ballots, votes, and results, or something

derived from such data. Each published piece of data (let’s call

it a record) might be identifiable as corresponding to a

particular voter, or it might not. And each record might contain

sufficient information to reveal votes, or it might not. These two

features are independent: for example, a published record could

indicate a vote for a particular candidate, yet not be associated

with any particular voter.

For voters to be able to check that their own ballot was

correctly received (i.e., cast as intended), they need to be able to

look up their own ballots. To do this, they need some kind of

public record of their ballot that is identifiable.

For voters to be able to confirm the tally by directly

performing their own recount, they have to be able to see the

votes. To do this, they need public records that reveal votes.

Published records that are identifiable and reveal votes

would enable the public to verify everything, at the expense of

voter privacy. Imagine an election in which every ballot is

published online and uniquely associated with the voter who

cast it. Any voter could look up their ballot online to confirm

that it is correct as published, and anyone could count the

published ballots to confirm the tally. In such a system,

software correctness would be irrelevant—software could be

used at any stage of the process and there would be no need to

verify it, because the entire election can be checked by result

verification. But in such an election, voters could also easily sell

their votes—for example, they could tell a vote-buyer where to

find their ballots online.

Verification 39

Page 53 of 324
Page 54 of 324

∗ ∗ ∗

In summary:

• Public confirmation that ballots are cast as intended

requires public records that are identifiable.

• Public confirmation of the tally by direct recount requires

public records that are vote-revealing.

• If any public records are identifiable and vote-revealing,

they enable bribery and coercion.

This suggests two possible kinds of public records:

1. Anonymous records that do reveal votes.

2. Identifiable records that don’t reveal votes.

Several proposals for voting systems, including those proposed

in this dissertation, publish records of the first kind. These

records enable direct result verification of the tally. Later in this

chapter, I’ll discuss end-to-end cryptographic voting systems, in

which both kinds of records are published, and an additional

verification step confirms the correspondence between the two.

Verification 40

Page 54 of 324
Page 55 of 324

What makes software hard to verify?

Most software is hard to verify because it is complex.

Here are some of the main reasons why complexity in

software is more difficult to manage than complexity in a

physical machine.

Number of components. The number of parts in a physical

machine is limited by the costs of manufacturing, but there is

no such limit on software. A software program costs the same

to distribute—virtually nothing—whether it contains ten

components or a million components. It is easier to add

complexity to a software program than to a physical device, and

removing code often has a higher risk of breaking the program

than adding new code. Requirements change and customers ask

for more features; in response, software tends to grow

boundlessly during the course of development, unless there are

determined and persistent efforts to keep it small.

Software programs also often incorporate large ready-made

packages of components written by others, to save the effort of

writing code from scratch. Even if only a small part of a

package’s functionality is used, it is easier to include the entire

package than to separate the parts that are used from those

that are not. These pressures lead to software applications with

millions of lines of code and thousands of interacting

components.

Complex interconnections. There are likely to be more

connections between the parts of a software program than

those of a physical machine. Whereas a machine part can only

interact with other parts near it, there is no limit on the number

of other parts that a software component can depend on. For

example, it is common for a single component to be relied upon

by thousands of other components.

These connections are also harder to see in software. The

way that a machine part affects other parts is usually clear from

Verification 41

Page 55 of 324
Page 56 of 324

direct physical inspection. But finding all the other software

components that depend upon a given software component can

be a difficult task.

Far-reaching effects. Because software components can be so

deeply interconnected, a small change in one part can affect

another part that is far away, affect parts written by different

people, or have wide-ranging effects on the behaviour of the

whole program. The software engineering practices of

modularity (dividing up a program into distinct modules) and

encapsulation (protecting each module from outside

interference) aim to limit these kinds of effects, but software

programs nonetheless tend to be more sensitive to change than

physical machines.

Nonlinearity. The power of general-purpose computers derives

from their ability to make decisions. With software, a tiny

change in input can yield a completely different outcome; for

example, a program can decide to behave one way when the

result of a calculation turns out to be zero and another way

when it is nonzero. This means that similar situations cannot be

assumed to yield similar behaviour. This nonlinear nature

makes it hard to predict how software will behave and hard to

test software thoroughly. Mechanical devices can be nonlinear

too, but software tends to be pervasively nonlinear.

∗ ∗ ∗

One of the most serious threats that is currently poorly

addressed in voting systems is the insider threat from software

developers. Intentionally placed bugs or backdoors are hard to

detect even when software is carefully audited [5]. The

persistent failure of the federal testing process to detect major

security flaws [21, 37] and the continuing revelations of security

vulnerabilities in certified voting systems [33, 43, 64, 84, 88]

suggest that voting software has not been audited anywhere

near enough to defend against this threat.

Verification 42

Page 56 of 324
Page 57 of 324

The complexity of software is what makes it difficult to be

sure: sure that the software will behave as expected, that it will

produce the correct results, and that it will resist determined

attempts to subvert the outcome of an election. Software

complexity is the ultimate enemy of reliable computer-based

elections.

There are two ways to fight this enemy: design the system

so less of the software needs to be verified, and simplify the

software that needs to be verified. Both can be applied together.

Verification 43

Page 57 of 324
Page 58 of 324

In what ways are today’s voting systems

verifiable?

Different voting systems offer different ways for voters to gain

confidence that the election results are correct. We can compare

systems by looking at what mechanism for assurance is

provided, if any, at each step of the process.

The two kinds of voting technology most commonly used in

the United States are optical scan systems and direct recording

electronic (DRE) systems.

Optical scan voting. When an election is conducted by optical

scan, paper ballots are prepared and printed before polls open.

Voters mark the ballots by hand and deposit them into a ballot

box. There are two variants of optical scan voting: the scanning

can take place at individual precincts or at a central election

office.

Although software is usually involved in preparing the

ballots, voters and candidates can verify for themselves the

sample ballots published before polling. Voters can also bring

sample ballots to the polling place and compare them with the

blank ballots they receive. This is an example of avoiding

software verification, which is possible because the results of

the preparation stage are public.

We know the ballot is presented exactly as prepared,

because the voter directly reads the printed paper. There is no

recording device to misrecord the voter’s marks; the voter is

responsible for clearly marking the paper to be counted. The

election relies on the physical durability of paper for the

integrity of printed ballots and recorded votes.

A precinct-based

optical scanner.

When scanning takes place at individual precincts, the

ballots pass through a scanning machine on their way into the

ballot box. After polls close, each machine prints out its counts

on a paper tape. If the paper tapes are posted immediately for

public viewing, then no one has to trust the software that does

the tallying. The final election report will contain both the

Verification 44

Page 58 of 324
Page 59 of 324

counts in each precinct and the overall totals. Anyone can

confirm that the locally posted results are correctly included in

the election report, and anyone can confirm that the overall

totals were calculated properly.

When scanning is performed centrally, voters can’t perform

the same check on the tally step. They have to trust election

personnel to safely transport the ballots from the polls to the

central office and to enter the results from the central scanner

into the software that tallies them (known as the election

management system, or EMS).

Figure 3.3 summarizes the mechanisms by which any

individual voter can ensure the validity of each step in this

process. (I’ll call this an assurance chart.)

counting

correctness

count-to-tally

integrity

tallying

correctness

ballot-to-voter

integrity

vote recording

correctness

ballot

correctness

ballot-to-poll

integrity

design

ballots

mark or

enter votes

present

ballots

distribute

ballots

count

votes

collect

votes

tally

subtotals

transmit

subtotals

C O R R E C T B A L L O T C A S T A S I N T E N D E D C O U N T E D A S C A S T

vote-to-count

integrity

cast

votes

published sample ballots paper

ballot box

in public view

results posted

at each

precinct

subtotals and

totals posted

online

precinct

optical scan

central

optical scan

election administrators recount ballots

scanner

personnel personnel

ballot box

in public view EMS

EMS

scanner

Figure 3.3. Assurance chart for elections with hand-marked, optically scanned ballots.

The starbursts mark mechanisms that voters have to accept

on faith—they have to trust software they can’t see or people

they don’t know. For precinct-based scanning, voters have to

trust the software that controls the optical scanner. For central

scanning, the voters also have to trust the personnel who collect

the ballots and convey counts from the scanner to the EMS.

They also have to trust the EMS itself, since they have no way to

independently check that the totals were added up correctly.

Paper ballots provide a useful backup record, as they can be

recounted by hand or by machine. The same stack of ballots can

even be counted multiple times, and the counts from different

people or different machines can be compared to improve

Verification 45

Page 59 of 324
Page 60 of 324

confidence. In Figure 3.3, recounts are shown as a secondary

assurance mechanism, below the three boxes on the right. They

are shown as secondary because ordinary voters cannot conduct

or order recounts; only election administrators can do so.

DRE voting. Figure 3.4 shows what voters have to trust for each

step of an election process with a DRE voting system. There are

two possibilities here as well: the results from DRE machines

might be reported at each precinct, or they might be reported

only by the central election office.

counting

correctness

count-to-tally

integrity

tallying

correctness

ballot-to-voter

integrity

vote recording

correctness

ballot

correctness

ballot-to-poll

integrity

design

ballots

mark or

enter votes

present

ballots

distribute

ballots

count

votes

collect

votes

tally

subtotals

transmit

subtotals

C O R R E C T B A L L O T C A S T A S I N T E N D E D C O U N T E D A S C A S T

vote-to-count

integrity

cast

votes

DRE with

precinct-level

reporting

DRE with

central

reporting

individual voters check VVPATs; effective only if recounted election administrators recount VVPATs

personnel

personnel

personnel personnel

counts posted

at each

precinct

subtotals and

totals posted

online

DRE

DRE

DRE

DRE

EMS

EMS

EMS

EMS

Figure 3.4. Assurance chart for elections with direct recording electronic (DRE) voting.

When DRE machines are used, voters don’t get to see a

sample of the ballot definition in the machine, in the same way

that a sample ballot is a direct preview of what will be used on

election day. At best, voters might get images of the screens

displayed by the DRE, printed on paper. But, in general, they

don’t get to test-drive a DRE with the ballot definition they will

be using, and they can’t check whether their machines have

received the correct ballot definitions. Voters have to trust the

EMS, which produces the ballot definition files, the personnel

that operated the EMS, and the personnel that loaded the ballot

definitions into the DRE machines.

A DRE voting machine.

The DRE machines are responsible for presenting the

choices to the voter and recording the voter’s selections. For

these steps the voter is forced to trust that the DRE software is

correct. For the counting stage, voters have to trust either the

Verification 46

Page 60 of 324
Page 61 of 324

software in the DRE that counts and reports results locally, or

the software in the EMS that counts and tallies the results

centrally, along with the personnel that convey the information

to the EMS.

As a backup verification mechanism, some DRE machines

print voter-verified paper audit trails (VVPATs). This is a paper

tape that shows the voter’s selections for viewing and

confirmation by the voter. Printed VVPATs are retained by the

machine so that they can later be recounted if a recount is

deemed necessary. However, voter inspection of VVPATs is not

as strong a backup as voter inspection of paper ballots; in the

case of VVPATs, the thing being inspected is not what is

normally counted. With DRE machines, the results are derived

from the electronic records, not the VVPATs that voters see; the

VVPATs are only relevant if election officials decide to conduct a

recount.

A DRE with a VVPAT

printer (at lower right).

There are also good reasons to believe that voters are

unlikely to catch discrepancies on VVPATs. In a study by

Everett [25], voters using a mock DRE were shown a review

screen with selections different from what they had chosen, and

68% of voters failed to notice the changes. It seems likely that

even more voters would miss discrepancies on the VVPAT,

which is generally smaller than the screen and shown off to the

side of the machine.

As Figure 3.4 makes obvious, DRE voting systems depend

heavily on software. Because so little information is typically

published about these programs and their inputs and outputs,

trusting the outcome of such an election often requires trusting

virtually every piece of software in the system—software for

designing ballots, software that produces ballot definitions,

voting machine software, software that tallies votes, and all the

operating systems, compilers, editors, and other tools that were

used to produce these programs.

It doesn’t have to be this way. By publishing information

about the software and the data processed by that software, it’s

possible to reduce what voters have to accept on faith in order

to trust the validity of the election result.

Verification 47

Page 61 of 324
Page 62 of 324

What is the minimum software that needs to

be verified?

The degree to which software verification is avoidable depends

on a critical decision: how do voters indicate their votes—on

paper or on a computer? Of all the steps in the process, this one

is special because it must take place in private.

A big part of the present controversy over electronic voting

machines is a conflict about the user interface presented to

voters. Proponents of the machines point to the real benefits

that computers could offer in improved usability and

accessibility. For people with certain disabilities, voting

computers may be the only way to vote privately and

independently. Whether these advantages are enough to

outweigh the loss of a tangible, directly marked ballot is a

complicated question, and I argue for neither side of that issue

here. But an important factor in deciding whether vote entry

should occur on paper or on a computer is the feasibility of

ensuring the integrity of votes in either case.

Each of the two cases has its own answer to “what is the

minimum software that needs to be verified?”

Case 1: The paper option. If voters directly mark paper ballots,

the answer is “nothing.” To avoid all software verification, just

publicly count the ballots by hand right after the polls close.

Sample ballots, mailed out before polls open, let voters check

that the real ballots are printed correctly. There is no software

involved in marking and casting votes, only paper. And if the

results of the hand count are posted immediately at the polling

place, then no one has to trust the software that does the

tallying.

So, in a voting system where paper ballots are hand-marked

and hand-counted at the polls, any step that uses software can

be publicly checked by direct result verification. As with any

paper ballot system, the ballots are available to be recounted

later if necessary.

Verification 48

Page 62 of 324
Page 63 of 324

Figure 3.5 summarizes the preceding analysis in an

assurance chart.

published sample ballots

hand-marked,

hand-counted

paper ballots

paper ballot box

in public view

multiple

counters in

public view

counts posted

at each

precinct

subtotals and

totals posted

online

election administrators recount ballots

counting

correctness

count-to-tally

integrity

tallying

correctness

ballot-to-voter

integrity

vote recording

correctness

ballot

correctness

ballot-to-poll

integrity

design

ballots

mark or

enter votes

present

ballots

distribute

ballots

count

votes

collect

votes

tally

subtotals

transmit

subtotals

C O R R E C T B A L L O T C A S T A S I N T E N D E D C O U N T E D A S C A S T

vote-to-count

integrity

cast

votes

Figure 3.5. Assurance chart for an election with hand-marked, hand-counted ballots.

Case 2. Entering votes by computer. In this case, the answer is

“just the vote-entry software.” Here’s why.

The “mark or enter votes” step, central to the voter

experience, also turns out to be critical in terms of verification.

This step cannot be publicly verified by result verification.

Result verification requires a complete record of inputs and

outputs. But one of the inputs to this step is the input from

individual voters, which must be kept private due to the

principle of the secret ballot. Moreover, if the ballot is

presented to the voter by a computer, the voter’s input is

subject to influence by the computer.

Therefore, if choices are presented or selected on a

computer, software verification is unavoidable. However, the

secret ballot is the only privacy requirement that elections have

to uphold. Recorded votes can be published as long as they

cannot be associated with any particular voter. The only part of

the process that needs to be secret—and thus the only part

for which software verification is really necessary—is from

the private interaction with an individual voter up until the

moment the voter’s votes are recorded in anonymous form.

That interval is the critical interval during which private

information gets turned into publishable information. All the

inputs and outputs for other steps can be published, so

everything else can be checked by result verification.

Verification 49

Page 63 of 324
Page 64 of 324

It follows that the way to minimize software verification is

to make that critical interval as short and simple as possible:

use software to present the ballot, accept selections from

voters, and record the votes in anonymous form, then publish

the anonymous votes immediately when polls close. The

preparation that takes place before the election produces a

ballot definition file for the voting machine. If this file is also

published, no one needs to verify the ballot preparation

software either. Figure 3.6 gives the assurance chart for this

case.

anonymous vote

records posted

at each precinct

published

ballot

definition

DRE with

published

vote records

personnel DRE anonymous vote records posted online

counting

correctness

count-to-tally

integrity

tallying

correctness

ballot-to-voter

integrity

vote recording

correctness

ballot

correctness

ballot-to-poll

integrity

design

ballots

mark or

enter votes

present

ballots

distribute

ballots

count

votes

collect

votes

tally

subtotals

transmit

subtotals

C O R R E C T B A L L O T C A S T A S I N T E N D E D C O U N T E D A S C A S T

vote-to-count

integrity

cast

votes

Figure 3.6. Assurance chart for a DRE-based election with published ballot definition and

published, anonymous vote records.

In the ballot distribution step, voters have to assume that

election personnel have properly distributed the ballot

definitions and loaded them into the machines; they have no

way to check this for themselves. And in the ballot presentation

and vote recording steps, voters still have to trust the software

in the DRE machine.

Practical example. Here’s one way that an election with

computerized voting but minimal software verification could be

carried out in practice.

The software for the voting computer would be written to

run on a free computing platform, and finalized and published

far in advance of the election so that everyone has time to

inspect it and test it. The ballot definition files for the election

would be published on government websites, also far enough in

advance that members of the public have time to examine them

Verification 50

Page 64 of 324
Page 65 of 324

before the polls open. Anyone would be able to download a

ballot definition and run the voting computer software on their

own computer to see exactly what will be shown to voters on

election day. This provides a chance to detect omitted races,

misspelled candidate names, layout errors, and other ballot

errors. Thus, the published ballot definition file serves a similar

purpose to the paper sample ballot typically mailed to voters

before an election.

When a polling place stops accepting new votes at the end

of the day, each machine should contain a vote file containing

all of its anonymously recorded votes. At this point, every

machine would print out a cryptographic hash of its vote file;

observers can copy down (or photograph) the hashes. A

cryptographic hash is a number derived from the contents of a

file in such a way that it is easy to calculate the hash for a given

file, but difficult to produce a different file that yields the same

hash. Publishing the hash makes a public commitment to the

contents of the file. (The reason for using a hash is that it is less

cumbersome than printing out the entire vote file, but it serves

the same purpose.)

The anonymous vote files from every machine would then

be published online for all to see after the election. Anyone can

calculate the hashes of these files and compare them to the

hashes that were printed on election night, to verify that the

files are authentic and unaltered. And anyone can count the

votes in these files to confirm that the tallying is performed

correctly.

The consequence is that neither the ballot layout software

nor the vote tallying software would need to be verified. The

published ballot definitions, voting computer software, and

anonymous vote records would be sufficient to allow members

of the public to independently check the accuracy of the

election outcome.

Verification 51

Page 65 of 324
Page 66 of 324

What other alternatives for verification are

possible?

Electronic ballot markers and printers. An electronic ballot

marker (EBM) is a computer that marks a paper ballot [80, 81].

The voter inserts a paper ballot and makes selections on the

computer, and the EBM prints marks onto the ballot in the

appropriate positions. An electronic ballot printer (EBP) is a

computer that prints out a marked paper ballot. No ballot is

inserted; the voter makes selections on the computer, and the

EBP prints out a fresh paper ballot that indicates the voter’s

choices. In both cases, the voter then deposits the paper ballot

into a ballot box as usual.

EBMs and EBPs occupy a middle ground between optical

scan systems and DRE systems. They provide the flexibility of a

computerized user interface for voting, together with a durable

paper record that can be recounted later. Like a DRE machine,

an EBM or EBP relies on a ballot definition file to describe the

choices to present to the voter, and the proper recording of the

voter’s choices depends on the software running in the EBM or

EBP. But the voter now has the option of checking the printed

ballot before casting it, instead of having to trust this software.

And unlike the printed VVPAT produced by a DRE, this printed

ballot is always counted, so the voter’s check is more effective.

counting

correctness

count-to-tally

integrity

tallying

correctness

ballot-to-voter

integrity

vote recording

correctness

ballot

correctness

ballot-to-poll

integrity

design

ballots

mark or

enter votes

present

ballots

distribute

ballots

count

votes

collect

votes

tally

subtotals

transmit

subtotals

C O R R E C T B A L L O T C A S T A S I N T E N D E D C O U N T E D A S C A S T

vote-to-count

integrity

cast

votes

EBM/EBP with

precinct

optical scan

EBM/EBP with

central

optical scan

individual voters check paper ballots election administrators recount ballots

personnel

personnel EBM/EBP

EMS

ballot box

in public view

results posted

at each

precinct

subtotals and

totals posted

online

scanner

personnel personnel

ballot box

in public view EMS

EMS

scanner

Figure 3.7. Assurance chart for an election with electronically marked or printed, optically

scanned ballots.

Verification 52

Page 66 of 324
Page 67 of 324

The corresponding assurance chart, in Figure 3.7, has a left half

similar to that of a DRE system, and a right half similar to that

of an optical scan system.

End-to-end cryptographic voting. There are several proposed

voting systems that provide end-to-end cryptographic methods

for letting voters verify the election. “End-to-end” refers to the

ability of any individual voter to check that his or her ballot

survived from one end of the process straight through to the

other—from casting to the final result—without special access

from election officials.

Recall that earlier in this chapter, I described two possible

kinds of publishable records—anonymous vote-revealing

records, and identifiable but non-vote-revealing records.

End-to-end cryptographic schemes publish records of the

second kind as well as the first kind. Examples of these

schemes are Punchscan [26], Scratch & Vote [1], Prêt-à-Voter [13],

and VoteHere [54]. What they all have in common is that they

publish some information about each voter’s ballot: enough to

let the voter partially check the recorded ballot, but not enough

to reveal an actual vote so a voter can sell it. That is, indirect

result verification is used to ensure the integrity of individual

ballots. The partial records are set up in such a way that, with

enough voters checking this partial information, the likelihood

of an incorrectly posted ballot is nearly zero.

In addition to the partial ballots, actual vote records are

separately posted—but these votes have been shuffled so they

cannot be associated with particular voters. Anyone can count

the posted votes to check the tally. The shuffling is performed

using a system called a “mix net,” in which multiple parties

participate in the shuffling; no single party learns the total

shuffling order, and thus voter privacy is protected.

In these end-to-end cryptographic schemes, the election

authorities keep some secret information that enables them to

process the ballots into verifiable totals, and the ballots contain

serial numbers or cryptographic information as well. In all of

these schemes, there is a pre-election audit procedure that lets

Verification 53

Page 67 of 324
Page 68 of 324

voters ensure that this information is consistent and properly

formed. After the election, voters can also audit the shuffling

procedure to confirm that the posted partial ballots correspond

to the posted anonymous vote records, and thus to the tally.

The same mathematical techniques can be applied to votes

cast in any fashion (by hand-marked paper, by machine-marked

paper, or directly by machine). When hand-marked paper is

used, the election can completely escape dependence on

software. Figure 3.8 summarizes how assurance is provided in

this category of systems.

counting

correctness

count-to-tally

integrity

tallying

correctness

ballot-to-voter

integrity

vote recording

correctness

ballot

correctness

ballot-to-poll

integrity

design

ballots

mark or

enter votes

present

ballots

distribute

ballots

count

votes

collect

votes

tally

subtotals

transmit

subtotals

C O R R E C T B A L L O T C A S T A S I N T E N D E D C O U N T E D A S C A S T

vote-to-count

integrity

cast

votes

hand-marked

ballot with

end-to-end

verification

EBM/EBP with

end-to-end

verification

DRE with

end-to-end

verification

individual voters check paper ballots

individual voters check receipts

pre-election

public audit

pre-election

public audit

paper

voters’ receipts;

(partial or encrypted)

ballots posted online

post-election

public audit

anonymous vote records

posted online

pre-election

public audit

EMS

EMS

DRE

EBM/EBP

personnel

personnel

personnel

Figure 3.8. Assurance chart for elections with end-to-end cryptographic verification.

Non-cryptographic end-to-end schemes. Of special note are

ThreeBallot, VAV, and Twin [67], which provide end-to-end

verification without cryptography. These schemes publish all

the cast ballots, which anyone can recount to verify the tally. In

ThreeBallot and VAV, only some of the posted items are

identifiable. Each voter’s ballot is split into three parts; although

all the parts are posted, the voter gets a receipt for only one

part—and a single part isn’t enough to reveal how they voted.

In Twin, each voter gets a receipt for someone else’s ballot.

Thus, while the posted records can be matched with receipts,

they can’t be identified as belonging to any particular voter. The

Verification 54

Page 68 of 324
Page 69 of 324

assurance chart for all these schemes is similar to Figure 3.8,

except there is no need for a post-election cryptographic audit

because no encryption or shuffling has taken place.

Comparing voting systems. Figure 3.9 summarizes several

types of voting systems on a single chart for comparison.

For conventional paper-based systems, shown at the top,

any method of marking ballots (by hand, by EBM, or by EBP) can

be combined with any method of counting ballots (by hand

count, by precinct optical scan, or by central optical scan). Next

come the conventional electronic systems, based on DREs; then

the end-to-end cryptographic systems. Finally, at the bottom is

the DRE with its ballot definition and results published, as well

as a variant of the same scheme using an EBM or EBP instead.

The systems least dependent on software (all other concerns

aside) are the hand-marked, hand-counted paper ballots and the

hand-marked ballots with cryptographic verification.

If one chooses to exclude the systems with hand-marked

ballots (shaded in grey) from consideration, due to the potential

usability,
accessibility, and accuracy advantages of computer- based vote entry,
then the bottom two options in the “public- ballot electronic” category
are the least dependent on software.

A system based on a DRE with a published ballot definition and

published vote records will use the least amount of critical

software, but also requires voters to place great trust in that

software. A system based on an EBP with a published ballot

definition will be dependent on the optical scanner’s software

as well as the EBP software, but both software-dependent steps

are subject to paper-based checks. The choice between these

two options would depend on one’s confidence in the ability to

verify DRE software and one’s estimate of the likelihood that

significant errors will be caught by observant voters and

recounts.

All of the systems that involve entry of votes using any kind

of voting computer—DRE, EBM, or EBP—could stand to benefit

from easier verification of the software in that computer. This

is where we will turn our attention in the next chapter.

Verification 55

Page 69 of 324
Page 70 of 324

counting

correctness

count-to-tally

integrity

tallying

correctness

ballot-to-voter

integrity

vote recording

correctness

ballot

correctness

ballot-to-poll

integrity

design

ballots

mark or

enter votes

present

ballots

distribute

ballots

count

votes

collect

votes

tally

subtotals

transmit

subtotals

C O R R E C T B A L L O T C A S T A S I N T E N D E D C O U N T E D A S C A S T

vote-to-count

integrity

cast

votes

PUBLIC-BALLOT

ELECTRONIC

electronic

ballot printer

published

ballot

definition

anonymous vote

records posted

at each precinct

published

ballot

definition

direct

recording

electronic

anonymous vote records posted online

ballot box in

public view

counts posted

at each

precinct

subtotals and

totals posted

online

individual voters check paper ballots election administrators recount ballots

DRE

personnel

personnel

EBP scanner

hand-marked

paper ballot

END-TO-END

CRYPTOGRAPHIC

electronic

ballot marker

or printer

direct

recording

electronic

pre-election

public audit

pre-election

public audit

paper

voters’ receipts;

(partial or encrypted)

ballots posted online

post-election

public audit

anonymous vote records

posted online

pre-election

public audit

individual voters check paper ballots

individual voters check receipts

EMS

EMS

DRE

EBM/EBP

personnel

personnel

personnel

personnel

personnel

personnel personnel

direct

recording

electronic

precinct

reporting

central

reporting

counts posted

at each

precinct

subtotals and

totals posted

online

CONVENTIONAL

ELECTRONIC

individual voters check VVPATs; effective only if recounted election administrators recount VVPATs

DRE

DRE

DRE

DRE

EMS

EMS

EMS

EMS

hand-marked

paper ballot

scanner

personnel personnel

personnel

EBM/EBP

published sample ballots paper

electronic

ballot marker

or printer

ballot box in

public view

ballot box in

public view

multiple

counters in

public view counts posted

at each

precinct

subtotals and

totals posted

online

precinct

hand

counting

precinct

optical

scanning

central

optical

scanning

individual voters check paper ballots

CONVENTIONAL

PAPER-BASED

election administrators recount ballots

personnel

EMS

EMS

EMS

scanner

Figure 3.9. Summary of assurance mechanisms for various types of voting systems.

Verification 56

Page 70 of 324
Page 71 of 324

4 Prerendering

How can we make vote-entry software easier to verify? 58

What is prerendering? 59

Why put the entire user interface in the ballot definition? 60

How would a voting computer use a prerendered ballot? 62

What is gained by publishing the ballot definition? 63

What are the advantages of prerendering? 65

How can prerendering be applied to other software? 66

How are votes recorded anonymously? 67

57

Page 71 of 324
Page 72 of 324

How can we make vote-entry software easier

to verify?

For vote-entry software to be easier to verify, we have to make it

simpler. The vote-entry software can be simpler if we give it

less work to do and shift its responsibilities elsewhere: either

earlier, to the preparation stage, or later, to the counting stage.

Shifting responsibilities to the preparation stage is a

significant design challenge, but it leads to a dramatic

simplification of the vote-entry software. Most of this chapter is

devoted to prerendering, the technique that makes this

possible. Shifting responsibilities to the counting stage means

that the vote-entry software should recording votes

anonymously with as little processing as possible; this is

comparatively straightforward to do and will be discussed in

the last section of this chapter.

I developed two prototypes of voting machine software to

find out just how small a practical vote-entry program could be.

They are called Ptouch and Pvote, described in Chapters 5 and 7

respectively.

Prerendering 58

Page 72 of 324
Page 73 of 324

What is prerendering?

In a typical voting computer, much of the software code is

responsible for generating the user interface for the voter. This

includes the code for arranging the layout of elements on the

screen, drawing text in a variety of typefaces and languages,

drawing buttons, boxes, icons, and so on. In a voting computer

with audio features, this also includes code for manipulating or

synthesizing sound. (Some voting computers, such as the

Avante Vote-Trakker [11], contain speech synthesis software.)

The user interface is generated in real time—the visual display

and audio are produced (“rendered”) as the voter interacts with

the machine.

Prerendering the ballot. The software in the voting computer

could be considerably simplified by moving all this rendering

work into the preparation stage—prerendering the interface

before election day.1 Both Ptouch and Pvote realize this idea.

Today’s DRE machines use a ballot definition that contains

only essential data about the ballot: the names of the offices,

the names of the candidates running for each office, and so on.

But the ballot definition could be expanded to describe the user

interface as well. For a visual interface, this would include

images of the screen with the layout already performed, buttons

already placed, and text already drawn. For an audio interface,

this would include prerecorded sound clips. Everything

presented to the user would be prepared ahead of time, so that

all the software complexity associated with rendering can be

taken out of the voting computer.

The ballot definition could specify not just appearance but

also behaviour—the locations where images will appear, the

transitions from screen to screen, the user actions that will

trigger these transitions, and so on. This is exactly the case for

both Ptouch and Pvote: the ballot definition is a high-level

description of the entire user interface for voting.

1

It was Steve Bellovin who prompted my line of research by suggesting prerendering for voting machines.

Prerendering 59

Page 73 of 324
Page 74 of 324

Why put the entire user interface in the ballot

definition?

Including a complete description of the user interface in the

ballot definition, rather than just a set of images, yields several

benefits.

Less code in the voting computer. Some of the software in a

typical voting computer handles user interface logic. User

interface logic tells the computer how to respond to any given

user action—for example, to select a candidate when you touch

the candidate’s name, or to go to the next page when you press

a “Next Page” button. Putting a description of this logic in the

ballot definition means the voting computer needs less code for

interface logic, just as putting images in the ballot definition

means less code for rendering the display.

More thorough public review. If the ballot definition

completely describes the user interface, one can review the

behaviour of the user interface by examining it. The user

interface becomes a separately verifiable artifact.

Compared to the vote-entry software, the ballot definition is

more likely to be accessible for inspection by the public, for two

reasons. First, there may be fewer legal and political barriers to

publishing the ballot definition than the software source code.

Second, the ballot definition is a high-level description, which

makes it easier to examine than a computer program written in

a general-purpose programming language. The result is that

more of the voting process is reviewable by non-programmers:

both the appearance and the behaviour of the ballot can be

inspected without looking at source code for the voting

computer.

A more complete public record. The ballot definition file, like

any other election information, should be archived and should

become part of the public record of the election. It contributes

Prerendering 60

Page 74 of 324
Page 75 of 324

to making the election a reproducible experiment. In the event

of a later investigation, a ballot definition with a complete

description of the interface makes it easier to reconstruct the

voter experience. Such reconstruction could help investigators

evaluate hypotheses about sources of bias or voter error, for

example.

Better division of expertise. Separating the user interface

definition from the voting machine software mitigates the

conflict between accessibility (which requires design flexibility)

and security (which requires software simplicity). Instead of

playing tug-of-war over the vote-entry software, experts can

work independently on what they do best—design can be left to

designers, and software security to security experts. Experts in

human factors, accessibility, and graphic design can create

better ballots themselves, without relying on programmers to

implement their designs in code, and without requiring

co-operation from voting machine companies. Programmers of

the vote-entry software can focus on making the software

secure and reliable without affecting the user interface.

Software stability. Regulations that govern ballots can change

from election to election and differ from jurisdiction to

jurisdiction. Different jurisdictions may prefer to present their

ballots differently. Designs will change as we discover better

ways to create fair and understandable ballots.

Putting the user interface description in the ballot definition

provides the flexibility to handle future changes without having

to change the vote-entry software. This means more resources

can be devoted toward ensuring that the vote-entry software is

correct and secure. It’s difficult to complete a rigourous

certification process when voting software changes as

frequently as it does today, with new versions released every

year or two.

Prerendering 61

Page 75 of 324
Page 76 of 324

How would a voting computer use a

prerendered ballot?

In a prerendered-ballot system, the ballot definition is like a

small program—a program in an extremely simple language,

with limited capabilities. All it can do is present a sequence of

images and/or audio clips and accept the user’s selections.

The voting computer simply carries out the program. Thus,

the vote-entry software is a virtual machine (VM): it abstracts

away the details of the computer hardware and its input and

output devices. The job of the VM is to respond to user input by

displaying images or playing sound clips as prescribed by the

ballot definition, keep track of the user’s selections, and record

the user’s selections anonymously.

Implementing the VM for a variety of different hardware

platforms would enable all of them to use the same formats for

ballot definitions and recorded votes—just as other VMs like

the Python VM and the Java VM allow a single program to run

on different kinds of computers. There can even be multiple

implementations of the VM written separately by different

people, and as long as they follow a standard ballot definition

format, the same ballot definition will work on all of them. For

example, there are multiple independently-written Python VMs

out there, but most Python programs will run unchanged on all

of them.

My hypothesis was that the implementation of the voting

VM can be made considerably smaller, simpler, and easier to

verify than the software in today’s DRE machines. This

dissertation presents Ptouch and Pvote as confirmation of this

hypothesis.

Prerendering 62

Page 76 of 324
Page 77 of 324

What is gained by publishing the ballot

definition?

The published ballot definition serves the role of an electronic

sample ballot, analogous to a sample ballot in a paper election.

Standardizing the file format of the ballot definition and

implementing the VM for personal computers enables voters to

try out the ballot in advance with exactly the same user

interface that they will see at the polls. This could be used for

training voters as well as testing the ballot.

Verifying the accuracy and fairness of the user interface is

critical, because the user interface of any voting machine is in a

position to mislead or otherwise influence voters and hence

bias the collected votes. The published electronic sample ballot

gives the election a verifiable user interface, which can be

examined by all voters, members of the disabled community,

usability experts, and accessibility experts. Anyone could

conduct their own user tests of ballots, independent of the

voting machine company or the election authority.

Today, less commonly used ballot designs, such as ballots

for voters with disabilities or ballots in alternate languages,

receive significantly less attention, as only the election office

can compose and check electronic ballots. A rather alarming

example of this lack of attention occurred at the June 2006

primary election in Santa Clara County, where pollworkers

discovered that there was no “continue” button on one of the

Chinese screens [40], which made it impossible to cast the

Chinese version of the ballot. A published ballot definition

would have increased the chances of catching such an error

before the election. Publishing an electronic sample ballot helps

to level the playing field for members of minority communities

and empowers them to play a role in ensuring that the

electronic ballot serves them fairly.

Visualizing the ballot definition. Running the ballot definition

in a live test might show that the ballot appears to behave

Prerendering 63

Page 77 of 324
Page 78 of 324

correctly, but it wouldn’t be a sure way to test the complete

behaviour of the ballot. It would be infeasible to test every

possible sequence of inputs. To be certain that the ballot

contains no hidden behaviour or incorrect behaviour triggered

by rare combinations of inputs, one would have to examine the

ballot definition file itself.

In the future, a software tool could be developed to facilitate

such examination. The tool would transform an electronic

sample ballot into a human-readable format that completely

describes the user interface. One possible visualization would

be a flowchart-like diagram that illustrates the steps of the user

interface with the prerendered screen images. Anyone would be

able to download the electronic sample ballot, use the program

to produce a diagram, print it out, and examine it. This would

make possible a new level of assurance: the electronic voting UI

could be verified even by non-programmers. The hardcopy of

the UI visualization could also be archived in the records of the

election. The visualization alone should be sufficient to

reconstruct the interface that voters used at the polls.

Prerendering 64

Page 78 of 324
Page 79 of 324

What are the advantages of prerendering?

In summary, prerendering the user interface (UI) yields these

benefits:

• The critical software is smaller and simpler, facilitating its

verification.

• The critical software changes less frequently, so each release

can be tested and audited more thoroughly.

• The user interface can be designed by designers, not

programmers.

• The conflict between human factors and security is

mitigated; usability and accessibility can be improved

without affecting software security.

• The conflict between transparency and proprietary interests

is mitigated because less code has to be disclosed in order

to evaluate the security of the voting machine.

• The user interface is subject to broader public review, since

it can be separately published and tested by anyone (not

just those who have election equipment).

Standardizing the ballot definition format also yields benefits in

interoperability, in addition to the benefits mentioned so far in

this chapter.2 A standardized format for describing the user

interface allows election officials to mix and match components

from different vendors, leading to increased purchasing power

and better product quality, and enabling independently

manufactured components to be tested against each other.

2Thanks to David Jefferson for bringing the importance of interoperability to my attention.

Prerendering 65

Page 79 of 324
Page 80 of 324

How can prerendering be applied to other

software?

The prerendering technique can be applied to any kind of

software to make verification easier. Applying this technique

consists of the following steps:

1. Define a user interface specification language with a set of

features that are limited and chosen to suit the intended

purpose.

2. Implement a virtual machine that interprets the

specification language and presents the user interface it

describes.

3. Create user interface designs using the specification

language, and publish them for inspection.

Particularly suitable application areas for this technique are

those in which a general-purpose computer is used for a

specialized purpose, the user interface (UI) is likely to change

periodically, and high reliability must be maintained despite

changes in the UI. Aside from voting machines, other examples

include bank machines, vending machines, and airport check-in

kiosks. The user interaction required to operate these kinds of

machines is usually limited to a small set of actions, such as

selecting from menus and typing in numbers or short pieces of

text. This makes it possible to design a simple language for

specifying the UI.

In each case, the transaction-handling software can be

written once and reviewed thoroughly to ensure its correctness

and security. In a voting machine, the transaction-handling

software is the part that records the votes; in a bank machine,

for instance, this would be the software that communicates

transactions to the bank and dispenses cash. The UI can then be

easily changed without affecting that critical software—for

example, when a bank wants to offer new functionality, a

vending machine updates its list of available products, or an

airline wants to change the look of its brand.

Prerendering 66

Page 80 of 324
Page 81 of 324

How are votes recorded anonymously?

In the correctness goals listed in Chapter 2, I identified two

components of upholding the secret ballot:

• Voter privacy: The processing of voter choices does not

expose how any particular voter voted.

• Coercion prevention: Voters are not provided any way to

present plausible evidence of how they voted to an external

party.

Voter privacy. To protect voter privacy, ballots should be

stored without any identifying information. The ballots should

also be stored in an order independent of the order in which

they were cast, so that someone who observes the sequence of

voters entering the polling place cannot correlate the sequence

of voters with the sequence of stored ballots.

One common method of doing this is to store the vote

records in random order, effectively shuffling them as ballots

would be shuffled in a real ballot box. Voter privacy depends on

the quality of the randomization performed; if the shuffling is

predictable, then voter privacy can be compromised.

Unfortunately, it’s hard to make a computer behave in a truly

random way. In fact, independent source code analysis of two

leading voting machines (Diebold [12] and Sequoia [7])

discovered flaws in the randomization schemes used for just

this purpose. Even worse, randomness is not a quality that can

be practically tested, because it is impossible to prove that any

behaviour really is random. For example, given a list of

numbers, there is simply no way to tell whether the numbers

were chosen at random.

A simpler way to avoid revealing the casting order is to sort

the vote records according to their contents. (Naor and

Teague [49] observed that sorting a list of elements gives them a

history-independent representation.) It doesn’t matter how the

records are placed in order, as long as it’s consistent. For

example, if there is just one contest with candidates Andrew,

Prerendering 67

Page 81 of 324
Page 82 of 324

Barbara, and Chris, you could sort the ballots alphabetically by

which candidate was selected. Regardless of the casting order,

the sorted order will always be the same. Because this method

is simple to program and completely obscures the casting order

in a verifiable way, this is the method that Ptouch uses.

Coercion prevention. To prevent coercion, voters must not be

allowed to put identifying marks on their ballots. In one

possible coercion scenario, the coercing party gives each voter a

unique secret phrase to enter as a write-in candidate. For

example, suppose Ted tells Alice to vote for Carol for President

with “moldy explosion” as write-in for Dogcatcher, and also tells

Bob to vote for Carol for President with “wrinkled tourbus” as

write-in for Dogcatcher. Then the recorded ballots are no longer

publishable because they would enable Ted to confirm, and thus

buy, Alice’s and Bob’s votes.

One way to resolve this problem is to store each of the

voter’s selections as a separate item instead of the entire ballot

as a unit. There has been precedent for such a scheme in some

paper elections in Switzerland [15], where the ballots are

perforated so that they can be separated into strips, one for

each contest, before being counted. If an individual voter’s

selections cannot be associated with each other, then the voter

cannot use a specially marked selection to identify the rest of

their ballot.

Storing the ballot in parts might not satisfy election

standards that are based around the handling of complete

ballot images. For example, the 2005 Voluntary Voting System

Guidelines in the United States [80] require DRE machines to

“record and retain redundant copies of the original ballot

image,” where a ballot image is “an electronic record of all votes

cast by the voter, including undervotes” (Section 2.1.2). One way

to satisfy this requirement would be to store ballots in both

ways: as complete images for non-public auditing, and in

separated form for publishing.

Prerendering 68

Page 82 of 324
Page 83 of 324

5 Ptouch

the touchscreen prototype

Overview 70

Ballot definition format 71

Software design 80

Implementation 83

Evaluation 88

Shortcomings 93

69

Page 83 of 324
Page 84 of 324

Overview

This chapter describes Ptouch [90], the first prototype

vote-entry program I developed, which is designed for a

touchscreen voting machine. It provides only a visual interface;

the goal was to handle the most common types of elections for

fully sighted voters. (Pvote, the second prototype, adds support

for most voters with disabilities and for less common types of

contests and ballots, at the cost of increased software

complexity.)

Ptouch handles contests in which voters can choose one or

multiple options (up to a fixed limit) from a list of options, and

also allows voters to vote for write-in candidates. This is

sufficient to indicate anything that could be expressed by

selecting bubbles or arrows on an optically scanned ballot.

The format of the ballot definition forms the core of the

design, since it dictates how ballots are designed, displayed,

and voted upon. Thus, I’ll start by describing the ballot

definition format in detail, then proceed to the software itself,

which is a VM for displaying ballots in this format.

Ptouch 70

Page 84 of 324
Page 85 of 324

Ballot definition format

The ballot definition is divided into two parts—the ballot model

and the image library—corresponding to the medium- independent and medium-specific information about the voting

user interface (see below). The ballot model specifies the

interaction sequence, while the image library specifies the

appearance.

Separating the ballot model from the image library reduces

the cost and effort of validating changes to the ballot. Replacing

the image library is sufficient to adjust the layout or visual style

of the ballot, change the display resolution, or translate the

interface into another language, all without altering the ballot

model. For these kinds of changes, only the new image library

needs to be validated, not the entire ballot definition.

Comparing two image libraries (for example, to check a

language translation) is easier than checking the correctness of

a ballot model.

ballot model

contest page

int max_sels

int max_chars

subpage

target

int action

int page_i

int contest_i

subtarget

int action option

int contest_i

write-in

int contest_i

review

int contest_i

image library

int width

int height

layout

background

sprite

int width

int height

byte[] pixels

subtarget

int left

int top

int width

int height

int width

int height

byte[] pixels

Figure 5.1. The Ptouch ballot definition data structure. Stacked boxes represent arrays.

Ptouch 71

Page 85 of 324
Page 86 of 324

ballot model

page

contest

int max_sels

int max_chars

subpage

target

int action

int page_i

int contest_i

subtarget

int action

option

int contest_i

write-in

int contest_i

review

int contest_i

Ballot model. The ballot model consists of an array of contests,

an array of pages, and an array of subpages.

A contest is a question being put to the voters, such as a

referendum on an issue or the election of a candidate (or

several candidates) to a position. Each contest has an integer

parameter max sels specifying the maximum number of

selections that a voter may choose (usually 1, but possibly more

in contests that allow choosing multiple candidates) and an

integer parameter max chars specifying the maximum number

of characters that can be entered for a write-in option.

The page is the basic unit of presentation. For example, a single

page might display some instructions, a description of a

contest, or a list of available options. At any given moment, one

of the pages is the current page. The user interface begins on

the first page in the array of pages. When it transitions to the

last page, the ballot is cast with the user’s current selections.

Associated with each page are arrays of targets, options,

reviews, and write-ins, and any of these can be activated by the

user. In a touchscreen interface, these elements correspond to

rectangular areas of the screen that are activated by touches.

• A target is a user-triggered transition to another page. In a

touchscreen interface, a target appears as a button that the

user can press. Optionally, a target can also trigger one of

the following actions:

• Clear all the selections in a particular contest.

• Clear all the selections in the entire ballot.

• An option is an option that the user can choose in a

particular contest. For example, a contest for President

would have one option for each of the eligible candidates; a

referendum contest would typically have one option for

“Yes” and one option for “No.” Each option belongs to

exactly one page, though there may be options on different

pages that belong to the same contest—for example, if the

contest has too many options to fit on one page. Activating

an option toggles it between a selected state and an

Ptouch 72

Page 86 of 324
Page 87 of 324

option (slot 4)

background image

write-in (slot 5)

write-in (slot 27)

write-in characters (slots 6–26)

write-in characters (slots 28–48)

target
(slot 0) target (slot 1) target (slot 2) target (slot 3) Figure 5.2. A
selection page with two options currently selected, and its layout.

Ptouch 73

Page 87 of 324
Page 88 of 324

unselected state. In a touchscreen interface, an option

appears as a labelled box that changes appearance to show

whether it is selected.

• A write-in is a write-in option. It can be in a selected or

unselected state, just like a regular option; when selected, it

also has an associated list of entered characters. When a

write-in is activated, it triggers a jump to a subpage where

the voter can type in the text of the write-in selection.

• A review displays the current selections in a particular

contest. Activating a review has no effect, though targets

can overlap reviews. In a touchscreen interface, a review

appears as a screen area (or multiple screen areas) filled in

with the option (or options) currently selected in its

associated contest. For example, a confirmation page could

summarize the voter’s selections by presenting reviews for

several contests.

A subpage is a temporary page for entering a write-in. A

subpage is like a subroutine call, but only one level deep—the

only possible transition is back to the current page. In a

touchscreen interface, a subpage provides a text field and an

on-screen keyboard for the voter to type in the name of a

write-in candidate. The number of subpages is determined by

the contests: there is one subpage for each contest that

contains a write-in. A subpage contains an array of subtargets.

• A subtarget triggers one of these actions:

• APPEND a particular character to the text field.

• APPEND2: if the text field is not empty, then append a

particular character to the text field.

• DELETE the last character.

• CLEAR all the characters.

• ACCEPT the write-in text and return.

• CANCEL the write-in text and return.

If the write-in text already contains max chars characters,

activating an APPEND or APPEND2 subtarget has no effect. If the

write-in text is empty, activating an APPEND2 or ACCEPT

subtarget has no effect. If the subpage is exited by an ACCEPT

Ptouch 74

Page 88 of 324
Page 89 of 324

background image

CANCEL subtarget (slot 2) ACCEPT subtarget (slot 3)

CLEAR

subtarget (slot 0) write-in characters (slots 33–53)

APPEND subtargets (slots 4–31)

DELETE

subtarget (slot 1)

APPEND2

subtarget (slot 32)

character sprites cursor sprite

Figure 5.3. A write-in subpage with a few characters entered, and its layout.

Ptouch 75

Page 89 of 324
Page 90 of 324

subtarget, the write-in option becomes selected and acquires

the contents of the text field. If the subpage is exited by a

CANCEL subtarget, the write-in option becomes unselected and

empty. Thus, it is not possible for a write-in to contain text yet

remain unselected.

Because an ACCEPT subtarget only works when there is

write-in text present, a write-in cannot be simultaneously empty

and selected. The purpose of APPEND2 is to prevent a write-in

from appearing empty and yet being selected. For example, if

the keyboard’s “space” button is an APPEND2 subtarget, then the

write-in text cannot consist of only spaces.

image library

int width

int height

layout

background

sprite

int width

int height

byte[] pixels

subtarget

int left

int top

int width

int height

int width

int height

byte[] pixels

Image library. The image library consists of an array of layouts

and an array of sprites, and also specifies the screen dimensions

in pixels.

A layout consists of a background image and an array of

slots. Each page or subpage corresponds to exactly one layout,

and vice versa. A slot is a rectangular region of the screen where

a sprite can be pasted or where a touch will have an effect.

A sprite is an image smaller than the screen size that is

meant to be pasted into a slot on a background image. The

array of sprites contains images of options and write-ins in

their selected states, images of characters that for use in a

write-in, and the image of the text entry cursor shown while

entering a write-in. To keep the DRE software simple, all images

are stored uncompressed with 3 bytes per pixel.

In a layout corresponding to a page, the slots correspond to

the targets, options, write-ins, and reviews for that page. Each

target has one slot, specifying the touch region that activates

the target; the image of the target button (or other widget) is

part of the background image. Each option has one slot, which

specifies both its touch region and also the position for pasting

the sprite showing the option in its selected state. The image of

the unselected option is part of the background image, and

when the option is selected, the sprite is pasted over it. Each

write-in also has a sprite for its selected state, which would

typically look like a selected option but with space provided for

Ptouch 76

Page 90 of 324
Page 91 of 324

the write-in text. A write-in has one slot for its touch region and

for pasting the selected write-in sprite, and max chars more

slots specifying the positions where the entered characters are

to be pasted. Each review has max sels groups of slots (for

displaying up to max sels options selected by the voter). In

each group of slots, there is one slot for pasting the selected

option sprite and max chars slots for displaying the write-in

text if a write-in is selected.

In the layout corresponding to a subpage, the slots

correspond to the subtargets and character slots for the page.

Each subtarget has one slot, the touch region that activates it.

Additionally there are max chars slots specifying the positions

where the entered characters are to be pasted.

page

target

int action

int page_i

int contest_i

option

int contest_i

write-in

int contest_i

review

int contest_i

Referential integrity. To simplify verification, the ballot format

minimizes its use of pointers and other kinds of references.

There are only two kinds of references in these data structures:

• Targets refer to the page they transition to. This is

necessary to allow for multiple outgoing and incoming

transitions to and from each page.

• Targets, options, write-ins, and reviews refer to contests.

This is necessary to allow options, write-ins, and reviews to

be freely arranged among the pages, so there can be

multiple contests on a single page or multiple pages for a

single contest.

These references are stored as integer array indices in the ballot

definition because it is simpler to verify that an index is in range

than to verify that a pointer is valid. All other associations

between elements of the ballot definition are implied through

structural correspondence. For instance, if there are p pages

and q subpages, then there are exactly p + q layouts in the

layout array, where the first p are for pages and the last q are

for subpages. This use of corresponding array indices avoids

the need for pages or layouts to contain pointers to each other.

Similarly, the meanings of the slots are determined by their

order in the slot array. The slot array for a page contains, in

Ptouch 77

Page 91 of 324
Page 92 of 324

order, one slot for each target, then one slot for each option,

then 1 + max chars slots for each write-in, then

max sels × (1 + max chars) slots for each review. The slot

array for a subpage contains one slot for each subtarget

followed by max chars slots for the entered text.

The sprite array contains one sprite for each option and

write-in, in the order they appear among the pages, followed by,

for each subpage, a character sprite for each APPEND or APPEND2

subtarget and one cursor image sprite.

Well-formedness and validity. There are many possible ways in

which one might consider a particular ballot definition to be

acceptable; I’ll point out two important ones here. I’ll use the

term well-formed to mean that a ballot definition satisfies the

assumptions made by the virtual machine implementation. I’ll

use the term valid to mean that a ballot definition represents an

acceptable user interface for voting according to the standards

of a given jursidiction.

Because the ballot definition must be well-formed in order for

the VM to read it and operate safely and correctly, a verifier in

the voting machine checks for well-formedness before accepting

a ballot definition. To be well-formed, a ballot definition must

meet the following conditions:

• There is at least one page and one contest.

• There is one subpage for each contest that has a write-in.

• There is one layout for each page or subpage.

• Every index referring to a page or contest is in bounds for

its respective array.

• Every target or subtarget has a valid action.

• Every layout contains the correct number of slots to match

its page or subpage, as described in the preceding section.

• All background images match the screen size.

• All slots fit entirely within the screen bounds.

• All option slots, write-in slots, review slots, option sprites,

and write-in sprites associated with the same contest have

the same size.

Ptouch 78

Page 92 of 324
Page 93 of 324

• All character slots, character sprites, and cursor sprites

associated with the same contest have the same size.

• The image library contains the correct number of sprites to

match the ballot model, as described in the preceding

section.

Validity, on the other hand, does not have a single definition

because it depends on election regulations that can vary by

locality. The following are some examples of conditions for

validity that are likely to be common, as they prevent some

obvious pitfalls and potential sources of confusion in the user

interface:

• Target, option, write-in, and review slots do not overlap each

other, except that target slots may overlap review slots.

• Character slots do not overlap each other and fit inside their

corresponding write-in or review slot.

• Character slots in write-ins and reviews are arranged in the

same relative positions as the character slots on the

corresponding subpages.

• The user is never trapped in a subgraph of pages, except

after arriving on the last page.

• The last page has no target, option, write-in, or review slots.

• There exists some transition path from the first page to

every other page.

• Every subpage contains an ACCEPT subtarget, a CANCEL

subtarget, and at least one APPEND subtarget.

• Every path that leads to the last page passes through pages

that contain reviews for all the contests (thus ensuring that

the voter has the opportunity to review all selections before

casting the ballot).

Ballot definition files would be produced by ballot design

software, such as an interactive tool for laying out and

specifying the appearance of a ballot. Such a tool could offer

guidance on the usability or accessibility of the design, enforce

validity conditions appropriate for a particular jurisdiction, or

give notification when validity conditions are not met.

Ptouch 79

Page 93 of 324
Page 94 of 324

Software design

The Ptouch virtual machine (VM) is composed of four software

modules: the navigator, the video driver, the event loop, and the

vote recorder (see the figure below). This separation does not in

itself prevent attacks, as the corruption of any module still has

the potential to corrupt the outcome of the election. However,

separating the software into modules is a design choice

intended to facilitate verification. It is easier to audit and test

each module separately when there are limited responsibilities

for each module and limited communication between modules.

The navigator walks through the pages in the ballot model,

always starting on the first page. It keeps track of the current

page, the user’s current selections, the current subpage (if any),

and the entered characters on the current subpage (if any). The

navigator responds to just one message:

• When told to activate a slot, the navigator takes the action

for the corresponding target or subtarget, toggles the

corresponding option, or transitions to the subpage for the

corresponding write-in.

The navigator issues three kinds of messages to other modules:

• It tells the video driver to goto a layout upon transition to a

page or subpage. The message specifies the layout index.

LEGEND

one-way data flow

image library

navigator vote

recorder

video

driver frame buffer

paste(sprite_i, slot_i)

goto(layout_i) write(selections)

touch sensor event loop x, y

locate(x, y) slot_i

activate(slot_i) storage device

ballot

definition

hardware

device

software

module

ballot model

Figure 5.4. Block diagram of the Ptouch VM. The arguments layout i, sprite i, slot i,

x, and y are integers; selections is an array of arrays of lists of integers.

Ptouch 80

Page 94 of 324
Page 95 of 324

• It tells the video driver to paste sprites into slots as

necessary to display options, write-ins, reviews, and write-in

text. The message specifies the sprite index and slot index.

• It tells the vote recorder to write the selections when the

ballot is cast (when transitioning to the last page). The

message contains an array of max sels selections for each

contest. Each selection is a list of integers: for a selected

option this is a single integer, the index of the selected

sprite; for a write-in, this is the index of the selected sprite

followed by the indices of the entered character sprites.

The video driver has only one piece of state: it keeps track of

which layout is the current layout. It interprets the slot index in

a paste command in the context of the current layout. The

video driver handles three kinds of messages:

• When told to goto a layout, the video driver copies the

background image into the frame buffer and remembers the

given layout index.

• When told to paste a sprite into a slot, the video driver

copies the sprite into the frame buffer at the position

specified by the slot.

• When told to locate a given point by its co-ordinates, the

video driver looks through the slots in the current layout

and returns the index of the first slot that contains the

point, or a failure code. (When slots overlap, targets take

precedence because they come first in the slot array.)

LEGEND

one-way data flow

image library

navigator vote

recorder

video

driver frame buffer

paste(sprite_i, slot_i)

goto(layout_i) write(selections)

touch sensor event loop x, y

locate(x, y) slot_i

activate(slot_i) storage device

ballot

definition

hardware

device

software

module

ballot model

Figure 5.4. Block diagram of the Ptouch VM. The arguments layout i, sprite i, slot i,

x, and y are integers; selections is an array of arrays of lists of integers.

Ptouch 81

Page 95 of 324
Page 96 of 324

The event loop receives touch events from the screen’s touch

sensor. The software assumes that when the user touches the

screen, the sensor reports (x, y) coordinates in the same

coordinate space used for displaying images. Upon receiving a

touch event, the event loop asks the video driver to locate the

corresponding slot, then passes the slot number on to the

navigator in an activate message.

The vote recorder records the voter’s selections in non-volatile

storage upon receiving a write message from the navigator.

The votes are recorded using a tamper-evident,

history-independent, subliminal-free storage method. Molnar,

Kohno, Sastry, and Wagner have proposed several schemes with

these properties [48] for storing ballots on a programmable

read-only memory (PROM). Each stored selection includes or

indicates its associated ballot definition so that the meaning of

the selections is apparent from the storage contents.

LEGEND

one-way data flow

image library

navigator vote

recorder

video

driver frame buffer

paste(sprite_i, slot_i)

goto(layout_i) write(selections)

touch sensor event loop x, y

locate(x, y) slot_i

activate(slot_i) storage device

ballot

definition

hardware

device

software

module

ballot model

Figure 5.4. Block diagram of the Ptouch VM. The arguments layout i, sprite i, slot i,

x, and y are integers; selections is an array of arrays of lists of integers.

Ptouch 82

Page 96 of 324
Page 97 of 324

Implementation

Ptouch is implemented in Python [63], and it runs on Linux,

MacOS, or Windows. Ptouch uses Pygame [62], an open-source

multimedia library for Python, to handle graphics and mouse

input. It runs on a commodity PC using the video display and

the mouse to simulate a touchscreen device (a mouse click at a

particular location is interpreted as a screen touch).

Ptouch reads the ballot definition from a file named ballot

and writes vote records to a file named votes. The ballot file

represents read-only media and is opened read-only; the votes

file represents a PROM. Each time the program runs, it casts at

most one ballot, then enters a terminal state.

Ptouch models the procedures that would take place in a

real election as follows. Creating an empty votes file

corresponds to opening the polls at the beginning of election

day with a blank PROM. Restarting the program corresponds to

activating the voting machine for a single voter. I have assumed

that only the pollworker has the ability to restart the machine,

so pollworkers can ensure that each voter only votes once.

Setting the votes file read-only corresponds to closing the polls

and removing the PROM.

The source code for Ptouch is available in Appendix A. The

source code is also available online, together with an example of

a ballot definition file in the Ptouch ballot format, at

http://pvote.org/.

Ballot definition. A separate Python module, not shown in

Figure 5.4, reads the ballot file, verifies all the conditions

necessary to determine that it is well-formed, and deserializes it

to objects in memory. All integers in the file are stored as

4-byte unsigned integers; images are uncompressed with 3

bytes for each pixel (corresponding to the red, green, and blue

components of its colour).

Ptouch does not include any user interface for selecting

which ballot definition to use; instead, it assumes that the

Ptouch 83

Page 97 of 324
Page 98 of 324

appropriate ballot file will be present when the program

starts. Different ballot files can be used for different runs.

Note that the selection of a ballot definition can be divided

into two parts: choices that have to be authorized by the

pollworker (such as choosing which precinct’s ballot to use) and

choices that the voter is allowed to make (such as choosing a

preferred language). The former type of choice can be

implemented by having the pollworker select the ballot file.

The latter type of choice can be implemented either by having

the pollworker select a ballot definition file at the voter’s

request, or by combining multiple ballots into a single ballot

definition. For example, a ballot could support both English and

French by including all the pages for an English ballot and all

the pages for a French ballot, with a starting page to let the user

choose between them.

How the pollworker’s selection would be implemented in

hardware remains an open question. One possibility would be

for the ballot definitions to be stored on individual

write-protected memory cards; to support voting for multiple

precincts, a pollworker would insert the appropriate precinct’s

ballot definition card to activate the voting machine for a single

voting session. Alternatively, all the ballot definitions could be

stored on the machine in advance, and the pollworker would

use some other means to choose one when starting each new

voting session. In either case, Ptouch models this step simply as

having the authorized choice of ballot file be present when

the program starts.

Vote storage. The votes file is used to simulate a PROM, a

solid-state storage device initially filled with 1 bits; writing to a

PROM can change 1 bits to 0 bits, but never the reverse. The

vote recorder writes to the file in a manner consistent with this

property.

Ptouch stores the ballots using a copyover list [48], because

it is history-independent, simple to implement, and does not

depend on a random number generator. A copyover list is a list

of items stored in sorted order; each time items are added to

Ptouch 84

Page 98 of 324
Page 99 of 324

new sorted list

maximum space that could have been used to store all

preceding lists, regardless of order in which votes were cast

4. recording complete:

old sorted list new sorted list

3. erasing old list in progress:

old sorted list new sorted list

2. writing new list in progress:

erased (all zeroes) old sorted list unused (all ones)

1. before recording:

first flag indicates start of valid list of vote records

Figure 5.5. Storing votes in a copyover list. The list is always written in sorted order and

the amount of erased space preceding the list is independent of the size of previous lists,

so that no information is revealed about the order in which votes were cast. On a PROM,

changing a bit from 1 to 0 is an irreversible operation.

the list, a new copy of the entire list is written in sorted order

and the old copy is erased by overwriting it with zeroes.

Because the items are sorted according to their content, the list

does not reveal the order in which the items were added. A

copyover list uses O(n2

) space in the number of items, but

previous analysis [48] shows that only a modest and

inexpensive amount of storage would be required to handle all

the votes that could be expected to be cast on one machine in

one day.

The items in the copyover list are the individual selections

within each contest from all the voters. Each item consists of

the SHA-1 hash [52] of the ballot definition, the integer index of

the contest, and the integer index of the selected option sprite.

For a write-in selection, this is followed by the indices of the

selected character sprites. All integers are stored as 4-byte

unsigned integers. The individual selections are stored as

separate items so that the votes file can be published without

letting voters mark their ballots to prove how they voted, as

explained in Section 4.

Because the items in the list can vary in length, the size of

the list depends on the contents of the selections. If the new list

Ptouch 85

Page 99 of 324
Page 100 of 324

were stored immediately after the old list, the size of the erased

space would reveal something about the size of the old list and

hence about the sequence of votes. (For example, if two

selections are stored, one with a short write-in and one with a

long write-in, then the size of the erased space reveals which

one was cast first. Casting the long one first would yield a

larger erased space than if they were cast in the opposite order.)

Therefore, one should always erase the maximum amount of

space that would have been required, regardless of the order in

which the selections were added to the list.

A flag value is stored at the beginning of each list, and the

list is encoded so that it cannot contain the flag value. The first

occurrence of the flag in the file is considered to signal the start

of the current list of votes. After the new list is written, erasing

the flag in front of the old list commits to the new list, as

shown in Figure 5.5. This commitment is atomic, because

changing even one bit invalidates the flag.

Interpreting recorded votes. For a stored selection to have a

well-defined meaning, it must be somehow associated with a

ballot definition. Here are four possible ways to do this:

1. Store an entire copy of the ballot definition with each

selection.

2. Assume a pre-established global mapping of identifiers to

ballot definitions; store an identifier with each selection.

3. Store a cryptographic hash of the ballot definition with each

selection.

4. Store an array of ballot definitions, then store an array

index with each selection.

The first scheme is simple, but uses a lot of storage space.

At a resolution of 1024 by 768 pixels, a full-screen image

occupies about 2.4 megabytes; a typical ballot definition is on

the order of 10 to 100 megabytes. Storing a few hundred votes

would require gigabytes of space.

The second scheme uses very little space, but depends on

management of a global namespace of ballot definition

identifiers, which might be brittle and error-prone. If a vote

Ptouch 86

Page 100 of 324
Page 101 of 324

record says that it belongs to ballot definition #34 and there is a

disagreement about which ballot definition was #34, the vote

record becomes meaningless.

Ptouch uses the third scheme because it uses only a small

amount of space, and as long as the hash function is collision- resistant, there can be no ambiguity about which ballot

definition is associated with each vote record. As long as you

can obtain a copy of the ballot definition, you can ascertain the

true meaning of a vote. Since we’ve already assumed that the

ballot definitions are published, this is not a serious problem.

The fourth scheme yields a vote record that is fully

self-contained. But in order to store all the definitions on

write-once storage, without revealing anything about the order

in which they were used, and without using very large amounts

of space, all the acceptable ballot definitions must be known in

advance. This scheme would make sense for a machine that

provides some way for the pollworker to select which ballot

definition to use.

If the list of acceptable ballot definitions is fixed in advance,

it would be possible to use just one storage device instead of

two. The storage medium would initially contain all the ballot

definitions; the machine would both read the ballot definitions

from it and append the vote records to it. In such an alternative

scheme, vote records could not become inadvertently separated

from their ballot definitions, but it might be more difficult to

provide a hardware-based guarantee that the ballot definitions

are never alterable.

Ptouch 87

Page 101 of 324
Page 102 of 324

Evaluation

Size. The entire implementation of Ptouch is 291 lines long, not

including comments and blank lines. The breakdown of module

sizes is as follows:

ballot definition loader and verifier 126 lines

event loop 13 lines

navigator 92 lines

video driver 22 lines

subtotal (user interface) 255 lines

vote recorder 38 lines

total 291 lines

Dependencies. Ptouch runs on Python version 2.3. It was

implemented with minimal dependencies so that the size of the

Python code would give a reasonable indication of the true

complexity of the program. It uses only one collection type, the

Python list. Although some lists change length while the

program is running, every list has an upper bound on its length

determined by the ballot definition, so an implementation

based on arrays could preallocate the necessary space.

The user interface modules import nothing from Python’s

standard library, and use only these built-in functions:

• open and read on the ballot definition file.

• ord to convert characters to integers.

• enumerate and range for iterating over lists.

• len and the remove method on lists.

The only Pygame drawing function that Ptouch uses is blit,

which copies a bitmap onto the screen. A few other Pygame

functions are used just to initialize the graphics display.

The vote recording module uses Python’s built-in sha module

for computing the SHA-1 hash of the ballot definition, and also

the following built-in functions:

Ptouch 88

Page 102 of 324
Page 103 of 324

• open, read, write, seek, and tell on the vote storage file

to simulate access to a PROM.

• ord and chr to convert characters to integers.

• enumerate for iterating over lists.

• The sort method to sort the copyover list.

• len and max to find the longest item in the copyover list.

Functionality. The ballot definition format is capable of

supporting:

• both general and primary elections

• ballots in any language and any typeface

• voter instructions at any point in the process

• multiple contests on a single screen

• splitting a contest over multiple screens

• contests allowing more than one selection

• photographs or logos shown with candidates

• write-in text in any alphabetic language

• review of selections before casting the ballot

• jumping directly to specific contests or review screens

• regulations requiring voters to review their selections before

casting the ballot

• regulations restricting the number of times that voters may

review their selections

Because the implementation of write-ins assumes that each

character is selected with a single keypress on the touchscreen,

it can only support alphabetic languages; write-ins in

ideographic writing systems such as Chinese are not supported.

Ptouch does not provide administrative functions such as

viewing vote counts or changing configuration settings. It also

does not perform encryption; by design, there is no need to

encrypt the stored votes.

Separation of concerns. The Ptouch software is divided into

five modules that can be implemented and inspected

separately. Each module has a limited responsibility, which

makes it easier to audit and test.

Ptouch 89

Page 103 of 324
Page 104 of 324

The ballot definition loader is responsible for establishing

that the ballot definition is well-formed. If the loader is

implemented correctly, and if the other modules rely only on

the conditions of well-formedness, then the only possible kind

of software failure is a failure to load the ballot definition.

Successful completion of the loading and verification step

assures that software errors cannot occur during the voting

session.

It is easy to see by direct inspection of the source code that

all modules other than the event loop only react to messages

they receive. The event loop is the only module capable of

initiating messages, but it is also the smallest and easiest to

audit.

The video driver is a passive component, never sending any

messages at all. In particular, the video driver does not have the

authority to activate slots (that is, it cannot “press buttons” in

the interface), which reduces vulnerability to errors in its

implementation.

The navigator has access to only the ballot model and

cannot draw arbitrarily on the display. Because it cannot see the

image data, it cannot determine the semantics of the user’s

selections. Freezing the implementation of the VM before

choosing the order of candidates on the ballot would make it

difficult for even the author of the navigator to bias the vote for

or against a specific candidate. Also, the only input to the

navigator is a slot number, which is a small integer, so the

navigator can be subjected to exhaustive testing.

The voting machine has no non-volatile storage other than

the ballot definition and the cast vote storage. Because the

machine is restarted for each new voting session, and because

the ballot definition is read-only, the only state retained

between voting sessions is the vote storage. Furthermore, the

vote recorder module only receives messages and never sends

any messages to any other software module, so no information

in the vote storage can reach any of the other modules.

Consequently, the user interface seen by each voter is

determined only by the ballot definition and cannot reveal any

Ptouch 90

Page 104 of 324
Page 105 of 324

information about previous voting sessions. Also, this ensures

that all voters using the same ballot definition receive the same

voting experience.

Election rules. Election regulations concerning the ballot are

upheld either by the implementation of the navigator module or

by validating the ballot definition.

By design, Ptouch can only cast one ballot each time it runs.

It is easy to confirm by inspection of the navigator that the only

way to cast a ballot is to arrive at the last page and to see that

the last page is a terminal node in the ballot definition.

It is also straightforward to verify that overvoting is

impossible, because only the navigator can manipulate the

user’s selections, and there are only two places in the code

where an item is added to the selection list.

Other election process rules can be verified by examining

the ballot definition. For example, to ensure that the voter will

be notified of undervotes before casting the ballot, we would

check the graph of transitions among pages to see that the

voter must proceed through review pages before arriving at any

page that can cast the ballot.

Comparison. At only 291 lines of Python, the Ptouch code is

much smaller than the 31 000 lines of code in Diebold’s

AccuVote TS software.1

It may be slightly more appropriate to

compare the 255 lines of UI code with the AccuVote’s 14 000

lines of UI code—but neither comparison is entirely fair,

because Ptouch lacks some of the AccuVote’s functionality and

the two systems have different sets of dependencies.

Nonetheless, the correctness of Ptouch is certainly easier to

assure than the correctness of the AccuVote TS code. In general,

programs with less code tend to be easier to review, easier to

test, less likely to contain bugs, and less likely to crash.

One reason that there is less code is the choice of

programming language: Ptouch requires a Python interpreter,

whereas the AccuVote TS does not. On the other hand, the

1This is less than Kohno’s figure of 49 609 lines [43] because it excludes blank lines and comments.

Ptouch 91

Page 105 of 324
Page 106 of 324

AccuVote TS software depends on Microsoft Windows CE and

builds its user interface using the Microsoft Foundation Classes,

which are much larger and more complex that the blit

functionality that Ptouch uses from Pygame.

It is not unreasonable to consider running Python on voting

machines. Python is widely deployed and vetted and is

supported by an active developer community. Unlike Windows

CE and MFC, Python is a mature open source project,

distributed with an extensive suite of regression tests. As a data

point concerning Python’s size, note that Nokia has released a

small Python interpreter that runs on Nokia mobile phones [57].

The interpreter fits in a 504-kilobyte installation package, which

also includes over 40 Python library modules that Ptouch

doesn’t use.

Alternatively, the Python code could be translated into a

compiled language. Although Ptouch is written in a higher-level

language, it uses very few of Python’s library modules and

built-in functions, as described earlier in this section. It is

reasonable to expect that translating this code into a compiled

language would multiply its size by a factor of 3 or 4, but not by

100.

Despite its small size, the Ptouch code maintains clear

boundaries and minimal data flow among its five modules. As

described earlier in this section, many of the desired security

properties of the voting machine are straightforward to verify in

Ptouch, due to its design. The AccuVote TS code does not lend

itself to similarly easy analysis.

Ptouch 92

Page 106 of 324
Page 107 of 324

Shortcomings

Ptouch lacks several kinds of important functionality.

Accessibility. Ptouch only supports a touchscreen for both

input (receiving choices made by the voter) and output

(displaying information to the voter). Thus, it is not usable by

voters who are blind or voters who lack the motor control to

accurately touch buttons on the touchscreen.

Printing. Ptouch does not accommodate a printer, so it does not

produce any permanent paper records. In particular, there is no

voter-verifiable printed record of votes (VVPAT), a feature that is

currently required by law (either for elections or for purchase of

new equipment) in 16 U. S. states [23]. As of this writing, the

United States Congress is considering a bill [79] that would

make VVPATs a nationally required feature on all DRE machines.

Audit logging. Ptouch does not record any logs of its operation.

Audit logs can be of invaluable assistance to investigations in

the event of a dispute, evidence of tampering, or a software

error.

Straight-party voting. Some paper ballots offer a way to make a

single party selection that has the effect of voting for the

candidate of that party in every contest. As of this writing,

straight-party voting is used in 17 U. S. states [50], but Ptouch

does not support such a feature.

Complex voting rules. Some ballots have voting rules that

cross between selections or contests. For example, sometimes

primary elections for multiple parties are combined on a single

paper ballot, where the voter first indicates their choice of party

and then votes in the contests for that party’s primary. Ptouch

would not be able to present different contests depending on

the party selection that the voter made. As another example, a

Ptouch 93

Page 107 of 324
Page 108 of 324

ballot for a recall election would first let voters vote for or

against the recall itself, then offer a selection of replacement

candidates. Typically, it is only valid to vote for a replacement if

one has voted in favour of the recall. Ptouch cannot enforce this

kind of restriction.

Ranked and other election methods. Most single-winner

elections decide the victor by the plurality rule (also known as

“first past the post”), in which each voter votes for a single

candidate and the candidate with the most votes wins. Despite

its popularity, it is a poor method for electing a single winner

because it penalizes moderate candidates and often motivates

voters to misrepresent their preferences [44], locking in

polarized two-party control of the government. Of the many

election methods that have analyzed by social choice theorists,

it is one of the worst methods for electing a single winner.

One simple way to obtain a truer representation of voter

preferences is approval voting [9], in which each voter can vote

for as many candidates as they want. An approval election is

easily conducted with Ptouch by setting max sels equal to the

number of candidates.

Another election method that has been proposed is range

voting [74], in which voters assign scores to the candidates and

the candidate with the highest average or total score wins.

Range voting can be conducted with Ptouch by setting up a

ballot with a separate contest for each candidate. For example,

to allow scores from 0 to 10, the ballot can simply present

eleven choices, numbered 0 to 10, next to each candidate.

Several election methods involve ballots on which voters can

rank the candidates. The Schulze method [71] and the Tideman

method [77] belong to a family of methods called Condorcet

methods, which use ranked ballots to simulate all the possible

one-on-one match-ups among the candidates. With these

methods, voters are allowed to specify rankings that include

ties (i.e., they can assign the same rank to more than one

candidate). Another notable method, in which voters must

specify rankings without ties, simulates a series of runoff

Ptouch 94

Page 108 of 324
Page 109 of 324

elections in which the least popular candidates are successively

eliminated. This method is known as “preferential voting” or

the “alternative vote” in many countries around the world and

called “instant runoff” in the United States.

Ptouch does not provide a way for voters to rank their

choices. Also, because Pvote records each selection separately,

multiple selections cannot be combined to produce the effect of

a ranked ballot.

For example, some paper ballots implement ranking by

repeating the same list of options multiple times. San Francisco

uses a simplified variant of “instant runoff” in which voters

rank only their top three choices. On the ballot, the same list of

candidates appears in each of three columns; voters are

instructed to indicate their first choice in the first column,

second choice in the second column, and third choice in the

third column. This tactic would not work for Pvote because

Pvote would store the voter’s first, second, and third choices as

three separate selections, dissociated and scattered among all

the selections made by other voters.

Ptouch 95

Page 109 of 324
Page 110 of 324

6 Accessibility

Why was a second prototype needed? 97

What is Pvote’s approach to accessibility? 98

How are alternative input devices handled? 99

How does blindness affect interface navigation? 100

How do blind users stay oriented within an interface? 101

How do blind users keep track of what is selected? 102

How do blind users get feedback on their actions? 103

How are vision-impaired users accommodated? 104

96

Page 110 of 324
Page 111 of 324

Why was a second prototype needed?

Ptouch, the first prototype, demonstrates significant progress in

simplifying voting machine software, but it lacks several key

abilities, as explained at the end of the last chapter. It cannot

handle certain ballot features, it does not print a paper record,

and—most significantly— it supports only a touchscreen for

input and output. Such an interface can only be used

conveniently by voters who can see, who can read, and who

have sufficient fine motor ability to accurately select items on

the screen.

A major motivator for using electronic voting machines in

the first place is to meet the accessibility requirements dictated

by HAVA [78]. By failing to support more accessible voting

interfaces, Ptouch left open the question of just how much

software complexity is necessary to fulfill these machines’

ostensible reason for existing. The purpose of Pvote, the second

prototype, is to answer that question, and to show that better

verifiability can be achieved without sacrificing accessibility and

useful functionality.

Accessibility 97

Page 111 of 324
Page 112 of 324

What is Pvote’s approach to accessibility?

When I began working on accessibility support, I started to

create a special “accessible version” of the system just for blind

users, with a keypad for input, an audio-only interface, and no

visual display. Before long, however, it became apparent that a

universal design approach would be more fruitful.

Universal design [75] is the practice of designing artifacts

that are flexible enough to support a wide range of users with

and without disabilities, instead of separate artifacts or

assistive devices for specific disabilities. A unified solution

avoids stigmatizing people with disabilities, and the increased

flexibility often yields benefits for all users. Volume controls on

public telephones are an example of universal design: they help

everyone use the telephone more easily in a noisy environment,

not just those who are hard of hearing.

Pvote’s unified solution is a single user interface with

synchronized audio and video, rather than a visual interface for

sighted voters and a separate audio-only interface for blind

voters. The same information is presented concurrently in

audio and video; user input always yields both audio and visual

feedback. Voters without disabilities can also benefit from

audio confirmation of their choices [73].

Noel Runyan, an expert on accessible technologies,

recommended synchronized audio and video to me during the

early stages of this work. His recent report on voting

interfaces [69] also makes this recommendation. Although not

all of the electronic voting machines currently in use support

synchronized audio and video, such a requirement is present

both in the 2005 Voluntary Voting System Guidelines

(VVSG) [80] (item 3.2.2.1f) and in a draft of the next generation

of these guidelines [81] (item 3.3.2-D).

Accessibility 98

Page 112 of 324
Page 113 of 324

How are alternative input devices handled?

Pvote takes a universal design approach to input devices as well

as output devices. Its design is intended to support voting

hardware with both a touchscreen for input and an alternate

input device. The design assumes that the alternate input

device consists of a fixed number of momentary buttons and

sends a signal identifying a button whenever a button is

pressed. This is a useful input model because it allows a wide

range of devices to serve as the alternate device, including a

regular keyboard, a numeric keypad, a set of hardware buttons

designed for voting, or a sip-and-puff device. The voter can

decide whether to use the touchscreen or the alternate input

device, and can mix them freely.

This simple input model does not account for the timing of

button presses. For a person with severe physical disabilities

who can only operate one or two buttons, the length and timing

of button presses is an important way to convey information.

Although Pvote cannot distinguish between a short press and a

long press, these inputs could be translated in hardware to

separate signals. That is, from Pvote’s perspective there would

be two different buttons: the hardware would send one keycode

for a short press and a different keycode for a long press.

However, Pvote’s input model does not support autoscan, a

typical feature of “single-switch access” software. In an

autoscan interface, a cursor cycles through a list of choices at a

steady rate and the user activates the switch when the cursor

arrives at the desired choice.

A system with both multimodal input and multimodal

output is helpful not only for blind voters but also voters with

low vision, voters who are illiterate, voters with cognitive

disabilities, and voters with physical impairments that make it

hard to use a touchscreen, as well as voters with multiple

disabilities.

Accessibility 99

Page 113 of 324
Page 114 of 324

How does blindness affect interface

navigation?

With respect to voting user interfaces, the visual channel has

two advantages over audio. First, it can convey textual

information at a higher bandwidth: for most people, reading a

printed list of candidates’ names is faster than listening to them

spoken aloud. Second, a visual image can convey more

information at once without an explicit navigation mechanism:

although a screen full of text probably exceeds what a person

can hold in working memory, a sighted person can easily select

and gather information of interest just by looking around at

different parts of the screen.

A consequence of both of these properties is that audio-only

voting interfaces require smaller units of navigation than

video-only voting interfaces. Whereas an entire page can be

visually “current” to the voter, only a few words can be aurally

“current” at any given moment. For example, a visual interface

can present an entire list of candidates at once but an audio

interface must present the candidates one at a time. Therefore,

a multimodal interface should support the notion of the user’s

focus at two different levels of hierarchy, with audio

information at the finer-grained level. Pvote introduces states

within pages to serve this purpose.

Accessibility 100

Page 114 of 324
Page 115 of 324

How do blind users stay oriented within an

interface?

Visual information can be presented passively, whereas

presenting audio information requires continuous activity. Even

an inert display can convey visual information, whereas silence

conveys no audio information at all.

If a user is distracted while viewing static visual

information, then getting reoriented is just a matter of looking

over the information again. But if a user is distracted while

listening to audio, then getting reoriented requires that the

computer actively replay the audio. Therefore, an audio

interface needs fallback mechanisms to trigger reorientation.

The ballot definition needs to be able to specify a “Where am I?”

button that the user can press to recover context.

There also needs to be a way to provide reorienting

information after a period of inactivity, if the user is lost and

doesn’t know what button to press for help. The Pvote ballot

format has a timeout parameter for this purpose (see

Figure 7.2); the ballot definition can specify a transition to

another page or audio message to be played when the timeout

period expires with no user activity. The most recent draft of

the next version of the VVSG [81] includes requirements for a

“defined and documented inactivity time” (item 3.2.6.1-E) after

which the system alerts the user (item 3.2.6.1-F); Pvote’s timeout

functionality addresses these requirements.

Accessibility 101

Page 115 of 324
Page 116 of 324

How do blind users keep track of what is

selected?

At any given moment, the voting machine keeps track of the set

of current selections in each contest, which I’ll call the selection

state. Recall that in Ptouch, the selection state is displayed

visually by option areas, which display a particular option, with

one appearance if it is selected and another if it is not, and by

review areas, which list all the selected options in a specified

contest.

To communicate the selection state to a blind user, the

audio interface needs to be able to play audio messages that

vary depending on what is currently selected. Thus, a Pvote

ballot defines audio in terms of a sequence of audio segments,

where each segment can be constant or variable. A constant

segment always plays the same audio clip independent of the

selection state; a variable segment selects an audio clip to play

as a function of the current selection state. Constant and

variable segments are concatenated together to give the effect

of filling in blanks in spoken prose, yielding a verbal description

of the selection state.

Accessibility 102

Page 116 of 324
Page 117 of 324

How do blind users get feedback on their

actions?

Not every user action succeeds. For example, the user should

not be allowed to overvote. Ptouch enforced this rule, but

provided no particular feedback; an attempt to select an

additional candidate would simply have no effect when the

contest is already full. (I use “full” to mean that the maximum

allowed number of selections in the contest is selected, and

“empty” to mean that none of the options in the contest are

selected.)

In a visual interface this might be considered acceptable

behaviour, as the user can immediately see whether or not the

attempt to select had an effect: either the candidate’s name

takes on a selected appearance, or it doesn’t. But in an audio

interface, there is no such direct feedback without an audio

message describing what just happened. Therefore, to support

audio-only voters, the ballot definition needs to be able to

specify different audio messages depending on whether an

action succeeded or failed, and possibly also depending on the

reason for success or failure. The new condition structure in

Pvote’s ballot format makes this possible (see Figure 7.2).

Accessibility 103

Page 117 of 324
Page 118 of 324

How are vision-impaired users

accommodated?

A large-type mode and a high-contrast mode can be helpful for

users with a vision impairment. Both the 2005 VVSG [80] (items

3.3.2.1b and 3.3.2.1c) and the draft new guidelines [81] (items

3.2.5-E and 3.2.5-I) require electronic voting displays to be

capable of showing all information in at least two type sizes,

3.0–4.0 mm and 6.3–9.0 mm, and to have a high-contrast mode

with a contrast ratio of at least 6:1 (on current voting machines

this usually means a black-and-white mode).

Ptouch can already accommodate these requirements by

providing multiple prerendered versions of the ballot in a single

ballot definition file, together with buttons for selecting or

switching the desired presentation mode. For example, each

normal-type page could include a button for switching to the

large-type version of the same page. However, such a ballot

would contain duplicates of the contests and their options. In

terms of the ballot definition data structures, the large-type

contest and the normal-type contest for each office would be

distinct contests with distinct options. Ptouch’s electronic

records of votes would therefore reveal whether the voter

selected a large-type candidate or a normal-type candidate,

which could be considered a voter privacy violation.

Because Pvote has more flexible handling of user input, it is

possible to design ballots for Pvote that avoid this problem. A

single user action can trigger multiple effects in Pvote, so user

selection of any one option can be made to automatically select

all the corresponding variants in the other display modes (e.g.,

touching the button for Jane Smith in normal print also selects

Jane Smith in large print, Jane Smith in high contrast, etc.). The

results of making the same selections in different presentation

modes would then be indistiguishable.

Accessibility 104

Page 118 of 324
Page 119 of 324

7 Pvote

the multimodal prototype

Overview 106

Goals 107

Design principles 110

Differences between Pvote and Ptouch 114

Ballot definition format 121

Software design 127

Implementation 132

Evaluation 133

105

Page 119 of 324
Page 120 of 324

Overview

This chapter describes Pvote [91], the second prototype

vote-entry program I developed. Unlike Ptouch, Pvote offers

support for most voters with disabilities by providing

synchronized audio and video output, and also by accepting

input from buttons and other accessible input devices as well as

touchscreen input. In addition, Pvote handles several less

common ballot features that Ptouch does not support.

Pvote is intended for voting machines that are electronic

ballot printers; thus, both the ballot definition and the VM

software contain a component specifically to support ballot

printing. An implementation targeted for other types of voting

machines could substitute a different component for recording

the cast votes, such as the tamper-evident direct recording

mechanism in Ptouch.

Pvote 106

Page 120 of 324
Page 121 of 324

Goals

Pvote aims to achieve both functionality goals and security

goals. The set of supported ballot features and user interface

features is determined by the ballot definition format. Security

depends on the correct and verifiable implementation of the

Pvote program.

Functionality. Voting systems should be highly usable by voters

of all kinds, and their usability should be evaluated and

improved through user testing. However, user testing of

specific ballot designs is outside the scope of the present work.

The aim here is to design not a particular ballot, or even a

particular style of ballot, but a ballot definition format—one

flexible enough that usability and accessibility experts can use

it to create better and better ballots as our understanding of

voting human factors improves. As explained in Chapter 4, the

prerendering approach opens up the process so ballot design

can be done by expert ballot designers, not just voting machine

programmers.

If the ballot definition format is rich enough to replicate

what existing voting machines do, then the resulting voting

system will be capable of being at least as usable as today’s

voting systems. We can be assured of not having lost ground in

usability, while throwing open the door to future ballot designs

with better usability. Thus, the goals for the new ballot

definition format are described in terms of sufficient

functionality to match existing systems:

• It should be possible, with an appropriate ballot definition

and corresponding hardware, to produce a similar or better

user experience compared to existing electronic voting

systems, including those that support audio or

synchronized audio and video.

• It should be possible to define a reasonably usable

synchronized audio and video interface corresponding to a

real ballot.

comments (0)
Building Reliable Voting Machine Software https://drive.google.com/file/d/0B3FeaMu_1EQyUVE0VzhxWU5kVlU/view
Filed under: General
Posted by: site admin @ 8:13 pm

Building Reliable Voting Machine Software

 https://drive.google.com/file/d/0B3FeaMu_1EQyUVE0VzhxWU5kVlU/view

Pvote 107

Page 121 of 324
Page 122 of 324

• It should be possible to create a single ballot definition that

makes sense for a voter who can only hear the audio and

also makes sense for a voter who can only see the visual

display.

• It should be possible to implement most of the voting

features needed for real elections, such as multiple-selection

contests, write-ins, straight-party voting, eligibility for

contests dependent on selections in other contests,

restrictions on cross-endorsed candidates, and ranked

voting.

Security. As elaborated in Chapter 2, the essential task of a

voting system is to obtain an accurate and fair measurement of

the preferences of the electorate. Pvote aims to uphold the

security goals given on page 31 of that chapter:

G3. In every voting session, the correct choice of ballot style

is presented to the voter.

G4. Every ballot is presented to the voter as the ballot

designer intended.

G5. At the start of every voting session, no choices are

selected.

G6. The voter’s selections change only in accordance with

the voter’s intentions.

G7. The voter receives accurate feedback about which

choices are selected.

G8. The voter can achieve any combination of selections that

is allowable to cast, and no others.

G9. The voter has adequate opportunity to review the ballot

and make changes before casting it.

G10. The ballot is cast when and only when the voter intends

to cast it.

G11. Every selection recorded on a ballot cast by a voter is

counted.

G12. No extra ballots or selections are added to the count.

G13. The selections on the ballots are not altered between the

time they are cast and the time they are counted.

G14. The tally is a correct count of the voters’ selections.

Pvote 108

Page 122 of 324
Page 123 of 324

G17. No voting session allows more than one ballot to be cast.

G20. Every voter can begin a voting session within a

reasonable, non-discriminatory waiting time.

G21. Every voting session provides a reasonable,

non-discriminatory opportunity to cast a ballot.

G23. The processing of voter choices does not expose how

any particular voter voted.

G24. Voters are not provided any way to give plausible

evidence of how they voted to an external party.

With Pvote:

• G3 has to be upheld by the pollworker who selects the ballot

style for the voter.

• G4, G5, G6, G7, G8, G9, and G10 are upheld by verifying that

the ballot definition is properly designed and by verifying

that Pvote interprets the ballot definition correctly.

• G11, G12, and G13 are upheld by the physical procedures

for casting and handling the paper ballots printed by Pvote.

• G14 is upheld by the counting procedures for paper ballots.

• G17 is upheld by verifying that Pvote becomes inert

immediately after casting a ballot.

• G20 and G21 are upheld by verifying that Pvote does not

crash or become unresponsive during a voting session.

• G23 is upheld by ensuring that Pvote’s behaviour in each

voting session is independent of all previous sessions.

The security goal is that it must be possible (and preferably

easy) for reviewers to verify to their satisfaction that the system

guarantees the necessary correctness properties, without

relying on faith in the honesty or competence of the system’s

developers.

Pvote 109

Page 123 of 324
Page 124 of 324

Design principles

In the design for Pvote’s ballot definition format, I tried to

anticipate and support many kinds of functionality. Because the

design involved many trade-offs among interdependent factors,

I found that I had to choose some guiding principles to help

keep design decisions well grounded. These principles would

probably also be useful when taking the prerendering approach

to high assurance in other domains as well as voting. The next

few sections outline these principles, in order of decreasing

priority.

Work from a concrete use case. I found it helpful to examine a

specific paper ballot (in this case, a sample ballot from the

November 2006 election—Contra Costa County’s ballot style

167) and consider what would constitute an acceptable

corresponding electronic ballot. Any faithful translation of this

ballot into electronic form must present all of the information

on the paper ballot, enable a voter to navigate through the

ballot, keep the voter oriented as to their position in the ballot,

allow access to all available options, and keep the voter aware

of the current state of their selections. The electronic ballot

must achieve all of these things for voters using only the visual

display as well as voters using only the audio.

The paper ballot turned out to be invaluable for driving the

design process. It was often a good idea to refer back to the

paper ballot to work out exactly what should appear on the

screen, what audio should be played, and the appropriate

responses to all possible user inputs. The exercise of creating a

specific ballot definition file revealed which features had to be

supported by the ballot definition language and when it was

necessary to add more capabilities to the VM.

Minimize VM complexity. The ultimate goal of this work is to

facilitate the review of the software that has to be verified— in

this case, the VM. In general, the smaller and simpler the VM,

Pvote 110

Page 124 of 324
Page 125 of 324

the easier it is to verify. When faced with a design decision, I

would keep returning to this goal and choose whichever option

yielded a smaller or simpler VM. This principle was secondary

only to including the necessary functionality to implement a

real ballot, as described in the preceding section.

One consequence of this principle is that it is more

important to avoid redundancy in the VM code than to avoid

redundancy in the ballot data. For example, although the ballot

definition file is likely to contain images that are highly

compressible, they are not compressed, because that would

require additional decompression code in the VM. Security

reviews are expensive, but storage is cheap.

Maximize UI design flexibility. Other things being equal, it is

better for the ballot definition language to allow a wider range

of user interfaces to be specified. Giving more expressive power

to the ballot definition makes the VM less likely to have to

change to support new user interface designs. Since each

change invalidates previous software reviews, future-proofing

the VM yields real security benefits. Thus, when considering

design options that do not significantly differ in the complexity

of the VM or in the ability of the VM to enforce correctness

constraints, the preferred option is the one that leads to a larger

space of possible user interfaces.

One effective way to make the ballot definition language

more expressive is to embrace orthogonality in language

primitives. Replacing specialized high-level constructs with a

combination of more general-purpose primitives can be doubly

beneficial: the increased generality enables more possibilities to

be expressed, while the increased uniformity makes the

implementation in the VM more concise. For example, the new

ballot definition language has no special cases to distinguish,

say, review screens or write-in screens from other kinds of

screens; all of these are just pages, and information can be

freely arranged on each page.

The trade-off is that using lower-level constructs sometimes

makes the ballot definition more tedious to review. Switching to

Pvote 111

Page 125 of 324
Page 126 of 324

more general, lower-level constructs tends to be advantageous

if it gives the UI designer more flexibility without creating new

ways of violating correctness, and if the additional tediousness

of reviewing ballot definitions can be mitigated by automated

tools for reviewers.

Maximize UI review efficiency. In the prerendering paradigm,

assurance is derived from human review of the user interface

specification (which, in this application, is the ballot definition).

It’s impossible to eliminate the necessity of human involvement

in evaluating the correctness of the user interface—whether a

visual display or a spoken message is misleading is a judgement

that can only be made by a human reviewer.

However, design choices in the UI specification language can

affect the level of confidence with which a human reviewer’s

observations can be generalized across all of the situations a

user might encounter in using the voting interface. A

well-designed ballot definition language can give human

reviewers the leverage to draw broad conclusions from

manageable amounts of review and testing.

In any system with even a modest number of variables, the

number of states that the system can be in is likely to be so

large that a human reviewer cannot observe the user interface

in every possible state. But the ballot definition language can

defend the human reviewer from this combinatorial explosion

of states. The language can facilitate the creation of ballot

definitions for which observing a limited number of states (for

example, walking through the ballot making selections as in

typical pre-election testing) is sufficient for a reviewer to

accurately extrapolate the UI presentation of all the states the

system could come to be in.

For example, candidate’s names are spoken in the audio

interface in several contexts. When the voter selects Candidate

X, there should be an audio confirmation message such as

“Candidate X has been selected.” When the voter is reviewing

selections, the voter should hear a message such as “For

President, your current selection is Candidate X.”

Pvote 112

Page 126 of 324
Page 127 of 324

Suppose that these two messages were each independently

recorded as a single sound clip. In order to verify the

correctness of the audio, a human reviewer would have to listen

to each pair of messages to ensure that the candidate sounds

the same in each pair— it would not do for the selection

message to say “Candidate X” but for the review message to say

“Candidate Y.” In such a scheme, the number of messages to

review would be roughly the number of candidates times the

number of contexts in which they appear.

The reviewer’s work can be made substantially easier by

breaking up the messages into parts. The candidate’s name can

be recorded and stored once, then used for all the messages

that have to do with that candidate. The remaining part (in our

example, “has been selected”) can be recorded once and used

for all the selection messages across all candidates. The

consistent reuse of audio clips can be checked mechanically,

leaving the human reviewer with fewer audio clips to review

(roughly the number of candidates plus the number of contexts).

Pvote 113

Page 127 of 324
Page 128 of 324

Differences between Pvote and Ptouch

In order to support synchronized audio and video, Pvote’s

ballot definition format is substantially more complex than that

of Ptouch. Figure 7.1 presents a side-by-side comparison of the

ballot definition formats for Ptouch and Pvote. Only the main

part of the ballot definition, the ballot model, is shown.

The rest of this section describes some of the main

differences. In the terminology used here, a contest is a race or

a referendum put to the voters and an option is one of the

choices available in a contest. The options in a race are

candidates, whereas the options in a referendum are typically

“yes” and “no.” During voting, the selection state is the voter’s

current set of selections in all the contests. A contest is said to

be empty if none of its options are selected, and full if the

maximum allowed number of selections is selected. The

capacity of a contest is its maximum allowed number of

selections. To undervote in a contest is to leave the contest less

than full; to overvote in a contest is to exceed its capacity.

state

timeout action

int sprite_i

audio segment

binding

audio segment

intn timeout_page_i

int timeout_state_i

Pages contain states. Pvote adds states within pages to

represent a second level of focus, which is necessary to support

navigation for blind users. Because audio navigation units are

finer-grained, audio information is primarily specified at the

state level, whereas visual information is primarily specified at

the page level. All the states belonging to a page share the same

overall appearance and layout, though a part of the screen can

vary in appearance. Behaviours in response to user input can be

specified at either level; at the state level they apply to a single

state; at the page level they apply to all the states in the page.

For example, in a typical ballot layout, a single page

presents a list of candidates, and each state within that page

highlights one of the candidates. The user presses a button to

step through the candidates one at a time. In the state when a

particular candidate becomes the focus, the audio for the

candidate’s name is played and the candidate’s name is

Pvote 114

Page 128 of 324
Page 129 of 324

Pvote ballot definition format

ballot model

page

contest

int max_sels

int max_chars

ballot model

page

int timeout_ms

counter area

int group_i

int sprite_i

state

timeout action

int sprite_i

audio segment

binding

audio segment

group

int max_sels

int max_chars

int option_clips

option

int sprite_i

int clip_i

intn writein_group_i

subpage (write-in page)

subtarget

int action

binding

intn key

intn target_i

condition

audio segment

step

enum op

intn group_i

int option_i

intn next_page_i

int next_state_i

audio segment

condition

enum type

int clip_i

intn group_i

int option_i

condition

enum predicate

intn group_i

int option_i

bool invert

Ptouch ballot definition format

definitions of

substructures (small

dotted rectangles) used

in the Pvote format

intn timeout_page_i

int timeout_state_i

option area

int contest_i

write-in option area

int contest_i

option area

int group_i

int option_i

review area

int contest_i

review area

int group_i

intn cursor_sprite_i

target

int action

int page_i

int contest_i

binding

Figure 7.1. Comparison of Ptouch and Pvote ballot formats (only the ballot model is shown).

Pvote 115

Page 129 of 324
Page 130 of 324

highlighted in the list on the screen. Selecting the currently

highlighted candidate is a state-level behaviour, since the

selection operation is different in each state, whereas moving

on to the next contest is a page-level behaviour.

To help keep the user oriented, each state has a timeout

audio sequence and an optional timeout transition. The ballot

definition as a whole has a timeout parameter in milliseconds.

When there has been no audio playing and no user input for the

timeout period, the timeout audio sequence is automatically

played and the timeout transition takes place, if any.

binding

intn key

intn target_i

audio segment

intn next_page_i

int next_state_i

step

condition

User inputs can be mapped to arbitrary actions. In the Ptouch

format, the behaviours triggered by screen touches were

specialized according to the type of the touched screen region.

For example, option areas were hardcoded in the VM to react to

a touch by toggling whether the associated option was selected,

and write-in option areas were hardcoded to react to a touch by

jumping to an associated write-in page.

This direct binding between screen regions and actions is

inadequate for a multimodal design in several ways. First, direct

binding doesn’t make sense for input from hardware buttons:

there aren’t enough buttons to dedicate a button to each option.

Second, the multimodal design has to allow for a “Where am I?”

button, which could play many different audio messages

depending on the current system state.

Third, text entry in an audio-only interface is a nontrivial

design problem. Ptouch could afford to hardcode text entry

behaviour in the obvious way—a keyboard made of onscreen

buttons, where touching each button types a letter. But there is

no single obvious way to enter text in an audio-only interface.

For example, if the voting machine has space for a physical

keyboard, then each key should type a letter. If the machine

provides a button pad with “next”, “previous”, and “select”

buttons, then the buttons could be used to navigate forward and

backward through the alphabet to enter letters. The text entry

method is likely to vary widely depending on the hardware, so it

should be left up to the ballot definition to specify.

Pvote 116

Page 130 of 324
Page 131 of 324

For all these reasons, Pvote allows more flexible input

handling by adding a layer of indirection: a list of bindings

between input events and the actions they trigger.

step

enum op

intn group_i

int option_i

Actions are generalized to sequences of steps. With the

introduction of bindings, there had to be a new data structure

to represent the action triggered by an input event. An action is

represented as a list of steps, where each step performs a

selection operation (select an option, deselect an option,

deselect the last selected option in a contest, or clear a contest).

Actions with multiple steps are useful for straight-party voting

and for ballots containing multiple versions of the same

contests (e.g., large type and normal type). The list of steps is

embedded in the data structure for a binding.

audio segment

enum type

int clip_i

intn group_i

int option_i

condition

Audio sequences are attached to states and actions. Pvote can

play audio when switching into a new state or when an action is

triggered by user input. Also, when an action is triggered by

user input, any currently playing audio is interrupted.

In the ballot definition, an audio sequence contains a list of

audio segments, where each segment can be constant or

variable. There are four kinds of variable audio segments:

1. A segment that plays the name of a specific option.

2. A segment that plays the names of all the selected options

in a contest.

3. A segment that plays an audio clip chosen according to the

current number of selected options in a contest.

4. A segment that plays an audio clip chosen according to the

maximum number of selections a contest allows.

For example, to tell the voter which candidates are selected for

city council, an audio sequence might consist of two segments:

first a constant segment that says “Your selections for city

council are”, then a variable segment that lists the voter’s

selections in the city council contest. However, a constant

segment is often insufficient to produce a natural-sounding

description. If there is only one selection, the sentence should

Pvote 117

Page 131 of 324
Page 132 of 324

begin “Your selection for city council is”. The third type of

variable segment can be used to select the grammatically

correct sentence.

The first and fourth types don’t vary depending on the

selection state—any ballot that uses them can be defined just

as well in a ballot definition language without them. But their

presence allows more of the ballot definition to be kept the

same from election to election, reducing the work of verifying

the ballot definition.

condition

enum predicate

intn group_i

int option_i

bool invert

Actions and audio segments can be conditional. Because

Pvote’s behaviour in response to user input is no longer

hardcoded, the ballot definition needs a way to specify different

effects that will occur depending on the selection state. For

example, consider what should happen when the user touches

an option. If the option is already selected, then one possible

effect would be to deselect the option. If the option is not

selected, and its contest is not full, then the option should

become selected. And if the option is not selected but its

contest is full, then the selection should not change. Each of

these three cases also needs its own corresponding audio

message describing what happened.

To make this possible, each binding has an attached list of

conditions concerning the selection state. Each condition can

check whether a particular option is selected, a particular

contest is full, or a particular contest is empty. The binding is

triggerable only if all of its conditions are satisfied.

Conditions are also useful for constructing variable audio

sequences. A list of conditions is attached to each segment;

each segment is played or skipped depending on whether all of

its conditions were satisfied. Reusing conditions in this way

increases the flexibility of audio feedback while keeping the

implementation simple.

Groups replace contests and write-ins. A group is a container

of selectable options; it can represent a contest (with options

such as candidates) or a write-in entry field (where the options

Pvote 118

Page 132 of 324
Page 133 of 324

group

int max_sels

int max_chars

int option_clips

option

are the individual characters that can appear in the entry field).

The group data structure is used for both purposes because of

the functionality that is common between them:

• In both cases, the current selection for a group is a list of

options (even though a contest selection has set-like

semantics and a write-in selection has ordered sequence

semantics).

• In both cases, user actions add and remove options to and

from the selection (e.g., selecting candidates in a contest or

typing letters into a write-in field).

• Visual display of the selections in a group consists of

pasting the candidate images or the letter images into a

sequence of equal-sized spaces on the screen.

• Audio playback of the selections in a group consists of

playing each selection in order—reading off the list of

selected candidates or speaking the letters in a write-in field

one by one.

option

int sprite_i

int clip_i

intn writein_group_i

Options have their own data structure. In the Ptouch format,

every option area was assumed to represent a distinct option.

Thus, each option area only had to indicate which contest it

belonged to. The Ptouch structure did not list the options in

each contest; determining the number of options in a contest

required scanning the pages of the ballot definition and

counting the option areas associated with that contest.

In the Pvote format, information about each option—such

as its associated image and audio clip— is kept in an option

structure under the option’s group. The option areas refer to

these option structures. Bindings that select options, audio

segments that play option names, and conditions that examine

options can either refer to options directly or refer to option

areas, which themselves refer to options. This extra layer of

indirection yields two kinds of flexibility:

• The same option can be displayed in more than one place

on the ballot.

• Options can be rearranged by rearranging the references

from option areas to options.

Pvote 119

Page 133 of 324
Page 134 of 324

The rearrangement of options, also known as “candidate

rotation,” helps to reduce the bias inherent in displaying a

particular candidate first. Without the extra layer of indirection,

candidate rotation would be difficult to automate reliably

because there would be no distinction between a reference to an

option area and a reference to an option. This distinction is

important because indirect references to options via option

areas should change when options are shuffled, whereas direct

references to options should not change when options are

shuffled. When candidates are rotated, their screen position

and order of audio presentation should change, but the set of

candidates belonging to a party for a straight-party vote should

not change.

This design feature makes it easy to rotate candidates by a

simple manipulation of the ballot file. Rearranging the

references from option areas to options does not change the

option number assigned to each candidate. Thus, candidate

rotation has no effect on the way voter selections are recorded,

which helps to avoid the possibility of confusion in interpreting

recorded votes.

One could produce several rotated variants of a ballot

before the election and publish them all; it is straightforward to

verify that two ballot definition files represent the same ballot

except for reordering of the candidates. Alternatively, the voting

machine could even perform candidate rotation on the fly for

each voter, though the Pvote implementation does not do this.

Pvote 120

Page 134 of 324
Page 135 of 324

Ballot definition format

Figure 7.2 depicts the complete ballot definition format for

Pvote. Just as in Ptouch, the ballot definition describes a state

machine. Each state transition is triggered by a user action or

by an idle timeout. Executing a transition can cause options to

be selected or deselected. Audio feedback can be associated

with states and with transitions between states. The ballot

definition contains three main sections:

• Ballot model: structure of the ballot and interaction flow of

the user interface.

• Audio data: sound clips to play over the headphones.

• Video data: images to display on the screen, the locations at

which to display them, and locations of touch-sensitive

screen regions.

These three sections are separated so that each one can be

supplied to a distinct module of the VM with distinct

responsibilities. In addition, they can be separately updated—

for example, one can translate the audio interface into a

different language by recording audio clips for a new audio data

section while leaving the other sections unchanged.

In Pvote, which is written specifically for a text-based

electronic ballot printer, the ballot definition also includes a

fourth section, the text data, which contains textual descriptions

of the contests and candidates for the printer to print.

Audio data. The audio data section specifies the sample rate at

which all audio is to be played and provides an array of sound

clips. Other parts of the ballot definition refer to these clips by

supplying indices into this array. The audio clips are

uncompressed and monophonic, and each sample is a 16-bit

signed integer. The clips can contain recordings of actual

speech or of prerendered synthesized speech.

Video data. The video data section specifies the resolution of

the video screen and includes an array of layouts and an array

Pvote 121

Page 135 of 324
Page 136 of 324

ballot model

page

int timeout_ms

counter area

int group_i

int sprite_i

state

timeout action

int sprite_i

audio segment

binding

audio segment

group

int max_sels

int max_chars

int option_clips

option

int sprite_i

int clip_i

intn writein_group_i

binding

intn key

intn target_i

condition

audio segment

step

enum op

intn group_i

int option_i

intn next_page_i

int next_state_i

audio segment

condition

enum type

int clip_i

intn group_i

int option_i

condition

enum predicate

intn group_i

int option_i

bool invert

definitions of

substructures (small

dotted rectangles) used

in the ballot model

intn timeout_page_i

int timeout_state_i

option area

int group_i

int option_i

review area

int group_i

intn cursor_sprite_i

binding

text data

text group

str name

bool writein

str[] options

audio data

clip

sample[] samples

int sample_rate

video data

layout

target rectangle

int left

int top

int width

int height

screen image

int width

int height

pixel[width × height] pixels

int width

int height

slot rectangle

int left

int top

int width

int height

sprite image

int width

int height

pixel[width × height] pixels

Figure 7.2. The Pvote ballot definition data structure. Stacked boxes represent arrays. This

is the second line of the caption.

Pvote 122

Page 136 of 324
Page 137 of 324

of sprites. A sprite is an image, smaller than the size of the

entire screen, that will be pasted on the screen somewhere. A

layout consists of a full-screen image, an array of targets, and

an array of slots. A target is a rectangular region of the screen

where a touch will have an effect; a slot is a rectangular region

where a sprite can be pasted. Image data is stored

uncompressed, with 3 bytes per pixel (red, green, and blue

colour values).

group

int max_sels

int max_chars

int option_clips

option

int sprite_i

int clip_i

intn writein_group_i

Ballot model. The ballot model is the main specification of the

state machine. It contains an array of groups and an array of

pages. It also specifies an idle timeout in milliseconds.

Groups and options. A group is a set of choices from which the

voter makes selections. There are two kinds of groups: contest

groups and write-in groups. A contest group represents a race

in which the options are candidates or a referendum question

with options such as “yes” and “no”. A write-in group

represents the text entered in a write-in area within a contest, in

which the options are the characters used to spell out the name

of the write-in candidate. In the array of options within each

group, images and sound clips are specified to represent each

option by providing indices into the arrays of audio clips and

sprites. Within a contest group, an option can also specify that

it is a write-in option and identify the write-in group containing

its write-in text.

Each group specifies its capacity (the maximum number of

selections allowed in the group); for contest groups this

prevents overvotes, and for write-in groups this limits the

length of the entered text. All the write-in options within a

contest must have the same maximum length for text entry.

Pages and states. The page is the basic unit of visual

presentation; within each page is an array of states. The pages

correspond, one-to-one, to the layouts in the video data. At any

given moment, there is a current page and a current state. The

user interface always begins on page 0 in state 0; when the VM

Pvote 123

Page 137 of 324
Page 138 of 324

executes a transition to the last page in the array of pages, the

ballot is printed or cast with the voter’s current selections. In

addition to the array of states, each page contains arrays of

option areas, counter areas, review areas, and bindings.

state

timeout action

int sprite_i

audio segment

binding

audio segment

intn timeout_page_i

int timeout_state_i

The states in a page are states in the state machine of the

user interface. Each state specifies a sprite to be pasted over the

main page image while the state is current. (For example, a page

could show a list of several options, and the states within that

page could display a focus highlight that moves from option to

option. Each state would paste a focus highlight for its option

over the page image.) Each state also has an array of audio

segments to be played upon entering the state, and an array of

its own bindings.

A state can also specify audio segments to be played upon a

timeout and/or an automatic transition to another state upon a

timeout. A timeout occurs when the audio has stopped playing

and there has been no user activity for the timeout duration

specified in the ballot model.

page

counter area

int group_i

int sprite_i

option area

int group_i

int option_i

review area

int group_i

intn cursor_sprite_i

binding

state

An option area is a screen region where an option will be

displayed. Its fields identify the option that will appear there.

A counter area is a screen region that will indicate the

number of options currently selected in a contest; this enables

the interface to provide feedback on undervoting. A counter

area is associated with a group and points to an array of sprites.

The number of currently selected options in the group is used

as an index to select a sprite from the array to display.

A review area is a screen region where currently selected

options will be listed; it has a field to indicate the group whose

selections will be shown. The review area must provide enough

room for up to j options to be displayed, where j is the capacity

of the group. A review area can also specify a “cursor sprite” to

be displayed in the space for the next option when the group is

not full. This allows a review area for a write-in group to serve

as a text entry area, in which a cursor appears in the space

where the next character will be added.

The screen locations for pasting all these sprites (overlays

for states, options for option areas and review areas, and sprites

Pvote 124

Page 138 of 324
Page 139 of 324

for counter areas) are not given in the ballot model; they are

specified in the array of slots in the page’s corresponding layout.

Each state, option area, and counter area uses one slot. Each

review area uses j × (1 + k) slots, where j is the capacity of the

group and k is the capacity of write-ins for options in the group.

(A write-in group cannot itself contain write-in options; thus, for

a review area for a write-in group, k is zero.) Each block of 1 + k

slots is used to display a selected option: the option’s sprite

goes in the first slot, and if the option is a write-in, the

characters of the entered text go in the remaining k slots, which

are typically positioned within the first slot. If there are i

currently selected options in the group, option sprites appear in

the first i of the j blocks. If there is a cursor sprite, it is pasted

into the first slot of block i + 1 when the group is not full.

binding

intn key

intn target_i

condition

audio segment

step

enum op

intn group_i

int option_i

intn next_page_i

int next_state_i

enum predicate

intn group_i

int option_i

bool invert

Bindings. The lists of bindings in pages and states specify

behaviour in response to user input. Each binding consists of

three parts: stimulus, conditions, and response.

There are two kinds of stimuli: a keypress, which is

represented as an integer key code, and a screen touch, which is

translated into a target index by looking up the screen

coordinates of the touch point in the layout’s list of targets. A

binding can specify either a key code or a target index or both.

Each binding can have a list of associated conditions; the

binding applies only if all the conditions are satisfied. A

condition can test whether a particular group is empty or full or

whether a particular option is selected.

The response consists of three parts, all optional: selection

operations, audio feedback, and navigation. The selection

operations are specified as a series of steps, where a step selects

or deselects an option, appends a character to a write-in, deletes

the last character, or clears a group. The audio feedback is

given as an array of audio segments to play. Navigation is

specified as the index of a new page and state.

Bindings for the current state take precedence over bindings

for the current page. When the user provides a stimulus, at

most one binding is invoked: the bindings for the state and

Pvote 125

Page 139 of 324
Page 140 of 324

then the page are scanned in order, and the response is carried

out for the first binding that matches the stimulus and has all

its conditions satisfied.

audio segment

enum type

int clip_i

intn group_i

int option_i

condition

enum predicate

intn group_i

int option_i

bool invert

Audio segments. Audio feedback is specified as a list of

segments. A segment can play a fixed clip, the clip associated

with a specified option, all the clips associated with the options

that are selected in a specified group, or a clip chosen based on

the number of options that are selected in a specified group.

When a clip associated with an option is played, if the option is

a write-in option, the clip for each character in the contents of

the write-in field is also played. More than one clip can be

associated with an option (for example, each candidate could

have a short description and a long description).

At any given moment, at most one clip can be playing at a

time; there is a play queue for clips waiting to be played next.

Whenever a clip finishes playing, the next clip from the queue

immediately begins to play, until the queue is empty. Invoking a

binding always interrupts any currently playing clip and clears

the play queue. The audio segments for the binding, if any, are

queued first; if a state transition occurs, the audio segments for

the newly entered state are queued next.

Each segment has a list of conditions (the same as in a

binding) that must all be satisfied in order for the segment to be

queued; otherwise, the segment is skipped. The conditions are

evaluated when the segment list is being queued (i.e.,

immediately after carrying out the selection steps of a binding,

immediately after entering a new state, or when a timeout

occurs).

Pvote 126

Page 140 of 324
Page 141 of 324

Software design

The virtual machine is composed of five software modules: the

navigator, the audio driver, the video driver, the event loop, and

the vote recorder (Figure 7.3). Each component has limited

responsibilities, and there are limited data flows between

components. Two additional components not visible in

Figure 7.3 are the ballot loader, which deserializes the ballot

definition into memory, and the ballot verifier, which checks the

ballot definition. The loader and verifier complete their work

before the voting session begins (i.e., before any interaction

with the voter). The verifier is responsible for ensuring that the

ballot definition is sufficiently well-formed that the VM will not

crash or become unresponsive during the voting session.

The event loop maintains no state and handles all incoming

events, which are of four types:

• Keypresses: Upon receiving a keypress event, the event loop

sends a press message to the navigator.

video data

paste(sprite_i, slot_i)

goto(layout_i) navigator vote

recorder

video

driver frame buffer write(selections)

touch sensor x, y

locate(x, y)

slot_i

touch(target_i)

press(key)

timeout() storage device

or printer keypad event loop key

audio

driver headphones next()

play(clip_i)

stop()

audio data ballot model

LEGEND

one-way data flow

ballot

definition

hardware

device

software

module

start playing

audio finished set timer timer expired

Figure 7.3. Block diagram of the Pvote virtual machine. The five software modules in

bold generate and run the user interface. The arguments clip i, layout i, sprite i,

target i, key, x, and y are integers; selections is an array of arrays of integers.

Pvote 127

Page 141 of 324
Page 142 of 324

• Screen touches: Upon receiving a touch event, the event loop

sends a locate message to the video driver to translate the

touch coordinates into a target index, then passes this

target index to the navigator in a touch message.

• Audio notifications: Upon receiving notification that a

sound clip has finished playing, the event loop sends a next

message to the audio driver.

• Timer notifications: Upon receiving notification that the

timer has expired, if no sound clip is currently playing, the

event loop sends a timeout message to the navigator to

indicate that the ballot’s specified timeout has passed with

no activity.

Whenever it receives any event, the event loop reschedules a

timer notification event according to the timeout duration in

the ballot definition.

The navigator keeps track of the current page and state and the

current selections in each group, and has no other state. The

navigator responds to three messages:

• touch(target i): Find the first operative binding for the

video data

paste(sprite_i, slot_i)

goto(layout_i) navigator vote

recorder

video

driver frame buffer write(selections)

touch sensor x, y

locate(x, y)

slot_i

touch(target_i)

press(key)

timeout() storage device

or printer keypad event loop key

audio

driver headphones next()

play(clip_i)

stop()

audio data ballot model

LEGEND

one-way data flow

ballot

definition

hardware

device

software

module

start playing

audio finished set timer timer expired

Figure 7.3. Block diagram of the Pvote virtual machine. The five software modules in

bold generate and run the user interface. The arguments clip i, layout i, sprite i,

target i, key, x, and y are integers; selections is an array of arrays of integers.

Pvote 128

Page 142 of 324
Page 143 of 324

current state or page that matches the given target, and

invoke it.

• press(key): Find the first operative binding for the current

state or page that matches the given keypress, and invoke it.

• timeout(): Add the current state’s timeout audio segments

to the play queue, and follow the current state’s timeout

transition, if one is specified.

The navigator sends five messages to other modules:

• goto(layout i) is sent to the video driver upon transition

to a page. The layout index is the same as the page index

(the array of layouts in the video data parallels the array of

pages in the ballot model).

• paste(sprite i, slot i) is sent to the video driver to

paste sprites into slots as necessary for states, option areas,

counter areas, and review areas. sprite i is the index of a

sprite in the array of sprites in the video data; slot i is the

index of a slot in the current layout.

• play(clip i) is sent to the audio driver to queue a clip to

be played on the headphones. clip i is the index of an

audio clip in the array of clips in the audio data.

video data

paste(sprite_i, slot_i)

goto(layout_i) navigator vote

recorder

video

driver frame buffer write(selections)

touch sensor x, y

locate(x, y)

slot_i

touch(target_i)

press(key)

timeout() storage device

or printer keypad event loop key

audio

driver headphones next()

play(clip_i)

stop()

audio data ballot model

LEGEND

one-way data flow

ballot

definition

hardware

device

software

module

start playing

audio finished set timer timer expired

Figure 7.3. Block diagram of the Pvote virtual machine. The five software modules in

bold generate and run the user interface. The arguments clip i, layout i, sprite i,

target i, key, x, and y are integers; selections is an array of arrays of integers.

Pvote 129

Page 143 of 324
Page 144 of 324

• stop() is sent to the audio driver to stop the currently

playing clip.

• write(selections) is sent to the vote recorder to record

the user’s selections. selections is an array of arrays of

integers: one array for each group, listing the indices of the

selected options in that group.

The audio driver maintains a queue of audio clips to be played,

and has no other state. It responds to three messages:

• play(clip i): If nothing is currently playing, immediately

begin playing the specified clip; otherwise queue the

specified clip to be played.

• next(): If there are any clips waiting in the queue, start

playing the next one.

• stop(): Stop whatever is currently playing and clear the

queue.

The audio driver sends no messages to other modules, but

whenever it starts playing a clip, it schedules a notification

event for the event loop to receive when the clip finishes

playing. The audio driver also exposes a flag that the event loop

reads to check whether audio is currently being played.

video data

paste(sprite_i, slot_i)

goto(layout_i) navigator vote

recorder

video

driver frame buffer write(selections)

touch sensor x, y

locate(x, y)

slot_i

touch(target_i)

press(key)

timeout() storage device

or printer keypad event loop key

audio

driver headphones next()

play(clip_i)

stop()

audio data ballot model

LEGEND

one-way data flow

ballot

definition

hardware

device

software

module

start playing

audio finished set timer timer expired

Figure 7.3. Block diagram of the Pvote virtual machine. The five software modules in

bold generate and run the user interface. The arguments clip i, layout i, sprite i,

target i, key, x, and y are integers; selections is an array of arrays of integers.

Pvote 130

Page 144 of 324
Page 145 of 324

The video driver maintains just one piece of state, the index of

the current layout. It responds to three messages:

• goto(layout i): Copy the full-screen image for the given

layout into the video display’s frame buffer and remember

this as the current layout.

• paste(sprite i, slot i): Copy the given sprite into the

frame buffer at the position specified by the given slot in

the current layout.

• locate(x, y): Find and return the index of the first target

that contains the given point in the current layout’s list of

targets, or an error code if the point does not fall within any

target.

The video driver sends no messages to other modules.

The vote recorder maintains no state and responds to only one

message:

• write(selections): Record the voter’s selections.

The vote recorder records votes as appropriate for the type of

voting machine (e.g., printing a ballot, marking a ballot, or

directly recording votes in electronic storage).

video data

paste(sprite_i, slot_i)

goto(layout_i) navigator vote

recorder

video

driver frame buffer write(selections)

touch sensor x, y

locate(x, y)

slot_i

touch(target_i)

press(key)

timeout() storage device

or printer keypad event loop key

audio

driver headphones next()

play(clip_i)

stop()

audio data ballot model

LEGEND

one-way data flow

ballot

definition

hardware

device

software

module

start playing

audio finished set timer timer expired

Figure 7.3. Block diagram of the Pvote virtual machine. The five software modules in

bold generate and run the user interface. The arguments clip i, layout i, sprite i,

target i, key, x, and y are integers; selections is an array of arrays of integers.

Pvote 131

Page 145 of 324
Page 146 of 324

Implementation

Pvote is a Python [63] implementation of the design

described here. Pvote can run on Linux, MacOS, and Windows.

Graphics and sound are handled by Pygame [62], an

open-source multimedia library for Python. Touchscreen input

is simulated using the mouse, and hardware button input is

simulated using the keyboard.

Pvote is written to be deployed as an electronic ballot

printer. In Pvote, the vote recorder prints out a textual

description of the voter’s selections. Each time Pvote runs, it

prints at most one ballot (to standard output) and then enters a

terminal state. The source code for Pvote is included in

Appendix B. The code is also available online at

http://pvote.org/, together with a sample ballot definition

file in the Pvote format. The sample ballot definition is

described in detail in Appendix C.

Pvote 132

Page 146 of 324
Page 147 of 324

Evaluation

Size. The entire Pvote implementation is 460 lines long, not

counting comments and blank lines. The breakdown of module

sizes is as follows:

ballot loader 137 lines

ballot verifier 96 lines

subtotal (pre-voting) 233 lines

event loop 25 lines

navigator 120 lines

audio driver 35 lines

video driver 22 lines

subtotal (voting) 202 lines

vote recorder 25 lines

total 460 lines

Dependencies. Pvote is written in a small subset of Python 2.3,

called Pthin, which is specified in the Pvote Assurance

Document [92]. Pvote uses only one built-in collection type, the

Python list, and only the following built-in functions:

• open and read to read the ballot definition file.

• chr and ord to convert integers to/from characters.

• list to convert strings to lists of characters.

• enumerate and range to iterate over lists.

• len, append, remove, and pop to manipulate lists.

The ballot loader imports the built-in SHA module and uses it to

verify a SHA-1 hash of the ballot definition. The audio and

video driver use various Pygame functions: init and stop in

the audio mixer module, play on the Sound object, init and

set mode in the video display module, fromstring in the

image module for loading images, and blit on the Surface

object to paste images onto the screen. Aside from these, Pvote

imports no other library modules.

Pvote 133

Page 147 of 324
Page 148 of 324

File size. Pvote was tested with a sample ballot definition file

generated by a ballot compiler, also written in Python. The

ballot compiler takes a textual description of the contests and

options and produces the necessary images using the

open-source ReportLab toolkit [65] for drawing, text rendering,

and page layout. To construct the audio clips for the ballot

definition, the compiler uses the same textual description to

select fragments from a library of clips of recorded speech and

concatenates the fragments together as needed. The audio clips

in this sample ballot are recorded from live speech, which is

usually preferred over synthesized speech.1

The inclusion of screen images and audio recordings in the

ballot definition yields a large file. See Appendix C for details

on the sample ballot. It contains five contests: two are

single-selection races with six candidates each, one is a

multiple-selection race with five candidates, and two are

propositions. An audio description of about 100 words for each

proposition is included in the ballot. The result is a

69-megabyte ballot definition file, containing 17 pages at a

resolution of 1024 × 768 pixels and 8 minutes of audio

sampled at 22050 Hz. As a rough estimate, a ballot with 20 or

30 contests might occupy a few hundred megabytes.

File sizes this large might seem unwieldy in practice.

However, files can be compressed for transmission (bzip2

compresses this 69-megabyte ballot to 12.5 megabytes, which is

better than a factor of 5), and ballot definitions can be loaded

onto voting machines using inexpensive SD flash memory cards

(one-gigabyte SD cards can be purchased for about US$10).

Functionality. Pvote achieves the functionality goals that were

listed at the end of Chapter 6. Pvote can support a wide range

of features in the voting user interface, including multimodal

input and output and virtually complete flexibility in the style

of audio and visual presentation. Because Pvote uses

1The National Council on Disability wrote, “Voting systems that provide digitized human speech are

preferable to systems with synthesized speech because digitized speech is ‘more readily comprehensible’ and

more likely to contain the correct pronunciation of candidate names” [51].

Pvote 134

Page 148 of 324
Page 149 of 324

prerecorded audio and prerendered images, the ballot can be

presented in any language.

With its generalized actions and conditions, Pvote offers

much more flexibility in the handling of user input than Ptouch,

its touchscreen-only predecessor. Unlike Ptouch, Pvote can

handle straight-party voting, dependencies among contests

(e.g., in a recall election, voting for a replacement candidate

conditional on voting “yes” for recalling the incumbent), and

conditional navigation (e.g., displaying an undervote warning

page when the voter has not made any selections in a contest).

The ballot designer also has more freedom to define the

interaction for selection and text entry.

To get a rough sense of Pvote’s coverage of ballot design

features, I examined NIST’s collection of sample ballots [56],

consisting of 373 ballots from 40 U. S. states for elections from

1998 to 2006. The longest was a 2004 ballot from Chicago that

had 15 elected offices, 74 judicial confirmations, and one

referendum. The following table summarizes the features used

on these ballots. All these features, and hence all the ballots in

the collection, are supported by Pvote’s ballot definition format.

Ballot feature Ballots

Vote for 1 of n 373

Vote for up to k of n (k > 1) 195

Vote for an image (e.g., a state flag) 2

Vote yes/no (referendum, confirmation) 251

Ranked choice (up to 3 choices) 7

Write-in candidate 318

Straight-party vote 60

Cross-endorsed candidates 8

Multi-party primary 5

Party logos 21

The collection also includes ballots in Chinese, Ilokano,

Japanese, Korean, Spanish, and Vietnamese. Pvote can present

ballots in any language, though for write-in candidates voters

must spell out the name using an alphabetic language.

Pvote 135

Page 149 of 324
Page 150 of 324

8 Security review

How was Pvote’s security evaluated? 137

What were Pvote’s security claims? 139

How was Pthin defined? 143

What flaws did the reviewers find? 145

What improvements did the reviewers suggest? 146

Did the reviewers find the inserted bugs? 148

What ideas did reviewers have on programming languages? 149

What ideas did reviewers have on conducting reviews? 151

What lessons were learned from the review? 153

136

Page 150 of 324
Page 151 of 324

How was Pvote’s security evaluated?

My overall purpose in creating Pvote was to design and write

voting software whose security could be easily verified. To test

whether it had achieved this purpose, I invited several security

researchers to all-day meetings at the University of California,

Berkeley to review the Pvote design and source code. Reviewers

met from March 29 to March 31, 2007 and also on May 20, 2007.

David Wagner and I were on hand for all three days in March

to explain Pvote’s design, answer the reviewers’ questions, and

provide any assistance they requested in their investigation. On

May 20, I attended but David Wagner did not.

The reviewers examined and discussed Pvote for a total of

about 90 reviewer-hours over the four days of reviewing.

Participants. On March 29 and 30, these reviewers were

present:

• Matt Bishop, UC Davis

• Mark Miller, HP Labs

• Dan Sandler, Rice University

• Dan Wallach, Rice University

On March 31, these reviewers were present:

• Tadayoshi Kohno, University of Washington

• Mark Miller, HP Labs

• Dan Sandler, Rice University

On May 20, these reviewers were present:

• Ian Goldberg, University of Waterloo

• Tadayoshi Kohno, University of Washington

The assurance document. Before the review, I prepared a

77-page document to provide the reviewers with detailed

information about Pvote. This document [92] presents the ballot

definition format, the software design, and the source code of

Pvote itself. The source code is displayed with annotations

justifying the validity of each line, shown on the facing page

opposite each page of code.

Security review 137

Page 151 of 324
Page 152 of 324

Not all the reviewers had previous experience with the

Python programming language. To ensure that everyone had a

common understanding of the code, I had to provide a

definition of the language in which it was written. I chose to

define a small subset of Python called Pthin, containing just the

syntactic constructs and functions used by Pvote. With the

language semantics clearly specified, we could exclude flaws in

the language implementation from the security review, and

focus on Pvote itself.

The assurance document defined the scope of the review by

stating assumptions about how Pvote would be used and listing

the security properties that Pvote was supposed to uphold

under those conditions. These properties were drawn from the

assurance tree given in Chapter 2 and the security goals given

in Chapter 6. For each claimed security property, I gave an

assurance argument.

The review process. I spent most of the first day presenting

the software design of Pvote and walking the reviewers through

the implementation. For the rest of the first day and the second

day, the reviewers examined the software, mostly by hand, and

asked us questions. We discussed various aspects of Pvote,

voting security, and software reviewing in general.

By the end of the second day, David Wagner and I realized

that, because the reviewers had not found any bugs and we did

not know of any bugs in the code, we could not conclude

anything about how effective they were at finding bugs or

whether any bugs were actually present. Therefore, to motivate

the reviewers and observe their effectiveness at finding bugs,

we decided to intentionally insert some bugs into the code. On

the third and fourth days, we announced that the code

contained at least one bug, and asked the reviewers to find it.

On the fourth day we also asked the reviewers to try inserting

their own bugs, hoping this would motivate them to understand

the code in more depth.

Security review 138

Page 152 of 324
Page 153 of 324

What were Pvote’s security claims?

Pvote was evaluated against a set of responsibilities, under a set

of assumptions about how it is deployed for an election. Both of

these are listed below.

Since several possible vote-recording mechanisms can be

used with Pvote, I had to coin a generic term to refer to the

recording step. Thus, the term committed means that voter

selections are finalized as far as the machine is concerned—this

occurs on a DRE when votes are recorded, but on an EBM or EBP

when votes are printed. The following lists also use the term

voting session, which lasts from when a voting machine starts

interacting with a particular voter (e.g., when the first screen of

the voting user interface comes up) until the ballot is committed

or the voter abandons the machine. This does not include

per-voter initialization steps by pollworkers.

Assumptions. The reviewers were asked to assume that:

A1. The voting machine software (ostensibly Pvote) is

handed over for review before the election.

A2. The software that runs on the voting machines on

election day is exactly what was reviewed.

A3. Pvote is started once per voting session.

A4. Only authorized voters are allowed to carry out voting

sessions.

A5. Ballot definition files are published for review and

testing before the election.

A6. The correct ballot definition is selected and used for

each voting session.

A7. The ballot definitions used on election day are intact,

exactly as they were reviewed.

A8. The programming language implementation functions

correctly.

A9. The operating system and software libraries function

correctly.

A10. The voting machine hardware functions correctly.

Security review 139

Page 153 of 324
Page 154 of 324

Responsibilities. Under the above conditions, Pvote must:

R1. Never abort during a voting session. (For any given

ballot definition, Pvote should either (a) always reject it

as invalid and never start voting sessions, or (b) always

accept it as valid and never abort during any session

with that ballot definition.)

R2. Remain responsive during a voting session.

R3. Become inert after a ballot is committed.

R4. Display a completion screen when and only when a

ballot is committed, and continue to display this screen

until the next session begins.

R5. Exhibit behaviour in each session independent of any

previous sessions.

R6. Exhibit behaviour independent of which parts of buttons

are touched (all touch points within a target region

should be equivalent).

R7. Exhibit behaviour that is determined entirely by the

ballot definition and the stream of user input events and

their timing.

R8. Commit valid selections (no overvotes and no invalid

candidates or contests).

R9. Commit the ballot when and only when so requested by

the voter.

R10. Correctly and unambiguously commit the selections the

voter made.

R11. Present instructions, contests, and options as specified

by the ballot definition.

R12. Navigate among instructions, contests, and options as

specified by the ballot definition.

R13. Select and deselect options according to user actions as

specified by the ballot definition.

R14. Correctly indicate which options are selected, when

directed to do so by the ballot definition.

R15. Correctly indicate whether options are selected, when

directed to do so by the ballot definition.

R16. Correctly indicate how many options are selected, when

directed to do so by the ballot definition.

Security review 140

Page 154 of 324
Page 155 of 324

Examples of threats. The above set of assumptions placed

certain threats out of scope for the review, such as:

• Insiders among pollworkers. We assumed that pollworkers

would not give voters multiple sessions (A3), would not let

unauthorized people vote (A4), and would select the correct

ballot style for each voter (A6).

• Tampering with the software distribution. We assumed that

the voting machine software would not be altered between

review and use (A1, A2).

• Tampering with the ballot definition. We assumed that the

ballot definition would not be altered between review and

use (A5, A7).

• Tampering with cast vote records. We assumed that other

mechanisms would protect the integrity of paper or

electronic vote records produced by Pvote.

• Faulty or subverted non-voting-specific software. We

assumed that the software components that are not specific

to voting function correctly (A8, A9). The assurance

document describes the proper behaviour of the library

functions and operating system.

• Faulty or subverted hardware. The review focused only on

software (A10).

• Poor ballot design. It was specifically not claimed that using

Pvote would eliminate accessibility or usability problems,

even though testing with the published ballot definitions

might help reveal some of these problems in time to

address them.

The review focused on threats of the following four kinds:

• Voters. Voters can interact with Pvote using the touchscreen

and keypad. Is there any sequence of interactions that can

cause Pvote to violate voting rules (R3, R4, R8) or violate

voter privacy (R5)?

• Bugs. Can any valid ballot definition, in combination with

any sequence of user interactions, ever cause Pvote to

behave incorrectly (R1, R2, R6, R7, R8, R9, R10, R11, R12,

R13, R14, R15, R16)?

Security review 141

Page 155 of 324
Page 156 of 324

• Insiders among voting software suppliers. An insider might

modify Pvote to contain backdoors or hidden weaknesses

before being handed over for review and installation. Could

an attacker make effective changes that would go unnoticed

by reviewers and testers?

• Insiders among election officials. An insider might design or

alter a ballot definition to contain the wrong information or

bias the vote. Could an attacker subvert ballot definitions in

a way that would go unnoticed by reviewers and testers?

Insider threats were an area of particular attention because

Pvote was designed specifically to address the problem that

software is complex and hard to trust. One of the things I

hoped to learn from the review was the effect of Pvote’s novel

design approach on the difficulty of performing or detecting an

insider attack.

Security review 142

Page 156 of 324
Page 157 of 324

How was Pthin defined?

Pthin is a subset of the Python language; that is, all Pthin

programs are valid Python programs. The following is just an

overview of the Python features that are included in Pthin, for

readers familiar with Python. For a complete Pthin specification,

see the assurance document [92].

Features. In Pthin, values have types, but variables do not; any

variable can be assigned a value of any type. There is a unique

special value called None whose only supported operation is

comparison to None. Aside from this, there are six types of

values in Pthin:

• Integers are signed and unlimited in size.

• Strings contain 8-bit bytes.

• Lists have variable length and can contain values of any type

as elements.

• Functions may take arguments of any type and always return

a value (which is None if no value is explicitly returned).

• Classes contain method definitions; invoking a class (like a

function) instantiates an object.

• Objects are instances of classes. Each object has its own

public namespace of fields, accessed with a dot.

Pthin includes the following operators from Python:

• = for assignment to variables and object fields

• . for accessing object fields (as in x.y = 5)

• +, -, *, /, % for doing arithmetic on integers

• + for concatenating strings or lists

• [] for indexing strings and lists (as in x[3])

• [:] for slicing strings and lists (as in x[i:j])

• ==, !=, <, <=, >, >= for comparing integers

• ==, != for comparing strings and comparing to None

• and, or, not for Boolean operations (these accept operands

of any type and yield the integer values 0 or 1)

• in for testing if an element is in a list (as in a in b)

Security review 143

Page 157 of 324
Page 158 of 324

Pthin includes the following kinds of Python statements:

• print prints out a string

• assert causes a fatal error if a condition is not met

• if executes a block conditionally

• for iterates over the elements of a list

• while iterates on a condition

• import imports code from other modules

• class declares a class (but there is no inheritance in Pthin)

• def defines a function or a method

• return returns a value from a function

Pthin includes the following built-in Python functions:

• range(i) makes a list of the integers from 0 to i - 1

• chr(i) converts an integer to a one-byte string

• ord(s) converts the first byte of a string to an integer

• len(x) gets the length of a string or list

• list(s) breaks a string into a list of one-byte strings

• enumerate(l) turns a list l into a list of [i, x] pairs for

each element x and its index i

• open(s) opens a file for reading

Pthin lists support the append(), remove(), and pop()

methods from Python. Pthin includes list comprehension

expressions, of the form [x*x for x in range(5)], which

evaluate an expression once for each element of a list to yield a

new list containing all the results.

Properties. Pthin is a completely deterministic language, which

is of critical significance for reviewing and testing. There is no

access to clocks or sources of randomness. The only ways that

a Pthin program can be influenced by the outside world are by

reading from files and by receiving Pygame events.

The definition of Pthin eliminates some of the more

complex features of Python, such as inheritance and exception

handling. Exceptional conditions in Pthin cause fatal errors,

since they cannot be caught.

Security review 144

Page 158 of 324
Page 159 of 324

What flaws did the reviewers find?

The reviewers did not find any bugs in the original Pvote source

code. However, they did find some errors and omissions in the

assurance document. I will describe the most significant ones

here; all of the reviewers’ findings are explained in detail in

Appendix E.

Correctness claim for R1 (non-termination). Pvote is supposed

to “never abort during a voting session” (R1), and the assurance

document presents a supporting argument for this claim. The

presented argument is incomplete because it neglects to rule

out one way that Pvote could run out of memory. Nonetheless,

it is still possible to show that memory usage has an upper

limit; Appendix E provides the missing part of the argument.

Correctness claim for R9 (ballot casting). Pvote is supposed to

“commit the ballot when and only when so requested by the

voter” (R9). However, a ballot definition can direct Pvote to

automatically cast the ballot (by jumping to the last page) after

some amount of time has passed with no user activity, in

violation of this requirement. One of the assumptions is that

the ballot definition file must be checked before the election

(A5). To ensure that R9 is met, the pre-election check has to

ensure that no automatic transition goes to the last page.

Missing requirement for voter privacy. The assurance

document doesn’t state an explicit requirement for preserving

the voter’s privacy once his or her ballot has been committed.

Pvote is restarted afresh for each new voter (A3), but what about

the interval from when the voter walks away until the machine

is reset? A ballot definition that displays the voter’s selections

on the last page (i.e., after committing the ballot) might violate

the voter’s privacy. So the pre-election check must also prohibit

such ballot definitions; the assurance document neglected to

make this clear.

Security review 145

Page 159 of 324
Page 160 of 324

What improvements did the reviewers

suggest?

The following are the main recommendations on which all the

reviewers could agree; Appendix E lists all their suggestions in

more detail, including those that were less conclusive.

Assurance document. The reviewers recommended including a

detailed breakdown of all the properties to be verified about the

ballot definition, divided into three categories:

• properties checked by Pvote’s verifier,

• properties checked by other automated tools, and

• properties checked by humans.

This would address two of the three flaws mentioned in the last

section (the problem with the correctness claim for R9 and the

voter privacy concern about the last page).

The reviewers also recommended:

• adding a section that enumerates all causal connectivity

between Pvote and the outside world;

• stating explicit preconditions about the state of the audio

driver when the navigator’s timeout() method is called;

• mentioning that cursor sprites need to be checked to ensure

they can’t be confused with any option sprites or character

sprites; and

• cautioning that, if an exception occurs during a voting

session, Python will emit a stack trace that might reveal

something about the voter’s choices.

Pthin. The reviewers recommended these changes to Pthin, to

simplify the language and facilitate reviewing:

• prohibiting all unprintable characters except newline;

• prohibiting all identifiers containing double-underscores,

except init ;

• prohibiting nested class or function definitions; and

• prohibiting chained assignments of the form x = y = z.

Security review 146

Page 160 of 324
Page 161 of 324

Ballot definition format. The reviewers recommended:

• offering ballot definition analysis tools to help reviewers

check ballot definitions; (e.g., to ensure that all the pages

can be reached from the starting page, to ensure that option

areas don’t overlap each other, and so on);

• defining an alternate textual representation of the ballot

definition that is easier for humans to examine and edit,

and providing tools to translate between the text form and

the binary form;

• developing a translator that turns a ballot definition into a

set of HTML pages or a Flash animation so that voters can

preview the voting experience in a Web browser.

• renaming the int type to nat to make it clearer that no

negative numbers are allowed, only natural numbers;

• placing digital signatures on ballot definitions and having

Pvote check the signatures; and

• including the 8-byte file header in the input for computing

the hash that appears at the end of the file.

Implementation. The reviewers recommended several changes

to the Pvote code to improve its clarity and reviewability. Their

suggestions and comments are described in the presentation of

the code in Appendix B, as well as in Appendix E.

Security review 147

Page 161 of 324
Page 162 of 324

Did the reviewers find the inserted bugs?

David Wagner and I decided to insert three bugs into Pvote to

see if the reviewers would find them. We inserted what we

thought would be an “easy” bug, a “medium” bug, and a “hard

bug” to find, and chose each bug individually in such a way that

an insider could conceivably exploit the bug to influence the

results of an election. These bugs are detailed in Appendix E.

We decided to insert all of these bugs in a 100-line region of

a single file, lines 11 to 109 of Navigator.py, and told the

reviewers to look in this region. We did this both because the

navigator was the most interesting in terms of the program

logic and because we knew the reviewers would have limited

time. The new version of the code that we gave the reviewers

contained all three bugs, but we did not tell the reviewers how

many bugs there were.

Yoshi Kohno, Mark Miller, and Dan Sandler participated as

reviewers on the third day of the review. Dan was very familiar

with Python and found the “easy” and “medium” bugs quickly,

within about 70 minutes. Yoshi Kohno and Mark Miller found

the “easy” bug after about four hours of reviewing. None of the

reviewers found the “hard” bug.

Ian Goldberg and Yoshi Kohno participated as reviewers on

the fourth day of the review. Ian Goldberg also found the “easy”

bug within about two hours; none of the other bugs were found

on the fourth day.

The reviewers spent a total of about 20 reviewer-hours

focused on the task of finding the bugs in this 100-line section

of Navigator.py.

Security review 148

Page 162 of 324
Page 163 of 324

What ideas did reviewers have on

programming languages?

The effect of programming language design on adversarial code

review was a prominent topic of discussion. These are some of

the main issues we discussed.

Mistyped or confusing identifiers. There are a few common

ways that variable names and other identifiers can lead to

problems in a software review:

• In Python, misspelled identifiers can lead to errors while the

program is running.

• Identifiers that are too similar can confuse reviewers

(intentionally or unintentionally).

• The same name can be used to refer to different things in

different scopes.

We discussed several possible language restrictions that would

help avoid these problems, such as requiring variable

declarations, forbidding the shadowing of variables, forbidding

the use of a field and a variable with the same name (e.g.,

self.foo and foo) in the same context, or forbidding variables

with names that are too similar.

Language subsetting. Another way to reduce the burden on

reviewers would be to let programmers choose restricted

subsets of the language in which to write sections of the

program. For example, suppose the programmer could declare

that a particular function is written in a side-effect-free subset

of the language, and a static verification tool could check that

only allowed syntax is used. This restriction would make it

easier for reviewers to audit the function and understand other

functions that call it.

E [89] and Joe-E [45] are especially interesting examples of

modern languages that support language subsetting, since they

offer an extensible auditing feature that lets programmers

define their own subsets of the language.

Security review 149

Page 163 of 324
Page 164 of 324

Static types. Types can be a powerful mechanism for statically

checking program correctness. I chose to write Pvote in Python,

a language without static type-checking, because of Python’s

agility and conciseness. On the other hand, static verification

could have reduced some of the burden on reviewers at the cost

of a longer and harder-to-read program.

Mutability. If the programming language supported a way of

making variables immutable, this would be one fewer thing for

reviewers to worry about (for example, the ballot definition

could become immutable after it has been loaded and verified).

Security review 150

Page 164 of 324
Page 165 of 324

What ideas did reviewers have on conducting

reviews?

Looking at source code. One reviewer remarked that he was

much more effective at comprehending someone else’s code

when all the code was spread out on the wall in front of him, on

paper. He found this surprising because he had spent the last

20 years editing code on computer screens.

This suggested to me that there might be significant value to

keeping the code size below a threshold at which it is physically

possible to lay out all of the code in front of a single person.

Trust in the adversary. The reviewers mentioned that it was

difficult to maintain the requisite level of distrust in me as the

author of the code, especially when we were interacting directly.

On a few occasions, the reviewers found they were inclined to

make unjustified assumptions about the good intent or

competence of the author, and they later suggested that

preventing social interaction between the reviewers and the

author might make such reviews more effective.

Reviewer fatigue. The reviewers generally felt that the point

where a reviewer becomes tired of inspecting a piece of code

comes long before the code has been subjected to enough

scrutiny. This suggests that it might be more effective for code

to be reviewed by many reviewers each for a limited length of

time, rather than a single reviewer for an extended length of

time.

One-line change test. Mark Miller proposed a test for

determining the size of the TCB (trusted computing base) for a

particular security requirement—that is, the amount of code on

which that requirement relies. His test consists of a series of

trials with someone playing the role of the attacker. For each

trial, one line of the program is chosen at random and the

attacker is allowed to change just that line to do as much

Security review 151

Page 165 of 324
Page 166 of 324

damage as possible. The fraction of trials in which the attacker

succeeds in violating the security requirement yields an

estimate of the fraction of the program that constitutes the TCB

for that requirement. Looking at the degree of vulnerability in

these terms allowed us to talk about the potential value of a

particular design change to Pvote or Pthin.

The read-write review. Dan Sandler proposed a new type of

software review he called the “read-write review,” in which

reviewers are asked to insert their own bugs. He conjectured

that this process would:

• Motivate reviewers to find “hot spots” in the code that were

especially vulnerable to small changes, thereby leading

them to scrutinize places where malicious bugs were likely

to have been inserted.

• Force reviewers to modify and run the program with the

intention of producing a specific change in behaviour, thus

requiring them to develop a deeper understanding of how

the program works than they would get from merely

reading the code.

• Yield a program with known bugs that could then be passed

on to another group of reviewers to inspect. The existence

of the known bugs would motivate the next group, and the

fraction of those bugs they found could offer some measure

of their effectiveness.

On the fourth day of the review, I asked the reviewers to try

inserting their own bugs. Their experience led them to comment

that being required to insert bugs might actually reduce a

reviewer’s chances of finding bugs, because it would encourage

reviewers to stick to the parts of code they already understand

well, instead of diving deep into unfamiliar parts of the code.

Security review 152

Page 166 of 324
Page 167 of 324

What lessons were learned from the review?

Conducting software reviews.

• Intentionally inserting bugs motivates reviewers. The

bug-insertion experiment created a dramatic difference in

the review process. The reviewers became much more

focused and motivated once they knew there was at least

one bug to find, and the exercise became a lot more fun.

• Set goals. Ask the reviewers specific questions, if you want

answers. Initially I assumed that the main outcome of the

review would be an evaluation of the security and

correctness of Pvote, and that the reviewers would arrive at

some level of confidence that would raise or lower my level

of confidence in Pvote’s design and implementation.

However, the review produced much broader discussion at

many different levels: how to design programs to facilitate

review, how to choose programming languages (or restricted

subsets thereof) to facilitate review, and how to conduct

reviews to maximize bug-finding effectiveness.

• Static analysis, testing, and code review can make a good

combination. Each of these techniques alone has

weaknesses: static analysis cannot enforce high-level

requirements; testing cannot cover all possible inputs; and

code review is tedious and error-prone. But in combination,

they complement each other. Static analysis can reduce the

tedium of code review by giving reviewers powerful starting

assumptions. And testing—even cursory walkthroughs of

the software—can quickly rule out flaws that break

commonly used functionality. A bug that can get past both

static analysis and live testing is a bug that causes trouble

only in certain specific situations. It is likely to be nontrivial

to write a bug that only causes misbehavior in specific

situations, has a significant and intended effect on the

outcome, and yet doesn’t appear obviously unusual to a

code reviewer.

Security review 153

Page 167 of 324
Page 168 of 324

Writing software to be reviewed.

• Sometimes it is better to spell things out, even if it means

more code. Minimizing the number of lines of code was a

high priority for me when I wrote the Pvote code. Although

less code often means less work for reviewers, we

discovered a few examples of the opposite. Minimizing

complexity is not always the same as minimizing code.

• The choice of language or language subset is important. The

language in which you write code heavily determines the

amount of work that reviewers must do. The language

design dictates the assumptions that reviewers are allowed

to make. The choice of language also affects whether

reviewers have tools to help them examine and analyze code

more effectively.

Programming language design.

• Supporting adversarial review is a new goal for

programming languages. Adversarial code review has

demands that go beyond those of a typical code review.

When the authors of the code are potentially malicious, they

have a considerable home-turf advantage, as evidenced by

the ability of an inserted bug to evade 20 reviewer-hours

focused on just 100 lines of code.

• Help programmers restrict parts of a program to subsets of

the language. Sometimes more language power is needed,

sometimes less; sometimes different kinds of language

features are needed for different purposes. Allowing the

programmer to choose which subset of the language to use

for each purpose can dramatically reduce the range of

possible vulnerabilities that a reviewer has to consider.

• Support for local reasoning is essential to adversarial review.

When reviewers are trying to verify a particular

application-level property, they need ways to quickly rule

out most of the program from being relevant to the

assurance of that property. Any language feature that helps

them perform local reasoning, or that lets the programmer

create parts of the program where local reasoning is valid,

Security review 154

Page 168 of 324
Page 169 of 324

will make reviewing easier. Capability-style design is a

promising approach, since it leverages lexical scope to

support local reasoning [47].

Voting systems.

• Pvote probably has fewer accidental bugs than most voting

systems. With 20 reviewer-hours focused on 100 lines (12

reviewer-minutes per line) and 90 reviewer-hours in total on

the entire program, Pvote may be one of the most closely

inspected pieces of voting software in existence, in terms of

effort per line of code. (It would take ten person-years to

review 100 000 lines of code with this much effort per line.

Consider that most commercial voting systems contain

hundreds of thousands of lines of code— in some cases over

a million. Moreover, the complexity of code review probably

increases more than linearly in the size of the code.) Since

no bugs were found in the Pvote code, we can have some

confidence that it meets a higher standard of code quality

than the typical commercial voting system.

• Detecting malicious code in a code review is extremely

difficult. Pvote was designed specifically to be minimal and

written with code reviewing in mind. The reviewers had

access to detailed documentation, as well as an environment

that allowed them to modify and execute the program.

Despite these things, and the high effort expended per line,

an inserted bug went undetected. Though many of us

expected that finding bugs would be difficult, we were still

surprised by how hard it was.

• Commercial voting systems are reviewed nowhere near

enough to detect insider attacks. Since the Pvote source code

was probably reviewed more intensely than the source code

of commercial voting systems has been reviewed, and since

even this was insufficient to find a maliciously inserted bug,

we can conclude that commercial voting systems almost

certainly have not been subjected to the degree of review

that would be necessary to declare it free of maliciously

inserted bugs.

Security review 155

Page 169 of 324
Page 170 of 324

9 Complexity

Does prerendering actually eliminate complexity? 157

What is achieved by shifting complexity? 158

Why do software reviews assume trust in compilers? 160

How far back can the derivation of a program be traced? 161

What affects the tolerance of complexity in a component? 164

How does Pvote reallocate complexity? 167

What is gained by using interpreted languages? 173

156

Page 170 of 324
Page 171 of 324

Does prerendering actually eliminate

complexity?

A theme running throughout this work is the management of

complexity. The major unaddressed software threat is the

insider threat from programmers; our only defense against it is

assurance of software correctness. Complexity is the chief

enemy of assurance, but it cannot be completely avoided.

Prerendering the user interface is fundamentally a strategy for

mobilizing complexity. The designer of the ballot definition

language gains the freedom to move complexity that normally

resides in the voting machine among three components:

• the tool that generates the ballot definition file,

• the ballot definition file, and

• the VM in the voting machine.

The allocation of complexity among these parts depends on

design choices in the ballot definition language. For instance, in

Pvote, the task of laying out buttons on the screen is no longer

the job of the voting machine; it is in the ballot generation tool.

The logic that decides when to play which audio message is no

longer part of the voting machine; it is in the ballot definition.

Thus, prerendering does not, in itself, eliminate complexity;

rather, it enables a designer to reallocate complexity. It is

worthwhile to ask what this reallocation accomplishes. Does

shifting complexity in this way make a real difference, or is it

merely a shell game—a way of hiding complexity in

components that I’ve conveniently chosen to ignore?

Complexity 157

Page 171 of 324
Page 172 of 324

What is achieved by shifting complexity?

I argue that the reallocation of complexity does make a real

difference. It matters where complexity resides because

components differ in the way they are vulnerable, in the degree

to which they are vulnerable, and in the people to whom they

are vulnerable. Also, changing the allocation of complexity in a

system has a significant effect because of the dependency

relationships among the components.

To explain what I mean, I’ll focus on just one of these

relationships for a moment. The relationship I’m about to

describe happens to be particularly important to the security of

all software, not just voting machine software. When a software

program runs, the instructions that the computer carries out

are in an executable file. A compiler translates the source code

into the executable file. The following figure depicts this

relationship. The executable file is drawn as a larger box than

the source code because it is usually larger and more complex.

Typical compilers are enormously complex, so the compiler is

the largest of all.

source code compiler executable file

Figure 9.1. A compiler turns source code into an executable file. The sizes of the boxes

(very roughly) indicate relative complexity.

When software undergoes a security review, the reviewers

usually ask to look at the source code of the software, not the

actual executable files. Source code is certainly easier to review

than executable code. That’s why programming languages were

invented—so that humans would have something easier to deal

with than low-level machine instructions. But convenience is

not a reason for confidence.

Complexity 158

Page 172 of 324
Page 173 of 324

If a thorough review of the executable file discovers no

bugs, it directly offers (at least some) confidence that the

executable file is correct. But if a thorough review of the source

code discovers no bugs, it does not assure the correctness of

the executable file unless the compiler is also correct.

Generative relationships like this exist throughout software

systems. Whenever there is such a relationship, with an input, a

transform, and an output, reviewers have a choice: they can

inspect the output, or they can inspect the input and the

transform instead. But it is necessary to establish that both the

input and the transform are correct in order to establish that

the output is correct.

In this example, the burden of establishing confidence in

the executable is traded for the burden of establishing

confidence in both the source code and the compiler. But a

compiler is a massive piece of software—so why is this trade

considered a good idea? In particular, why do software reviews

typically skip inspection of the compiler? The next section

looks at this question.

Complexity 159

Page 173 of 324
Page 174 of 324

Why do software reviews assume trust in

compilers?

Maybe they shouldn’t. Not all computer scientists would agree

that it is safe to assume a trustworthy compiler. In a famous

essay on trust [76], Ken Thompson argued that compilers

cannot be trusted, and gave a compelling demonstration of how

to construct a deviously misbehaving compiler that would

compile programs (including itself) incorrectly.

Despite Thompson’s essay, much of current computer

security practice (and even research) implicitly makes this

assumption. One conceivable justification for this is that the

compiler has a general purpose— it is designed to compile all

sorts of programs—whereas the source code is written for a

specific application. Perhaps those who trust compilers believe

that the compiler is likely to be more mature and more

thoroughly tested than a newly written program. Or perhaps

they believe that, since the compiler is used to compile many

different kinds of programs, someone would notice if it made

compilation mistakes. Or perhaps—more depressingly—they

simply think there is no hope of ever verifying compilers.

My purpose here is not to argue that corrupting a compiler

in such a way would be impossible; clearly, as Thompson

showed, it can be done. I aim only to offer some basis for the

plausibility of the commonly held idea that corruption of a

software program through subversion of the compiler is more

difficult than directly corrupting the software’s source code.

In choosing to review source code, reviewers trade an

application-specific component with high complexity (the

executable) for a component that is highly complex but

general-purpose (the compiler), and a component that is

application-specific but less complex (the source code).

Complexity 160

Page 174 of 324
Page 175 of 324

How far back can the derivation of a program

be traced?

What happens if you keep tracing where each component came

from? The compiler is itself a piece of software; in Figure 9.1 it

is shown as a mysterious box. What is that box, exactly? Is it the

source code of the compiler or the executable file?

Actually, it is neither. The thing that actually performs the

transformation of source code into an executable file is a

running instance of the compiler. The transformation depicted

by the “compiler” box is a process, not a static entity. So the

following figure is a bit more accurate.

running

compiler

process

source code executable file

Figure 9.2. The middle box represents a compilation process, not a static piece of data.

The behaviour of that process is indeed derived from the

executable file of the compiler program, but that is not all.

Something has to turn that executable file (which is a static

piece of data) into a running process; let us call this thing the

operating platform on which it runs. The operating platform

consists of all the software and hardware that makes it possible

to run computer programs. It includes the operating system,

software libraries, CPU, memory, storage, and so on—which

makes it quite a bit bigger and more complex than the compiler.

running

compiler

process

operating

platform

compiler

executable Figure 9.3. An operating platform turns an executable file into a process.

Complexity 161

Page 175 of 324
Page 176 of 324

The compiler executable was also derived from source

code—the source code of the compiler—by an earlier

compilation process. This earlier compilation may have been

carried out by the same compiler or a different compiler.

Putting all these relationships together gives us a fuller picture

of how the executable program was derived.

compiler

source code

source code

running

compiler

process

executable file

operating

platform

compiler

executable

running

compiler

process

Figure 9.4. A small derivation map for a compiled program.

This diagram could continue indefinitely. The compiler

process at the top of the diagram was itself produced by

running a compiler executable on an operating platform, and

that executable was the output of a compiler, and so on in a

long chain of compilation steps running back through history.

Ultimately the chain ends at an executable program that was

created without the help of a compiler.

Malicious code that was introduced at any point in this

chain could affect the final executable file. The program could

be vulnerable to an insider attack that occurred many, many

steps earlier—this is the point Thompson made in his essay.

Complexity 162

Page 176 of 324
Page 177 of 324

There’s still more to the picture—what about the operating

platform? That, too, is constructed through a long chain of

dependencies. It consists of operating system software

compiled by a compiler, running on hardware produced by

manufacturing processes that are also controlled by software.

I call these diagrams derivation maps because they show

how a security-critical artifact is derived from other

components. Each arrow represents a step in a hierarchical

decomposition of the system. The purpose of this kind of

analysis is to identify sources of vulnerability to insider attacks.

Derivation maps can help you make an effective assurance

argument or analyze an assurance argument to tell whether it is

complete.

As a reviewer of the system, your challenge would be to cut

away these sources of vulnerability. Each arrow in the diagram

corresponds to a choice you could make: between reviewing the

component at the head of the arrow and reviewing the two

components at the tail and shaft of the arrow. Reviewing,

testing, or otherwise establishing confidence in a particular

component lets you ignore the arrowhead leading to it, and cut

away the part of the diagram behind that arrowhead.

You may have noticed that some of the boxes in these

diagrams have sharp corners and some have rounded corners.

The reason for this is to indicate the distinction I mentioned

earlier: general-purpose components have rounded corners,

whereas application-specific components have sharp corners.

This distinction is but one of many possible factors that could

affect the degree to which one is willing to tolerate software

complexity in a given component.

Complexity 163

Page 177 of 324
Page 178 of 324

What affects the tolerance of complexity in a

component?

Here are some of the ways in which you might evaluate a

component with respect to the detectability of insider

corruption. Classifying components according to these factors

could help you identify ways that a shift in complexity can

increase confidence.

• User choice. Are relying parties forced to use a particular

implementation of the component, or do they have the

freedom to choose their own? Shifting complexity from a

dictated component to a freely chosen component reduces

barriers to confidence. For example, anyone can choose or

write their own tools to deconstruct and analyze ballot

definition files. In contrast, voters cannot choose to vote on

any equipment they want; they must use the equipment

provided by election administrators.

• Disclosure. Is the component hidden or disclosed? The

wider the audience to whom the component is disclosed, the

harder it is for malicious code to go unnoticed. Components

that are undisclosed, or inherently undisclosable (such as

live running processes) are riskier because their correctness

cannot be externally verified. Shifting complexity to a

disclosed component reduces barriers to confidence.

• Number of developers. How many people have access to the

component during development? If the component is

authored by multiple people, corrupting it may require a

conspiracy rather than just an individual attacker. Shifting

complexity to a component with a larger development team

might reduce barriers to confidence.

• Specificity of purpose. Shifting complexity from

application-specific components to general-purpose

components sometimes reduces barriers to confidence.

Undetected bugs and backdoors may be less likely if the

component is widely used and used in a variety of

environments for a variety of purposes.

Complexity 164

Page 178 of 324
Page 179 of 324

• Testing. Shifting complexity to components that have been

thoroughly tested can reduce barriers to confidence, if the

testing parallels the intended use.

• Maturity. How mature is the component? A component that

has been stable, used, and developed for a long time has

had more time to have its problems found and fixed.

Shifting complexity to a more mature component could

reduce barriers to confidence.

• Release date. When was the component released, relative to

other components? Suppose, for example, that every time a

particular compiler development team releases a new

version of their compiler, the released version is reliably

and indelibly archived. And suppose it can be verified that

the compiler used to compile a particular program exactly

matches the one released and archived on a particular date

in the past. If the compiler was released before the program

was even conceived, it is harder to imagine how an insider

could have subverted the compiler to meaningfully

influence the outcome of the program.

• Reviewing resources. There may be more reviewers or better

reviewers available for certain types of components. For

example, it might be easier to gain confidence in a

component written in a more popular programming

language because there is a larger community of people

available who can understand and inspect the code.

Any of these factors could constitute a reason that shifting

complexity from one component to another helps achieve better

confidence.

While individual factors may not be enough to justify

confidence, they can have stronger effects when combined. For

example, even if a component has been tested thoroughly, there

is still the possibility that it was written specifically to evade

testing. But such evasion is likely to require some suspicious- looking code, which is less likely to escape notice if the code

also happens to be disclosed to the public.

Complexity 165

Page 179 of 324
Page 180 of 324

For a concrete example, consider Pvote. Suppose that Pvote

will be run on a voting machine using version 2.3.5 of the

Python interpreter, which was released in February 2005, before

I started my research work on electronic voting. Python 2.3.5 is

a mature open-source implementation of the language: it passes

an extensive suite of functional tests, it has been widely used all

over the world, and hundreds of programmers have contributed

to its development.

Pvote’s source code is also open to the public. If it were to

be used for a real election, chances are good that it would be

downloaded and examined by many people. Python is a

well-known programming language with a large community of

users who would be able to understand the Pvote code.

Given this context, how trustworthy is the Python

interpreter? There are two ways that misbehaviour of the

Python interpreter could be used in an insider attack:

• The Pvote program could be crafted to take advantage of a

latent bug in the interpreter. The interpreter bug would

have to be one that is not commonly triggered, since it

would have survived years of open-source development and

testing, as well as use with all kinds of Python programs. Yet

at the same time, the Pvote code that triggers this unusual

bug would also have to avoid looking out of the ordinary to

the many Python programmers who inspect Pvote.

• The interpreter could be crafted to misbehave when running

Pvote. To avoid detection in other contexts, the interpreter

bug would have to be specific to the Pvote code in some

way. But someone would have had to plant this bug in the

interpreter before Pvote was designed and developed. The

more specific the bug is to Pvote, the harder it is to see how

the attacker could have predicted Pvote’s implementation.

When it comes to software bugs, nothing is 100% certain. But

when many positive factors come together in a context like this,

they can constitute a basis for trust.

Complexity 166

Page 180 of 324
Page 181 of 324

How does Pvote reallocate complexity?

Figure 9.5 shows a derivation map for Pvote together with a

derivation map of a conventional electronic voting machine for

comparison. The ultimate product in each case is the user

experience of the voter using the voting machine, which is

determined by the voting machine software’s interpretation of

the ballot definition file. Both derivation maps omit the

derivation of the compiler and operating platform.

Although the relative differences in size in the diagram are

meant to roughly express relative differences in complexity,

they are not to scale. For example, there is actually about 100

times as much source code in conventional voting machine

software than there is in Pvote. Pvote is 460 lines of Python,

whereas the Diebold AccuVote-TSx and the Sequoia Edge (two

widely used touchscreen machines) run software consisting of

66 000 and 124 000 lines of code respectively [12, 7]. The

complexity of a C compiler is many times larger still.

When you compare the two derivation maps, the two main

complexity shifts are evident:

• Ballot definition. In Pvote, the ballot definition is more

complex and the running instance of the voting VM is less

complex than its counterpart in a conventional system, the

running instance of the voting software. Also, the ballot

definition is publicly disclosed.

• Python interpreter. In Pvote, the voting software runs on a

Python interpreter rather than directly on the voting

machine’s operating platform. The source code to the voting

VM is much smaller than that of the voting software in a

conventional system; on the other hand, Pvote introduces

the Python interpreter, a large additional component.

Whereas the source code and executable for the voting

machine software in a conventional system are

application-specific and secret, the source code and

executable for the Python interpreter used by Pvote are

general-purpose and publicly disclosed.

Complexity 167

Page 181 of 324
Page 182 of 324

running instance

of Python interpreter

voting

machine

source code

voting machine

executable file

running

compiler

process

voting machine

operating platform

running instance

of voting software

ballot definition

generator

electronic voting

user experience

Python

interpreter

source code

Python interpreter

executable file

running

compiler

process

voting machine

operating platform

running instance

of voting software

ballot definition

generator

electronic voting

user experience

voting VM

source code

ballot

definition

pre- rendered

ballot

definition

LEGEND

live process,

general-purpose

live process,

voting-specific

undisclosed,

voting-specific

disclosed,

voting-specific

undisclosed,

general-purpose

disclosed,

general-purpose

inspectability

generality

Shape indicates generality. Shading indicates inspectability.

Arrows indicate transformation.

Size indicates relative complexity.

input transform output

Conventional approach

(compiled code + runtime-generated user interface)

Pvote approach

(interpreted code + prerendered user interface)

Figure 9.5. Derivation maps of a conventional voting system and of Pvote.

Complexity 168

Page 182 of 324
Page 183 of 324

The effect of these architectural changes is to reduce the

complexity of the critical, voting-specific components—the

sharp-cornered boxes in the derivation map. Figure 9.5

highlights three factors about each component: complexity

(size), generality of purpose (round or sharp corners), and

disclosure (shading). In Pvote, the only voting-specific

components that have to be inspected to gain confidence in the

voting machine are the voting machine’s operating platform, the

voting VM source code, and the prerendered ballot definition,

and all three are disclosed.

Both changes are similar in character: in each case, a

high-level interpreted language is introduced. Pvote replaces C

with Python, and then replaces some of the Python code with a

specialized ballot definition language. And in each case, the

design of the high-level language dictates the balance of

complexity between a pair of components in the diagram.

The following figure focuses on the relevant two pairs of

components.

running instance

of voting VM

electronic voting

user experience

ballot

definition ballot

definition

language

Python language

running instance

of Python interpreter

voting VM

source code

Figure 9.6. The two trade-offs introduced by Python and the ballot definition language.

The two boxes on the left trade off complexity according to

how high-level the Python language is—that is, how much of

the behaviour of the voting machine is specified by the Python

interpreter as opposed to the source code it interprets. The

diagrams on the next page explore what it would be like to

move along the spectrum between using a low-level language

and using a high-level language.

Complexity 169

Page 183 of 324
Page 184 of 324

If the Python language were replaced with an extremely

low-level language, the diagram would look like this:

running instance

of voting VM

electronic voting

user experience

ballot

definition

voting VM

source code

running instance

of interpreter

Figure 9.7. Python is replaced with a very low-level interpreter.

In the ultimate extreme, the interpreter would disappear

and the input would no longer be source code; it would be an

executable file running directly on the operating platform.

If the Python language were replaced with a higher-level

language, the diagram would look like this:

running instance

of voting VM

electronic voting

user experience

ballot

definition

running instance

of interpreter

voting VM

source code

Figure 9.8. Python is replaced with a very high-level interpreter.

In the extreme, the input would disappear and the

interpreter would subsume all the duties of the voting machine

software— in effect, becoming the voting machine software.

The two extremes yield the same result: a specialized

executable file running on the operating platform—exactly the

situation of the conventional voting machine.

Complexity 170

Page 184 of 324
Page 185 of 324

The two boxes at the top right trade off complexity according to

the level of abstraction in the ballot definition language. With a

very low-level ballot definition language, the diagram would

look like this:

electronic voting

user experience

running instance

of Python interpreter

ballot

definition

running instance

of voting VM

voting VM

source code

Figure 9.9. A low-level ballot definition language means a larger ballot definition.

In the extreme case, the VM would shrink to nothing at all,

and the ballot definition would just be an executable file

running on the voting machine.

With a very high-level ballot definition language, you get the

following picture:

electronic voting

user experience

running instance

of Python interpreter

voting VM

source code

running instance

of voting VM

ballot

definition

Figure 9.10. A high-level ballot definition language means a smaller ballot definition.

This is pretty much what happens in a conventional voting

machine. Most of the voting user experience is defined by the

voting machine software; the ballot definition only contains

miminal information about the contests and candidates.

Complexity 171

Page 185 of 324
Page 186 of 324

The conventional voting machine approach is about as far

as it’s possible to go in the direction of a high-level ballot

definition language. That’s because there has to be a way to

configure the voting machine for the candidates and contests in

a particular election; if we went any further, a specialized

version of the voting machine software would have to be

released for each ballot style.

Compared to conventional voting machine software, Pvote

moves in the direction of a low-level ballot definition language.

Giving the ballot definition language more power is beneficial

because:

• it exposes more of the behaviour of the voting machine to

public review,

• it exposes more of the behaviour of the voting machine to

control by designers instead of programmers, and

• it allows the software in the voting machine to change less

often. (Recall that back in Chapter 6, I said that greater

generality in the ballot definition language helps to

future-proof the voting VM software.)

But why not go so far as to shift all the complexity to the ballot

definition, and eliminate the voting VM entirely? How do you

choose the best balance between a high-level or low-level ballot

definition, or between a high-level or low-level interpreted

language for the voting machine software? The next section

addresses these questions.

Complexity 172

Page 186 of 324
Page 187 of 324

What is gained by using interpreted languages?

The purpose of programming language design is to offer

high-level abstractions with which to express desired behaviour.

The interpreter implements and enforces those abstractions.

For example, the Python interpreter gives a guarantee of

memory safety: in general, a Python program cannot arbitrarily

corrupt memory. (There are extension modules designed

specifically to allow arbitrary memory access, but the Pthin

language definition excludes the use of such modules.) This

both simplifies code written in Python and allows a reviewer of

such code to make useful assumptions about its behaviour.

As another example, the ballot definition language contains

no concept of the current time and date, and in general, no way

to express behaviour that will be different at testing time than

on election day itself. This property is essential to the

effectiveness of “logic and accuracy testing,” in which behaviour

observed in live pre-election testing is assumed to reflect the

machine’s actual behaviour on election day. This restriction

significantly reduces the amount of code that has to be reviewed

to establish that the entire system has deterministic behaviour.

This is the answer to the question of balancing complexity

between an interpreter and the code it interprets. Shifting

complexity into a high-level programming language is useful

only insofar as the target language provides security-relevant

restrictions on what can be expressed. As long as a solid

assurance argument can be made for the interpreter, it’s a good

idea to make the interpreter responsible for abstractions that

enforce useful correctness properties. In Python’s case, the

argument is that Python is a general-purpose language; in the

ballot definition language’s case, the argument is that the voting

VM is small. My experience with Pvote suggests that restricted

domain-specific languages and languages that support

programming in restricted subsets are powerful tools for

verifiable secure system design.

Complexity 173

Page 187 of 324
Page 188 of 324

10 Related work

Do any other voting systems use prerendering? 175

What other voting proposals reduce reliance on software? 176

What are “frog” voting systems? 177

Do frogs solve the electronic voting problem? 178

What is “software independence” (SI)? 179

Does SI make software reliability irrelevant? 181

What is end-to-end (E2E) verification? 186

Does E2E verification make software reliability irrelevant? 187

What are other approaches to high-assurance software? 188

174

Page 188 of 324
Page 189 of 324

Do any other voting systems use

prerendering?

Yes, there is some precedent for using prerendered images in

electronic voting machines.

The Open Voting Consortium’s EVM2003 project [59, 58]

used a full-screen bitmap image for displaying an electronic

ballot.1 This use of a prerendered image was also motivated by

a desire for software simplicity.

The ES&S iVotronic supports the use of “bitmap ballots” for

displaying ballots in foreign languages [36].2 These ballots

contain graphical images for the candidate’s names and other

text, so that text in arbitrary languages can be shown.

To the best of my knowledge, Pvote is the first voting

system that uses a prepared description of the entire user

interface, including full-screen images, prerecorded audio, and a

specification of behaviour. This extension of the concept of

prerendering is significant for all the reasons identified in

Chapter 4: it further simplifies the software in the voting

computer, enables more thorough public review, creates a more

complete public record, gives designers control over ballot

design, and reduces the need to change the voting computer

software.

1According to David Mertz of the OVC, this idea was originally proposed for use in EVM2003 by Fred McLain.

2My thanks are due to Dan Wallach for mentioning this precedent to me.

Related work 175

Page 189 of 324
Page 190 of 324

What other voting proposals reduce reliance

on software?

Many voting researchers have recognized the difficulty of

testing and verifying software, and sought to reduce the

vulnerability of elections to software bugs or maliciously

crafted software. The prerendering approach is motivated by

the desire to reduce the size and complexity of the trusted base

on which the security of the voting system rests. In the

following sections, I’ll discuss other major proposals that share

the same motivation:

• The “frog” voting scheme

• “Software independence” (and a common implementation of

SI, the voter-verified paper audit trail)

• End-to-end verification schemes

Related work 176

Page 190 of 324
Page 191 of 324

What are “frog” voting systems?

In 2001, researchers from CalTech and MIT proposed a voting

procedure based on “frogs” [10]. They coined the term “frog” to

mean a small and cheap device, such as a memory card, that

permanently stores a single voter’s votes—the electronic

equivalent of an individual marked paper ballot.

The frog proposal separates the voting process into two

steps, vote selection and vote casting, each carried out with a

separate machine. The voter first selects their votes on the

vote-selection machine, which stores them on a frog. The voter

then puts the frog into the vote-casting machine, which displays

the contents of the frog for the voter to check, and upon

confirmation by the voter, casts the votes. The frog is kept as a

permanent record in case a recount is needed later.

The idea behind this proposal is to separate the more

complicated operation of selecting votes from the

security-sensitive operation of casting the votes. According to

the proposers, the trusted base of software is reduced because

responsibility for security now rests only on the simpler

vote-casting machine; the vote-selection machine will have “no

need for high security” [10].

Related work 177

Page 191 of 324
Page 192 of 324

Do frogs solve the electronic voting problem?

Not entirely. The central claim of the frog scheme—that it

excludes the vote-selection software from the trusted base—

relies on two significant assumptions:

• that voters will check their frogs carefully before casting

them, and

• that voters will know what to expect when the contents of

the frog are displayed.

Some voters may give the vote-casting machine only a cursory

glance, and most are likely to be influenced by confirmation

bias [55]. Thus, it is possible—perhaps even likely—that votes

recorded incorrectly by the vote-selection machine could go

unnoticed. The susceptibility of an election to incorrect

recording by the vote-selection machine also depends on how

election administrators respond when voters report problems,

and how many complaints are needed to trigger such response.

Even if voters do check the votes on their frogs carefully,

the vote-selection machine remains in a position to influence

voters during the selection process—thus violating the

principle that an election should be an unbiased measurement.

For example, the vote-selection machine could present the

candidates in a biased way. It could change the wording of a

ballot measure to make an option seem more appealing or even

invert the sense of the question, swapping the implications of

“yes” and “no”. It could even give misleading instructions to

voters, such as telling them to ignore the vote-casting machine

or to go to a different polling place to vote on certain contests.

The prerendered approach therefore targets a broader

security goal: to secure the entire voting user interface

including the vote selection process, in order to avoid bias in

the election’s measurement of the will of the electorate.

Prerendering the user interface does not rule out the possibility

of further partitioning the user interface into two steps as

proposed in the frog voting architecture.

Related work 178

Page 192 of 324
Page 193 of 324

What is “software independence” (SI)?

“Software independence” is a prominent concept in the next

version of U. S. federal standards for voting systems, the “2007

VVSG.” A draft of the 2007 VVSG [81] has been unanimously

adopted by the standards committee, but remains open for

public comment before adoption. Section 2.4 of that draft

introduces the term like this:

Software independence means that an undetected error or

fault in the voting system’s software is not capable of causing

an undetectable change in election results.

The draft declares that “All voting systems must be software

independent to conform to the VVSG.” The draft goes on to

explain the concept like this:

There are essentially two issues behind the concept of

software independence, one being that it must be possible to

audit voting systems to verify that ballots are being recorded

correctly, and the second being that testing software is so

difficult that audits of voting system correctness cannot rely

on the software itself being correct.

According to the draft:

• Hand-counted paper ballots and optically scanned paper

ballots are software independent, since they leave a paper

record that can later be recounted by hand to check that the

original counts are correct.

• DRE machines with a VVPAT feature are also software

independent, since the VVPAT records are on paper and can

also be recounted by hand.

• DRE machines without paper trails are not software

independent (even though some DREs offer a “recount”

function, this is carried out by just another software

program and so fails to be software independent).

Related work 179

Page 193 of 324
Page 194 of 324

The name and concept of “software independence” were

introduced in a white paper by Rivest and Wack [66] written for

the committee that was working on the VVSG. In addition to

giving a definition of “software independence” (essentially the

same as the one quoted above), this paper identified a

distinction between “strong software-independence” and “weak

software-independence.” A strongly software-independent

voting system is one for which changes in outcome due to

software errors are not only detectable but also correctable

without re-running the election. A weakly software-independent

voting system is one that has the detection property (i.e.,

satisfies the above definition of “software independence”)

without a recovery mechanism. Essentially, “strong software

independence” is “software independence” plus a recovery

mechanism.

Related work 180

Page 194 of 324
Page 195 of 324

Does SI make software reliability irrelevant?

No. Requiring all voting systems to provide a software- independent audit capability is certainly an important

improvement, but this alone is far from what would be

necessary to achieve confidence in a voting system.

To explain why, I need to go into a bit of detail about how

the term “software independence” is used in the VVSG draft.

The VVSG draft defines the term with one meaning and then

uses it with a second meaning—and unfortunately, neither of

these two meanings actually constitute independence from

software. There are three main problems with the VVSG

definition and the use of the name “software independence” for

the concept:

1. The VVSG definition does not describe systems that are

actually independent of software, just systems that are less

than totally dependent on software.

2. The meaning of the VVSG definition depends on detection

procedures that are unspecified.

3. The use of the term in the VVSG focuses on auditing the

counting of recorded votes, but elections can be influenced

in many ways other than miscounting or altering recorded

votes.

Less-than-total dependence is not independence. The initial

definition of “software independence” given in Section 2.4 of

the VVSG draft requires that software faults be “not capable of

causing an undetectable change” in the election outcome. If the

software can cause an undetectable change, then the election is

100% reliant upon the software to be correct. But as long as any

software-caused change is detectable in principle, no matter how

vanishingly small the probability of detection, the voting system

will meet the definition. Even a voting system that has only a

0.1% chance of error detection (and is thus, in a sense, 99.9%

dependent on software) would meet the VVSG definition of

“software independent.”

Related work 181

Page 195 of 324
Page 196 of 324

The detection procedures are unspecified. By using the word

“undetectable,” the VVSG definition presumes the existence of

some procedures by which errors could be detected. However, it

does not specify whether those procedures need to be realistic

or practical.

For example, the VVSG draft says that DRE machines

without paper trails fail to be “software independent.” Consider

for the sake of argument a DRE machine with no VVPAT that

stores vote records on a cassette tape (as old microcomputers

like the TRS-80 and Apple II used to do). In principle one could

stop the machine and examine the electronic records after each

ballot is cast, thereby detecting incorrectly recorded votes; this

examination would require some electronic equipment but

could be performed without software. Does such a DRE machine

therefore meet the definition, despite lacking a paper trail?

As another example, consider a DRE machine that produces

a paper audit trail with the vote information printed as a

barcode. Is it “software independent”? If recounts of the paper

audit trail are performed using a barcode scanner, then the

recount would depend on the software that processes the

barcodes. Yet, in principle, a human being with enough patience

could examine the stripes in the barcode, decode them by hand,

and thus conduct a software-independent audit. Whether this

machine meets the definition of “software independence”

depends on assumptions about what one uses to perform the

detection.

Further, what constitutes successful detection? In some

analyses of the probability of software fault detection, detection

by a single voter constitutes detection. But a complaint from a

single voter is unlikely to stop an election, cause machines to be

taken out of service, or launch an investigation. This is for good

reason: if election administrators made it their policy to take

any machine out of service based on a complaint from a single

voter, just a few dishonest voters could effectively shut down

polling stations and cause havoc on election day. Thus election

officials must choose some threshold of voter complaints they

deem necessary to trigger remedial action.

Related work 182

Page 196 of 324
Page 197 of 324

How should the proper threshold be determined? If the

threshold is too low, the election will be vulnerable to

fraudulent complaints. If the threshold is too high, the election

will be vulnerable to undetected faults. It may even be the case

that there is no acceptable threshold of voter complaints

because these two ranges of unacceptable thresholds overlap.

The likelihood of recovery from a software fault is intimately

dependent on the policies for response and escalation when

problems are reported.

It should be clear from the preceding analysis that software

independence is necessarily a property of an entire election

administration system, including policies and procedures as

well as technology. I propose the following definition:

True software independence (TSI) means there is a

negligible probability that an error or fault in the voting

system’s software will change the outcome of the election.

For clarity, I will use “VSI” to refer to the VVSG definition:

VVSG software independence (VSI) means an undetected

error or fault in the voting system’s software cannot cause

an undetectable change in the outcome of the election.

Although the definitions are similar, the difference between “a

negligible probability of change” and “no undetectable change”

is significant. The first describes something that can be

estimated and measured; the second does not, and depends on

unstated assumptions about what is detectable, what detection

procedures are performed, and what constitutes successful

detection.

“Strong software independence” (SSI) as defined by Rivest

and Wack [66] and TSI are both stronger versions of the VSI

concept, but they strengthen the concept in different ways. SSI

adds recovery to VSI, but a voting system can still meet SSI even

if the probability of detection and recovery is minimal. TSI

requires that the probability of detection and recovery be high.

Related work 183

Page 197 of 324
Page 198 of 324

Altering recorded votes is not the only way to influence an

election. Immediately after presenting the VSI definition, the

VVSG draft then explains the term “software independence”

with a different meaning: namely, the capability to audit the

counting of votes without relying on software. Here is the

relevant excerpt from the VVSG draft (emphasis added):

There are essentially two issues behind the concept of

software independence, one being that it must be possible to

audit voting systems to verify that ballots are being

recorded correctly, and the second being that testing

software is so difficult that audits of voting system

correctness cannot rely on the software itself being correct.

… [P]revious versions [of the VVSG] permitted voting systems

that are software dependent, that is, voting systems whose

audits must rely on the correctness of the software.

I will use the term “software-independent audit capability” to

refer to this concept:

A voting system has software-independent audit capability

(SIAC) if it provides a procedure for verifying that votes were

recorded and counted correctly without relying on the

correctness of any software.

SIAC has a narrower meaning than VSI, because it is only

concerned with the counting of votes after they are recorded.

Faulty voting machines can influence elections in many other

ways—for example, by presenting the candidates in a biased

fashion, omitting contests from the ballot, misleading the voter

with false instructions, printing incorrect paper audit trails, or

crashing and preventing voters from casting votes at all.

A DRE with a voter-verified paper audit trail (VVPAT) can

influence an election in all of these ways, and so it fails to be

TSI even though it has SIAC. All of these are ways that an

election would, in fact, depend on software, despite being called

“software independent” according to the VVSG draft.

Related work 184

Page 198 of 324
Page 199 of 324

It can even be argued that a DRE with a VVPAT fails to meet

the VSI definition, depending on the interpretation of the word

“undetectable.” Consider, for example, a DRE with a VVPAT,

which is programmed to occasionally skip a particular contest

on the first time through the ballot. The contest is only skipped

the first time through, and the contest is still printed on the

VVPAT as usual.

Imagine the typical voter’s experience with this machine.

After going through all the pages of the ballot, the voter might

or might not read the VVPAT carefully. The VVPAT will show

that no selection was made for the skipped contest; the voter

has no way to tell whether the software maliciously skipped the

contest, the voter missed a page due to double-tapping on the

“next page” button by mistake, or the voter just forgot to fill in

that contest. In any case, if the voter goes back and fills in the

missing vote, everything behaves normally.

A malicious DRE such as this can exert significant influence

on an election. Yet it leaves no evidence that would show that

the software is at fault; that is, no amount of forensic analysis

after the election would be able to establish that a contest was

unfairly skipped. The emphasis on auditing in the VVSG draft’s

use of the term “software independence” suggests that

recorded evidence is centrally important. If “undetectable” in

the VSI definition means “not detectable by examination of

recorded evidence,” then DREs with VVPATs fail to be VSI.

If DREs with VVPATs are VSI, it seems strange to define

“software independent” such that machines with software in a

position to mislead voters qualify as “software independent.”

Why software reliability still matters. Even if a voting system

qualifies as SIAC or even VSI according to the definitions I’ve

identified here, there are still many ways that the election can

be vulnerable to software faults—for example, crashing more

frequently for voters of a particular political party. If software

presents the ballot to the voter, then software is in a position to

mislead or otherwise influence the voter. Therefore, software

reliability and correctness remain vital to election integrity.

Related work 185

Page 199 of 324
Page 200 of 324

What is end-to-end (E2E) verification?

As mentioned in Chapter 3, “end-to-end verification” is the

name for a family of techniques that enable each individual

voter to verify that his or her votes were properly counted in

the final total. The main challenge of end-to-end verification is

to provide enough information for voters to perform this check,

yet not enough information for voters to sell their votes.

The general approach of E2E schemes is to publish a

complete but anonymous record of all the votes so that anyone

can check the count; where the schemes differ is in how they

assure voters that their individual votes are included in the

published record of votes.

• Some schemes publish a set of encrypted, identifiable vote

records in addition to the complete set of plaintext,

anonymous vote records. These include VoteHere [54],

Scratch & Vote [1], Prêt-à-Voter [13], and Punchscan [26].

Voters receive an encrypted record of their votes to take

home, which they can check against a published encrypted

record. Some other mathematical procedure is used to

verify that the two sets of vote records correspond.

• Some schemes give each voter a record with only partial

information about his or her votes to take home. The

information is enough to check against the published

records but insufficient as sellable evidence of his or her

votes. ThreeBallot [68] and VAV [67] fall into this category.

• Twin [67] is an unusual end-to-end scheme. In Twin, each

voter receives a receipt for a randomly selected other voter’s

ballot. Thus, while the posted records can be matched with

receipts, they can’t be identified as belonging to any

particular voter.

Related work 186

Page 200 of 324
Page 201 of 324

Does E2E verification make software reliability

irrelevant?

End-to-end verification schemes let voters ensure their votes are

counted without relying on software. Voters using an E2E voting

system have all the information they need to perform this check

themselves—unlike voters using a voting system with a VVPAT,

who must rely on election administrators to conduct a hand

count of the VVPATs in order for the paper record to matter.

Thus, E2E schemes provide the potential for stronger voter

verifiability, as long as voters are willing to carry out a more

involved procedure to verify their votes.

However, E2E schemes do not address the problems of

ballot presentation and crashing software. Purely paper-based

E2E schemes avoid the use of computers for vote entry, but may

limit access for voters with some kinds of disabilities. On the

other hand, if the ballot is presented by a computer or votes are

entered on a computer, the problems of reliable ballot

presentation and vote entry remain; it is these issues that

prerendering addresses. Programs like Pvote can provide the

reliable vote-entry functionality needed for computer-based E2E

voting systems.

Related work 187

Page 201 of 324
Page 202 of 324

What are other approaches to high-assurance

software?

Automated proof. The desire to prove software programs to be

correct has existed pretty much since programmable computers

were invented. As early as 1961, John von Neumann sought to

mathematically prove the correctness of computer

programs [30]. Since that time, researchers have investigated a

variety of ways to automatically construct a proof that a

program meets a formal specification.

• Verification conditions. In 1969, James King developed an

automatic program verifier [42] based on associating

verification conditions with execution paths through the

program. Each verification condition is the proposition that

if an initial predicate (i.e., a precondition) holds at the

beginning of the execution path, then a final predicate (i.e.,

a postcondition) will hold when the end of the execution

path is reached. The correctness of the entire program is

established by proving that all these verification conditions

hold, and showing that their paths can be chained together

to cover all possible execution paths from where the

program starts to where the program halts.

A modern example of this approach is Java Modelling

Language (JML). Programmers can embed JML annotations in

comments in Java code to specify assertions such as

invariants, preconditions, and postconditions. A static

checking tool called ESC/Java [27] can then analyze the

program and verify the consistency of these assertions.

• Weakest precondition methods. The weakest precondition

approach works in the opposite direction. It begins with the

desired postcondition and works backwards through the

program to determine the weakest precondition that would

be necessary to imply the postcondition.

• Abstract interpretation. Abstract interpretation [16] (also

known as symbolic execution) consists of executing the

statements of a program using an abstract representation of

Related work 188

Page 202 of 324
Page 203 of 324

the program’s state. That is, instead of giving concrete

values to variables, an abstract interpreter keeps track of an

expression representing each variable’s value in terms of

the input. These expressions evolve as variables are

manipulated, and may take on a disjunction of the values

produced by conditional branching. Proofs of properties

about these expressions are then used to establish the

correctness of the program.

• Model checking. In the model checking approach, software

engineers must first construct a model of their program

design or requirements in a formal modelling lamguage.

Then an automatic prover checks that the model meets a set

of desired properties, which also have to be specified in a

formal notation.

Each of the above techniques has to rely on an automated

theorem prover to show that symbolic logical statements about

the program imply the desired properties to be verified. One of

the earliest theorem provers used for checking programs was

the Boyer-Moore theorem prover, also known as NQTHM. A

review article by Boyer and Moore [8] reports that NQTHM has

been used to check large systems such as a microprocessor

design, an assembler, and a small operating system kernel.

ACL2 [39], the successor to NQTHM, is one of the best known

modern theorem provers. Simplify [19] is another well-known

automatic theorem prover that serves as the proving engine for

ESC/Java.

The prerendering technique does not compete with these

formal approaches; instead, it augments their power. All of the

above methods require a formal specification against which to

check the program and, in the case of model checking, a formal

model of the program itself. A formally verified program is only

as correct as the specification against which it was verified.

Creating such specifications and models correctly is a tricky

task. A smaller and simpler original program makes the

specifications, models, and resulting proofs less likely to

contain mistakes.

Related work 189

Page 203 of 324
Page 204 of 324

During the Pvote security review, we discussed the

possibility of translating Pvote into a language where there is

support for formal verification, and adding the necessary

annotations for preconditions and postconditions. The two

main options we talked about were Java (which has JML and

ESC/Java) and SPARK Ada [6], a commercially developed variant

of Ada specifically designed for high assurance and verification.

Proof-carrying code. In the proof-carrying code (PCC)

technique [53], the supplier of an application constructs a

formal proof that it satisfies a security policy, and includes this

proof (in encoded form) in the distributed application binary.

The host system on which the application will be run can then

check the proof for itself, without relying on any other trusted

parties, to ensure that the program is safe to run.

In the context of electronic voting, the PCC approach would

require the voting machine to run a proof checker. PCC proof

checkers have been built as small as 2 700 lines [4] (about 30%

of which are in C and the rest in Twelf, a logic specification

language), but this is still substantially larger than Pvote.

Formal code generation. Instead of applying machine analysis

to check the correctness of human-written code, an alternative

is to machine-generate code in such a way that the code must be

correct. This is the concept behind formal code generation [86].

A human-written specification still has to direct the machine

generation of code, but this specification could be written at a

higher level, in a declarative rather than a procedural manner.

Large-scale program analysis. Several tools have been

developed for analyzing large programs for bugs. These tools

make no attempt to prove correctness; they are mainly intended

to catch specific kinds of common errors that the programmer

may have missed. A recent example of such a project is Oink

(based on CQual++ [28]), which has been used to scan the

Debian Linux codebase for format string vulnerabilities [14].

Related work 190

Page 204 of 324
Page 205 of 324

Conclusion

In this dissertation, I’ve examined the problem of electronic

voting, starting from an analysis of the requirements for a

democratic election and the different kinds of voting systems

used in practice and proposed by researchers. This analysis led

me to focus on the correctness and simplicity of the software in

the voting computer, a challenge I’ve addressed through the

technique of user interface prerendering. This concept led to

two iterations of design and implementation, culminating in the

creation of Pvote, a vote-entry program that supports

synchronized audio and video, touchscreen input, and

accessible device input.

Pvote is implemented in just 460 lines of Python—a tiny

amount of code compared to existing voting machines such as

the Diebold AccuVote-TSx (66 000 lines of code) or the Sequoia

Edge (124 000 lines of code)—yet it allows a high degree of

flexibility in the design of the user interface. With Pvote, the

user interfaces of voting computers can finally be designed by

experts in information design, interaction design, and

accessibility instead of voting system programmers. The

security review of Pvote’s design and source code is reason for

optimism about Pvote’s correctness. Although the results

showed that Pvote was not reviewed enough to be positive that

it lacks flaws, the review also found no bugs in Pvote despite

intense scrutiny. Pvote validates the prerendered user interface

approach by demonstrating that it can meet both accessibility

and security goals.

The quest to create reliable voting machine software has

yielded some results that can be applied to high-assurance

software of other kinds. This work focused specifically on

defending against the insider attack, a long-standing and

191

Page 205 of 324
Page 206 of 324

difficult problem in computer security that has rarely been

addressed. User interface prerendering is an effective technique

whenever a general-purpose computer is used for a specialized

purpose and high reliability is required despite periodic

changes in the user interface. Derivation maps are helpful for

analyzing and mitigating potential sources of vulnerability to

insider attacks. The experience with the Pvote security review

yielded insights into language and design features that would

support the adversarial code review process, and redoubled my

respect for how difficult it can be to review code written by a

potential adversary. The review experience has convinced me

that small teams and short timeframes are inadequate for

adversarial review, and suggests that true confidence in voting

system software is likely to require source code disclosure to

the public or a large community of reviewers, for an extended

period of time before use in an election.

Will we ever create electronic voting machines are truly

worthy of trusting with our votes? I can’t predict whether we

will, but at least one thing is established: Pvote puts a stake in

the ground to show just how small voting machine software can

be. There is simply no good reason to rely on voting machine

software that’s hundreds of times larger.

Conclusion 192

Page 206 of 324
Page 207 of 324

Bibliography

[1] Ben Adida and Ronald L. Rivest (2006). Scratch & vote: self-contained paper-based

cryptographic voting. In Proceedings of the 5th ACM Workshop on Privacy in the

Electronic Society, pages 29–40. ACM Press.

[2] Alan Agresti and Brett Presnell (2002). Misvotes, Undervotes and Overvotes: The

2000 Presidential Election in Florida. Statistical Science, 17(4):436–440 (Voting and

Elections, November 2002). Institute of Mathematical Statistics.

[3] Edward G. Amoroso (1994). Fundamentals of Computer Security Technology.

Prentice Hall.

[4] Andrew W. Appel, Neophytos G. Michael, Aaron Stump, and Roberto Virga (2002).

A Trustworthy Proof Checker. Technical Report TR-648-02, Department of

Computer Science, Princeton University. Available at

http://www.cs.princeton.edu/research/techreps/TR-648-02.

[5] Jonathan Bannet, David W. Price, Algis Rudys, Justin Singer, and Dan S. Wallach

(2004). Hack-a-Vote: Security Issues with Electronic Voting Systems. IEEE Security &

Privacy, 2(1):32–37 (January/February 2004).

[6] John Barnes (1997). High Integrity Ada: The SPARK Approach. Addison-Wesley.

[7] Matt Blaze, Arel Cordero, Sophie Engle, Chris Karlof, Naveen Sastry, Micah Sherr,

Till Stegers, and Ka-Ping Yee (2007). Source Code Review of the Sequoia Voting

System. Available at http://www.sos.ca.gov/elections/voting_systems/

ttbr/sequoia-source-public-jul26.pdf.

[8] Robert S. Boyer and J. Strother Moore (1990). A Theorem Prover for a

Computational Logic. Lecture Notes in Computer Science, (449):1–15 (July 1990).

193

Page 207 of 324
Page 208 of 324

[9] Steven J. Brams and Peter C. Fishburn (1998). Approval Voting. The American

Political Science Review, 72(3):831–847 (September 1998).

[10] Shuki Bruck, David Jefferson, and Ronald L. Rivest (2001). A Modular Voting

Architecture (“Frogs”). Presented at the Workshop on Trustworthy Elections (WOTE

2001). Available at http://www.vote.caltech.edu/wote01/pdfs/amva.pdf

(retrieved on June 7, 2007).

[11] Darren Burton and Mark Uslan (2002). Cast a Vote by Yourself: A Review of

Accessible Voting Machines. AccessWorld, November 2002. Available at

http://www.afb.org/afbpress/pub.asp?docid=aw030603.

[12] Joseph A. Calandrino, Ariel J. Feldman, J. Alex Halderman, David A. Wagner, Harlan

Yu, and William P. Zeller (2007). Source Code Review of the Diebold Voting System.

Available at http://www.sos.ca.gov/elections/voting_systems/ttbr/

diebold-source-public-jul29.pdf.

[13] David Chaum, Peter Ryan, and Steve A. Schneider (2004). A Practical,

Voter-verifiable Election Scheme. Technical Report CS-TR-880, School of

Computing Science, University of Newcastle upon Tyne, UK.

[14] Karl Chen and David A. Wagner (2007). Large-Scale Analysis of Format String

Vulnerabilities in Debian Linux. In Proceedings of the 2007 ACM SIGPLAN

Workshop on Programming Languages and Analysis for Security (PLAS 2007),

pages 75–84. ACM Press.

[15] Lillie Coney (2004). Statement Before the U. S. Election Assistance Commission,

Technical Guidelines Development Committee, September 22, 2004. Available at

http://vote.nist.gov/voting_statement.pdf (retrieved on December 4,

2007).

[16] Patrick Cousot and Radhia Cousot (1977). Abstract interpretation: A unified lattice

model for static analysis of programs by construction or approximation of

fixpoints. In Proceedings of the 4th Conference on Principles of Programming

Languages, pages 238–252. ACM Press.

[17] Theo de Raadt. OpenBSD Security. Available at

194

Page 208 of 324
Page 209 of 324

http://www.openbsd.org/security.html (retrieved on December 13, 2007).

[18] Stephanie Delaune, Steve Kremer, and Mark Ryan (2006). Coercion-resistance and

Receipt-freeness in Electronic Voting. In Proceedings of the 19th Computer Security

Foundations Workshop (CSFW). IEEE Computer Society Press.

[19] David Detlefs, Greg Nelson, and James B. Saxe (2003). Simplify: A Theorem Prover

for Program Checking. Technical Report 2003-148, Hewlett-Packard Labs. Available

at http://www.hpl.hp.com/techreports/2003/HPL-2003-148.html.

[20] Diebold Election Systems. Welcome to Diebold Election Systems.

http://www.dieboldes.com/ as of January 24, 2004. Archived copy available at

http://web.archive.org/web/20040209133249/www2.diebold.com/

dieboldes/default.htm.

[21] Christopher Drew (2007). U. S. Bars Lab From Testing Electronic Voting. New York

Times, January 4, 2007.

[22] Election Data Services (2004). Overview of Voting Equipment Usage in United

States, Direct Recording Electronic (DRE) Voting. Statement of Kimball Brace to the

United States Election Assistance Commission, May 5, 2004. Available at

http://www.electiondataservices.com/EDSInc_DREoverview.pdf.

[23] Election Reform Information Project (2007). Voter-Verified Paper Audit Trail

Legislation & Information. Available at

http://www.electionline.org/Default.aspx?tabid=290 (retrieved on

December 13, 2007).

[24] Sarah P. Everett, Michael D. Byrne, and Kristen K. Greene (2006). Measuring the

usability of paper ballots: Efficiency, effectiveness, and satisfaction. In Proceedings

of the Human Factors and Ergonomics Society 50th Annual Meeting. Human Factors

and Ergonomics Society.

[25] Sarah P. Everett (2007). The Usability of Electronic Voting Machines and How Votes

Can Be Changed Without Detection. Ph. D. dissertation, Department of Psychology,

Rice University. Available at

http://chil.rice.edu/alumni/petersos/EverettDissertation.pdf.

195

Page 209 of 324
Page 210 of 324

[26] Kevin Fisher, Richard Carback, and Alan T. Sherman (2006). Punchscan:

Introduction and System Definition of a High-Integrity Election System. In

Proceedings of the IAVoSS Workshop On Trustworthy Elections (WOTE 2006).

[27] Cormac Flanagan, K. Rustan M. Leino, Mark Lillibridge, Greg Nelson, James B. Saxe,

and Raymie Stata (2002). Extended static checking for Java. ACM SIGPLAN Notices,

37(5):234–245 (May 2002).

[28] Jeffrey S. Foster (2002). Type Qualifiers: Lightweight Specifications to Improve

Software Quality. Ph. D. dissertation, Computer Science Division, University of

California, Berkeley.

[29] Laurin Frisina, Michael C. Herron, James Honaker, and Jeffrey B. Lewis (2007).

Ballot Formats, Touchscreens, and Undervotes: A Study of the 2006 Midterm

Elections in Florida. Available at

http://www.dartmouth.edu/~herron/cd13.pdf (retrieved on June 7, 2007).

[30] H. Goldstine and John Von Neumann (1961). Planning and Coding Problems. In

A. H. Taub, editor, John Von Neumann Collected Works, number V, pages 80–152.

Pergamon Press.

[31] Rop Gonggrijp and Willem-Jan Hengeveld (2007). Studying the Nedap/Groenendaal

ES3B Voting Computer: A Computer Security Perspective. In Proceedings of the

USENIX/ACCURATE Electronic Voting Technology Workshop (EVT 2007). USENIX

Press.

[32] Bev Harris (2004). Black Box Voting: Ballot Tampering in the 21st Century. Talion

Publishing. Available at http://www.blackboxvoting.org/book.html.

[33] Harri Hursti (2006). Diebold TSx Evaluation: Critical Security Issues with Diebold

TSx, May 11, 2006. Available at

http://www.blackboxvoting.org/BBVtsxstudy.pdf (retrieved on June 7,

2007).

[34] Information Technology Association of America, Election Technology Council

(2006). Comments submitted on behalf of the ITAA ETC to the members of the

State of California Senate Committee on Elections, Reapportionment and

196

Page 210 of 324
Page 211 of 324

Constitutional Amendments, February 8, 2006. Archived at

http://web.archive.org/web/20060622084803/http://www.electiontech.

org/downloads/ITAA+ETC+CA+OSS+TESTIMONY+-+FINAL.pdf.

[35] Srinivas Inguva, Eric Rescorla, Hovav Shacham, and Dan S. Wallach (2007). Source

Code Review of the Hart InterCivic Voting System. Available at http://www.sos.

ca.gov/elections/voting_systems/ttbr/Hart-source-public.pdf.

[36] Douglas W. Jones (2004). Recommendations for the Conduct of Elections in

Miami-Dade County using the ES&S iVotronic System. Available at

http://www.cs.uiowa.edu/~jones/voting/miami.pdf (retrieved on December

13, 2007).

[37] Douglas W. Jones (2006). Connecting Work on Threat Analysis to the Real World.

Presented at Threat Analyses for Voting System Categories: A Workshop on Rating

Voting Methods (VSRW 2006). Available at

http://www.cs.uiowa.edu/~jones/voting/VSRW06.pdf (retrieved on

December 19, 2007).

[38] Ari Juels, Dario Catalano, and Markus Jakobsson (2005). Coercion-Resistant

Electronic Elections. In Proceedings of the 2005 ACM Workshop on Privacy in the

Electronic Society, pages ’61–70. ACM Press.

[39] Matt Kaufmann and J. Strother Moore (1996). ACL2: An Industrial Strength Version

of Nqthm. In Procedings of the Eleventh Annual Conference on Computer

Assurance, Systems Integrity, Software Safety, and Process Security, pages 23–34.

[40] Arthur Keller (2007). Experiences with Sequoia AVC Edge with VeriVote Printer as

Precinct Inspector in Santa Clara County.

[41] Tim P. Kelly (1998). Arguing Safety – A Systematic Approach to Managing Safety

Cases. Ph. D. dissertation, Department of Computer Science, University of York.

Available at http://www-users.cs.york.ac.uk/~tpk/tpkthesis.pdf.

[42] James C. King (1969). A program verifier. Ph. D. dissertation, Department of

Computer Science, Carnegie Mellon University.

197

Page 211 of 324
Page 212 of 324

[43] Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin, and Dan S. Wallach (2004).

Analysis of an Electronic Voting System. In Proceedings of the 2004 IEEE

Symposium on Security and Privacy. IEEE Computer Society Press.

[44] Samuel Merrill (1988). Making Multicandidate Elections More Democratic. Princeton

University Press.

[45] Adrian Mettler and David A. Wagner. Joe-E (open source software project).

Available at http://joe-e.org/.

[46] Joanne M. Miller and Jon A. Krosnick (1998). The Impact of Candidate Name Order

on Election Outcomes. Public Opinion Quarterly, 62(3):291–330.

[47] Mark S. Miller (2006). Robust Composition: Towards a Unified Approach to Access

Control and Concurrency Control. Ph. D. dissertation, Department of Computer

Science, Johns Hopkins University. Available at

http://erights.org/talks/thesis.

[48] David Molnar, Tadayoshi Kohno, Naveen Sastry, and David A. Wagner (2006).

Tamper-Evident, History-Independent, Subliminal-Free Data Structures on PROM

Storage -or- How to Store Ballots on a Voting Machine. In Proceedings of the 2006

IEEE Symposium on Security and Privacy. IEEE Computer Society Press.

[49] Moni Naor and Vanessa Teague (2001). Anti-persistence: History Independent Data

Structures. In Proceedings of the 33rd Annual ACM Symposium on the Theory of

Computing, pages 492–501. ACM Press.

[50] National Conference of State Legislatures. Straight Ticket Voting States (2007).

Available at

http://www.ncsl.org/programs/legismgt/elect/straight_ticket.htm

(retrieved on December 13, 2007).

[51] National Council on Disability (2006). NCD Statement: Voluntary Voting System

Guidelines. Available at

http://www.ncd.gov/newsroom/publications/2006/voluntary_voting.htm

(retrieved on December 13, 2007).

198

Page 212 of 324
Page 213 of 324

[52] National Institute of Standards and Technology (1995). FIPS 180-1: Secure Hash

Standard. Available at http://www.itl.nist.gov/fipspubs/fip180-1.htm

(retrieved on December 13, 2007).

[53] George C. Necula (1997). Proof-Carrying Code. In Proceedings of the 24th ACM

SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL

1997), pages 106–119. ACM Press.

[54] C. Andrew Neff and Jim Adler (2003). Verifiable e-voting. Available at

http://votehere.com/vhti/documentation/VH_VHTi_WhitePaper.pdf

(retrieved on December 13, 2007).

[55] Raymound S. Nickerson (1998). Confirmation Bias: A Ubiquitous Phenomenon in

Many Guises. Review of General Psychology, 2(2):175–220.

[56] Richard G. Niemi and NIST (2005). Sample State and Local Ballots. Available at

http://vote.nist.gov/ballots.htm (retrieved on December 13, 2007).

[57] Nokia Corporation. Python for Series 60 (open source software project). Available

at http://opensource.nokia.com/projects/pythonfors60.

[58] Open Voting Consortium. EVM2003 (open source software project). Available at

http://evm2003.sourceforge.net/.

[59] Open Voting Consortium (2007). Ballot Prerendering. Available at

http://www.openvotingconsortium.org/ballot-prerendering.html

(retrieved on December 18, 2007).

[60] Thea Peacock and Peter Ryan (2006). Coercion-resistance as Opacity in Voting

Systems. Technical Report CS-TR-959, School of Computing Science, University of

Newcastle upon Tyne, UK.

[61] Elliot Proebstel, Sean Riddle, Francis Hsu, Justin Cummins, Freddie Oakley, Tom

Stanionis, and Matt Bishop (2007). An Analysis of the Hart Intercivic DAU eSlate. In

Proceedings of the USENIX/ACCURATE Electronic Voting Technology Workshop (EVT

2007). USENIX Press.

199

Page 213 of 324
Page 214 of 324

[62] Pygame (open source software project). Available at http://pygame.org/.

[63] Python Software Foundation. Python (programming language). Available at

http://www.python.org/.

[64] RABA Technologies (2004). Trusted Agent Report: Diebold AccuVote-TS Voting

System, January 20, 2004. Available at

http://www.raba.com/press/TA_Report_AccuVote.pdf (retrieved on

December 19, 2007).

[65] ReportLab, Inc. ReportLab Toolkit (open source software project). Available at

http://www.reportlab.org/.

[66] Ronald L. Rivest and John P. Wack (2006). On the notion of “software

independence” in voting systems. Available at

http://vote.nist.gov/SI-in-voting.pdf (retrieved on December 5, 2007).

[67] Ronald L. Rivest and Warren D. Smith (2007). Three Voting Protocols: ThreeBallot,

VAV, and Twin. In Proceedings of the USENIX/ACCURATE Electronic Voting

Technology Workshop (EVT 2007). USENIX Press.

[68] Ronald L. Rivest (2006). The ThreeBallot Voting System. Available at http://

people.csail.mit.edu/rivest/Rivest-TheThreeBallotVotingSystem.pdf

(retrieved on June 7, 2007).

[69] Noel H. Runyan (2007). Improving Access to Voting: A Report on the Technology

for Accessible Voting Systems. D ̄emos and Voter Action. Available at

http://demos.org/pubs/improving_access.pdf (retrieved on June 7, 2007).

[70] Bruce Schneier (1999). Attack Trees: Modeling security threats. Dr. Dobb’s Journal,

24(12):21–29 (December 1999).

[71] Markus Schulze (2003). A New Monotonic and Clone-Independent Single-Winner

Election Method. Voting Matters, (17):9–19 (October 2003).

[72] Science Applications International Corporation (2003). Risk Assessment Report:

Diebold AccuVote-TS Voting System and Processes, September 2, 2003. Available at

200

Page 214 of 324
Page 215 of 324

http://www.elections.state.md.us/pdf/risk_assessment_report.pdf

(retrieved on November 14, 2007).

[73] Ted Selker (2005). Voting Technology: Election Auditing is an End-to-End

Procedure. Science, 308(5730):1873–1874 (June 2005).

[74] Warren D. Smith (2000). Range Voting. Available at

http://math.temple.edu/~wds/homepage/rangevote.pdf (retrieved on

December 13, 2007).

[75] Molly F. Story (1998). Maximizing Usability: The Principles of Universal Design.

Assistive Technology, 10(1):4–12.

[76] Ken Thompson (1984). Reflections on Trusting Trust. Communications of the ACM,

27(8):761–763 (August 1984).

[77] T. Nicolaus Tideman (1987). Independence of Clones as a Criterion for Voting

Rules. Social Choice and Welfare, 4(3):185–206 (September 1987).

[78] United States: 107th Congress (2002). Help America Vote Act of 2002. Available at

http://www.fec.gov/hava/law_ext.txt.

[79] United States: 110th Congress (2007). H. R. 811: Voter Confidence and Increased

Accessibility Act of 2007. Available at

http://thomas.loc.gov/cgi-bin/bdquery/z?d110:h.r.00811:.

[80] United States Election Assistance Commission (2005). 2005 Voluntary Voting

System Guidelines. Available at http://www.eac.gov/voting%20systems/

voluntary-voting-guidelines/2005-vvsg.

[81] United States Election Assistance Commission (2007). Draft 2007 Voluntary Voting

System Guidelines. Available at

http://www.eac.gov/files/vvsg/Final-TGDC-VVSG-08312007.pdf (retrieved

on November 17, 2007).

[82] Verified Voting Foundation (2004). Election 2004 E-Voting Incidents from the

Election Incident Reporting System. Available at

201

Page 215 of 324
Page 216 of 324

http://www.verifiedvotingfoundation.org/article.php?id=5331.

[83] William E. Vesely, F. F. Goldberg, N. H. Roberts, and D. F. Haasl (1981). Fault Tree

Handbook (NUREG-0492). United States Nuclear Regulatory Commission.

[84] David A. Wagner, David Jefferson, Matt Bishop, Chris Karlof, and Naveen Sastry

(2006). Security Analysis of the Diebold AccuBasic Interpreter, February 14, 2006.

Available at http://www.cs.berkeley.edu/~daw/papers/accubasic.pdf

(retrieved on June 7, 2007).

[85] Jonathan N. Wand, Kenneth W. Shotts, Jasjeet S. Sekhon, Jr. Walter R. Mebane,

Michael C. Herron, and Henry E. Brady (2001). The Butterfly Did It: The Aberrant

Vote for Buchanan in Palm Beach County, Florida. American Political Science

Review, 95(4):793–810 (December 2001).

[86] Michael W. Whalen and Mats P. E. Heimdahl (1999). On the Requirements of High

Integrity Code Generation. In Proceedings of the 4th IEEE International Symposium

on High-Assurance Systems Engineering. IEEE Computer Society Press.

[87] S. P. Wilson, Tim P. Kelly, and John A. McDermid (1996). Safety Case Development:

Current Practice, Future Prospects. In Safety and Reliability of Software-Based

Systems, page 135. Springer-Verlag New York.

[88] Alec Yasinsac, David A. Wagner, Matt Bishop, Ted Baker, Breno de Medeiros, Gary

Tyson, Michael Shamos, and Mike Burmester (2007). Software Review and Security

Analysis of the ES&S iVotronic 8.0.1.2 Voting Machine Firmware. Florida

Department of State.

[89] Ka-Ping Yee and Mark Miller (2002). Auditors: An Extensible, Dynamic Code

Verification Mechanism. Available at

http://www.erights.org/elang/kernel/auditors/ (retrieved on December

13, 2007).

[90] Ka-Ping Yee (2006). Prerendered User Interfaces for Higher-Assurance Electronic

Voting. In Proceedings of the USENIX/ACCURATE Electronic Voting Technology

Workshop (EVT 2006). USENIX Press.

202

Page 216 of 324
Page 217 of 324

[91] Ka-Ping Yee (2007). Extending prerendered-interface voting software to support

accessibility and other ballot features. In Proceedings of the USENIX/ACCURATE

Electronic Voting Technology Workshop (EVT 2007). USENIX Press.

[92] Ka-Ping Yee (2007). Pvote Software Review Assurance Document. Technical Report

EECS-2007-40, Department of Electrical Engineering and Computer Sciences,

University of California, Berkeley, CA. Available at

http://www.eecs.berkeley.edu/Pubs/TechRpts/2007/EECS-2007-40.html.

[93] Ka-Ping Yee (2007). Report on the Pvote security review. Technical Report

EECS-2007-136, Department of Electrical Engineering and Computer Sciences,

University of California, Berkeley. Available at

http://www.eecs.berkeley.edu/Pubs/TechRpts/2007/EECS-2007-136.html.

203

Page 217 of 324
Page 218 of 324

A Ptouch source code

The following pages present the source code of Ptouch,

consisting of five modules:

• main.py

• Ballot.py

• Navigator.py

• Video.py

• Recorder.py

Each line of code is numbered and printed in monospaced type.

36 flags = [0 for c in m.contests]

Defining occurrences of classes, methods, and functions appear

in bold.

123 def getlist(ballot, stream, Class):

Lines marked with a triangle are entry points into a module,

called from other modules. Functions and methods without a

triangle are called only from within the same module.

. 45 def activate(self, slot i):

The code is broken into sections, with explanatory text in grey

preceding each section.

Explanatory text looks like this.

204

Page 218 of 324
Page 219 of 324

main.py

This is the main Ptouch program. It initializes the other software

components with the provided ballot definition file and then processes

incoming Pygame events in a non-terminating loop.

1 import Ballot, Navigator, Recorder, Video

2 from pygame import display, event, MOUSEBUTTONDOWN, KEYDOWN

The following lines load and verify the ballot definition, then instantiate

the other parts of Ptouch with their corresponding sections of the ballot

definition.

3 ballot = Ballot.Ballot(’ballot’)

4 video = Video.Video(ballot.imagelib)

5 recorder = Recorder.Recorder(ballot)

6 navigator = Navigator.Navigator(ballot.model, video, recorder)

This is the main event loop. The loop begins by updating the display to

match the framebuffer in memory, so that any display changes made

during the last iteration appear onscreen. The loop never exits.

7 while 1:

8 display.update()

On each iteration, one event is retrieved from Pygame’s event queue. The

only type of event Ptouch handles is a mouse click. The coordinates of

the mouse click are translated into a slot index. If the click corresponds

to a slot, it is passed to the navigator’s activate() method for further

handling.

9 e = event.wait()

10 if e.type == MOUSEBUTTONDOWN:

11 slot = video.locate(*e.pos)

12 if slot is not None:

13 navigator.activate(slot)

Ptouch source code 205

Page 219 of 324
Page 220 of 324

Ballot.py

The Ballot module defines the ballot definition data structure. The

main program instantiates a Ballot object to deserialize the ballot data

from a file stream and construct the ballot definition data structure. All

the other classes in this module represent parts of the ballot definition;

each one deserializes its contents from the stream passed to its

constructor.

1 class Ballot:

. 2 def init (self, filename):

3 self.data = open(filename).read()

4 stream = open(filename)

sprite n is a counter that keeps track of the next sprite index. Each

instance of the Option, Writein, Subpage, and Subtarget classes

contains a local field called sprite i that points to its associated sprite.

This field is set by the init method of the class, which picks up the

sprite index by accessing and incrementing the sprite n field of the

Ballot during loading. subpage n is a local counter of subpages that is

only used during verification after the ballot is loaded.

5 self.sprite n = subpage n = 0

6 self.model = m = Model(self, stream)

7 self.imagelib = il = Imagelib(self, stream)

8 assert stream.read(1) == ’’

At this point the ballot definition has been fully loaded into memory.

The rest of the init method verifies that the ballot definition is

well-formed. If it is not well-formed, the program should be aborted with

a fatal error to prevent the possibility that Ptouch will crash after

starting a voting session.

The following lines ensure that there is at least one page and one contest,

and that the arrays of layouts and sprites have the proper sizes.

9 assert m.pages and m.contests

10 assert len(m.pages) + len(m.subpages) == len(il.layouts)

11 assert len(il.sprites) == self.sprite n

items contains one list corresponding to each contest; it will collect all

the slots and sprites for the options in the contest. chars also contains

one line corresponding to each contest; it will collect all the slots and

sprites for the write-in characters in the contest. These lists will later be

checked to ensure that the sizes of all sprites match the sizes of the slots

into which they could be pasted.

12 items = [[] for c in m.contests]

13 chars = [[] for c in m.contests]

For each page, the targets, options, write-ins, and reviews are checked to

ensure their fields have valid values.

14 for i, p in enumerate(m.pages):

15 for t in p.targets:

16 assert t.action in [0, 1, 2]

17 assert 0 <= t.page i < len(m.pages)

18 for x in p.targets + p.options + p.writeins + p.reviews:

19 assert 0 <= x.contest i < len(m.contests)

Ptouch source code 206

Page 220 of 324
Page 221 of 324

The slot variable keeps track of the slot index during checking of the

slots associated with each page.

20 slots = il.layouts[i].slots

21 slot = len(p.targets)

The slots and sprites for all the option areas are gathered into the

appropriate arrays for later size checking.

22 for i, o in enumerate(p.options):

23 items[o.contest i] += [slots[slot + i], il.sprites[o.sprite i]]

The slots and sprites for all the write-ins are gathered into the

appropriate arrays for later size checking.

24 slot += len(p.options)

25 for w in p.writeins:

26 items[w.contest i] += [slots[slot], il.sprites[w.sprite i]]

27 max chars = m.contests[w.contest i].max chars

28 chars[w.contest i] += slots[slot + 1:slot + 1 + max chars]

29 slot += 1 + max chars

The slots and sprites for all the review areas are gathered into the

appropriate arrays for later size checking.

30 for r in p.reviews:

31 max chars = m.contests[r.contest i].max chars

32 for i in range(m.contests[r.contest i].max sels):

33 items[r.contest i] += [slots[slot]]

34 chars[r.contest i] += slots[slot + 1:slot + 1 + max chars]

35 slot += 1 + max chars

The flags array indicates which contests contain write-in options.

36 flags = [0 for c in m.contests]

37 for p in m.pages:

38 for w in p.writeins:

39 flags[w.contest i] = 1

For each contest with write-in options, the associated write-in subpage is

checked to ensure it has the right number of slots and all of its

subtargets have fields with valid values. The slots for write-in characters

are gathered into the appropriate arrays for later size checking. In this

loop, subpage n keeps track of the index of the associated subpage.

40 for i, c in enumerate(m.contests):

41 if flags[i]:

42 c.subpage i, subpage n = subpage n, subpage n + 1

43 p = m.subpages[c.subpage i]

44 slots = il.layouts[len(m.pages) + c.subpage i].slots

45 assert len(p.subtargets) + c.max chars == len(slots)

46 chars[i] += slots[len(p.subtargets):]

47 for t in p.subtargets:

48 assert t.action in [0, 1, 2, 3, 4, 5]

49 if t.action in [0, 1]:

50 chars[i] += [il.sprites[t.sprite i]]

51 chars[i] += [il.sprites[p.cursor i]]

The number of subpages in the ballot model should match the number of

contests with write-in options, which were counted in the preceding loop.

52 assert len(m.subpages) == subpage n

Ptouch source code 207

Page 221 of 324
Page 222 of 324

Each layout is checked to ensure that its background image matches the

screen size and all its slots are positioned within the screen bounds.

53 for l, b in [(l, l.background) for l in il.layouts]:

54 assert (b.width, b.height) == (il.width, il.height)

55 for slot in l.slots:

56 assert 0 <= slot.left < slot.left + slot.width < il.width

57 assert 0 <= slot.top < slot.top + slot.height < il.height

Finally, the sprites and slots that have been collected for each group are

checked to ensure they all have properly matching sizes.

58 for list in items + chars:

59 for x in list:

60 assert (x.width, x.height) == (list[0].width, list[0].height)

Each remaining class loads its contents from the stream in a constructor

that parallels its data structure. These constructors instantiate other

classes to read single components from the stream, call getlist() to

read a variable-length list of components from the stream, or call

getint() to deserialize an integer from the stream.

61 class Model:

62 def init (self, ballot, stream):

63 self.contests = getlist(ballot, stream, Contest)

64 self.pages = getlist(ballot, stream, Page)

65 self.subpages = getlist(ballot, stream, Subpage)

66 class Contest:

67 def init (self, ballot, stream):

68 self.max sels = getint(stream)

69 self.max chars = getint(stream)

70 class Page:

71 def init (self, ballot, stream):

72 self.targets = getlist(ballot, stream, Target)

73 self.options = getlist(ballot, stream, Option)

74 self.writeins = getlist(ballot, stream, Writein)

75 self.reviews = getlist(ballot, stream, Review)

76 class Target:

77 def init (self, ballot, stream):

78 self.action = getint(stream)

79 self.page i = getint(stream)

80 self.contest i = (self.action == 1 and [getint(stream)] or [0])[0]

81 class Option:

82 def init (self, ballot, stream):

83 self.contest i = getint(stream)

84 self.sprite i, ballot.sprite n = ballot.sprite n, ballot.sprite n + 1

85 class Writein:

86 def init (self, ballot, stream):

87 self.contest i = getint(stream)

88 self.sprite i, ballot.sprite n = ballot.sprite n, ballot.sprite n + 1

89 class Review:

90 def init (self, ballot, stream):

91 self.contest i = getint(stream)

Ptouch source code 208

Page 222 of 324
Page 223 of 324

92 class Subpage:

93 def init (self, ballot, stream):

94 self.subtargets = getlist(ballot, stream, Subtarget)

95 self.cursor i, ballot.sprite n = ballot.sprite n, ballot.sprite n + 1

96

97 class Subtarget:

98 def init (self, ballot, stream):

99 self.action = getint(stream)

100 if self.action in [0, 1]:

101 self.sprite i, ballot.sprite n = ballot.sprite n, ballot.sprite n + 1

102 class Imagelib:

103 def init (self, ballot, stream):

104 self.width = getint(stream)

105 self.height = getint(stream)

106 self.layouts = getlist(ballot, stream, Layout)

107 self.sprites = getlist(ballot, stream, Image)

108 class Layout:

109 def init (self, ballot, stream):

110 self.background = Image(ballot, stream)

111 self.slots = getlist(ballot, stream, Slot)

112 class Slot:

113 def init (self, ballot, stream):

114 self.left = getint(stream)

115 self.top = getint(stream)

116 self.width = getint(stream)

117 self.height = getint(stream)

An Image object contains the pixel data for an image, which resides in a

single Python string. In serialized form, the image’s width and height are

stored preceding the pixel data, which contains three bytes per pixel (one

byte each for the red, green, and blue components).

118 class Image:

119 def init (self, ballot, stream):

120 self.width = getint(stream)

121 self.height = getint(stream)

122 self.pixels = stream.read(self.width * self.height * 3)

The getlist() function reads a variable-length list of data structures

from the stream, all of a particular given class. In Python (and Pthin),

classes are first-class objects and can be passed as arguments. In

serialized form, the list is preceded by a 4-byte integer indicating how

many elements to read.

123 def getlist(ballot, stream, Class):

124 return [Class(ballot, stream) for i in range(getint(stream))]

The getint() function reads an unsigned 4-byte integer from the

stream, serialized with the most significant byte first.

125 def getint(stream):

126 bytes = [ord(char) for char in stream.read(4)]

127 return (bytes[0]<<24) + (bytes[1]<<16) + (bytes[2]<<8) + bytes[3]

Ptouch source code 209

Page 223 of 324
Page 224 of 324

Navigator.py

The navigator is initialized with access to the ballot model data

structure, the video driver, and the vote recording module. It saves these

references locally, initializes an empty selection state, and begins the

voting session by transitioning to page 0. The selections member

contains a list of selections for each contest. The elements of these lists

are themselves lists: an ordinary selected option is represented by a list

of a single integer, the option’s sprite index; a selected write-in option is

represented by a list containing the write-in option’s sprite index

followed by the indices of the character sprites entered for the write-in.

1 class Navigator:

. 2 def init (self, model, video, recorder):

3 self.model, self.video, self.recorder = model, video, recorder

4 self.selections = [[] for contest in model.contests]

5 self.goto(0)

6 self.update()

The goto() method transitions to a given page. If the transition goes to

the last page, the voter’s selections are recorded. Any page transition

clears the writein and chars members, which are set only when a

subpage is active (writein points to the current write-in object, and

chars contains the write-in characters entered so far).

7 def goto(self, page i):

8 if page i == len(self.model.pages) - 1:

9 self.recorder.write(self.selections)

10 self.page i, self.page = page i, self.model.pages[page i]

11 self.writein, self.chars = None, []

The update() method updates the video display based on the current

page and selections.

12 def update(self):

When the writein member is not None, this means the user is currently

on a subpage. The video driver is told to paste the subpage’s background

over the entire screen, then paste any entered characters into the

character slots of the subpage, in order. If the character slots are not all

full, the cursor sprite is also pasted into the next available character slot.

13 if self.writein:

14 contest = self.model.contests[self.writein.contest i]

15 subpage = self.model.subpages[contest.subpage i]

16 self.video.goto(len(self.model.pages) + contest.subpage i)

17 offset = len(subpage.subtargets)

18 for i, sprite i in enumerate(self.chars):

19 self.video.paste(sprite i, offset + i)

20 if len(self.chars) < contest.max chars:

21 self.video.paste(subpage.cursor i, offset + len(self.chars))

Ptouch source code 210

Page 224 of 324
Page 225 of 324

When the writein member is None, no subpage is active. The video

driver is told to paste the current page’s background over the entire

screen, then fill in the options, write-ins, and reviews on the page

according to the current selections. The indices of the corresponding

slots are assumed to be arranged in sequential order, as described in

Chapter 5; hence the variable slot i is incremented in each loop and

carried forward to the next loop.

22 else:

23 self.video.goto(self.page i)

To check whether an option is selected, the elements of the contest’s

selection list are scanned for a one-element list containing the option’s

sprite index.

24 slot i = len(self.page.targets)

25 for option in self.page.options:

26 if [option.sprite i] in self.selections[option.contest i]:

27 self.video.paste(option.sprite i, slot i)

28 slot i += 1

To check whether a write-in is selected, the elements of the contest’s

selection list are scanned for a list whose first element is the write-in

option’s sprite index. If such a list is found, the rest of the elements in

the list are the sprite indices of the entered characters, so all the sprites

in the list can be pasted into the write-in’s slots in the order they appear.

(The cursor is not shown on ordinary pages, only on subpages.)

29 for writein in self.page.writeins:

30 for selection in self.selections[writein.contest i]:

31 if selection[0] == writein.sprite i:

32 for j, sprite i in enumerate(selection):

33 self.video.paste(sprite i, slot i + j)

34 slot i += 1 + self.model.contests[writein.contest i].max chars

To display a review, the selections in the contest’s selection list are

pasted into the review’s slots in the order they appear. Since write-in

selections are represented by a list beginning with the write-in sprite

index followed by the entered character sprites, these sprites will fit into

the 1 + contest.max chars slots corresponding to the review. The

inner loop always executes contest.max sels times so that slot i will

be incremented by the correct amount.

35 for review in self.page.reviews:

36 contest = self.model.contests[review.contest i]

37 selections = self.selections[review.contest i]

38 for i in range(contest.max sels):

39 if i < len(selections):

40 for j, sprite i in enumerate(selections[i]):

41 self.video.paste(sprite i, slot i + j)

42 slot i += 1 + contest.max chars

Ptouch source code 211

Page 225 of 324
Page 226 of 324

The activate() method activates a slot when a user touches the

touchscreen within the slot. The triggered behaviour depends on whether

the slot corresponds to a subtarget, a target, an option, or a write-in.

. 43 def activate(self, slot i):

When the writein member is not None, this means the user is currently

on a subpage. The touched slot index is treated as a subtarget index. The

action field of the subtarget determines the action to take: the values

from 0 through 5 correspond to APPEND, APPEND2, DELETE, CLEAR, CANCEL,

and ACCEPT.

44 if self.writein:

45 contest = self.model.contests[self.writein.contest i]

46 subpage = self.model.subpages[contest.subpage i]

47 subtarget = subpage.subtargets[slot i]

APPEND appends the selected character. APPEND2 appends the selected

character only if the write-in is not empty. In both cases the character is

only appended if the maximum length will not be exceeded.

48 if subtarget.action == 0 or subtarget.action == 1 and self.chars:

49 if len(self.chars) < contest.max chars:

50 self.chars += [subtarget.sprite i]

DELETE deletes the last entered character.

51 if subtarget.action == 2:

52 self.chars[-1:] = []

CLEAR clears all the entered characters.

53 if subtarget.action == 3:

54 self.chars = []

CANCEL cancels the write-in and exits the subpage. The write-in option

was already removed from the selection list upon entry to the subpage

(see line 85), so upon return to the original page, the write-in option will

be cleared and deselected.

55 if subtarget.action == 4:

56 self.goto(self.page i)

ACCEPT accepts the write-in and exits the subpage. The write-in sprite

and entered character sprites are placed into a list, and this list is added

to the selection list for this contest.

57 if subtarget.action == 5 and self.chars:

58 self.selections[self.writein.contest i] += [

59 [self.writein.sprite i] + self.chars]

60 self.goto(self.page i)

Ptouch source code 212

Page 226 of 324
Page 227 of 324

The rest of the cases cover user actions when the user is on an ordinary

page. The first case covers targets; the action field of the target can be

0, 1, or 2, corresponding to a plain transition, a transition with clearing

the selections in a contest, and a transition with clearing all the

selections in the entire ballot.

61 elif slot i < len(self.page.targets):

62 target = self.page.targets[slot i]

63 if target.action == 1:

64 self.selections[target.contest i] = []

65 if target.action == 2:

66 self.selections = [[] for contest in self.model.contests]

67 self.goto(target.page i)

The next case handles options. Touching an option toggles whether it is

selected, unless this would exceed the selection limit indicated by the

contest’s max sels field.

68 elif slot i < len(self.page.targets) + len(self.page.options):

69 option = self.page.options[slot i - len(self.page.targets)]

70 selections = self.selections[option.contest i]

71 contest = self.model.contests[option.contest i]

72 if [option.sprite i] in selections:

73 selections.remove([option.sprite i])

74 elif len(selections) < contest.max sels:

75 selections += [[option.sprite i]]

The only remaining case is that the user has touched a write-in. In this

case, slot i is used to find the appropriate write-in, and its contest’s

selection list is searched to see whether the write-in is already selected.

76 else:

77 slot i -= len(self.page.targets) + len(self.page.options)

78 for writein in self.page.writeins:

79 contest = self.model.contests[writein.contest i]

80 if slot i < 1 + contest.max chars:

81 selections = self.selections[writein.contest i]

82 for i, selection in enumerate(selections):

If the write-in is already selected, the write-in characters that were

previously entered need to be moved into the chars buffer so they will

appear on the subpage. The entry for this write-in in the selection list is

removed upon entry to the subpage; it will be added back if the user

decides to accept the write-in (see line 58).

83 if selection[0] == writein.sprite i:

84 self.writein, self.chars = writein, selection[1:]

85 selections[i:i + 1] = []

86 break

87

If the write-in is not selected, its subpage is simply activated.

88 else:

89 if len(selections) < contest.max sels:

90 self.writein = writein

91 break

92 slot i -= 1 + contest.max chars

The display is then updated to reflect the selection changes and/or

transition that were enacted in response to the user’s touch.

93 self.update()

Ptouch source code 213

Page 227 of 324
Page 228 of 324

Video.py

Video display control is provided by the pygame library.

1 from pygame import display, image, FULLSCREEN

The loadimage() function converts a string containing uncompressed

pixel data into a Pygame Image object.

2 def loadimage(i):

3 return image.fromstring(i.pixels, (i.width, i.height), ’RGB’)

The Video class is responsible for pasting full-screen images and sprites

onto the display, as well as translating touch locations into slot indices.

4 class Video:

The video driver is initialized with access to the image library section of

the ballot definition. It initializes the Pygame display and converts all the

images from raw data into Pygame Image objects.

. 5 def init (self, il):

6 display.init()

7 self.screen = display.set mode((il.width, il.height), FULLSCREEN)

8 self.backgrounds = [loadimage(l.background) for l in il.layouts]

9 self.layouts = [l.slots for l in il.layouts]

10 self.sprites = [loadimage(sprite) for sprite in il.sprites]

11 self.goto(0)

The goto() method switches to a given layout, which involves pasting

the layout’s background image over the entire screen. The slots

member always points to the current layout’s slots.

. 12 def goto(self, layout i):

13 self.slots = self.layouts[layout i]

14 self.screen.blit(self.backgrounds[layout i], (0, 0))

The paste() method pastes a given sprite into a given slot. The slot

coordinates come from the current layout.

. 15 def paste(self, sprite i, slot i):

16 slot = self.slots[slot i]

17 self.screen.blit(self.sprites[sprite i], (slot.left, slot.top))

The locate() method finds the slot index corresponding to a given

touch location. It returns the index of the first enclosing slot in the

current layout.

. 18 def locate(self, x, y):

19 for i, slot in enumerate(self.slots):

20 if slot.left <= x < slot.left + slot.width:

21 if slot.top <= y < slot.top + slot.height:

22 return i

Ptouch source code 214

Page 228 of 324
Page 229 of 324

Recorder.py

This Recorder module is responsible for recording the voter’s selections

in a tamper-evident, history-independent format.

1 import sha

2 class Recorder:

3

The Recorder object is initialized with access to the ballot definition so

it can compute a hash of the ballot data.

. 4 def init (self, ballot):

5 self.hash = sha.new(ballot.data).hexdigest()

The write() method does the real work of writing out the selections.

. 6 def write(self, selections):

7 file = open(’votes’, ’r+’)

First, the erased portion of the file is skipped. The four-byte sentinel

’\xff\xff\xff\xff’ signals the beginning of the unerased area.

8 while file.read(4) != ’\xff\xff\xff\xff’:

9 pass

Then all of the currently stored items are read into the items list. Each

item is stored as a block of data preceded with the length of the block as

a 4-byte unsigned integer. A zero signals that there are no more items.

10 items = []

11 size = getint(file)

12 while size:

13 items += [file.read(size)]

14 size = getint(file)

Each selection to be written is then encoded as a string of 4-byte

integers, preceded by the hash of the ballot definition. These strings are

gathered into the items list.

15 for i, contest in enumerate(selections):

16 for selection in contest:

17 item = self.hash + putint(i)

18 for n in selection:

19 item += putint(n)

20 items += [item]

Sorting the items list guarantees a history-independent result.

21 items.sort()

Ptouch source code 215

Page 229 of 324
Page 230 of 324

Next, the size of the region to erase is computed by adding up the

maximum possible lengths that each item could have used up, if the

items were each added one at a time.

22 start = 0

23 maxlength = max([len(item) for item in items] or [’’])

24 for i, item in enumerate(items):

25 start += 4 + (4 + maxlength)*i + 4

26

The file pointer is then moved to the correct starting location and the

new data is written, with the sentinel in front and a zero at the end.

27 file.write(’\0’*(start - file.tell()))

28 file.seek(start)

29 file.write(’\xff\xff\xff\xff’)

30 for item in items:

31 file.write(putint(len(item)) + item)

32 file.write(putint(0))

After the new data has been successfully written, the region in front of

the new data is erased, ensuring an atomic transition from the old data

to the new data.

33 file.seek(0)

34 file.write(’\0’*start)

The getint() function deserializes an unsigned 4-byte integer from a

stream.

35 def getint(stream):

36 bytes = [ord(char) for char in stream.read(4)]

37 return (bytes[0]<<24) + (bytes[1]<<16) + (bytes[2]<<8) + bytes[3]

The putint() function serializes an unsigned integer into a 4-byte

string.

38 def putint(n):

39 char = lambda n: chr(n & 255)

40 return char(n>>24) + char(n>>16) + char(n>>8) + char(n)

Ptouch source code 216

Page 230 of 324
Page 231 of 324

B Pvote source code

The following pages present the source code of Pvote,

consisting of seven modules:

• main.py

• Ballot.py

• verifier.py

• Navigator.py

• Audio.py

• Video.py

• Printer.py

Each line of code is numbered and printed in monospaced type.

42 self.bindings = get list(stream, Binding)

Defining occurrences of classes, methods, and functions appear

in bold.

127 def get enum(stream, cardinality):

Lines marked with a triangle are entry points into a module,

called from other modules. Functions and methods without a

triangle are called only from within the same module.

.48 def press(self, key):

The code is broken into sections, with explanatory text in grey

preceding each section.

Explanatory text looks like this.

Reviewers’ comments, from the Pvote security review, are

marked with bullets and shown in grey italic text after the

section to which they refer.

• Reviewers’ notes look like this.

217

Page 231 of 324
Page 232 of 324

main.py

This is the main Pvote program. It initializes the other software

components with the provided ballot definition file and then processes

incoming Pygame events in a non-terminating loop.

1 import Ballot, verifier, Audio, Video, Printer, Navigator, pygame

These two constants are the type IDs of user-defined events. An

AUDIO DONE event signals that an audio clip has finished playing. A

TIMER DONE event signals that a timed delay has elapsed.

2 AUDIO DONE = pygame.USEREVENT

3 TIMER DONE = pygame.USEREVENT + 1

Reviewers suggested that all constants be moved into a separate

module; thus, for example, both main.py and Audio.py would refer to

the same AUDIO DONE constant instead of redundantly defining it in

both files.

The following lines load the ballot definition, verify it, and then

instantiate the other parts of Pvote with their corresponding sections of

the ballot definition.

4 ballot = Ballot.Ballot(open(”ballot”))

5 verifier.verify(ballot)

6 audio = Audio.Audio(ballot.audio)

7 video = Video.Video(ballot.video)

8 printer = Printer.Printer(ballot.text)

9 navigator = Navigator.Navigator(ballot.model, audio, video, printer)

Pvote source code 218

Page 232 of 324
Page 233 of 324

This is the main event loop. The loop begins by updating the display to

match the framebuffer in memory, so that any display changes made

during the last iteration appear onscreen. The loop never exits.

10 while 1:

11 pygame.display.update()

On each iteration, one event is retrieved from Pygame’s event queue. A

timeout is scheduled before waiting for the event, so that if no events

occur in timeout ms milliseconds, a TIMER DONE event will be posted.

This timeout is then cancelled so that a timer event cannot occur while

other processing is taking place.

12 pygame.time.set timer(TIMER DONE, ballot.model.timeout ms)

13 event = pygame.event.wait()

14 pygame.time.set timer(TIMER DONE, 0)

Keypresses are handled by the navigator’s press() method. Touches on

the touchscreen are handled by looking for a corresponding target; if one

is found, the event is handled by the navigator’s touch() method.

15 if event.type == pygame.KEYDOWN:

16 navigator.press(event.key)

17 if event.type == pygame.MOUSEBUTTONDOWN:

18 [x, y] = event.pos

19 target i = video.locate(x, y)

20 if target i != None:

21 navigator.touch(target i)

The audio driver schedules an AUDIO DONE event to be posted whenever

an audio clip finishes playing. Upon receipt of such an event, the audio

driver’s next() method is called so that any audio clips waiting to be

played next can start playing.

22 if event.type == AUDIO DONE:

23 audio.next()

If a TIMER DONE event was received, that means there has been no user

activity for timeout ms milliseconds. It also means that no AUDIO DONE

event has occurred for timeout ms milliseconds, which means that

either the audio is silent or that a clip has been playing for longer than

timeout ms milliseconds. If the playing flag on the audio driver is

zero, that means the timeout period has elapsed since the last user input

occurred or last audio clip finished.

24 if event.type == TIMER DONE and not audio.playing:

25 navigator.timeout()

Pvote source code 219

Page 233 of 324
Page 234 of 324

Ballot.py

The Ballot module defines the ballot definition data structure. The

main program instantiates a Ballot object to deserialize the ballot data

from a file stream and construct the ballot definition data structure. All

the other classes in this module represent parts of the ballot definition;

each one deserializes its contents from the stream passed to its

constructor.

1 import sha

2 class Ballot:

. 3 def init (self, stream):

4 assert stream.read(8) == “Pvote\x00\x01\x00″

5 [self.stream, self.sha] = [stream, sha.sha()]

In order to produce a SHA-1 hash of all the ballot data, the Ballot object

passes self as the stream object to the other constructors. Its read

method allows it to proxy for the original stream, allowing it to

incorporate all the data into the hash as it passes through. After all four

parts of the ballot definition have been loaded, the last 20 bytes of the

stream are checked to ensure they match the hash.

6 self.model = Model(self)

7 self.text = Text(self)

8 self.audio = Audio(self)

9 self.video = Video(self)

10 assert self.sha.digest() == stream.read(20)

11 def read(self, length):

12 data = self.stream.read(length)

13 self.sha.update(data)

14 return data

Reviewers suggested that the read() method would make more sense

if moved into a separate object playing the role of the stream proxy,

instead of using the Ballot itself as the stream proxy. This change

would also prevent the sub-objects from having access to the

incompletely constructed Ballot object during construction.

Each remaining class loads its contents from the stream in a constructor

that parallels its data structure. These constructors instantiate other

classes to read single components from the stream, call get list() to

read a variable-length list of components from the stream, or call

get int(), get enum(), or get str() to deserialize primitive data

types from the stream.

15 class Model:

16 def init (self, stream):

17 self.groups = get list(stream, Group)

18 self.pages = get list(stream, Page)

19 self.timeout ms = get int(stream, 0)

20 class Group:

21 def init (self, stream):

22 self.max sels = get int(stream, 0)

23 self.max chars = get int(stream, 0)

24 self.option clips = get int(stream, 0)

25 self.options = get list(stream, Option)

Pvote source code 220

Page 234 of 324
Page 235 of 324

26 class Option:

27 def init (self, stream):

28 self.sprite i = get int(stream, 0)

29 self.clip i = get int(stream, 0)

30 self.writein group i = get int(stream, 1)

31 class Page:

32 def init (self, stream):

33 self.bindings = get list(stream, Binding)

34 self.states = get list(stream, State)

35 self.option areas = get list(stream, OptionArea)

36 self.counter areas = get list(stream, CounterArea)

37 self.review areas = get list(stream, ReviewArea)

38 class State:

39 def init (self, stream):

40 self.sprite i = get int(stream, 0)

41 self.segments = get list(stream, Segment)

42 self.bindings = get list(stream, Binding)

43 self.timeout segments = get list(stream, Segment)

44 self.timeout page i = get int(stream, 1)

45 self.timeout state i = get int(stream, 0)

46 class OptionArea:

47 def init (self, stream):

48 self.group i = get int(stream, 0)

49 self.option i = get int(stream, 0)

50 class CounterArea:

51 def init (self, stream):

52 self.group i = get int(stream, 0)

53 self.sprite i = get int(stream, 0)

54 class ReviewArea:

55 def init (self, stream):

56 self.group i = get int(stream, 0)

57 self.cursor sprite i = get int(stream, 1)

58 class Binding:

59 def init (self, stream):

60 self.key = get int(stream, 1)

61 self.target i = get int(stream, 1)

62 self.conditions = get list(stream, Condition)

63 self.steps = get list(stream, Step)

64 self.segments = get list(stream, Segment)

65 self.next page i = get int(stream, 1)

66 self.next state i = get int(stream, 0)

67 class Condition:

68 def init (self, stream):

69 self.predicate = get enum(stream, 3)

70 self.group i = get int(stream, 1)

71 self.option i = get int(stream, 0)

72 self.invert = get enum(stream, 2)

73 class Step:

74 def init (self, stream):

75 self.op = get enum(stream, 5)

76 self.group i = get int(stream, 1)

77 self.option i = get int(stream, 0)

Pvote source code 221

Page 235 of 324
Page 236 of 324

78 class Segment:

79 def init (self, stream):

80 self.conditions = get list(stream, Condition)

81 self.type = get enum(stream, 5)

82 self.clip i = get int(stream, 0)

83 self.group i = get int(stream, 1)

84 self.option i = get int(stream, 0)

85 class Text:

86 def init (self, stream):

87 self.groups = get list(stream, TextGroup)

88 class TextGroup:

89 def init (self, stream):

90 self.name = get str(stream)

91 self.writein = get enum(stream, 2)

92 self.options = get list(stream, get str)

93 class Audio:

94 def init (self, stream):

95 self.sample rate = get int(stream, 0)

96 self.clips = get list(stream, Clip)

The Clip type contains the waveform data for an audio clip, which

resides in a single Python string. In a serialized ballot definition, the

number of samples is stored preceding the audio data. Since each sample

is a 16-bit value, the number of bytes to read is twice the number of

samples.

97 class Clip:

98 def init (self, stream):

99 self.samples = stream.read(get int(stream, 0)*2)

100 class Video:

101 def init (self, stream):

102 self.width = get int(stream, 0)

103 self.height = get int(stream, 0)

104 self.layouts = get list(stream, Layout)

105 self.sprites = get list(stream, Image)

106 class Layout:

107 def init (self, stream):

108 self.screen = Image(stream)

109 self.targets = get list(stream, Rect)

110 self.slots = get list(stream, Rect)

An Image object contains the pixel data for an image, which resides in a

single Python string. In serialized form, the image’s width and height are

stored preceding the pixel data, which contains three bytes per pixel (one

byte each for the red, green, and blue components).

111 class Image:

112 def init (self, stream):

113 self.width = get int(stream, 0)

114 self.height = get int(stream, 0)

115 self.pixels = stream.read(self.width*self.height*3)

116 class Rect:

117 def init (self, stream):

118 self.left = get int(stream, 0)

119 self.top = get int(stream, 0)

120 self.width = get int(stream, 0)

121 self.height = get int(stream, 0)

Pvote source code 222

Page 236 of 324
Page 237 of 324

The get int() function reads an unsigned 4-byte integer from the

stream. The allow none argument is a flag specifying whether the

returned value can be None, which is represented by the sequence

“\xff\xff\xff\xff”. This function ensures that the data meets the

constraints given in the assurance document—namely, that the value is

between 0 and 231 − 1 inclusive, or None only for fields that allow it.

122 def get int(stream, allow none):

123 [a, b, c, d] = list(stream.read(4))

124 if ord(a) < 128:

125 return ord(a)*16777216 + ord(b)*65536 + ord(c)*256 + ord(d)

126 assert allow none and a + b + c + d == “\xff\xff\xff\xff”

• Reviewers suggested that it would be clearer to have two separate

methods (for reading an integer and reading an integer-or-None)

instead of using get int() for both purposes.

• Reviewers agreed that there should be an explicit return None

statement to show that None is the intended return value.

The get enum() function reads an enumerated type from the stream,

which is represented the same way as an integer. The second argument

gives the cardinality of the enumeration, which is used to ensure the

validity of the returned value.

127 def get enum(stream, cardinality):

128 value = get int(stream, 0)

129 assert value < cardinality

130 return value

• Reviewers suggested that it would be clearer to have two separate

methods for reading Boolean values and enumerated values, instead of

using get enum(stream, 2) to read Boolean values.

The get str() function reads a string from the stream, which is

represented as a sequence of bytes prefixed by the length as a 4-byte

integer. This function checks that all the characters in the string fall in

the printable ASCII range, so they will print out in a predictable way. The

tilde character (number 126) is specifically excluded to avoid any

ambiguity in the printed output, because the tilde is used as a delimiter.

131 def get str(stream):

132 str = stream.read(get int(stream, 0))

133 for ch in list(str):

134 assert 32 <= ord(ch) <= 125

135 return str

Reviewers suggested that the condition in line 134 would be easier to

understand if it were written isprint(ch) and ch != ’~’.

The get list() function reads a variable-length list of data structures

from the stream, all of a particular given class. In Python (and Pthin),

classes are first-class objects and can be passed as arguments. In

serialized form, the list is preceded by a 4-byte integer indicating how

many elements to read.

136 def get list(stream, Class):

137 return [Class(stream) for i in range(get int(stream, 0))]

Pvote source code 223

Page 237 of 324
Page 238 of 324

verifier.py

The verifier module contains only one entry point, verify(), whose

responsibility is to abort the program if the ballot definition is not

well-formed. The intention is that, if execution continues after a call to

verify(), it should never abort thereafter—that is: (a) verify() checks

all the assumptions about the ballot definition upon which the rest of

Pvote relies; and (b) the contents of the ballot definition data structures

are never changed after verify() is called.

. 1 def verify(ballot):

2 [groups, sprites] = [ballot.model.groups, ballot.video.sprites]

option sizes contains one list corresponding to each group; it will

collect all the sprites for the options in that group and all the slots in

which such options could be pasted (in option areas and review areas).

char sizes also contains one list for each group; it will collect all the

sprites for characters corresponding to write-in options in the group, as

well as all the slots in which such characters could be pasted (in review

areas). These lists will later be checked to ensure that the sizes of all

sprites match the sizes of all the slots into which they could be pasted.

3 option sizes = [[] for group in groups]

4 char sizes = [[] for group in groups]

The following lines ensure that the parallel arrays have matching size. It

also makes sure that they are also nonempty; for example, the navigator

assumes that there is at least one page when it starts up with a transition

to page 0.

5 assert len(ballot.model.groups) == len(ballot.text.groups) > 0

6 assert len(ballot.model.pages) == len(ballot.video.layouts) > 0

For each page, the list of bindings are checked. Each page also has to

have at least one state.

7 for [page i, page] in enumerate(ballot.model.pages):

8 layout = ballot.video.layouts[page i]

9 for binding in page.bindings:

10 verify binding(ballot, page, binding)

11 assert len(page.states) > 0

For each state, the segments and bindings are checked. The sprite is

checked to make sure it exactly fills its slot, and the timeout transition is

also checked for validity.

12 for [state i, state] in enumerate(page.states):

13 verify size(sprites[state.sprite i], layout.slots[state i])

14 verify segments(ballot, page, state.segments)

15 for binding in state.bindings:

16 verify binding(ballot, page, binding)

17 verify segments(ballot, page, state.timeout segments)

18 verify goto(ballot, state.timeout page i, state.timeout state i)

19 slot i = len(page.states)

Pvote source code 224

Page 238 of 324
Page 239 of 324

Each option area is checked for a valid option reference, and the option

slots are gathered into the appropriate array for later size checking.

20 for area in page.option areas:

21 verify option ref(ballot, page, area)

22 option sizes[area.group i].append(layout.slots[slot i])

23 slot i = slot i + 1

For each counter area, all the possible sprites that could be pasted are

checked to ensure they exactly fill the slot.

24 for area in page.counter areas:

25 for i in range(groups[area.group i].max sels + 1):

26 verify size(sprites[area.sprite i + i], layout.slots[slot i])

27 slot i = slot i + 1

For each review area, the slots for options and characters are gathered

into the appropriate array for later size checking. If there is a cursor

sprite, its size is expected to match the option slots as well.

28 for area in page.review areas:

29 for i in range(groups[area.group i].max sels):

30 option sizes[area.group i].append(layout.slots[slot i])

31 slot i = slot i + 1

32 for j in range(groups[area.group i].max chars):

33 char sizes[area.group i].append(layout.slots[slot i])

34 slot i = slot i + 1

35 if area.cursor sprite i != None:

36 option sizes[area.group i].append(sprites[area.cursor sprite i])

The sprites for all the options and characters are gathered into the

appropriate arrays. The audio clip indices for the options are ensured to

be within range. For write-in options, the number of allowed write-in

characters in the parent group is checked to ensure it matches the

number of allowed selections in the write-in group; thus, all the write-in

options in a group are required to accept the same number of characters.

Write-in groups are not themselves allowed to contain write-ins.

37 for [group i, group] in enumerate(groups):

38 for option in group.options:

39 option sizes[group i].append(sprites[option.sprite i])

40 option sizes[group i].append(sprites[option.sprite i + 1])

41 assert group.option clips > 0

42 ballot.audio.clips[option.clip i + group.option clips - 1]

43 if option.writein group i != None:

44 writein group = groups[option.writein group i]

45 assert writein group.max chars == 0

46 assert writein group.max sels == group.max chars > 0

47 for option in writein group.options:

48 char sizes[group i].append(sprites[option.sprite i])

The sprites and slots that have been collected for each group are now

checked to ensure they all have matching sizes.

49 for object in option sizes[group i]:

50 verify size(object, option sizes[group i][0])

51 for object in char sizes[group i]:

52 verify size(object, char sizes[group i][0])

Pvote source code 225

Page 239 of 324
Page 240 of 324

The text section is checked to ensure that every option has a name, and

ensure that the group names and option names have reasonable lengths

that will print properly.

53 for [group i, group] in enumerate(ballot.text.groups):

54 assert len(group.name) <= 50

55 assert len(group.options) == len(groups[group i].options)

56 for option in group.options:

57 assert len(option) <= 50

Every audio clip is checked to ensure that it has nonzero length. There is

no Pvote code that relies on this property; Pygame has the an

unfortunate limitation that the audio system will abort if asked to play a

zero-length sound.

58 for clip in ballot.audio.clips:

59 assert len(clip.samples) > 0

Finally, the video section is checked. The background images must match

the screen size, all the slots and targets must fit entirely onscreen, and

the image data for each sprite must match the sprite’s claimed

dimensions.

60 assert ballot.video.width*ballot.video.height > 0

61 for layout in ballot.video.layouts:

62 verify size(layout.screen, ballot.video)

63 for rect in layout.targets + layout.slots:

64 assert rect.left + rect.width <= ballot.video.width

65 assert rect.top + rect.height <= ballot.video.height

66 for sprite in ballot.video.sprites:

67 assert len(sprite.pixels) == sprite.width*sprite.height*3 > 0

The verify binding() function checks that a binding is well-formed by

inspecting each of its parts: its list of conditions, its list of steps, its list

of audio segments, and its transition.

68 def verify binding(ballot, page, binding):

69 for condition in binding.conditions:

70 verify option ref(ballot, page, condition)

71 for step in binding.steps:

72 verify option ref(ballot, page, step)

73 verify segments(ballot, page, binding.segments)

74 verify goto(ballot, binding.next page i, binding.next state i)

The verify goto() function checks that the page index and state index

for a transition are within range. None is an allowed value for the page

index.

75 def verify goto(ballot, page i, state i):

76 if page i != None:

77 ballot.model.pages[page i].states[state i]

Pvote source code 226

Page 240 of 324
Page 241 of 324

The verify segments() function checks that a list of segments is

well-formed. It inspects each segment’s list of conditions and, based on

the segment type, ensures that all the possible corresponding indices of

audio clips are within range.

78 def verify segments(ballot, page, segments):

79 for segment in segments:

80 for condition in segment.conditions:

81 verify option ref(ballot, page, condition)

82 ballot.audio.clips[segment.clip i]

83 if segment.type in [1, 2, 3, 4]:

84 group = verify option ref(ballot, page, segment)

85 if segment.type in [1, 2]:

86 assert segment.clip i < group.option clips

87 if segment.type in [3, 4]:

88 ballot.audio.clips[segment.clip i + group.max sels]

Reviewers wanted to see meaningfully named constants here for the

enumerated values. They recommended that all the enumerated value

constants should be pulled out into a separate module—thus, for

example, the above code and the navigator code would refer to the

same set of SG * constants.

The verify option ref() function checks the validity of an (indirect

or direct) option reference in a condition, step, or segment—all of these

types have a group i field and an option i field. If the group i field is

None, then option i must be the index of a valid option area on the

current page. Otherwise, group i and option i must be valid group

and option indices respectively. The group object is returned as a

convenience for verify segments(), which uses the group object for

other checks.

89 def verify option ref(ballot, page, object):

90 if object.group i == None:

91 area = page.option areas[object.option i]

92 return ballot.model.groups[area.group i]

93 ballot.model.groups[object.group i].options[object.option i]

94 return ballot.model.groups[object.group i]

The verify size() function ensures that two objects (sprites or slots)

have the same dimensions.

95 def verify size(a, b):

96 assert a.width == b.width and a.height == b.height

Pvote source code 227

Page 241 of 324
Page 242 of 324

Navigator.py

The first three lines set up constants corresponding to the three

enumerated types in the ballot model definition: OP * for step types,

SG * for audio segment types, and PR * for predicates in conditions.

1 [OP ADD, OP REMOVE, OP APPEND, OP POP, OP CLEAR] = range(5)

2 [SG CLIP, SG OPTION, SG LIST SELS, SG COUNT SELS, SG MAX SELS] = range(5)

3 [PR GROUP EMPTY, PR GROUP FULL, PR OPTION SELECTED] = range(3)

The navigator is initialized with access to the ballot model data

structure, audio driver, video driver, and printing module. It saves these

references locally, initializes an empty selection state, and begins the

voting session by transitioning to state 0 of page 0.

4 class Navigator:

. 5 def init (self, model, audio, video, printer):

6 self.model = model

7 [self.audio, self.video, self.printer] = [audio, video, printer]

8 self.selections = [[] for group in model.groups]

9 self.page i = None

10 self.goto(0, 0)

The goto() method transitions to a given state and page. It is called by

invoke() and timeout(). If the transition goes to the last page, the

voter’s selections are committed. Any state transition (even a transition

back to the current state) triggers the playback of the state’s audio

segments; the play() method queues the audio instantaneously for later

playback. In the ballot definition, page i can be None to indicate that no

transition should occur; that case is accepted and handled here. Other

methods rely on goto() to always update the video display with a call to

update(), even if no state transition occurs.

11 def goto(self, page i, state i):

12 if page i != None and self.page i != len(self.model.pages) - 1:

13 if page i == len(self.model.pages) - 1:

14 self.printer.write(self.selections)

15 [self.page i, self.page] = [page i, self.model.pages[page i]]

16 [self.state i, self.state] = [state i, self.page.states[state i]]

17 self.play(self.state.segments)

18 self.update()

Reviewers found the logic of line 12 confusing, as it combines the “no

transition” condition with the “already committed” condition. They all

agreed that the navigator should have a flag that indicates whether

the votes have already been committed, and a separate method that

commits the votes and sets the flag. They also suggested that, to make

the commit condition more obvious, the navigator should start on page

1 and always commit on page 0.

Pvote source code 228

Page 242 of 324
Page 243 of 324

The update() method updates the video display based on the current

page, state, and selections. It tells the video driver to paste the page’s

background image over the entire screen, then lay the state’s sprite on

top of that, and finally fills in any option areas, counter areas, and review

areas on the page, in that order. The indices of the slots are assumed to

be arranged in sequential order, as described in Chapter 7; hence the

variable slot i is incremented in each loop and carried forward to the

next loop. Because review areas occupy a variable number of slots

depending on their group, the review area loop relies on the review()

method to return an appropriately incremented value for slot i.

19 def update(self):

20 self.video.goto(self.page i)

21 self.video.paste(self.state.sprite i, self.state i)

22 slot i = len(self.page.states)

23 for area in self.page.option areas:

24 unselected = area.option i not in self.selections[area.group i]

25 group = self.model.groups[area.group i]

26 option = group.options[area.option i]

27 self.video.paste(option.sprite i + unselected, slot i)

28 slot i = slot i + 1

29 for area in self.page.counter areas:

30 count = len(self.selections[area.group i])

31 self.video.paste(area.sprite i + count, slot i)

32 slot i = slot i + 1

33 for area in self.page.review areas:

34 slot i = self.review(area.group i, slot i, area.cursor sprite i)

The review() method fills in the appropriate sprites for a review area.

The arguments group i and cursor sprite i are parameters of the

review area; slot i should be the index of the review area’s first slot.

The main loop always runs group.max sels times to ensure that

slot i cannot go out of range, and that slot i is incremented by the

correct amount: max sels × (1 + max chars). Each selected option is

pasted into a slot, and then, if the option is a write-in option, a recursive

call to review() fills in the characters of the write-in. If a cursor sprite is

given, it is pasted into the slot just after the last selected option.

35 def review(self, group i, slot i, cursor sprite i):

36 group = self.model.groups[group i]

37 selections = self.selections[group i]

38 for i in range(group.max sels):

39 if i < len(selections):

40 option = group.options[selections[i]]

41 self.video.paste(option.sprite i, slot i)

42 if option.writein group i != None:

43 self.review(option.writein group i, slot i + 1, None)

44 if i == len(selections) and cursor sprite i != None:

45 self.video.paste(cursor sprite i, slot i)

46 slot i = slot i + 1 + group.max chars

47 return slot i

• The reviewers generally found this method to be the most confusing

part of the source code, because of its use of recursion and the

arithmetic involved in determining slot i. They suggested splitting

this into two methods such as review contest() and

review writein(); review contest() would call

review writein() when necessary. Even though there would be

substantial duplication between the two methods, the reviewers felt

that eliminating recursion was more important.

Pvote source code 229

Page 243 of 324
Page 244 of 324

The press() and touch() methods handle incoming events from the

main loop: press() handles keypresses and touch() handles screen

touches. Both methods scan through the bindings of the current state

and page, searching for a binding that matches the pressed key or

touched target and whose conditions are all satisfied. The first such

binding (and only the first such binding) is invoked with a call to the

invoke() method.

. 48 def press(self, key):

49 for binding in self.state.bindings + self.page.bindings:

50 if key == binding.key and self.test(binding.conditions):

51 return self.invoke(binding)

. 52 def touch(self, target i):

53 for binding in self.state.bindings + self.page.bindings:

54 if target i == binding.target i and self.test(binding.conditions):

55 return self.invoke(binding)

• Reviewers felt the method names press() and touch() were too

similar and could be made clearer.

The test() method evaluates a list of conditions and returns 1 only if all

the conditions are met. Each of the three predicate types is evaluated in a

separate clause; the cond.invert flag indicates whether to invert the

sense of an individual predicate.

56 def test(self, conditions):

57 for cond in conditions:

58 [group i, option i] = self.get option(cond)

59 if cond.predicate == PR GROUP EMPTY:

60 result = len(self.selections[group i]) == 0

61 if cond.predicate == PR GROUP FULL:

62 max = self.model.groups[group i].max sels

63 result = len(self.selections[group i]) == max

64 if cond.predicate == PR OPTION SELECTED:

65 result = option i in self.selections[group i]

66 if cond.invert == result:

67 return 0

68 return 1

Reviewers felt the comparison of Boolean values on line 66 was “just

too clever for its own good.” They agreed that lines 66 and 67 could

have been more clearly written as

if cond.invert:

result = not result

if not result:

return 0

to show that cond.invert reverses the sense of the condition and that

the loop body returns 0 only when the condition is not met.

The invoke() method invokes a binding. The steps of the action are

carried out, then the audio for the binding is queued, and finally the

state transition, if any, takes place. (The goto() method handles the case

where next page i is None.) Invoking a binding always interrupts any

currently playing audio.

69 def invoke(self, binding):

70 for step in binding.steps:

71 self.execute(step)

72 self.audio.stop()

73 self.play(binding.segments)

74 self.goto(binding.next page i, binding.next state i)

Pvote source code 230

Page 244 of 324
Page 245 of 324

The execute() method executes a single step, which operates on the

selection state. It is responsible for ensuring that invalid selection states

are never reached.

75 def execute(self, step):

76 [group i, option i] = self.get option(step)

77 group = self.model.groups[group i]

78 selections = self.selections[group i]

79 selected = option i in selections

80 if step.op == OP ADD and not selected or step.op == OP APPEND:

81 if len(selections) < group.max sels:

82 selections.append(option i)

83 if step.op == OP REMOVE and selected:

84 selections.remove(option i)

85 if step.op == OP POP and len(selections) > 0:

86 selections.pop()

87 if step.op == OP CLEAR:

88 self.selections[group i] = []

Reviewers felt the Boolean expression on line 80 should be clarified

with parentheses.

• Reviewers found the execute() method more confusing than

necessary because it uses both the list self.selections and a local

variable selections that aliases a part of it. Mixing these two ways of

accessing the list makes it harder to reason about the code, because

each could have side-effects on the other. The method would be easier

to verify if it always accessed the list through just self.selections

or just selections.

• Reviewers felt the method names invoke() and execute() were too

similar and could be made clearer.

The timeout() method handles an inactivity timeout. It is called by the

main event loop.

. 89 def timeout(self):

90 self.play(self.state.timeout segments)

91 self.goto(self.state.timeout page i, self.state.timeout state i)

Pvote source code 231

Page 245 of 324
Page 246 of 324

The play() method plays a list of audio segments. Its job is to translate

a list of segments into a sequence of audio clip indices, and send these

indices to the audio driver to be queued for playing. Each segment’s

conditions are checked; if the conditions are met, the corresponding clip

index (or indices) are sent to the audio driver. After the clips are queued,

play() returns immediately; it does not wait for the audio to finish

playing, or even to start playing.

92 def play(self, segments):

93 for segment in segments:

94 if self.test(segment.conditions):

95 if segment.type == SG CLIP:

96 self.audio.play(segment.clip i)

97 else:

98 [group i, option i] = self.get option(segment)

99 group = self.model.groups[group i]

100 selections = self.selections[group i]

101 if segment.type == SG OPTION:

102 self.play option(group.options[option i], segment.clip i)

103 if segment.type == SG LIST SELS:

104 for option i in selections:

105 self.play option(group.options[option i], segment.clip i)

106 if segment.type == SG COUNT SELS:

107 self.audio.play(segment.clip i + len(selections))

108 if segment.type == SG MAX SELS:

109 self.audio.play(segment.clip i + group.max sels)

The play option() method sends audio clips for a given option to the

audio driver. There can be multiple clips associated with each option, as

dictated by the option clips field of its containing group; the offset

argument selects which one to play. For a write-in option, this entails

playing, in sequence, all the audio clips for the characters in the write-in.

Write-in characters are assumed to have only one clip each.

110 def play option(self, option, offset):

111 self.audio.play(option.clip i + offset)

112 if option.writein group i != None:

113 writein group = self.model.groups[option.writein group i]

114 for option i in self.selections[option.writein group i]:

115 self.audio.play(writein group.options[option i].clip i)

The get option() method is used by test(), execute(), and play()

to determine the specific group and option for a condition, step, or

segment respectively. Conditions, steps, and segments all have fields

named group i and option i that can refer to an option either directly

or indirectly. When group i is None, it’s an indirect reference: option i

is the index of an option area on the current page. When group i is not

None, it’s a direct reference: group i and option i specify the intended

option.

116 def get option(self, object):

117 if object.group i == None:

118 area = self.page.option areas[object.option i]

119 return [area.group i, area.option i]

120 return [object.group i, object.option i]

Pvote source code 232

Page 246 of 324
Page 247 of 324

Audio.py

Audio playback is provided by the pygame library.

1 import pygame

Pygame is based on an event-loop control model. Instead of invoking

callbacks, Pygame queues events for processing by the application. Each

event has an integer type ID, and Pygame supports user-defined events

with type IDs equal to pygame.USEREVENT or higher. This module uses

AUDIO DONE for signalling when an audio clip has finished playing.

2 AUDIO DONE = pygame.USEREVENT

Reviewers suggested that constants like these all be collected in a

separate module, and that main.py and Audio.py refer to the same

AUDIO DONE constant instead of redundantly defining it in both files.

The Audio class is responsible for maintaining a queue of audio clips and

causing them to be played in sequence. It ensures that only one clip is

playing at a time, and that all the clips are played back one after another

until the queue is empty.

3 class Audio:

The audio driver is initialized with access to the audio section of the

ballot definition. It initializes the Pygame audio mixer and converts all

the audio clips from raw data into Pygame Sound objects. The playing

flag is exposed to the main program; it indicates whether or not audio is

currently playing.

. 4 def init (self, audio):

5 rate = audio.sample rate

6 pygame.mixer.init(rate, -16, 0)

7 self.clips = [make sound(rate, clip.samples) for clip in audio.clips]

8 [self.queue, self.playing] = [[], 0]

The play() method puts a single audio clip on the queue. If nothing is

currently playing, playback of the given audio clip immediately begins.

. 9 def play(self, clip i):

10 self.queue.append(clip i)

11 if not self.playing:

12 self.next()

The next() method takes the next available audio clip off of the queue

and starts playing it. The AUDIO DONE event is scheduled to be posted

when the audio clip finishes playing. The playing member is set to a

nonzero value if and only if an audio clip is playing.

. 13 def next(self):

14 self.playing = len(self.queue)

15 if len(self.queue):

16 self.clips[self.queue.pop(0)].play().set endevent(AUDIO DONE)

The stop() method stops audio playback and cancels pending audio.

. 17 def stop(self):

18 self.queue = []

19 pygame.mixer.stop()

Pvote source code 233

Page 247 of 324
Page 248 of 324

The make sound() function converts a string of audio data into a

Pygame Sound object. Because Pygame only knows how to load sounds

from files, and the only uncompressed sound format that Pygame

accepts is the Microsoft WAVE format, we have to construct a fake file

object with a WAVE file header. The header always specifies no

compression, monaural audio, and signed 16-bit samples.

20 def make sound(rate, data):

21 [comp channels, sample size] = [”\x01\x00\x01\x00″, “\x02\x00\x10\x00″]

22 fmt = comp channels + put int(rate) + put int(rate*2) + sample size

23 file = chunk(”RIFF”, “WAVE” + chunk(”fmt “, fmt) + chunk(”data”, data))

24 return pygame.mixer.Sound(Buffer(file))

The chunk() function creates a RIFF chunk, which consists of a 4-byte

type code and a 4-byte length followed by a string of data.

25 def chunk(type, contents):

26 return type + put int(len(contents)) + contents

The put int() function converts an integer into a 4-byte big-endian

representation.

27 def put int(n):

28 [a, b, c, d] = [n/16777216, n/65536, n/256, n]

29 return chr(d % 256) + chr(c % 256) + chr(b % 256) + chr(a % 256)

The Buffer class is a thin wrapper that makes a string look like a

readable file. make sound() wraps this class around the WAVE formatted

audio data so it can be passed to Pygame to create a Sound object.

30 class Buffer:

31 def init (self, data):

32 [self.data, self.pos] = [data, 0]

33 def read(self, length):

34 self.pos = self.pos + length

35 return self.data[self.pos - length:self.pos]

Pvote source code 234

Page 248 of 324
Page 249 of 324

Video.py

Video display control is provided by the pygame library.

1 import pygame

The make image() function converts a string containing uncompressed

pixel data into a Pygame Image object.

2 def make image(im):

3 return pygame.image.fromstring(im.pixels, (im.width, im.height), “RGB”)

The Video class is responsible for pasting full-screen images and sprites

onto the display, as well as translating touch locations into target indices.

4 class Video:

The video driver is initialized with access to the video section of the

ballot definition. It initializes the Pygame display and converts all the

images from raw data into Pygame Image objects. The video driver keeps

a pointer to the current layout in its layout member so it can look up

slots and targets for the current page.

. 5 def init (self, video):

6 size = [video.width, video.height]

7 self.surface = pygame.display.set mode(size, pygame.FULLSCREEN)

8 self.layouts = video.layouts

9 self.screens = [make image(layout.screen) for layout in video.layouts]

10 self.sprites = [make image(sprite) for sprite in video.sprites]

11 self.goto(0)

The goto() method switches to a given layout, which involves pasting

the layout’s background image over the entire screen.

. 12 def goto(self, layout i):

13 self.layout = self.layouts[layout i]

14 self.surface.blit(self.screens[layout i], [0, 0])

The paste() method pastes a given sprite into a given slot. The slot

coordinates are looked up in the current layout.

. 15 def paste(self, sprite i, slot i):

16 slot = self.layout.slots[slot i]

17 self.surface.blit(self.sprites[sprite i], [slot.left, slot.top])

The locate() method finds the target index corresponding to a given

touch location. It returns the index of the first enclosing target in the

current layout.

. 18 def locate(self, x, y):

19 for [i, target] in enumerate(self.layout.targets):

20 if target.left <= x and x < target.left + target.width:

21 if target.top <= y and y < target.top + target.height:

22 return i

Pvote source code 235

Page 249 of 324
Page 250 of 324

Printer.py

The Printer class commits the voter’s selections by printing them out.

(Other vote-recording mechanisms could be substituted for this module.)

It is initialized with access to the text section of the ballot definition.

1 class Printer:

2 def init (self, text):

3 self.text = text

The write() method does the printing, assuming that the standard

output stream is connected to a printer. To prevent any possibility of

ambiguous output, the first character of every printed line indicates its

purpose, and lines never wrap. An asterisk (*) marks a contest, and a

minus sign (-) marks an option. A plus sign (+) marks a write-in group,

and an equals sign (=) marks the text of the write-in. A tilde (~) is printed

after the name of each write-in character because characters can have

names of any length (a feature intended to let ASCII printouts describe

write-ins containing non-ASCII characters.) A tilde on a line by itself

marks the end of the printout. Here is an example of a printout:

* Governor

- Peter Miguel Camejo

* Secretary of State ~ NO SELECTION

* Member of City Council

- William “Bill” G. Glynn

- Write-in 1

+ Member of City Council, Write-in 1

= S~T~E~P~H~E~N~ ~H~A~W~K~I~N~G~

* Proposition 1A

- Yes

~

. 4 def write(self, selections):

5 for [group i, selection] in enumerate(selections):

6 group = self.text.groups[group i]

7 if group.writein:

8 if len(selection):

9 print “\n+ ” + group.name

10 line = “”

11 for option i in selection:

12 if len(line) + len(group.options[option i]) + 1 > 60:

13 print “= ” + line

14 line = “”

15 line = line + group.options[option i] + “~”

16 print “= ” + line

17 else:

18 if len(selection):

19 print “\n* ” + group.name

20 for [option i, option] in enumerate(group.options):

21 if option i in selection:

22 print “- ” + option

23 else:

24 print “\n* ” + group.name + ” NO SELECTION”

25 print “\n~\f”

Pvote source code 236

Page 250 of 324
Page 251 of 324

C Sample Pvote ballot definition

This appendix describes the construction of a ballot definition

file for Pvote (the same ballot file mentioned on page 133). It is

based on ballot style #167 for the November 2006 election in

Contra Costa County, California. The paper ballot has 16

elected offices, 12 judicial confirmations, and 16 referenda.

This ballot definition just contains the first two state offices

(Governor and Secretary of State), one local office (City Council),

and two state measures (Propositions 1A and 1B).

This sample ballot definition is not intended to serve as an

example of optimally usable or optimally accessible ballot

design. It is merely intended to demonstrate a few different

interaction models that are achievable with Pvote, and to make

a plausible case that it is possible to design a single ballot

definition file that works for voters who use only the visual

interface, voters who use only the audio interface, or voters who

use the visual and audio interfaces together.

Audio messages are shown in a sans-serif typeface. Boxes

indicate variable parts of the message. When a series of boxes

are joined by dashes, one box in the series is played depending

on the voter’s current selections. A box can also contain text in

italics describing the message to be played. Here is an example:

Please vote for one. No choices are currently selected.

Your current selection is list of selected options .

The above describes an audio message consisting of:

• First, the spoken message “Please vote for one.”

• Then, either the spoken message “No choices are currently

selected.” or the message “Your current selection is.”

• Finally, a spoken list of the selected options.

237

Page 251 of 324
Page 252 of 324

There are 10 groups and 17 pages in this ballot definition. The groups are as follows.

Group 0. This is the contest for Governor, with max sels = 1, max chars = 25, and

option clips = 2. It contains 7 options. There are two sprites for each option:

Each option has two associated audio clips, for a short and a long spoken description. For

example, option 0 has the two clips:

• Phil Angelides

• Phil Angelides. Democratic Party. Treasurer of the State of California.

The last option, option 6, has writein group = 1; the rest have writein group = None.

Group 1. This is the write-in group for the Governor contest, with max sels = 25,

max chars = 0, and option clips = 1. It has 29 options, with the sprites:

Each option has one associated audio clip with the name of the character (the names of

the letters of the alphabet and the spoken words “hyphen”, “apostrophe”, and “space”).

Sample Pvote ballot definition 238

Page 252 of 324
Page 253 of 324

Group 2. This is the contest for Secretary of State, with max sels = 1, max chars = 25,

and option clips = 2. It contains 7 options, with two sprites for each option:

Just as in group 0, each option has two associated audio clips giving a short and a long

spoken description. The last option, option 6, has writein group = 3; the rest have

writein group = None.

Group 3. This is the write-in group for the Secretary of State contest, with max sels = 25,

max chars = 0, and option clips = 1. It has the same options as group 1.

Group 4. This is the contest for City Council, with max sels = 3, max chars = 25, and

option clips = 2. It contains 8 options, with two sprites for each option:

Sample Pvote ballot definition 239

Page 253 of 324
Page 254 of 324

Just as in groups 0 and 2, each option has two associated audio clips giving a short and a

long spoken description. Each of the last three options has its own write-in group: option

5 has writein group = 5, option 6 has writein group = 6, and option 7 has

writein group = 7. The rest of the options have writein group = None.

Groups 5, 6, and 7. These are the write-in groups for the three write-in options in the City

Council contest. All of them have max sels = 25, max chars = 0, option clips = 1, and

the same options as group 1.

Group 8. This is the contest for Proposition 1A, with max sels = 1, max chars = 0, and

option clips = 2. It contains 2 options, with two sprites for each option:

Option 0 has two audio clips that both say “yes”; option 1 has two audio clips that both

say “no”. (The redundant audio clips are unnecessary; this is just due to the current ballot

compiler’s assumption that every option has a short and a long audio description.) Both

options have writein group = None.

Group 9. This is the contest for Proposition 1B, with max sels = 1, max chars = 0, and

option clips = 2. It contains the same options as group 8.

Sample Pvote ballot definition 240

Page 254 of 324
Page 255 of 324

Page 0. This is the screen image for layout 0.

Page 0 has just one state, state 0, with the following audio message:

This is the General Election for Tuesday, November 7, 2006, Contra Costa County,

California. To begin, touch NEXT in the lower-right corner of the screen. There is also

a number keypad directly below the screen. The numbers are arranged like a

telephone, with 1, 2, and 3 in the top row, 4, 5, and 6 in the second row, 7, 8, and 9 in

the third row, and 0 in the bottom row. To begin, press 6.

There is a target positioned over the NEXT button; the 6 key and this target are both

bound to a transition to page 1. (When no state is mentioned, state 0 is implied.)

Throughout the ballot, the arrangement of keypad controls is loosely associated with

directional movement. The 4 and 6 keys (left and right) always navigate to the previous

and next page; the 2 and 8 keys (up and down) navigate to the previous and next item on

the page; and the 5 key (in the center) selects or activates the current item.

Sample Pvote ballot definition 241

Page 255 of 324
Page 256 of 324

Page 1. This is the screen image for layout 1.

Page 1 has just one state, state 0, with the following audio message:

Touch the screen to make your selections. Use the NEXT and PREVIOUS buttons below

to move from page to page. To continue, touch NEXT or press 6 on the number

keypad.

There are targets positioned over the PREVIOUS and NEXT buttons. The 6 key and the

NEXT target are bound to a transition to page 2. The 4 key and the PREVIOUS target are

bound to a transition to page 0.

Sample Pvote ballot definition 242

Page 256 of 324
Page 257 of 324

Page 2. This is the screen image for layout 2.

Page 2 demonstrates one possible way to present a single-selection contest. Touching any

item changes the selection to that item, automatically deselecting any previous selection.

The voter can also step through the options one by one. using the audio interface and

keypad buttons. For voters who are using the visual and audio interfaces together,

selecting an option by touchscreen also produces audio confirmation, and the options are

also visually highlighted when the keypad buttons are used to step through them.

Page 2 has 8 states. State 0 has the following audio message:

State. Governor. There are 6 candidates. Please vote for one.

No choices are currently selected. Your current selection is list of selected options .

Touch the screen to make selections or press 8 to hear the choices. To skip to the

next contest, press 6.

The number of selections determines whether No choices… or Your current… is played.

Sample Pvote ballot definition 243

Page 257 of 324
Page 258 of 324

In state 0, the 8 key is bound to a transition to state 1. States 1 through 7 correspond to

the seven options for Governor. Each state highlights an option with a dotted red box. For

example, state 1 places this sprite over the first option:

Each of the states 1 through 6 has an audio message of the form:

candidate name . This choice is currently selected. To select this choice, press 5.

To hear the next choice, press 8. To hear your current selections for Governor, press

3. To clear your selections for Governor, press 1.

This choice… or To select… is played depending on whether the option is selected. In

these states, the 8 and 2 keys transition to the next and previous states. The 5 key clears

groups 0 and 1, selects the highlighted option, and plays the audio message:

Selected candidate name for Governor.

State 7, in which the last option is highlighted, has the audio message:

Write-in candidate.

This choice is currently selected. To edit or cancel this write-in, press 5.

To write in a name, press 5. To hear all the choices again, press 4. To hear your

current selections for governor, press 3. To clear your selections for governor, press 1.

This choice… or To write in… is played depending on whether the option is selected. In

this state, the 5 key transitions to page 11, which is the write-in page for Governor.

Page 2 has 7 option areas, located over the 7 choices for governor. Each of the first six

option areas has a corresponding target that clears groups 0 and 1 and then selects the

option. There is a target positioned over the last option that transitions to page 11, which

is the write-in entry page for Governor. The page also has a review area for group 1, with

25 small slots arranged in a row over the last option. This review area displays the entered

text for the write-in candidate. When the write-in candidate has been selected, the

highlighted sprite (with the check mark and green background) is pasted over the last

option, and the review area causes the entered characters to be pasted on top of that.

Sample Pvote ballot definition 244

Page 258 of 324
Page 259 of 324

There is a page-wide binding for the 1 key that clears groups 0 and 1 and plays the audio

message:

The selections for Governor are now cleared.

There is also a page-wide binding for the 3 key that triggers the audio message:

Governor. No choices are currently selected. Your current selection is

list of selected options .

There are targets positioned over the PREVIOUS and NEXT buttons. The 6 key and the

NEXT target are bound to a transition to page 3. The 4 key and the PREVIOUS target are

bound to a transition to page 1.

The page also has one counter area, positioned over the NEXT button. This is a counter

area for group 0, and its sprites look like this:

This counter area demonstrates one way of alerting voters when they proceed to the next

contest without making a selection. When the number of selections is zero, the NEXT

button is visually replaced with the SKIP CONTEST image; its behaviour is unchanged.

Sample Pvote ballot definition 245

Page 259 of 324
Page 260 of 324

Page 3. This is the screen image for layout 3.

Page 3 has 8 states. State 0 has the following audio message:

State. Secretary of State. There are 6 candidates. Please vote for one.

No choices are currently selected. Your current selection is list of selected options .

Touch the screen to make selections or press 8 to hear the choices. To skip to the

next contest, press 6. To go back to the previous contest, press 4.

The structure of the page is the same as page 2: states 1 through 7 highlight each of the

options, and they have the similar bindings and audio messages to those on page 2. There

are 7 option areas with corresponding targets that select them, and a review area for the

write-in characters in group 3, positioned over the last option. Selecting the write-in

option transitions to page 12, the write-in page for Secretary of State. There are targets

positioned over the PREVIOUS and NEXT buttons, with a counter area over the NEXT

button to replace it with a SKIP CONTEST image. The 6 key and the NEXT target go to

page 4; the 4 key and the PREVIOUS target go to page 2.

Sample Pvote ballot definition 246

Page 260 of 324
Page 261 of 324

Page 4. This is the screen image for layout 4.

Page 4 demonstrates a possible way of presenting a multiple-selection contest. Touching

an option toggles whether it is selected or not, except that overvoting is prevented;

attempting to overvote yields an audio explanation.

Page 4 has 9 states. State 0 has the following audio message:

City of Pittsburg. Member of City Council. There are 5 candidates. Please vote for up

to 3. No choices are currently selected. Your current selection is

Your current selections are list of selected options . Touch the screen to make

selections or press 8 to hear the choices. To skip to the next contest, press 6. To go

back to the previous contest, press 4.

The current number of selections determines which of the three clips are played:

No choices… , Your current selection is , or Your current selections are . In state 0, the 8

key is bound to a transition to state 1.

Sample Pvote ballot definition 247

Page 261 of 324
Page 262 of 324

States 1 through 8 correspond to the eight options. Because up to three selections are

allowed in this contest, there are three write-in options. Each state highlights an option

with a dotted red box, just like the pages for Governor and Secretary of State.

Each of the states 1 through 5 has an audio message of the form:

candidate name . To select this choice, press 5.

This choice is currently selected. To deselect it, press 5.

The maximum number of choices is currently selected. If you want to select more

choices, you must first deselect a choice.

If you are done with this contest, press 6. To hear the next choice, press 8. To hear

your current selections for Member of City Council, press 3. To clear your selections

for Member of City Council, press 1.

To select… is played if the option is not selected and the group is not full; This choice…

is played if the option is selected; and The maximum… is played if the option is not

selected and the group is full. In these states, the 8 key goes to the next state and the 2

key goes to the preceding state. If the highlighted option is selected, the 5 key deselects it

and plays the message:

Deselected candidate name for Member of City Council.

If the option isn’t selected and the group is not full, the 5 key selects it and plays:

Selected candidate name for Member of City Council.

If the option isn’t selected and the group is full, the 5 key plays the audio message:

You may only vote for up to 3 choices for Member of City Council. To vote for this

choice, you must deselect another choice first. Your current selections are

list of selected options .

States 6, 7, and 8, which correspond to the write-in options, have the audio message:

Write-in candidate. To write in a name, press 5.

This write-in is currently selected. To edit or cancel this write-in, press 5.

The maximum number of choices is currently selected. If you want to select more

choices, you must first deselect a choice.

Sample Pvote ballot definition 248

Page 262 of 324
Page 263 of 324

If you are done with this contest, press 6. To hear the next choice, press 8. To hear

your current selections for Member of City Council, press 3. To clear your selections

for Member of City Council, press 1.

As with states 1 through 5, To write in… is played if the option is not selected and the

group is not full; This choice… is played if the option is selected; and The maximum… is

played otherwise. The 8 and 2 keys navigate between states. If the option is selected, or if

it isn’t selected and the group is not full, the 5 key jumps to the corresponding write-in

page (page 13, 14, or 15). If the option isn’t selected and the group is full, the 5 key

produces the same message as in states 1 through 5:

You may only vote for up to 3 choices for Member of City Council. To vote for this

choice, you must deselect another choice first. Your current selections are

list of selected options .

Page 4 has 8 option areas, located over the 8 choices for City Council. Each of the option

areas has a target with a page-wide binding just like the binding described above for the 5

key in states 1 through 8. The page has 3 review areas located over the last three options;

these are for groups 5, 6, and 7, the write-in groups for this contest.

Just like pages 2 and 3, there are targets positioned over the PREVIOUS and NEXT buttons,

with a counter area over the NEXT button to replace it with a SKIP CONTEST image. The 6

key and the NEXT button go to page 5; the 4 key and the PREVIOUS button go to page 3.

Sample Pvote ballot definition 249

Page 263 of 324
Page 264 of 324

Page 5. This is the screen image for layout 5.

Page 5 demonstrates one way to present a contest with a small, fixed number of choices.

This example is a referendum with only two choices, so it’s possible to map them directly

to two buttons instead of highlighting each choice in a separate state. A non-touchscreen

user can choose an option just by pressing the button for that option, instead of stepping

through the options to find the desired one.

Page 5 has 3 states. State 0 has the following audio message:

State Measures. Proposition 1A. No choices are currently selected.

Your current selection is list of selected options . To hear the full text of this

proposition, press 8. Touch your selection on the screen, or, to select yes, press 7; to

select no, press 9.

In state 0, the 8 key transitions to state 1.

Sample Pvote ballot definition 250

Page 264 of 324
Page 265 of 324

State 1 has the audio message:

Transportation funding protection. Legislative constitutional amendment. Protects

transportation funding… text of paragraph describing proposition …in 2007 and

thereafter. To hear the text of this proposition again, press 8. Touch your selection on

the screen, or, to select yes, press 7; to select no, press 9.

In state 1, the 8 key transitions back to state 1, which causes the audio message to repeat.

There are two option areas on the page, one for YES and one for NO. There are two

targets, one located over each option, and page-wide bindings for the 7 and 9 keys. The 7

key and the YES target clear the contest (group 9) and select option 0 for yes; the 9 key

and the NO target clear the contest (group 9) and select option 1 for no. Both keys and

both targets trigger the audio message:

Selected option name on Proposition 1A.

As on the preceding pages, there are targets positioned over the PREVIOUS and NEXT

buttons, with a counter area over the NEXT button to replace it with a SKIP CONTEST

image. The 6 key and the NEXT target go to page 6; the 4 key and the PREVIOUS target go

to page 4.

Sample Pvote ballot definition 251

Page 265 of 324
Page 266 of 324

Page 6. This is the screen image for layout 6.

Page 6 has 2 states. State 0 has the following audio message:

State Measures. Proposition 1B. No choices are currently selected.

Your current selection is list of selected options . To hear the full text of this

proposition, press 8. Touch your selection on the screen, or, to select yes, press 7; to

select no, press 9.

The structure of the page is the same as page 5: the 8 key transitions to state 1, with an

audio message that reads out the text of the onscreen description. The 7 and 9 keys and

YES and NO buttons work as on page 5. There are targets positioned over the PREVIOUS

and NEXT buttons, with a counter area over the NEXT button to replace it with a SKIP

CONTEST image. The 6 key and the NEXT target go to page 7; the 4 key and the

PREVIOUS target go to page 5.

Sample Pvote ballot definition 252

Page 266 of 324
Page 267 of 324

Page 7. This is the screen image for layout 7.

Pages 7, 8, and 9 allow the voter to review selections before casting the ballot. A voter

using the audio interface can step through all the contests (automatically skipping from

the end of one page to the beginning of the next) by repeatedly pressing the 8 key.

Page 7 has 3 states. State 0 has the following audio message:

Review your selections before casting your ballot. To change your selections for any

contest, touch that contest on the screen. Use the NEXT and PREVIOUS buttons to

move from page to page. Or, to hear your selections read back to you, press 8.

In state 0, the 8 key transitions to state 1, which has the audio message:

Governor. You have not made a selection for this contest. Your current selection is

list of selected options . To make a selection To change your selection , press 5. For

the next contest, press 8.

Sample Pvote ballot definition 253

Page 267 of 324
Page 268 of 324

State 1 highlights the Governor contest with a dotted red box by placing this sprite over it:

In state 1, the 5 key transitions to state 0 of page 2, and the 8 key transitions to state 2 of

page 7. State 2 has the audio message:

Secretary of State. You have not made a selection for this contest.

Your current selection is list of selected options . To make a selection

To change your selection , press 5. For the next contest, press 8. For the previous

contest, press 2.

State 2 highlights the second contest with its sprite:

In state 2, the 5 key transitions to state 0 of page 3, the 8 key transitions to state 1 of page

8, and the 2 key transitions to state 1 of page 7.

The page has two review areas: one for group 0, positioned to overlay the box under

“Governor”, and one for group 2, positioned to overlay the box under “Secretary of State.”

Thus, when there is no selection, the NO SELECTION MADE message shows through from

the background; when there is a selection, it covers up the NO SELECTION MADE

message. There is a target positioned over each of the two contests; these targets

transition to pages 2 and 3 respectively. There are also targets positioned over the

PREVIOUS and NEXT buttons. The 6 key and the NEXT target go to page 8; the 4 key and

the PREVIOUS target go to page 6.

Sample Pvote ballot definition 254

Page 268 of 324
Page 269 of 324

Page 8. This is the screen image for layout 8.

Page 8 shows just one contest. (On a larger ballot, there could be many contests on each

review page.)

Page 8 has 2 states. State 0 has the same audio message as page 7:

Review your selections before casting your ballot. To change your selections for any

contest, touch that contest on the screen. Use the NEXT and PREVIOUS buttons to

move from page to page. Or, to hear your selections read back to you, press 8.

In state 0, the 8 key transitions to state 1, which has the audio message:

Member of City Council. You have not made a selection for this contest.

Your current selection is Your current selections are list of selected options .

To make a selection To change your selection , press 5. For the next contest, press

8. For the previous contest, press 2.

Sample Pvote ballot definition 255

Page 269 of 324
Page 270 of 324

State 1 highlights the City Council contest with its sprite:

In state 1, the 5 key transitions to state 0 of page 4, the 8 key transitions to state 1 of page

9, and the 2 key transitions to state 2 of page 7.

The page has one review area for group 4, with its three slots positioned to overlay the

three boxes under “Member of City Council.” When there are fewer than three selections

in group 4, one of the NO SELECTION MADE messages will show through. There is one

target positioned over this review area that transitions to page 4, as well as two targets

positioned over the PREVIOUS and NEXT buttons. The 6 key and the NEXT target go to

page 9; the 4 key and the PREVIOUS target go to page 7.

Sample Pvote ballot definition 256

Page 270 of 324
Page 271 of 324

Page 9. This is the screen image for layout 9.

Page 9 has 3 states. State 0 has the same audio message as the previous two pages. States

1 and 2 correspond to the two propositions; each one highlights a proposition and reads

back the selection for that proposition, similar to the previous two pages. In state 1, the 5

key transitions to state 0 of page 5, the 8 key transitions to state 2 of page 9, and the 2

key transition to state 1 of page 8. In state 2, the 5 key transitions to state 0 of page 6, the

2 key transitions to state 1 of page 9, and the 8 key produces the audio message:

This is the last contest. To proceed with casting your ballot, press 6.

The page has two review areas positioned over the two boxes for Propositions 1A and 1B,

for group 8 and group 9 respectively, and targets over these regions that transition to

page 5 and page 6 respectively. For the whole page, the 6 key and the NEXT target go to

page 10; the 4 key and the PREVIOUS target go to page 8.

Sample Pvote ballot definition 257

Page 271 of 324
Page 272 of 324

Page 10. This is the screen image for layout 10.

Page 10 is the final confirmation page before casting the ballot; it has just one state. State

0 has the audio message:

This is your last chance to review your selections before casting your ballot. To review

your selections, press 1. To cast your ballot now, press 0.

The 1 key and the REVIEW button transition to page 7. The 0 key and the CAST BALLOT

button transition to page 16. The 4 key and the PREVIOUS button transition to page 9.

Sample Pvote ballot definition 258

Page 272 of 324
Page 273 of 324

Page 11. This is the screen image for layout 11.

Pages 11 through 15 are pages for entering write-in candidates, corresponding to the

write-in options in the Governor contest (1 write-in option), the Secretary of State contest

(1 write-in option), and the City Council contest (3 write-in options). The voter can enter

characters either by touching them on the screen or by using the keypad to step through

the alphabet. The voter leaves the write-in page by either accepting or cancelling the

write-in, which selects or deselects the corresponding write-in option.

Page 11 has 30 states. State 0 has the audio message:

Write-in candidate for Governor. This write-in is empty. This write-in contains

list of selected characters . To write in a name, touch the letters on the screen.

To edit this write-in, touch the letters on the screen. To delete the last letter, touch

BACKSPACE or press 1.

Touch ACCEPT when you are finished, or touch CANCEL to cancel this write-in. Or, to

advance through the alphabet using the keypad, press 6.

Sample Pvote ballot definition 259

Page 273 of 324
Page 274 of 324

Whether the write-in is empty determines whether This write-in is empty. or

This write-in contains is played, and also whether To write in a name… or

To edit this write-in… is played. The 6 key advances to state 1.

State 1 highlights the A button with this sprite:

and has the audio message:

A. To add this letter to the write-in, press 5. To delete the last letter, press 1. To

advance to the next letter of the alphabet, press 6. For the previous letter, press 4. To

read back the letters you have entered, press 3. To accept this write-in, press 7. To

cancel this write-in, press 9.

The name of the letter is spoken first so that the voter can quickly scan through the

alphabet using the 6 and 4 keys to interrupt the message and navigate to the next and

previous letters. The 7 and 9 keys express affirmative and negative actions, somewhat

consistent with their use to select YES and NO on pages 5 and 6. the 1 key is used for

deletion, somewhat consistent with its use to clear selections in other contests. And the 3

key is used to request a playback of selections, as it does on other pages.

States 2 through 29 highlight each of the other character buttons from B through SPACE,

and they have similar audio messages. In all of these states, the 5 key appends the

character to the group, the 1 key removes the last character, and the 6 and 4 keys

transition to the next and previous state. In state 1, the 4 key goes to state 29; in state 29,

the 6 key goes to state 1. If the group is not full, the 5 key appends the highlighted

character to the group and plays the name of the character. If the group is full, the 5 key

produces the audio message:

There is no room for more letters.

The page has one review area with 25 slots in a row over the green box at the top of the

page. This review area shows the characters selected in group 1 and has a cursor sprite:

Sample Pvote ballot definition 260

Page 274 of 324
Page 275 of 324

There are targets for each of the 29 letter buttons; each target is bound to the same action

as the 5 key for that button (either it appends the character or notifies the voter that there

is no more room).

There are targets over the CLEAR and BACKSPACE buttons. The CLEAR button clears the

group and plays the audio message:

Clear.

If the group is empty, the 1 key and the BACKSPACE target just play the message:

This write-in is empty.

Otherwise, the 1 key and the BACKSPACE target remove the last character from the group.

There is a page-wide binding for the 3 key that plays the audio message:

This write-in is empty. This write-in contains list of selected characters .

There are also targets over the ACCEPT and CANCEL buttons. If the group is empty, the 7

key and the ACCEPT target just play the message:

This write-in is empty.

Otherwise, they clear group 0 (the contest for Governor) and select option 6 in group 0

(the write-in option for Governor), transition back to page 2, and play the message:

Selected write-in candidate list of characters for Governor.

The 9 key and the CANCEL target clear group 1 (this write-in group) remove option 6 from

group 0 (the write-in option for Governor), transition back to page 2, and play the

message:

Cancelled write-in.

Sample Pvote ballot definition 261

Page 275 of 324
Page 276 of 324

Page 12. This is the screen image for layout 12.

Page 12 has 30 states, like page 11. State 0 has the audio message:

Write-in candidate for Secretary of State. This write-in is empty.

This write-in contains list of selected characters .

To write in a name, touch the letters on the screen.

To edit this write-in, touch the letters on the screen. To delete the last letter, touch

BACKSPACE or press 1.

Touch ACCEPT when you are finished, or touch CANCEL to cancel this write-in. Or, to

advance through the alphabet using the keypad, press 6.

The page has the same structure as page 11, except that it corresponds to group 3 (the

write-in group for Secretary of State) and to option 6 of group 2 (the write-in option for

Secretary of State), and transitions back to page 3 when the write-in is accepted or

cancelled.

Sample Pvote ballot definition 262

Page 276 of 324
Page 277 of 324

Page 13. This is the screen image for layout 13.

Page 13 has 30 states, like the other write-in pages. State 0 has the audio message:

Write-in candidate for Member of City Council. This write-in is empty.

This write-in contains list of selected characters .

To write in a name, touch the letters on the screen.

To edit this write-in, touch the letters on the screen. To delete the last letter, touch

BACKSPACE or press 1.

Touch ACCEPT when you are finished, or touch CANCEL to cancel this write-in. Or, to

advance through the alphabet using the keypad, press 6.

This page has the same structure as pages 11 and 12, except that it corresponds to group

5 (the first write-in group for Member of City Council) and to option 5 of group 4 (the first

write-in option for Member of City Council), and transitions back to page 4 when the

write-in is accepted or cancelled. When the write-in is accepted, group 4 is not cleared;

option 5 is just added to the selections for group 4 since there can be multiple selections.

Sample Pvote ballot definition 263

Page 277 of 324
Page 278 of 324

Page 14. This is the screen image for layout 14.

Page 14 is identical to page 13 except that it corresponds to group 6 (the second write-in

group for Member of City Council) and to option 6 of group 4 (the second write-in option

for Member of City Council).

Sample Pvote ballot definition 264

Page 278 of 324
Page 279 of 324

Page 15. This is the screen image for layout 15.

Page 15 is identical to pages 13 and 14 except that it corresponds to group 7 (the third

write-in group for Member of City Council) and to option 7 of group 4 (the third write-in

option for Member of City Council).

Sample Pvote ballot definition 265

Page 279 of 324
Page 280 of 324

Page 16. This is the screen image for layout 16.

Page 16 is the last page; transitioning here casts the ballot. There is just one state, and it

has the audio message:

Thank you for voting. Your ballot has been recorded. sound of applause

There are no bindings on this page.

Sample Pvote ballot definition 266

Page 280 of 324
Page 281 of 324

D Sample Pvote ballot designs

This appendix presents a few other possible designs for

electronic ballots that could work with Pvote, to illustrate the

flexibility of Pvote to handle other visual appearances and

interaction styles.

267

Page 281 of 324
Page 282 of 324

An alternate visual design.

This is an example of a selection page with a different “look and feel” than the sample

ballot in Appendix C. The video display has a different resolution (640 × 480 pixels), and

the buttons appear shiny instead of flat. Square buttons are used for options and rounded

buttons are used for navigation.

In Pvote, this design can be implemented just by drawing different full-screen images

for each page and providing option sprites that match the new “look and feel.” For

example, when the YES and NO options are selected, they can be overlaid with these

sprites:

Sample Pvote ballot designs 268

Page 282 of 324
Page 283 of 324

Random-access navigation.

This design offers a high-level overview of the ballot, always visible on the left third of the

display. The overview region allows the voter to jump directly to any contest on the ballot,

and also provides an indication of which contests are undervoted at all times. The right

two-thirds of the display are similar to the ballot design in Appendix C.

In Pvote, this design can be implemented by including the overview pane with its YOU

ARE HERE arrow as part of the full-screen image for each page. The undervote indicators

next to each contest in the overview pane can be implemented with counter areas for each

contest.

Sample Pvote ballot designs 269

Page 283 of 324
Page 284 of 324

Persistent review.

This design is a variant of the previous random-access design. Instead of merely showing

which contests are undervoted, the overview pane now shows the selection that the voter

made. Thus, the overview pane functions as an everpresent review screen.

In Pvote, this design can be implemented by adding an “indicator group” to

correspond to each contest group. Each indicator group would contain “indicator options”

with small indicator-size sprites representing each option. Every operation that selects or

deselects an option would also select or deselect the corresponding indicator option. Then

the review indicators in the overview pane would be implemeneted as review areas for the

indicator groups corresponding to each contest group.

The tediousness and redundancy in such a ballot definition suggests that Pvote could

be improved by extending the ballot definition format to allow each option to be

represented by an arbitrary number of sprites of different sizes, instead of just two

sprites (selected and unselected) of the same size. Such an extension would also improve

Pvote’s support for ballots that accommodate vision-impaired users (see page 104) or

ballots that allow the voter to switch languages in mid-session.

Sample Pvote ballot designs 270

Page 284 of 324
Page 285 of 324

Imitation paper ballot.

This design emulates a paper ballot in its appearance and behaviour, offering a familiar

interface for voters who are used to optically scanned ballots. The voter touches the

candidates to fill in the bubbles and uses the arrow buttons at the bottom of the screen to

flip through the ballot. Reviewing selections before casting the ballot consists of flipping

back through the same pages and checking the marked bubbles, just as one would do with

a paper ballot.

In Pvote, this design can be implemented by using empty and filled bubbles as the

option sprites. The targets that select options can be large (covering the entire candidate

name and description) while the corresponding option sprites are small (covering just the

bubble).

Sample Pvote ballot designs 271

Page 285 of 324
Page 286 of 324

E Pvote security review findings

This appendix presents the findings from the code review of

Pvote, taken from the “Report on the Pvote security review” [93].

272

Page 286 of 324
Page 287 of 324

Correctness

The reviewers did not find any bugs in the original Pvote source

code. However, they did find some errors and omissions in the

assurance document.

Correctness claim for R1 (non-termination). Pvote is supposed

to “never abort during a voting session” (R1). As part of the

supporting argument for this claim, Section 7.11 of the

assurance document describes how an upper bound on Pvote’s

memory usage can be statically determined from the ballot

definition. The memory usage argument identifies strings and

lists as the only kinds of values with variable size, and

establishes limits on how long they can possibly grow. But since

Python (and Pthin) integers have unlimited range, a single

integer can also have a variable size. The argument for R1 is

incomplete because it neglects to establish any upper limit on

the integer values used by Pvote.

However, the missing part of the argument can be filled in

by examining all the expressions in the Pvote code that yield

new integers. There are only four built-in functions that return

integers, and all of them return values that are known to be

bounded:

• range() yields a list of integers between 0 and its

argument.

• ord() yields an integer between 0 and 255.

• len() yields the length of the list or string argument, and

the argument in the assurance document already

establishes that lists and strings have bounded size.

• enumerate() yields lists containing integers all between 0

and the length of the list, and the argument in the assurance

document already establishes that list lengths are bounded.

Aside from built-in functions, the only other way to produce a

new integer value is by performing arithmetic. Arithmetic

expressions occur in the Pvote source code on the following

lines:

Pvote security review findings 273

Page 287 of 324
Page 288 of 324

• Ballot.py line 125: This line always yields an integer less

than 231

.

• verifier.py lines 23, 27, 31, 34; Navigator.py lines 28,

32, 46: These lines all increment an integer loop index by a

constant or a quantity fixed in the ballot definition. The

iteration count in each of these loops is determined by a

fixed value in the ballot definition.

• main.py line 3; verifier.py lines 40, 42, 60, 64, 65, 67, 88;

Navigator.py lines 12, 13, 27, 31; Video.py lines 20, 21;

Printer.py line 12; Audio.py lines 28, 29, 35: These lines

all perform arithmetic and do not store the result. The

operands to the arithmetic expressions are all bounded

values (constants, Boolean values such as 0 or 1, values

fixed in the ballot definition, list lengths, or string lengths).

• Navigator.py lines 107, 109, 111: These lines perform

arithmetic and pass the result to the Audio.play()

method. The operands to the arithmetic expressions are all

bounded values. The audio driver stores the clip indices,

but does not perform any arithmetic on them.

• Audio.py line 22: This line performs arithmetic on rate,

which is fixed in the ballot definition, and passes it to

put int(), which converts it to a string without storing it.

• Audio.py line 34: This line increments the stored integer

self.pos by a passed-in value. In order for this integer to

remain bounded, Pvote relies on Pygame’s Sound

constructor to stop calling read() after it returns an empty

string to signal that the end of the file has been reached.

Correctness claim for R9 (ballot casting). Pvote is supposed to

“commit the ballot when and only when so requested by the

voter” (R9). By design, a Pvote ballot definition can specify a

page transition to occur automatically after some amount of

time has passed with no response from the user. Because a

transition to the last page commits the ballot, this automatic

timeout transition can be made to commit the ballot without

explicit voter action, in violation of R9. A timeout transition

could also prevent the user from committing by jumping to a

Pvote security review findings 274

Page 288 of 324
Page 289 of 324

page with no escape; or it could indirectly force the user to

commit by jumping to a page with no escape except to cast the

ballot (the user has no way to go back and change selections).

Pvote’s design assumes that the ballot definition file will be

checked before an election (A5). Pvote should ensure that the

ballot file will not cause Pvote to crash; the pre-election checks

should ensure that the ballot does not mislead or misrepresent

the voter. To uphold R9, one of these checks must ensure that

no timeout transition deprives the user of the ability to cast the

ballot or the ability to change their selections before casting the

ballot. The assurance document failed to mention that such a

check is necessary.

Missing requirement for voter privacy. The assurance

document states no explicit requirement for preserving a

voter’s privacy once the voter’s ballot has been committed.

Although Pvote is restarted afresh for each new voter (A3), there

is no assurance of privacy for the interval from when the voter

walks away until the machine is reset. For example, a ballot

definition with a review area on the last page might reveal the

voter’s choices to the pollworker or the next voter, without

violating any requirements stated in the assurance document.

There needs to be an assurance argument or a ballot definition

audit requirement to ensure that the images and audio shown

on the final page are independent of all prior choices. In

combination with R3 (Pvote should become inert after a ballot is

committed), this would ensure that the voter’s choices will not

be revealed after the voter commits the ballot.

Negative integers. The assurance document (in Section 7.1)

makes an argument that negative integers are never used in

Pvote. This argument claims to list all the uses of the

subtraction operator in Pvote, but neglects to mention the

expression len(self.model.pages) - 1, which appears on

lines 12 and 13 of Navigator.py. Nonetheless, the claim that

negative integers are never used still holds, since the verifier

ensures that model.pages always has a length of at least 1.

Pvote security review findings 275

Page 289 of 324
Page 290 of 324

Pthin specification. Pthin was intended to be a subset of

Python in that any valid Pthin program is a valid Python

program with the same behaviour. However, the Pthin

specification does not accurately describe how a Pthin program

would behave when run under a Python interpreter.

In some cases where Pthin specifies that a fatal error should

occur, Python will not raise an exception. This is significant for

Pvote because Pvote relies on fatal errors to ensure that invalid

ballot definitions never make it past the verifier.

1. According to the Pthin specification, substring slicing

s[i:j] should cause a fatal error unless 0 ≤ i ≤ j < n,

where n is the length of s, but Python actually accepts any

integers for the starting and stopping indices.

2. According to the Pthin specification, list indexing l[i]

should cause a fatal error unless 0 ≤ i < n, where n is the

length of the list, but Python actually allows -n ≤ i < n. The

same holds for string indexing as well.

3. According to the Pthin specification, any type violation or

illegal argument to a built-in operation causes a fatal error.

But, if Pvote were to pass a callback function to Pygame, and

that function were to throw an exception inside Pygame,

then Pygame could catch the exception and thereby deviate

from the Pthin specification.

The Pthin specification also deviates from the behaviour of the

Python interpreter in the following ways:

4. The Pthin specification neglects to mention that and and or

have short-circuit evaluation, as in Python.

5. The Pthin specification documents the pop() method with

no arguments, but doesn’t document pop() with one

argument, which is used on line 16 of Audio.py.

Although the Pthin specification is in error, it does not appear

that any of the above five deviations would cause Pvote to

function incorrectly:

1. The verifier does not use the slicing operator, so there is no

risk that the slicing operator will fail to produce a fatal error

when it should.

Pvote security review findings 276

Page 290 of 324
Page 291 of 324

2. Section 7.1 of the assurance document establishes that a

negative integer never appears as a string or list index.

3. Pvote never passes any callback functions to Pygame.

4. The and and or operators are used at main.py line 24,

verifier.py line 96, Ballot.py line 126, Navigator.py

lines 12, 44, 50, 54, 80, 83, and 85, and Video.py lines 20

and 21. None of the operands cause side effects; among all

these expressions, the only function calls are to the

Navigator.test() method, and this method has no side

effects.

5. This is simply a documentation error; no security claims

rely on it.

Figure 6.1. A causal connection is missing from the diagram in

Figure 6.1 of the assurance document. There should be a dotted

line leaving the event loop to indicate that it schedules timer

events, and another dotted line entering the event loop for the

timer events it receives.

Pvote security review findings 277

Page 291 of 324
Page 292 of 324

Consensus recommendations

This section describes recommendations made by reviewers on

ways that Pvote or its assurance document could be improved

to make Pvote easier to deploy, use, or review.

Assurance document. The reviewers agreed that the document

should give a detailed breakdown of all the properties that need

to be verified about a ballot definition, in three categories:

those checked by human review, those checked by automated

tools outside of Pvote, and those checked by Pvote’s verifier.

The reviewers recommended that a section of the document

should separately enumerate all causal connectivity with the

outside world (e.g., primitives or library calls that have external

effects, such as the print statement or the open() function).

The reviewers suggested that the assurance document

should explicitly state, on line 89 of Navigator.py, the

precondition that audio.playing has to be false by that point,

and that if the program reaches this point, it has been false for

at least the last ballot.model.timeout ms milliseconds.

The reviewers recommended that the assurance document

explicitly state that cursor sprites need to be checked to make

sure they are not confusable with a candidate or a character.

The reviewers noted that Python dumps a stack trace when

an exception is thrown. If an exception occurs during a voting

session, a record of the corresponding stack trace could

conceivably violate voter privacy. The reviewers recommended

that the assurance document mention this issue and propose

ways to deal with it.

Pthin. The reviewers recommended that the Pthin specification

should prohibit all unprintable characters in source code except

newline, and specifically should prohibit tab characters to avoid

ambiguity in indentation levels. (It was confirmed that the Pvote

source code contains no unprintable characters except newline.)

The reviewers recommended that Pthin should prohibit all

Pvote security review findings 278

Page 292 of 324
Page 293 of 324

identifiers containing double-underscores except init , to

avoid the possibility of triggering any special or implicit

behaviours in Python.

The reviewers suggested that Pthin explicitly forbid nested

class definitions and function definitions, for simplicity.

The reviewers suggested that Pthin could avoid some bugs

caused by one-character changes from == to = by excluding

chained assignments of the form x = y = z.

Ballot definition. The reviewers recommended that ballot

definition analysis tools should be distributed with Pvote to

help reviewers check commonly desired properties of ballot

definitions. Some examples of such properties are reachability

of all pages from the starting state, reachability of the commit

page from any page, and reachability of all the selection pages

from any page.

The reviewers suggested that the ballot definition’s int type

be renamed nat to make it more clear that this type excludes

negative numbers.

The reviewers suggested that ballot definitions be digitally

signed and that Pvote check the signature. The reviewers also

agreed that the ballot definition file’s 8-byte header should be

included in the computation of the hash at the end of the file.

Serialization format. Some reviewers, concerned that the binary

format of the ballot definition file would make it difficult for

humans to examine, initially suggested XML as an alternative

serialization format, with images and audio stored in auxiliary

files. Other reviewers objected that XML is also unreadable. The

reviewers reached the consensus that the ballot definition

should remain the current binary format, so that the Pvote code

for reading it can remain simple and elegant; a separate, textual

ballot definition format should be specified so that the textual

form can be put in a one-to-one correspondence with the binary

form. The Pvote system should include a disassembler (that

converts the binary form into the textual form together with any

auxiliary binary files) and an assembler (that does the opposite).

Pvote security review findings 279

Page 293 of 324
Page 294 of 324

No one has the option to write their own voting software and

vote on it, but anyone who wants to verify a correct conversion

has the option to write their own assembler and disassembler.

The reviewers thought it would also be nice to have a

one-way translator that produces interactive HTML pages or a

Flash animation, so that voters can visit a web page and preview

the voting experience in a browser.

Implementation. The changes suggested by the reviewers are

described here and also noted in the code listing in Appendix B.

Navigator. The reviewers agreed that the navigator should have

something like a self.committed flag to indicate that the

ballot has been committed, together with a commit() method

that commits the ballot and sets the committed flag.

The reviewers felt that some method names in the navigator

could be clarified, such as press(), touch(), invoke(),

execute().

The reviewers felt that lines 66 to 67 of Navigator.py were

just “too clever for its own good.” The intent of these lines

could be expressed more clearly by writing:

if cond.invert:

result = not result

if not result:

return 0

to show that cond.invert reverses the sense of the condition

and that 0 is returned the only when the condition is not met.

The reviewers agreed that line 80 of Navigator.py could

use some parentheses to clarify the Boolean expression.

The reviewers suggested eliminating the recursion in

review() by duplicating the body of the method in two

specialized methods, review contest() and

review writein(). review contest() would call

review writein() and there would be no recursive calls,

making it easier for reviewers to understand.

Pvote security review findings 280

Page 294 of 324
Page 295 of 324

The reviewers found Navigator.execute() more

confusing than necessary because it uses both the list

self.selections and a local variable selections that aliases

a part of it. Mixing these two ways of accessing the list makes it

harder to reason about the code, because each could have

side-effects on the other. The method would be easier to verify

if it always accessed the list through just self.selections or

just selections.

Some reviewers were uncomfortable with the get option()

method, whose parameter is not limited to a specific type; it

accepts any object with members named group i and

option i (thus, any Condition, Step, or Segment).

Ballot. The reviewers suggested that the Ballot module would

be easier to understand if the hashing were performed by a

separate object, not the Ballot itself. This would also prevent

other objects from having access to the incompletely

constructed Ballot object during construction.

Verifier. The reviewers suggested that the verifier have separate

methods get bool() and get enum() instead of get enum()

for both purposes, and separate methods get int() and

get intn() instead of get int() for both purposes.

The reviewers suggested that get str() would be clearer if

it checked isprint(ch) and ch != ’~’ rather than 32 <=

ord(ch) <= 125.

General style. The reviewers suggested that all the constants be

moved to a single module and that each enumerated type be

defined as a class that consolidates the cardinality of the

enumeration, the symbolic names of the elements, and the

values of the elements. The reviewers noted that, for example,

AUDIO DONE is assigned in two separate files, with no condition

that they be assigned the same value.

The reviewers suggested that explicit return None

statements be inserted where None is an intentionally returned

value, instead of relying on None to be returned by default.

Pvote security review findings 281

Page 295 of 324
Page 296 of 324

Inconclusive recommendations

This section contains recommendations made during the review

that did not reach general agreement, were disputed, or were

ultimately withdrawn.

Ballot definition. Some reviewers were concerned that each

write-in option needs its own separate write-in text entry page,

with the text entry state machine duplicated on each page.

Thus, for example, for a ballot with two single-selection

contests and two three-selection contests, if all the contests

allow write-ins (in English letters), there will be eight nearly

identical write-in pages with about 30 states each. This is

because the VM doesn’t have a stack, doesn’t support

subroutines, and can’t pass parameters. It was suggested that

ballot definition complexity could be substantially reduced by

turning the VM from a finite-state machine to a pushdown

automaton. Call-return semantics would also be useful not only

for write-ins, but also for displaying help pages and revisiting

contests from a review screen.

Other reviewers were not convinced that this duplication

was that important. They felt that 30 states was not enough of

an explosion of states to justify additional complexity in the

ballot definition language. Ultimately there was no consensus

that call-return should be added.

A possible compromise might be to create a deterministic

compiler that translates from a language with a call-return

feature to the current language without call-return, and then

publish its input and output for verification.

Image format. Adding an alpha channel to images was

suggested as a way of increasing flexibility in the design of the

ballot definition. However, this would add a little more code to

the voting machine and make human review of ballot

definitions harder. The true appearance of the ballot might be

hidden from human reviewers using alpha compositing tricks

Pvote security review findings 282

Page 296 of 324
Page 297 of 324

(for instance, a sprite with an alpha channel could appear

normal over one background but contain a hidden message that

appears when it is composited over another background).

Programming language. Some reviewers objected to the use of

chained-inequality expressions such as x == y > z because

they were potentially misleading for a reader used to the C

interpretation; they recommended that this syntactic shorthand

be removed from the Pthin specification and that the clauses be

written out separately as x == y and y > z. Others found

such expressions sensible and concise.

Pvote security review findings 283

Page 297 of 324
Page 298 of 324

Observations

This section documents other notable observations that

reviewers made.

Single source vs. multiple sources. The reviewers agreed that

the most critical code is code that:

• has to be in the voting machine,

• has to be correct, and

• cannot be multiply sourced.

Pthin. Some reviewers noted Pthin’s simplicity and readability,

and mentioned that they were impressed at their ability to read

and understand a language they didn’t know.

The definition of Pthin implies that a Pthin program has no

access to information about its environment other than explicit

user inputs, and therefore no way to distinguish a real election

from a test. The assurance document could state explicitly that

the Pthin language is deterministic and that it has no

implementation-dependent or compiler-dependent features

other than memory capacity limits (which, if exceeded, can only

cause fatal errors).

The definition of Pthin helps support some of the assurance

requirements:

• R5 says that Pvote’s behaviour in each session should be

independent of any previous sessions. Satisfying this

requirement doesn’t depend on the code of Pvote; it relies

upon Pthin’s definition (e.g., no arbitrary access to the

filesystem), together with the design choice that the

pollworker resets the voting station.

• R7 says that Pvote’s behaviour should be determined

entirely by the ballot definition and the stream of user input

events. This also doesn’t depend on the code of Pvote; it is

ensured by the interfaces to Pvote and the fact that Pthin is

deterministic. Neither Pthin nor Pygame provide any access

to clocks or sources of randomness.

Pvote security review findings 284

Page 298 of 324
Page 299 of 324

Terminology. The definition of Pthin misuses the term

“precondition.” A precondition is something that is assumed to

be true, and if the precondition is violated then the resulting

behaviour is undefined. However, in the Pthin definition, the

word “precondition” is used to describe any condition whose

violation is required to cause a fatal error. This distinction is

important because such fatal errors are necessary to the

assurance arguments that are made in the annotations on the

Pvote source code.

Separation of concerns. The separation between the video

driver and the navigator is a separation of space and time: the

video driver knows about space but has no concept of time (no

history); the navigator knows about time but knows nothing of

space (screen layout).

A claim worth stating and verifying is that once the video

driver receives a goto message, it should be history-insensitive

about all prior state, as if a new video driver was freshly

instantiated on each page transition.

Temporal categories of variables. One reviewer noted that

many variables are intended to describe the state of the world

at a particular time, either past, future, or present. For example,

the navigator uses self.page i to refer to the current page

and the parameter page i refers to what will become the

current page. It would be helpful to have a naming convention

to reflect this, so it is easy to tell what point in time a variable

refers to. For example, the parameter page i could be named

new page i or next page i.

Something similar may also be useful in the audio module,

which has to distinguish between what Pvote thinks the audio

state is (busy or available) and what the Pygame audio driver

thinks the audio state is.

Printer output. Some reviewers found the printer output

unfriendly for human readers; in particular, they felt the

insertion of markers after each write-in character was ugly.

Pvote security review findings 285

Page 299 of 324
Page 300 of 324

Arithmetic. Some reviewers commented that arithmetic is

difficult to reason about— it’s something humans are especially

bad at, compared to computers. In particular, the

Navigator.review() method was harder to verify than it

could have been, because it relies on arithmetic to establish a

correspondence between the array of slots and various other

structures. The reviewers found the incrementing of slot i

and the passing of slot i recursively to review() tricky to

understand (and hence suspicious).

Design consistency. The reviewers noticed that certain features

of Pvote violated the design heuristic of prioritizing the

simplicity of the ballot format:

• The SG MAX SELS audio segment type is not strictly

necessary. Since the maximum number of selections in each

contest is statically known, every instance of SG MAX SELS

could be replaced by SG CLIP. The ballot definition might

be slightly harder to audit as a result.

• States are also not strictly necessary and could be

eliminated. Each state could be turned into a separate page,

at the cost of duplicating all the common information that

states currently share.

Fleeing voters. Some local policies require that fleeing voters

should have their ballots automatically cast for them. One way

to implement this for Pvote would be to provide a special

button on the machine (perhaps behind a locked door) that

pollworkers could press to cast the ballot of a fleeing voter.

Code annotations. The assurance document presented a

precondition/postcondition analysis as a set of annotations to

the source code. This analysis was extremely tedious to

perform by hand, even for less than 500 lines of code, and

would also be extremely tedious for reviewers to verify by hand.

The reviewers were concerned that annotations kept separate

from the code would be difficult to maintain, and would be

better expressed directly in the source code. The reviewers felt

Pvote security review findings 286

Page 300 of 324
Page 301 of 324

that, to be practical, verification support based on annotations

has to be cheap and has to require few annotations to be added

by the programmer.

In a statically typed language, many or most of the

annotations in the assurance document would have been

unnecessary, and would be automatically checked by a

compiler. In many reviewers’ opinion, this affirmed the value of

type systems for secure and reliable code.

Pvote security review findings 287

Page 301 of 324
Page 302 of 324

Open issues

This section describes other unresolved issues and ideas that

were discussed at the review concerning Pvote or software

auditing in general.

Ballot definition. We discussed the following topics concerning

the ballot definition.

Validity. How much should Pvote constrain the ballot

definition? There is a trade-off between the strictness of the

constraints enforced by Pvote’s verifier and the length of time

that the Pvote software goes unchanged between revisions. With

too many constraints, we run the risk that unanticipated

changes in laws and regulations (or differences in regulations

among jurisdictions) may invalidate Pvote’s assumptions and

force Pvote to change frequently; this would argue for

minimizing these constraints. New laws could also require

Pvote to support new features, which similarly could require

less constrained ballot definitions. On the other hand, too few

constraints on the ballot definition would make it harder to

ensure that Pvote doesn’t crash.

There is also a trade-off between the ease of auditing a

published ballot definition file and the size of the TCB. A

higher-level ballot definition is easier for humans to audit, but

is also likely to mean more code in Pvote.

Auditing. Instead of reviewing the ballot definition directly,

assurance could be gained by publishing the input to the ballot

layout tool and the code of the ballot layout tool. If the ballot

layout tool is deterministic, anyone should be able to run it to

regenerate the ballot definition file.

For auditing the ballot definition, it could also be helpful to

be able to start from the ballot definition file and

unambiguously recover the original input to the ballot layout

tool (for example, by performing OCR on the images, perhaps

Pvote security review findings 288

Page 302 of 324
Page 303 of 324

with some hints from the ballot layout tool). This might be a

requirement to impose on the ballot layout tool.

Programming language. The effect of programming language

design on source code review was another prominent topic.

Mistyped or confusing identifiers. Python automatically creates a

new binding when you make a local assignment; thus, assigning

to a misspelled variable name will just silently create another

variable. The same is true for assignment to member variables.

The reviewers considered this error-prone and suggested some

ways to address the problem:

• Use a tool to check identifiers that are suspiciously similar.

• Use a tool to check for variables that are assigned but then

unused.

• Require all functions to declare their local variables in

comments or decorators and statically check these

declarations.

• Require constructors to initialize all member variables, and

forbid self from escaping the constructor before all fields

are assigned.

One way for code to be (inadvertently or intentionally)

confusing is to reuse the same identifier names in different

scopes. The reviewers suggested that Pthin could forbid

shadowing of identifiers, and perhaps even forbid using

self.foo and foo in the same context. For example,

Navigator.execute() uses both self.selections and

selections, which some reviewers found tricky to follow.

One reviewer suggested the principle of never reusing a

variable name for two different purposes. For example,

Navigator.play() uses the local variable option i for

different purposes on lines 98 and 104. This particular violation

could be found by a static analysis that requires all loop

counters to be unbound before the loop begins.

A possible language feature that would reduce this problem

would be a requirement that the first binding of any variable be

preceded with a keyword (such as var as in JavaScript). This

Pvote security review findings 289

Page 303 of 324
Page 304 of 324

would force programmers to declare whether they expect each

variable to be already bound or not.

Subsetting. The reviewers noted that it is useful for a

programming language to provide easy ways to enforce that a

given portion of a program is in a particular subset of the

language. Examples of this are the extensible auditing features

in E and Joe-E. If reviewers can rely on static checkers to ensure

that parts of a program are in declared subsets of the language,

that can make their job as reviewers much easier.

Type distinctions. Python has no truly separate Boolean type;

Boolean values behave in almost all respects like the integers 0

and 1. The reviewers suggested that it might be good for Pthin

to treat integers and Boolean values as separate types and

statically check that they are used in a type-safe way. There are

a few places in the current Pvote code that would violate such a

type restriction, such as Navigator.py line 27.

One reviewer noted difficulty in telling whether a variable

name such as group i stood for an nullable or non-nullable

integer. This could be addressed by a type distinction or a

naming convention. One suggested naming convention uses the

prefix opt for optional (i.e., nullable) variables.

Mutability. The reviewers suggested that it would be useful to

be able to declare some variables “eventually read-only.” Such

variables would be initially mutable, but at some later point

irreversibly become immutable (either upon exiting a particular

scope or upon being marked immutable by the Pthin program).

These could be used to ensure that the ballot definition is

read-only after it is loaded and verified. An alternative would be

to construct the ballot definition only out of immutable objects.

Another potentially useful behaviour that the reviewers

suggested was a variant on Java’s final keyword: a variable

that, after initialization, can only be set to None. Thus, it would

be possible to “throw away” the variable as a way of divesting

authority, but not to change it.

Pvote security review findings 290

Page 304 of 324
Page 305 of 324

The reviewers also suggested that Pthin might require

constructors to set all the member variables of the object being

constructed.

Compilation. The reviewers suggested that instead of verifying

the compiler, auditors could verify that the assembly-language

output from the compiler is a valid compilation of the source

code input to the compiler.

If Pthin were small enough, perhaps it could be reliably

mechanically translated to a variety of target languages.

Other languages. The following other programming languages

were suggested for implementing Pvote:

• BitC

• CCured

• Cyclone

• Java

• Joe-E (subset of Java)

• Ada

• SPARK Ada (subset of Ada)

• ML

In addition, JML (Java Modelling Language) declarations could

be added to an implementation in Java or Joe-E, and verified by

a static checker such as ESC/Java2.

Porting Pvote to Joe-E would help reviewers reason about

statelessness and determinism (e.g., statelessness of the

Ballot constructor or determinism of the verifier).

There is a trade-off here between choosing a well-known

language (with a large community of potential code reviewers)

and a more obscure language with verification features. The

importance of public confidence in the election affects this

trade-off.

Other language features. The reviewers mentioned that static

typing and explicit control over memory allocation could be

potentially helpful language features for the design and review

of Pvote.

Pvote security review findings 291

Page 305 of 324
Page 306 of 324

The reviewers wondered if it might be possible to further

reduce Pthin by eliminating negative integers and strings,

thereby making it easier to translate into other languages.

Also, there are a few places where Pthin had to be a slightly

larger language in order to accommodate an existing API. An

alternative to this would be to create an abstraction around the

API, implement the abstraction in Python, and use a call to the

Python function in the Pthin program. (This example illustrates

the benefits of flexibility in choosing language subsets.)

Memory usage. Section 7.11 of the assurance document

attempts to provide an argument that the memory usage of

Pvote is bounded. How would an actual upper bound on

memory usage be calculated given a particular ballot definition?

How might Pvote’s design and Pthin’s specification be changed

in order to make such a calculation straightforward?

Hardware. For a voting machine that emits audio via a typical

headphone port, there is a risk that the audio may be recorded

in violation of voter privacy. In particular, if audio is enabled by

default and most voters don’t use audio, a cable running from

the audio port to a recording device may go unnoticed [61].

Accessibility. The only user input events Pvote understands are

screen touches and button presses, not including their duration,

movement, velocity, pressure, or release. In particular, Pvote

cannot distinguish long and short presses or detect

double-clicks. We need to identify the norms for input devices

in the accessibility community; if timed features like this are

needed, Pvote may have to be altered to support them. (One

reviewer pointed out that some support for such features could

also be provided by hardware, such as hardware that translates

a long button press into one keycode and a short button press

into a different keycode.)

One-button or other low-bandwidth input interfaces could

require Pvote to be more aware of timing. One example would

be an interface where “pause” is an input event; another would

Pvote security review findings 292

Page 306 of 324
Page 307 of 324

be an interface where options are read off slowly one at a time,

and the user signals when he hears the desired option. For

these designs, we would want to be able to specify a separate

timeout length for each state, and potentially also an arbitrary

action (not just a transition) to be triggered on a timeout.

Use of pointers. The reviewers debated whether it would be an

improvement to have the verifier, as it goes through the ballot

definition checking array indices, replace the integer array

indices with pointers to the referenced array elements. This

would make it easier to be sure that the preconditions checked

in the verifier match the preconditions on which the rest of

Pvote relies. However, there is a good rationale for using indices

instead of pointers, since passing indices transfers no authority.

For example, other modules can pass indices into the printer

module that will be used as indices into the text data, even

though these other modules don’t have access to the text data.

One reviewer suggested that rights amplification might be a

possible solution (bringing together an opaque array object and

an opaque index object would yield an array element). It might

be tricky to make this work for parallel arrays, which Pvote uses.

Output. The reviewers discussed the possibility of declaring the

output module to be a replaceable component, separate from

Pvote. Thus the interface to Pvote would be: take a ballot

definition file as input, produce a cast vote record as output.

The output module would print or record the cast vote in

whatever appropriate manner. There was no consensus on how

the output interface should be defined.

Printing. The reviewers were concerned that the printing

module is based around 7-bit ASCII, thus restricting candidate

names to 7-bit ASCII. Alternatively, if the printing module were

to print images instead of text, problems related to text

encoding would go away. Several options were discussed:

• Print numeric identifiers instead of strings; the numbers

would refer to the ballot definition. (But one useful purpose

Pvote security review findings 293

Page 307 of 324
Page 308 of 324

of a printed record is to allow votes to be counted even if all

electronic records are lost; this option lacks that feature.)

• Allow Unicode strings; pass them through opaquely to the

printer. The printer module should export a validation

method that checks whether strings are printable by the

printer hardware (e.g., the printer might support only 7-bit

ASCII, or it might provide a font that supports some subset

of Unicode). This validation would be performed on all

strings at ballot loading time to ensure they will be safely

printable.

• Just print sprites; eliminate all strings from the ballot

definition and from Pthin. Some possibilities:

• For each sprite to be shown on the display, provide a

corresponding black-and-white sprite for printing.

• Restrict all displayed sprites to 1-bit black-and-white

bitmaps, so the printer output can match it exactly.

(This also has the fairness advantage that colour-blind

voters will perceive exactly the same ballot as other

voters.)

• Allow both of the above approaches and add a flag to

the ballot definition to let the ballot designer choose one

of them.

• Specify an algorithm for converting a colour image to a

black-and-white image for printing. If the ballot designer

chooses to use a colour sprite, it is their responsibility to

make sure that its black-and-white conversion is legible.

System platform. The reviewers pondered what a minimal

platform for Pvote would look like, and sketched out the

following:

• Audio driver (hardware that plays from a memory-mapped

buffer, with software that keeps the buffer full)

• Interrupts for all input devices (including touchscreen

touches)

• Printer driver

• Storage driver (SD card, etc.)

• Single-threaded program

Pvote security review findings 294

Page 308 of 324
Page 309 of 324

Code documentation. The Pvote code was presented to the

reviewers without comments, for fear that comments might bias

their evaluation. Some reviewers had opinions about this:

• Some reviewers felt that it would be nice to see comments in

the code, and that leaving comments out of the code didn’t

make their job easier.

• One reviewer was glad that the comments were separated,

because (a) more code fits on fewer pages, and (b) he was

not being influenced by comments he could not trust. He

felt that he was getting more benefit by being forced to

reconstruct for himself the argument for why the code was

correct.

• One reviewer would prefer to see the meaning of fields

described in comments right in the code (like Javadoc).

• “Code that needs no documentation” is a myth; the code

says how, but the comments say why.

A possible compromise would be to include comments in the

code, and also offer a way for the reviewers to view the code

with the comments hidden.

Tests. Adding a suite of unit tests and regression tests might

help the reviewers perform testing, though it would constitute

more code for them to audit.

Pvote security review findings 295

Page 309 of 324
Page 310 of 324

Bug insertion

This section describes the bug insertion experiment that we

conducted. On the third and fourth days of the review, the

reviewers were given a new hardcopy of the source code

containing bugs that David Wagner and I had inserted. We told

the reviewers that we had inserted at least one bug in the code,

and asked them to try to find it.

Since insider attacks are a major unaddressed threat in

existing systems, we specifically wanted to experiment with this

scenario. Therefore, we warned the reviewers to treat us as

untrusted adversaries, and that we might not always tell the

truth. However, since it was in everyone’s interest to use our

limited time efficiently, we settled on a time-saving convention.

We promised to truthfully answer any question about a factual

matter that the reviewers could conceivably verify mechanically

or by checking an independent source—for example, questions

about the Python language, about static properties of the code,

about its runtime behaviour, and so on.

As we sought to craft bugs on the evening of March 30,

David Wagner and I chose the following criteria to make the

experiment more realistic:

• The bug had to conceivably enable an attack that would

affect election results. We assumed that the attacker also

had the ability to distribute a maliciously designed ballot

definition.

• The bug had to conceivably escape detection in a live

walkthrough test, such as a “Logic and Accuracy Test” for an

election, which typically consists of going through the whole

casting process for several ballots so that at least one vote is

cast for each candidate.

• The bug could not violate the Pthin language definition.

We only considered bugs that individually met all these criteria.

David and I devised and inserted three bugs with varying levels

of subtlety:

Pvote security review findings 296

Page 310 of 324
Page 311 of 324

1. Easy: Lines 83–84 in Navigator.py are as follows.

83 if step.op == OP REMOVE and selected:

84 selections.remove(option i)

We removed and selected from line 84. The consequence

is that an attempt to deselect an option using OP REMOVE

will crash if the option is not already selected. A ballot

definition could use this bug to selectively crash the

machine in a particular situation (e.g., to disenfranchise

those who vote for a particular party). The ballot definition

could still pass a walkthrough test and avoid crashing under

normal circumstances by using a condition to prevent

OP REMOVE from being executed when the option is not

selected.

2. Medium: Lines 78–79 in Navigator.py are as follows.

78 selections = self.selections[group i]

79 selected = option i in selections

We changed selections to self.selections in the

second line (line 79). The consequence is that selected will

always be 0, because self.selections is a list of lists, not

a list of integers. The consequence is that OP ADD will keep

adding a selection to the list even after it has already been

selected. So, in a contest with a max sels of 3, for example,

a voter could cast three votes for the same candidate. (Note

that this bug could be caught by a static type checker.)

3. Hard: Lines 42–43 in Navigator.py are as follows.

42 if option.writein group i != None:

43 self.review(option.writein group i, slot i + 1, None)

This is the recursive call within the review() method. The

recursion only goes one level deep: the outer call displays

the selected options within a contest, and the inner call

displays the selected characters within a write-in. Thus, the

outer call passes the write-in group to the inner call. We

changed None to cursor sprite i in the recursive call on

line 43. This takes the cursor sprite i index that was

passed in (which would be a sprite the size of an option)

Pvote security review findings 297

Page 311 of 324
Page 312 of 324

and passes it on to the inner call (which would attempt to

paste it into a slot the size of a character). The ballot

definition could set up a situation in which this size

mismatch caused a sprite to exceed the bounds of the

screen, causing the program to crash.

We decided to insert all of these bugs in a 100-line region of a

single file, lines 11 to 109 of Navigator.py, and told the

reviewers to look in this region. We did this both because the

navigator was the most interesting in terms of the program

logic and because we knew the reviewers would have limited

time. The new version of the code that we gave the reviewers

contained all three bugs, but we did not tell the reviewers how

many bugs there were.

March 31. Three reviewers were present on March 31:

Tadayoshi Kohno, Mark Miller, and Dan Sandler. Dan was

already very familiar with Python; he worked separately. He

found the “medium” bug about 35 minutes after he started his

search, purely by manual inspection, saying the line “looked

suspicious.” He then found the “easy” bug about 35 minutes

later (70 minutes after starting). He hypothesized that the

condition was incomplete by reading the code, then tested his

hypothesis by running Pvote and finding a way to make the

program crash.

The other two reviewers, Mark and Yoshi, worked together.

They were less familiar with Python; one had spent the

preceding two days learning about Pvote’s design and

inspecting the code, and the other was encountering Pvote for

the first time with the bugs embedded. About four hours into

the review (not including a lunch break), they expressed some

concern about the code near the “easy” bug. About ten minutes

later, they noticed that the annotations to the left of line 83

didn’t match the code. Another ten minutes later, they declared

that they had found a bug (the “easy” bug). Part of what had

caused them to inspect this region of code carefully was an

attempt to systematically verify, one by one, each of the

Pvote security review findings 298

Page 312 of 324
Page 313 of 324

assurance arguments given in Chapter 7 of the assurance

document. They did not find the “medium” bug.

By the time the reviewers quit late in the day, none had

found the “hard” bug, although there had been some questions

about ways that cursor sprites could be used to conduct an

attack. They had spent a total of about 20 reviewer-hours

examining the version of the code with the three inserted bugs.

May 20. Two reviewers were present on May 20: Ian Goldberg

and Tadayoshi Kohno. Ian found the “easy” bug about 130

minutes after starting his search, despite being new to Pvote.

About 90 minutes later, after no more bugs were found, we

decided to switch strategies. To test out the “read-write review”

idea that Dan Sandler had previously proposed (see Section E),

both reviewers would try to insert bugs into the code, and we

would see if this helped them find the bugs that David and I

had inserted earlier.

Yoshi spent the next 50 minutes inserting bugs into the

code. I examined his altered code and, by manual inspection

alone, was able to find the three bugs he inserted in about 30

minutes. (Of course, as the author of the code, I was uniquely

familiar with it, so this doesn’t reveal much about the subtlety

of the inserted bugs.) No more bugs were discovered for the

rest of the day. By the end of the day, the reviewers had

inspected the code for about 13 reviewer-hours.

Pvote security review findings 299

Page 313 of 324
Page 314 of 324

Review process

This section describes ideas and suggestions regarding the

software review process that came up during the review.

Viewing code. One reviewer remarked that he was much more

effective at comprehending someone else’s code when all the

code was spread out on the wall in front of him, on paper. He

found this surprising because he had spent the last 20 years

editing code on computer screens.

Analysis tools. The reviewers mentioned that these tools would

have been helpful to them:

• a static checker to verify that Pvote is written in the Pthin

subset

• a checker for suspiciously similar (possibly mistyped)

identifiers

• an information flow analyzer

• a static analyzer to determine the maximum possible call

depth

Trust in the adversary. The reviewers mentioned on several

occasions that it was difficult to maintain the requisite level of

distrust in the programmer, especially when the programmer

was present in the room and was a friendly face. The

significance of the social relationship between programmer and

reviewer is an important difference between code review for

accidental mistakes and code review for intentional malice. The

reviewers agreed that in an adversarial review, programmers

should not socialize with the reviewers; perhaps they should

even not be physically in the same room, or communicate only

over a text-based communication channel. The reviewers

believed that measures like these—to “dehumanize the

enemy”—would help them maintain the necessary distrust of

the programmer.

One reviewer noted that, although his suspicions were

Pvote security review findings 300

Page 314 of 324
Page 315 of 324

raised during the bug-finding test by a missing annotation, he

would have been easily tricked by a bogus annotation. He would

not have bothered to check that the annotation was correct,

since it appeared that the programmer had thought about the

issue and claimed to offer some justification, and since every

other time he had checked out an annotation, it did turn out to

be valid. This weakness resulted from a combination of the

tediousness of checking annotations and insufficient distrust in

the programmer.

Reviewer fatigue. The reviewers generally felt that the point

where one becomes tired of inspecting code comes long before

one has subjected it to enough scrutiny. It might be a good idea

to limit the amount of time spent per reviewer: the more

familiar one becomes with it, the more confident and

comfortable one becomes at making assumptions of

correctness. One reviewer suggested that, since reviewers

shouldn’t ever become complacent with the code being

reviewed, the review process should follow a “principle of most

surprise” to keep reviewers on their toes.

One-line change test. Mark Miller proposed the following test:

suppose that, as an attacker, you had the ability to change just

one line of code. How much damage could you do (i.e., which

assurance requirements could you cause the program to

violate)? Figuring out which lines are the most sensitive would

provide a map of the “hot spots” in the program—the places

that require especially close attention during a code review. For

example, changing - 1 to + 1 on line 12 of Navigator.py is

sufficient to make Pvote keep printing out ballots repeatedly if

left unattended. Therefore, this line is part of the TCB for R3

(become inert after a ballot is commtited) and also for R9

(commit the ballot only when so requested by the voter).

In a variant of this test, there are a series of trials. For each

trial, one line of the program is chosen at random and the

attacker is allowed to change just that line. With enough trials,

one could estimate the size of the TCB for each assurance

Pvote security review findings 301

Page 315 of 324
Page 316 of 324

requirement. For example, if the attacker is able to violate a

particular requirement in 1/4 of the trials, then the TCB for that

requirement is probably about 1/4 the size of the program.

By changing almost any single line, one can trivially cause

the program to crash. It is more of a challenge to cause a

meaningful effect on an election without failing a simple

operational test.

Our discussion of the one-line change test highlighted the

benefits of read-only types. Without read-only restrictions,

almost any line in Pvote can be changed to one that maliciously

modifies the ballot data in memory.

The read-write review. Dan Sandler suggested the possibility

of taking the bug insertion experiment one step further by

encouraging the reviewers to insert their own bugs, a process he

called the “read-write review.” He conjectured that being tasked

to insert bugs would:

• Motivate reviewers to find “hot spots” in the code that were

especially vulnerable to small changes, thereby leading

them to scrutinize places where malicious bugs were likely

to have been inserted.

• Force reviewers to modify and run the program with the

intention of producing a specific change in behaviour, thus

requiring them to develop a deeper understanding of how

the program works than they would get from merely

reading the code.

• Yield a program with known bugs that could then be passed

on to another group of reviewers to inspect. The existence

of the known bugs would motivate the next group, and the

fraction of those bugs they found could offer some measure

of their effectiveness.

One could imagine several groups of reviewers performing a

multi-round review, in which each group inserts some bugs and

then passes on the code to the next group.

Other tasks might also improve code understanding by

getting reviewers to modify and interact with the code.

Reviewers could be asked to translate it to another

Pvote security review findings 302

Page 316 of 324
Page 317 of 324

programming language, or to rewrite parts of the code they find

hard to understand, and then verify that their rewritten or

translated code produces equivalent behaviour.

The idea of the read-write review was inspired by Dan’s

experience with the Hack-a-Vote class exercise, in which more

bugs were found by students while inserting bugs than while

looking for bugs. The insight was that although Hack-a-Vote was

conceived as a test of the students doing the hacking, it is also a

test of the Hack-a-Vote software’s resistance to undetected

tampering.

Ideally, if reviewers find most or all of the planted bugs,

while finding few or no bugs in the original code, this might be

grounds for confidence in the original code. However, we noted

several ways that an actual attacker (the original, possibly

malicious programmer who initially wrote the software) might

be a stronger adversary than a fake attacker (a code reviewer

asked to insert bugs into the software):

• A real attacker could simply be smarter.

• A real attacker may be more motivated or have more at

stake.

• A real attacker may have more time and resources than a

team of reviewers would have in one round of the review.

• A real attacker would be more familiar with the code, and

could have chosen the design and implementation

specifically to enable particular malicious bugs.

On the fourth day of the review, reviewers were asked to

insert their own bugs. They commented:

• It’s possible that inserting bugs may reduce a reviewer’s

chances of finding bugs. Inserting bugs under time

constraints may encourage reviewers to stick to the parts of

code they already understand well, instead of diving deep

into unfamiliar parts of the code.

• The code can be divided into three classes: (a) parts you

understand, (b) parts you don’t understand, and (c) parts

you don’t understand but think you do. Reviewers will tend

to insert bugs in types (a) and (c), but not (b).

Pvote security review findings 303

Page 317 of 324
Page 318 of 324

Post-review survey

After the conclusion of the first three-day meeting, we

informally surveyed the reviewers by e-mail. Their responses

are paraphrased here.

Thoroughness of review . How thorough was this review,

compared to other security reviews you have participated in, or

other reviews of voting software?

• This was comparable to other code reviews, though very

different from reviewing commercial voting software

because Pvote is so much smaller.

• Other reviews expended more total effort, but this review

spent more effort per line of code.

• This did not go into as much depth as other security reviews

because we were focused on just the Pvote component.

• For me, not that thorough.

General confidence. After this review, how much confidence do

you have have in Pvote, compared to other voting systems you

are familiar with?

• Much more confidence in Pvote than any commercial voting

system; however, Pvote is only one component and many of

the security flaws in other voting systems occur in parts

outside of Pvote’s scope. “Comparing Pvote to the

comparable portions of commercial systems is no contest.

Pvote kills them.”

• For what Pvote does, much better than any of the other

systems I have seen.

• I’m not familiar with other voting systems.

• I can’t give a confidence level about Pvote, though I am

confident it would be easier to argue the security of Pvote

than other designs.

Lack of accidental bugs. How confident are you that Pvote is

free of accidental bugs? In other words, if you assume that Ping

Pvote security review findings 304

Page 318 of 324
Page 319 of 324

is not malicious and was trying his best to make Pvote

trustworthy, how confident are you that you would have found

any inadvertent bugs in Pvote?

• Reasonably confident.

• Rather highly.

• Confident due to the efforts of the group as a whole, though

not very confident I would have found them on my own.

• It’s hard to say.

Lack of malicious bugs. How confident are you that Pvote is

free of malicious code? In other words, if you assume that Ping is

malicious and may have been trying his best to introduce a

backdoor, how confident are you that you would have found it?

• Not at all confident.

• Poorly.

• Confident due to the efforts of the group as a whole, though

not very confident I would have found them on my own.

• Not very confident.

Pvote security review findings 305

Page 319 of 324
Page 320 of 324

GNU Free Documentation License

1.2, November 2002

Copyright © 2000, 2001, 2002 Free Software Foundation, Inc.

51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not

allowed.

Preamble

The purpose of this License is to make a manual, textbook, or other functional and useful document “free” in

the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without

modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and

publisher a way to get credit for their work, while not being considered responsible for modifications made by

others.

This License is a kind of “copyleft”, which means that derivative works of the document must themselves

be free in the same sense. It complements the GNU General Public License, which is a copyleft license

designed for free software.

We have designed this License in order to use it for manuals for free software, because free software

needs free documentation: a free program should come with manuals providing the same freedoms that the

software does. But this License is not limited to software manuals; it can be used for any textual work,

regardless of subject matter or whether it is published as a printed book. We recommend this License

principally for works whose purpose is instruction or reference.

1. Applicability and definitions

This License applies to any manual or other work, in any medium, that contains a notice placed by the

copyright holder saying it can be distributed under the terms of this License. Such a notice grants a

world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein.

The “Document”, below, refers to any such manual or work. Any member of the public is a licensee, and is

addressed as “you”. You accept the license if you copy, modify or distribute the work in a way requiring

permission under copyright law.

A “Modified Version” of the Document means any work containing the Document or a portion of it,

either copied verbatim, or with modifications and/or translated into another language.

A “Secondary Section” is a named appendix or a front-matter section of the Document that deals

exclusively with the relationship of the publishers or authors of the Document to the Document’s overall

subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus,

if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.)

The relationship could be a matter of historical connection with the subject or with related matters, or of

legal, commercial, philosophical, ethical or political position regarding them.

The “Invariant Sections” are certain Secondary Sections whose titles are designated, as being those of

Invariant Sections, in the notice that says that the Document is released under this License. If a section does

not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document

may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are

none.

The “Cover Texts” are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover

Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at

most 5 words, and a Back-Cover Text may be at most 25 words.

306

Page 320 of 324
Page 321 of 324

A “Transparent” copy of the Document means a machine-readable copy, represented in a format whose

specification is available to the general public, that is suitable for revising the document straightforwardly

with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some

widely available drawing editor, and that is suitable for input to text formatters or for automatic translation

to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file

format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent

modification by readers is not Transparent. An image format is not Transparent if used for any substantial

amount of text. A copy that is not “Transparent” is called “Opaque”.

Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input

format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple

HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include

PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by

proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally

available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output

purposes only.

The “Title Page” means, for a printed book, the title page itself, plus such following pages as are needed

to hold, legibly, the material this License requires to appear in the title page. For works in formats which do

not have any title page as such, “Title Page” means the text near the most prominent appearance of the work’s

title, preceding the beginning of the body of the text.

A section “Entitled XYZ” means a named subunit of the Document whose title either is precisely XYZ or

contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a

specific section name mentioned below, such as “Acknowledgements”, “Dedications”, “Endorsements”, or

“History”.) To “Preserve the Title” of such a section when you modify the Document means that it remains a

section “Entitled XYZ” according to this definition.

The Document may include Warranty Disclaimers next to the notice which states that this License applies

to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but

only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is

void and has no effect on the meaning of this License.

2. Verbatim copying

You may copy and distribute the Document in any medium, either commercially or noncommercially,

provided that this License, the copyright notices, and the license notice saying this License applies to the

Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this

License. You may not use technical measures to obstruct or control the reading or further copying of the

copies you make or distribute. However, you may accept compensation in exchange for copies. If you

distribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.

3. Copying in quantity

If you publish printed copies (or copies in media that commonly have printed covers) of the Document,

numbering more than 100, and the Document’s license notice requires Cover Texts, you must enclose the

copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and

Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of

these copies. The front cover must present the full title with all words of the title equally prominent and

visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as

long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim

copying in other respects.

If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed

(as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either

include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque

copy a computer-network location from which the general network-using public has access to download using

public-standard network protocols a complete Transparent copy of the Document, free of added material. If

you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque

copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until

GNU Free Documentation License 307

Page 321 of 324
Page 322 of 324

at least one year after the last time you distribute an Opaque copy (directly or through your agents or

retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before redistributing

any large number of copies, to give them a chance to provide you with an updated version of the Document.

4. Modifications

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3

above, provided that you release the Modified Version under precisely this License, with the Modified Version

filling the role of the Document, thus licensing distribution and modification of the Modified Version to

whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

A. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those

of previous versions (which should, if there were any, be listed in the History section of the Document).

You may use the same title as a previous version if the original publisher of that version gives permission.

B. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the

modifications in the Modified Version, together with at least five of the principal authors of the Document

(all of its principal authors, if it has fewer than five), unless they release you from this requirement.

C. State on the Title page the name of the publisher of the Modified Version, as the publisher.

D. Preserve all the copyright notices of the Document.

E. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.

F. Include, immediately after the copyright notices, a license notice giving the public permission to use the

Modified Version under the terms of this License, in the form shown in the Addendum below.

G. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the

Document’s license notice.

H. Include an unaltered copy of this License.

I. Preserve the section Entitled “History”, Preserve its Title, and add to it an item stating at least the title,

year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section

Entitled “History” in the Document, create one stating the title, year, authors, and publisher of the

Document as given on its Title Page, then add an item describing the Modified Version as stated in the

previous sentence.

J. Preserve the network location, if any, given in the Document for public access to a Transparent copy of

the Document, and likewise the network locations given in the Document for previous versions it was

based on. These may be placed in the “History” section. You may omit a network location for a work that

was published at least four years before the Document itself, or if the original publisher of the version it

refers to gives permission.

K. For any section Entitled “Acknowledgements” or “Dedications”, Preserve the Title of the section, and

preserve in the section all the substance and tone of each of the contributor acknowledgements and/or

dedications given therein.

L. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section

numbers or the equivalent are not considered part of the section titles.

M. Delete any section Entitled “Endorsements”. Such a section may not be included in the Modified Version.

N. Do not retitle any existing section to be Entitled “Endorsements” or to conflict in title with any Invariant

Section.

O. Preserve any Warranty Disclaimers.

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections

and contain no material copied from the Document, you may at your option designate some or all of these

sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version’s

license notice. These titles must be distinct from any other section titles.

You may add a section Entitled “Endorsements”, provided it contains nothing but endorsements of your

Modified Version by various parties–for example, statements of peer review or that the text has been

approved by an organization as the authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a

Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover

Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the

Document already includes a cover text for the same cover, previously added by you or by arrangement made

GNU Free Documentation License 308

Page 322 of 324
Page 323 of 324

by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on

explicit permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use their names

for publicity for or to assert or imply endorsement of any Modified Version.

5. Combining documents

You may combine the Document with other documents released under this License, under the terms defined

in section 4 above for modified versions, provided that you include in the combination all of the Invariant

Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined

work in its license notice, and that you preserve all their Warranty Disclaimers.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections

may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different

contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of

the original author or publisher of that section if known, or else a unique number. Make the same adjustment

to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections Entitled “History” in the various original documents,

forming one section Entitled “History”; likewise combine any sections Entitled “Acknowledgements”, and any

sections Entitled “Dedications”. You must delete all sections Entitled “Endorsements”.

6. Collections of documents

You may make a collection consisting of the Document and other documents released under this License, and

replace the individual copies of this License in the various documents with a single copy that is included in

the collection, provided that you follow the rules of this License for verbatim copying of each of the

documents in all other respects.

You may extract a single document from such a collection, and distribute it individually under this

License, provided you insert a copy of this License into the extracted document, and follow this License in all

other respects regarding verbatim copying of that document.

7. Aggregation with independent works

A compilation of the Document or its derivatives with other separate and independent documents or works,

in or on a volume of a storage or distribution medium, is called an “aggregate” if the copyright resulting from

the compilation is not used to limit the legal rights of the compilation’s users beyond what the individual

works permit. When the Document is included in an aggregate, this License does not apply to the other works

in the aggregate which are not themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the

Document is less than one half of the entire aggregate, the Document’s Cover Texts may be placed on covers

that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in

electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate.

8. Translation

Translation is considered a kind of modification, so you may distribute translations of the Document under

the terms of section 4. Replacing Invariant Sections with translations requires special permission from their

copyright holders, but you may include translations of some or all Invariant Sections in addition to the

original versions of these Invariant Sections. You may include a translation of this License, and all the license

notices in the Document, and any Warranty Disclaimers, provided that you also include the original English

version of this License and the original versions of those notices and disclaimers. In case of a disagreement

between the translation and the original version of this License or a notice or disclaimer, the original version

will prevail.

If a section in the Document is Entitled “Acknowledgements”, “Dedications”, or “History”, the

requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title.

GNU Free Documentation License 309

Page 323 of 324
Page 324 of 324

9. Termination

You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this

License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will

automatically terminate your rights under this License. However, parties who have received copies, or rights,

from you under this License will not have their licenses terminated so long as such parties remain in full

compliance.

10. Future revisions of this license

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License

from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to

address new problems or concerns. See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies that a

particular numbered version of this License “or any later version” applies to it, you have the option of

following the terms and conditions either of that specified version or of any later version that has been

published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number

of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.

Addendum: How to use this License for your documents

To use this License in a document you have written, include a copy of the License in the document and put the

following copyright and license notices just after the title page:

Copyright © YEAR YOUR NAME. Permission is granted to copy, distribute and/or modify this document

under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by

the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

A copy of the license is included in the section entitled “GNU Free Documentation License”.

If you have Invariant Sections, Front-Cover Texts and Back-Cover Texts, replace the “with . . . Texts.” line with

this:

with the Invariant Sections being LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the

Back-Cover Texts being LIST.

If you have Invariant Sections without Cover Texts, or some other combination of the three, merge those two

alternatives to suit the situation.

If your document contains nontrivial examples of program code, we recommend releasing these

examples in parallel under your choice of free software license, such as the GNU General Public License, to

permit their use in free software.

310

Page 324 of 324

yee-phd.pdf
Page 321 of 324



http://bestanimations.com/Holidays/Thankyou-01-june.gif

comments (0)
12/21/16
2085 Thu 22 Dec 2016 LESSONS from Rector JCMesh J Alphabets Letter Animation ClipartMesh C Alphabets Letter Animation Clipart an expert who identifies experts influenced by Expert and Infulencer Sashikanth Chandrasekharan of Free Online Buddhism - World Religions for Kidshttps://drambedkarbooks.com/2015/03/14/the-chamcha-age-by-saheb-kanshi-ram/#more-1506Awaken One With Awareness Mind (A1wAM)+ ioT (insight-net of Things) - the art of Giving, taking and Living to attain Eternal Bliss as Final Goal through Electronic Visual Communication Course on Political Science -Techno-Politico-Socio Transformation and Economic Emancipation Movement (TPSTEEM). Struggle hard to see that all fraud EVMs are replaced by paper ballots by Start using Internet of things by creating Websites, blogs. Make the best use of facebook, twitter etc., to propagate TPSTEEM thru FOA1TRPUVF. Practice Insight Meditation in all postures of the body - Sitting, standing, lying, walking, jogging, cycling, swimming, martial arts etc., for health mind in a healthy body. from INSIGHT-NET-Hi Tech Radio Free Animation Clipart Online A1 (Awakened One) Tipiṭaka Research & Practice University in Visual Format (FOA1TRPUVF)https://archive.org/stream/DhammapadaIllustrated/dhammapada_illustrated#page/n681/mode/2up free online university research practice up a level through http://sarvajan.ambedkar.orgup a level https://awakenmediaprabandhak. wordpress.com/ email-0565.gif from 123gifs.eu Download & Greeting Card modinotourpm@gmail.com jchandra1942@icloud.com sarvajanow@yahoo.co.in is the most Positive Energy of informative and research oriented site propagating the teachings of the Awakened One with Awareness the Buddha and on Techno-Politico-Socio Transformation and Economic Emancipation Movement followed by millions of people all over the world in 105 Classical languages. Rendering exact translation as a lesson of this University in one’s mother tongue to this Google Translation and propagation entitles to become a Stream Enterer (Sottapanna) and to attain Eternal Bliss as a Final Goal BSP is the Number One Largest Party in the Country with all societies (sarvajan Samaj ) supporting it for Sarvajan Hitay sarvajan Sukhay. https://www.reddit.com/…/c…/4y17kg/hacking_voting_machines/… The CEC said that all the EVMs will be replaced in the 2019 general elections. Ex CJI SADHASIVAM, shirked his duty & committed a grave error of judgment by allowing in phased manner the Fraud Tamperable EVMs on the request of ex CEC SAMPATH because of the 1600 crore cost to replace them and dealt a fatal blow to the Country’s democracy. From: dmallihcu Date: Fri, Dec 2, 2016 at 2:34 PM Subject: electronic voting machines Hai anna, http://www.dailypioneer.com/…/distributing-laptops-wont-hel… Students who got laptops without internet connections which cost Rs 1000 per month started selling them. Slamming Samajwadi Party (SP) government over massive inauguration and foundation laying ceremonies, Bahujan Samaj Party supremo Mayawati said that Chief Minister Akhilesh Yadav has realized that his Party will not come in power again that why they are distributing their leftover laptops to their Party workers rampantly. http://indiatoday.intoday.in/…/rs-100-rs-50-r…/1/840031.html Rs 100, Rs 50 currency notes are now facing security threat, Arun Jaitly tell India Today
Filed under: General
Posted by: site admin @ 10:49 pm




2085 Thu 22 Dec 2016


LESSONS


from

Rector
JCMesh J Alphabets Letter Animation ClipartMesh C Alphabets Letter Animation Clipart

an expert who identifies experts influenced by Expert and Infulencer Sashikanth Chandrasekharan
of


Free Online
Buddhism - World

Religions for Kidshttps://drambedkarbooks.com/2015/03/14/the-chamcha-age-by-saheb-kanshi-ram/#more-1506
Awaken One With Awareness Mind
(A1wAM)
+ ioT (insight-net of Things)  - the art of Giving, taking and Living   to attain Eternal Bliss
as Final Goal through Electronic Visual Communication Course on
Political Science -Techno-Politico-Socio Transformation and Economic
Emancipation Movement (TPSTEEM).


Struggle hard to see that all fraud EVMs are replaced by paper ballots by

Start
using Internet of things by creating Websites, blogs. Make the best use
of facebook, twitter etc., to propagate TPSTEEM thru
FOA1TRPUVF.

Practice
Insight Meditation in all postures of the body - Sitting, standing,
lying, walking, jogging, cycling, swimming, martial arts etc., for
health mind in a healthy body.



 from

INSIGHT-NET-Hi Tech Radio Free Animation Clipart Online A1 (Awakened One) Tipiṭaka Research & Practice University
in Visual Format (FOA1TRPUVF)

https://archive.org/stream/DhammapadaIllustrated/dhammapada_illustrated#page/n681/mode/2up

free online university research practice









up a level through http://sarvajan.ambedkar.orgup a level



https://awakenmediaprabandhak. wordpress.com/












email-0565.gif from 123gifs.eu Download & Greeting Card


modinotourpm@gmail.com
jchandra1942@icloud.com
sarvajanow@yahoo.co.in



is the most Positive Energy of informative and research oriented site propagating the teachings of the Awakened One with Awareness the Buddha and on Techno-Politico-Socio Transformation and Economic Emancipation Movement followed by millions of people all over the world in 105 Classical languages.


Rendering exact translation as a lesson of this
University in one’s mother tongue to this Google Translation and
propagation entitles to become a Stream
Enterer (Sottapanna) and

to attain Eternal Bliss as a Final Goal

BSP
is the Number One Largest Party in the Country with all societies
(sarvajan Samaj ) supporting it for Sarvajan Hitay sarvajan Sukhay.

https://www.reddit.com/…/c…/4y17kg/hacking_voting_machines/…


The CEC said that all the EVMs will be replaced in the 2019 general elections.



Ex CJI SADHASIVAM, shirked his duty & committed a grave error of
judgment by allowing in phased manner the Fraud Tamperable EVMs on the
request of ex CEC SAMPATH because of the 1600 crore cost to replace them
and dealt a fatal blow to the Country’s democracy.

From: dmallihcu
Date: Fri, Dec 2, 2016 at 2:34 PM
Subject: electronic voting machines

Hai anna,

http://www.dailypioneer.com/…/distributing-laptops-wont-hel…

Students who got laptops without internet connections which cost Rs 1000 per month started selling them.

Slamming Samajwadi Party (SP) government over massive inauguration and
foundation laying ceremonies, Bahujan Samaj Party supremo Mayawati said
that Chief Minister Akhilesh Yadav has realized that his Party will not
come in power again that why they are distributing their leftover
laptops to their Party workers rampantly.


http://indiatoday.intoday.in/…/rs-100-rs-50-r…/1/840031.html

Rs 100, Rs 50 currency notes are now facing security threat, Arun Jaitly tell India Today


https://www.reddit.com/…/c…/4y17kg/hacking_voting_machines/…

http://indianexpress.com/…/ec-team-on-3-day-visit-to-uttar…/
Uttar Pradesh News, Uttar Pradesh Election, kairana issue, bjp kairana,
Chief Election Commissioner Nasim Zaidi, Uttar Pradesh News, Uttar
Pradesh Election news, Latest news, India news

The CEC said that all the EVMs will be replaced in the 2019 general elections.

http://economictimes.indiatimes.com/…/articles…/51106327.cms


without ordering for paper ballots till all the EVMs are totally
replaced. Now in UP the elections are conducted with these EVMs just
because Ms Mayawati’s BSP will win in thumping majority as it did in the
last UP Panchayat elections and rest of the parties will not even get
1% votes.

They cant think beyond tampering the fraud EVMs (Evil
Voting Machines) for gobbling power because of their greed for money and
theses people in their stupor state of mind along with the Presstitute
media are trying to bury the teaching of the Awakened One with Awareness
and the Techno-Poltico-Socio Transformation and Economic Emancipation
Movement of BSP without realising that they are seeds that kep sprouting
as Bodhi Trees.


Ex CJI SADHASIVAM, shirked his duty & committed a grave error of
judgment by allowing in phased manner the Fraud Tamperable EVMs on the
request of ex CEC SAMPATH because of the 1600 crore cost to replace them
and dealt a fatal blow to the Country’s democracy.

Ex CEC
SAMPATH is number one enemy of Democracy, Liberty, Equality and
fraternity as enshrined in our Constitution for the welfare, happiness
and peace of Sarvajan Samaj.

In fact when the BJP was in opposition its remotely controlling RSS
favored paper ballots which is now silent after gaining power through
the very same fraud EVMs.

http://news.webindia123.com/…/A…/India/20100828/1575461.html

RSS favours paper ballots, EVMs subjected to public scrutinyNew Delhi | Saturday, Aug 28 2010 IST


Joining the controversy regarding the reliablity of Electronic Voting
Machines (EVMs) which have been questioned by political parties, the RSS
today asked the Election Commission (EC) to revert back to tried and
tested paper ballots and subject EVMs to public scrutiny whether these
gadgets are tamper proof. In an editorial titled ‘Can we trust our
EVMs?’, The Organiser, the RSS mouthpiece, noted it was a fact that till
date an absolutely tamper-proof machine had not been invented and
credibility of any system depends on ‘transparency, verifiability and
trustworthiness’ than on blind and atavistic faith in its infallibility.
The issue is not a ‘private affair’ and it involves the future of
India. Even if the EVMs were genuine, there was no reason for the EC to
be touchy about it, the paper commented. The Government and the EC can’t
impose EVMs as a fait accompli on Indian democracy as the only option
before the voter.

There were flaws like booth capturing, rigging,
bogus voting, tampering and ballot paper snatching in the ballot paper
system of polling leading the country to switch over to the EVMs and all
these problems were relevant in EVMs too. Rigging was possible even at
the counting stage.

What made the ballot papers voter-friendly
was that all aberrations were taking place before the public eye and
hence open for corrections whereas the manipulations in the EVMs is
entirely in the hands of powers that be and the political appointees
manning the sytem, the paper commented. The EVM has only one advantage —
’speed’ but that advantage has been undermined by the staggered polls
at times spread over three to four months. ‘’This has already killed the
fun of the election process,’’ the paper noted. Of the dozen General
Elections held in the country, only two were through the EVMs and
instead of rationally addressing the doubts aired by reputed
institutions and experts the Government has resorted to silence its
critics by ‘intimidation and arrests on false charges’, the paper
observed, recalling the arrest of Hyederabad-based technocrat Hari
Prasad by the Mumbai Police. Prasad’s research has proved that the EVMs
were ‘vulnerable to fraud’. The authorities want to send a message that
anybody who challenges the EC runs the risk of persecution and
harassment, the RSS observed. Most
countries around the world looked at the EVMs with suspicion and
countries like the Netherlands, Italy, Germany and Ireland had all
reverted back to paper ballots shunning EVMs because they were ‘easy to
falsify, risked eavesdropping and lacked transparency’.


Democracy is too precious to be handed over to whims or an opaque
establishment and network of unsafe gizmos. ‘’For the health of Indian
democracy it is better to return to tried and tested methods or else
elections in future can turn out to be a farce,’’ the editorial said.–
(UNI) — 28DI28.xml

Therefore it is high time that the CEC
nasimzaidi@eci.gov.in
make arrangements to dismiss the Central Government and all the state
governments selected by these fraud EVMs till all the EVMs are replaced
before 2019 as claimed by the CEC.

All lovers of democracy throughout the world must insist the CEC to save from Murderer of democratic institutions (Modi)

From: dmallihcu
Date: Fri, Dec 2, 2016 at 2:34 PM
Subject: electronic voting machines

Hai anna,

7.pdf
​​
199-211_Vegas_Belgian-E- voting.pdf
​​
295-JI174.pdf
​​
331.pdf
​​
1002evot.pdf
​​
1602.02509.pdf
​​
1981-3821-bpsr-9-3-0004.pdf
​​
2009-PBY-HICSS-Voting.pdf
​​
9093.pdf
​​
11946.pdf
​​
Advanced-Security-to-Enable- Trustworthy-Electro…
​​
Appendix 1A.pdf
​​
bevoting-1_gb.pdf
​​
bevoting-2_gb.pdf
​​
Cohen-2006-Auditing- Technology-for-Voting-Machi…
​​
crsreport.pdf
​​
CSECS-12.pdf
​​
e2014_fr17.pdf
​​
E-votingHistory.pdf
​​
ElectionWatch 3 Low.pdf
​​
electronic_voting_machines. pdf
​​
ElectronicVotingMachine.pdf
​​
EverettGreeneBWDST_08.pdf
​​
EVM.ppt
​​
evm_tr2010.pdf
​​
EVMOld.pdf
​​
ftnCCS05.pdf
​​
halal-4-evoting-errors-v5.pdf
​​
I504036163.pdf
​​
IDEA.Introducing-Electronic- Voting-Essential-Co…
​​
IFESkazakhstan.pdf
​​
IJCSE11-03-05-045.pdf
​​
IJETR_APRIL_2014_STET_72.pdf
​​
IJRET20140319003.pdf
​​
nam2014eisa.pdf
​​
p-4812–Cell phone Based Voting Machine.pdf
​​
privacy-electronic-voting- chapter.pdf
​​
privacy-electronic-voting- WPES-2004.pdf
​​
revised_summary31.pdf
​​
sastry-phd.pdf
​​
scientificamerican1004-90.pdf
​​
Thesis.pdf
​​
vote.pdf
​​
voting.pdf
​​
voting_good_bad_stupid.pdf
​​
yee-phd.pdf


191 points and 38 comments so far on reddit
reddit.com

http://www.dailypioneer.com/…/distributing-laptops-wont-hel…

Students who got laptops without internet connections which cost Rs 1000 per month started selling them.


Slamming Samajwadi Party (SP) government over massive inauguration and
foundation laying ceremonies, Bahujan Samaj Party supremo Mayawati said
that Chief Minister Akhilesh Yadav has realized that his Party will not
come in power again that why they are distributing their leftover
laptops to their Party workers rampantly.


Akilesh Yadav and his senior ministers are distributing leftover
laptops across the State. BSP and other Opposition parties are alleging
that most of the beneficiaries of the laptops were party workers only
and public understands this corrupt practice.

Mayawati
commented that despite of SP government’s indiscriminate prize
distribution to persons of all religion and cast for votes, public will
vote them out for deteriorating law and order condition of the state.
Targeting inaugurations, foundation, and announcements of SP government
in the view of assembly elections early next, Mayawati said here on
Tuesday that these activities of the state government are like cheating
with public as many of the projects and polices are not completed yet.


“The government is just throwing dust in the eyes of the public in the
name of development”, she asserted while condemning Akhilesh and his
government over inaugurating incomplete projects. As she had already
claimed that most of Akhilesh government development projects were
started in her tenure but for cheap publicity SP government took the
appreciation on self.

Mayawati said after misguiding the public,
SP will face loss in election rather any profit as public never accepts
corrupt practices. Criticizing Bharatiya Janata Party’s inaugurations of
different development projects Mayawati said even BJP remembered to
inaugurate many project and policies just before assembly polls of UP
but public understands these vicious activities and will vote for right
Party.

BSP
is the Number One Largest Party in the Country with all societies
(sarvajan Samaj ) supporting it for Sarvajan Hitay sarvajan Sukhay.


Ms Mayawati with her best governance as CM of UP distributed the wealth
of the State equally among all societies as enshrined in our modern
constitution. She became eligible to be the next PM of Prabuddha
Bharath.

This became intolerant by Congress, BJP and SP. So they tampered the EVMs to defeat her.


While BSP lost in the 2007 and 2014 elections because of these fraud
EVMs. It won majority of the seats in UP Panchayat elections.

The
ex CJI Sadasivam committed a grave error of judgement by ordering that
the EVMs to be replaced in phases as suggested by ex CEC Sampath because
of the cost of Rs 1600 crores involved in replacing the entire EVMs.

The present CEC said that the entire EVMs will only be replaced in 2019.

Till such time none of them ordered for paper ballots as followed by 80 democracies of the world.


Therefore the CJI, CEC and all democracy loving people all over the
world must see to it that paper ballots were used till the entire EVMs
were replaced.

The central and state governments selected by these fraud EVMs must be dissolved and go for fresh polls with paper ballots.



http://indiatoday.intoday.in/…/rs-100-rs-50-r…/1/840031.html

Rs 100, Rs 50 currency notes are now facing security threat, Arun Jaitly tell India Today


The notes mostly of 100 rupees and some with 50 rupee denominations now
run the risk of being counterfeited. Focus is now on clamping down on
fake currency racketeers.

As the
regulatory authorities crack the whip to unearth black money, the next
focus is clamping down on fake currency racketeers, who are changing
their strategy.

1. While traditionally 500 and 1000 rupee notes
have been largely counterfeited, now sources in the Ministry of Finance
have told India Today that the smaller denomination notes face graver
security threat. That is, notes of mostly 100 rupee and some 50 rupee
denominations run the risk of being counterfeited.

2. “There are
new security features in 500 and 2,000 rupee notes and these notes have
not been compromised so far, but smaller denomination notes are being
pushed by unscrupulous elements”, said a top finance ministry official.


3. Recent data tabled in Lok Sabha from National Crime Records Bureau
shows that over 26 lakh fake notes of 500 and 1000 rupee denominations
or currency worth 167 crore has been recovered by RBI in the past 4
years. In fact, over 18.9 lakh fake notes of 500 rupee denomination have
been intercepted as compared to 7.6 lakh fake notes of 1000 rupee
denomination. The threat of being counterfeited that smaller
denomination notes face will be a fresh challenge for the investigative
agencies.

4. The hot belt of fake currency inflow remains,
Indo-Nepal and West Bengal-Bangladesh borders. A recent NIA forensic
report stated that counterfeit notes or Fake Indian Currency Notes
(FICN) had been printed on ‘highly sophisticated machines involving huge
capital investment’ in Pakistan. These centres have been working
overtime to make up for the loss on the account of the demonetisation
drive.

5. Looking at the mounting threat, RBI has already
announced that a new series of smaller denomination notes will be
introduced with different inset numbers.

Suresh Hari

This is a good time to demonetize these currency notes. Adding salt onto wound. Go Modi Go for it. Let the people suffer

Shivkumar Mohite


Yes, go ahead and scrap all currency notes. Close down cash
transactions completely and we can go cashless. Only a few banks may be
required to deal with that therefore, most banks including RBI can lock
down and tell their employees to go cashless altogether.


Notes
mostly of 100 rupees and some with 50 rupee denominations now run the
risk of being counterfeited. Focus is now on clamping down on fake
currency racketeers.
indiatoday.intoday.in


9) Classical Bengali

9) ক্লাসিক্যাল বাংলা

2085 বৃহস্পতি 22 ডিসেম্বর 2016

এই গুগল অনুবাদ অন্যতম মাতৃভাষায় এই বিশ্ববিদ্যালয়ের একটি অনুশীলনী
প্রসারণ হিসেবে সঠিক অনুবাদ রেন্ডারিং একটি স্ট্রিম প্রবেশক (Sottapanna)
এবং একটি চূড়ান্ত লক্ষ্য হিসেবে শাশ্বত সফলকাম হবার অপেক্ষা

বিএসপি সব সমিতি (সমাজ sarvajan) সঙ্গে দেশ এক নম্বর বৃহত্তম অনুষ্ঠান Sarvajan Hitay sarvajan Sukhay জন্য এটা সমর্থন করা হয়.

https://www.reddit.com/…/c…/4y17kg/hacking_voting_machines/…

সিইসি বলেন যে সব ইভিএম 2019 সাধারণ নির্বাচনে প্রতিস্থাপন করা হবে.

প্রাক্তন CJI SADHASIVAM, তার দায়িত্ব shirked & তাদের প্রতিস্থাপন
বিকাশ পদ্ধতিতে 1600 কোটি ব্যয়ের কারণ সাবেক সিইসি SAMPATH অনুরোধে ফ্রড
Tamperable ইভিএম এ অনুমতি দিয়ে রায় একটি বড় ভুল করেছে এবং দেশের
গণতন্ত্র একটি মারাত্মক ঘা মোকাবিলা.

তারিখ: শুক্র, ডিসেম্বর 2, 2016 এ 2:34 PM তে পোস্ট করা
বিষয়: ইলেকট্রনিক ভোটিং মেশিন
হ্যায় আনা,
http://www.dailypioneer.com/…/distributing-laptops-wont-hel…

শিক্ষার্থীরা যারা ইন্টারনেট সংযোগ যা খরচ 1000 টাকা প্রতি মাসে ছাড়া ল্যাপটপের পেয়েছিলাম তাদের বিক্রি করা শুরু করে.

Slamming
সমাজবাদী পার্টি (এসপি) বৃহদায়তন উদ্বোধন এবং ভিত্তিপ্রস্তর ডিম্বপ্রসর
অনুষ্ঠান ওপর সরকারি, বহুজন সমাজ পার্টি সুপ্রিমো মায়াবতী বলেন,
মুখ্যমন্ত্রী অখিলেশ যাদব উপলব্ধি করেছেন যে তার দল কেন তারা rampantly
তাদের পার্টির কর্মীদের তাদের শেষভাগ ল্যাপটপের বিতরণ করছে যে আবার
ক্ষমতায় আসবে না
.

http://indiatoday.intoday.in/…/rs-100-rs-50-r…/1/840031.html

100 টাকা, টাকা 50 কারেন্সি নোট এখন নিরাপত্তা হুমকির সম্মুখীন হয়, অরুণ Jaitly বলতে ইন্ডিয়া টুডে

https://www.reddit.com/…/c…/4y17kg/hacking_voting_machines/…

http://indianexpress.com/…/ec-team-on-3-day-visit-to-uttar…/
উত্তরপ্রদেশ খবর, উত্তরপ্রদেশ-এর নির্বাচন, kairana ইস্যু বিজেপি
kairana, প্রধান নির্বাচন কমিশনার নাসিম Zaidi, উত্তরপ্রদেশ-এর খবর,
উত্তরপ্রদেশ নির্বাচন সংবাদ, সর্বশেষ সংবাদ, ভারত সংবাদ

সিইসি বলেন যে সব ইভিএম 2019 সাধারণ নির্বাচনে প্রতিস্থাপন করা হবে.

http://economictimes.indiatimes.com/…/articles…/51106327.cms

সব ইভিএম পর্যন্ত কাগজ ব্যালটের জন্য ক্রম ছাড়া সম্পূর্ণভাবে প্রতিস্থাপিত হয়. এখন পর্যন্ত নির্বাচনের এই ইভিএম দিয়ে পরিচালিত হয় যেমন গত ইউপি
পঞ্চায়েত নির্বাচনে করেছিলাম কারণ মায়াবতীর এর বিএসপি অস্বাভাবিকরকম
সংখ্যাগুরু জিতবে এবং দলগুলোর বাকি এমনকি 1% ভোট পাবেন না.

তারা
নাকিসুরে অর্থের জন্য তাদের লোভের কারণ ক্ষমতা gobbling জন্য জালিয়াতি
ইভিএম (ইভিল ভোটিং মেশিন) গরমিল তার বাইরে এবং Presstitute মিডিয়ার সঙ্গে
বরাবর মনের তাদের অসাড়তা রাজ্যের মানুষ নিবন্ধ সচেতনতা এবং সঙ্গে জাগরিত
এক শিক্ষণ সমাহিত করার চেষ্টা করছেন
টেকনো-Poltico-সামাজিক ট্রান্সফরমেসন এবং বিএসপি অর্থনৈতিক মুক্তির
আন্দোলন বুঝতে যে তারা বীজ যে বোধি বৃক্ষ হিসেবে উদ্গম kep হয় ছাড়া.

প্রাক্তন CJI SADHASIVAM, তার দায়িত্ব shirked & তাদের প্রতিস্থাপন
বিকাশ পদ্ধতিতে 1600 কোটি ব্যয়ের কারণ সাবেক সিইসি SAMPATH অনুরোধে ফ্রড
Tamperable ইভিএম এ অনুমতি দিয়ে রায় একটি বড় ভুল করেছে এবং দেশের
গণতন্ত্র একটি মারাত্মক ঘা মোকাবিলা.

সাবেক সিইসি SAMPATH গণতন্ত্র, স্বাধীনতা, সমতা এক নম্বর শত্রু ও
ভ্রাতৃত্বের কল্যাণ, সুখ এবং Sarvajan সমাজের শান্তির জন্য আমাদের সংবিধানে
সন্নিবেশিত হয়.

আসলে যখন বিজেপির বিরোধিতায় তার দূরবর্তী নিয়ন্ত্রণের আরএসএস ছিল
বিশেষ সুবিধাপ্রাপ্ত কাগজ ব্যালট যা এখন ক্ষমতায় হত্তন পর নীরব
একই জালিয়াতি ইভিএম.

http://news.webindia123.com/…/A…/India/20100828/1575461.html

| আরএসএস কাগজ ব্যালট, ইভিএম পাবলিক scrutinyNew দিল্লি দিতে নিতেন তারিখ: শুক্র, ডিসেম্বর 2, 2016 এ 2:34 PM তে পোস্ট করা
বিষয়: ইলেকট্রনিক ভোটিং মেশিন

হ্যায় আনা,

7.pdf

199-211_Vegas_Belgian-ই voting.pdf

295-JI174.pdf

331.pdf

1002evot.pdf

1602.02509.pdf

1981-3821-bpsr-9-3-0004.pdf

2009-PBY-HICSS-Voting.pdf

9093.pdf

11946.pdf

এডভান্স সিকিউরিটি টু Enable- বিশ্বস্ত-তাড়িত …

পরিশিষ্ট 1A.pdf

bevoting-1_gb.pdf

bevoting-2_gb.pdf

কোহেন-2006-Auditing- প্রযুক্তি-জন্য-ভোটিং-খেলাটা দেখি …

crsreport.pdf

CSECS-12.pdf

e2014_fr17.pdf

ই-votingHistory.pdf

ElectionWatch 3 Low.pdf

electronic_voting_machines. পিডিএফ

ElectronicVotingMachine.pdf

EverettGreeneBWDST_08.pdf

EVM.ppt

evm_tr2010.pdf

EVMOld.pdf

ftnCCS05.pdf

হালাল-4-evoting-ত্রুটি-v5.pdf

I504036163.pdf

IDEA.Introducing-Electronic- ভোটিং-আবশ্যিক-কো …

IFESkazakhstan.pdf

IJCSE11-03-05-045.pdf

IJETR_APRIL_2014_STET_72.pdf

IJRET20140319003.pdf

nam2014eisa.pdf

ভোটিং Machine.pdf সেল ফোন নির্ভরশীল - পি 4812

গোপনীয়তা-ইলেকট্রনিক-voting- chapter.pdf

গোপনীয়তা-ইলেকট্রনিক-voting- WPES-2004.pdf

revised_summary31.pdf

sastry-phd.pdf

scientificamerican1004-90.pdf

Thesis.pdf

vote.pdf

voting.pdf

voting_good_bad_stupid.pdf

Yee-phd.pdf

“হ্যাকিং” ভোটিং মেশিন • / R / জিআইএফ
191 পয়েন্ট এবং 38 মন্তব্য এতদূর reddit উপর
reddit.com


38) Classical Hindi

38) शास्त्रीय हिन्दी

2085 गुरु 22 दिसं, 2016 और अधिक पढ़ें

इस गूगल अनुवाद करने के लिए एक मातृभाषा में इस विश्वविद्यालय के लिए एक
सबक है और प्रचार के रूप में सटीक अनुवाद प्रतिपादन एक स्ट्रीम दर्ज करने
वाले (Sottapanna) और एक अंतिम लक्ष्य के रूप में शाश्वत आनंद पाने के लिए
बनने के लिए भी मिलती हैं

बसपा सभी समाजों (समाज sarvajan) के साथ देश में नंबर एक सबसे बड़ी पार्टी Sarvajan Hitay sarvajan Sukhay के लिए यह समर्थन है।

https://www.reddit.com/…/c…/4y17kg/hacking_voting_machines/…

मुख्य चुनाव आयुक्त ने कहा कि सभी ईवीएम 2019 के आम चुनावों में प्रतिस्थापित किया जाएगा।

पूर्व मुख्य न्यायाधीश SADHASIVAM, अपने कर्तव्य shirked और उन्हें बदलने
के लिए चरणबद्ध तरीके से 1600 करोड़ लागत की वजह से पूर्व सीईसी SAMPATH
के अनुरोध पर धोखाधड़ी Tamperable ईवीएम में अनुमति देकर न्याय की एक गंभीर
गलती की है और देश के लोकतंत्र के लिए एक घातक झटका निपटा।

दिनांक: शुक्र दिसंबर 2, 2016 को 2:34 PM पर पोस्टेड
विषय: इलेक्ट्रॉनिक वोटिंग मशीनों
हाई अन्ना,
http://www.dailypioneer.com/…/distributing-laptops-wont-hel…

जो छात्र इंटरनेट कनेक्शन है जो लागत 1000 रुपये प्रति माह के बिना लैपटॉप मिला है उन्हें बेचने शुरू कर दिया।

बंद
समाजवादी पार्टी (सपा) बड़े पैमाने पर उद्घाटन और नींव रखने समारोहों पर
सरकार, बहुजन समाज पार्टी प्रमुख मायावती ने कहा कि मुख्यमंत्री अखिलेश
यादव का एहसास हो गया है कि उनकी पार्टी क्यों वे उग्रता से उनकी पार्टी के
कार्यकर्ताओं के लिए उनके बचे हुए लैपटॉप वितरण कर रहे हैं कि फिर से
सत्ता में नहीं आ जाएगा

http://indiatoday.intoday.in/…/rs-100-rs-50-r…/1/840031.html

100 रुपये, 50 नोटों अब सुरक्षा खतरे का सामना कर रहे, अरुण जेटली बता इंडिया टुडे

https://www.reddit.com/…/c…/4y17kg/hacking_voting_machines/…

http://indianexpress.com/…/ec-team-on-3-day-visit-to-uttar…/
उत्तर प्रदेश समाचार, उत्तर प्रदेश के चुनाव, कैराना मुद्दा भाजपा
कैराना, मुख्य चुनाव आयुक्त नसीम जैदी, उत्तर प्रदेश समाचार, उत्तर प्रदेश
के चुनाव समाचार, नवीनतम समाचार, भारत समाचार

मुख्य चुनाव आयुक्त ने कहा कि सभी ईवीएम 2019 के आम चुनावों में प्रतिस्थापित किया जाएगा।

http://economictimes.indiatimes.com/…/articles…/51106327.cms

सभी ईवीएम तक कागज मतपत्र के लिए आदेश देने के बिना पूरी तरह से बदल दिया जाता है। अब उत्तर प्रदेश में चुनाव इन ईवीएम मशीनों के साथ आयोजित की जाती हैं के
रूप में यह आखिरी यूपी पंचायत चुनाव में किया था, सिर्फ इसलिए कि सुश्री
मायावती की बसपा ज़बरदस्त बहुमत में जीत जाएगा और पार्टियों के बाकी भी 1%
वोट नहीं मिलेगा।

वे
पैसे के लिए नहीं कर सकते उनके लालच की वजह से बिजली gobbling के लिए
धोखाधड़ी ईवीएम (ईविल वोटिंग मशीनों) छेड़छाड़ से परे लगता है और
Presstitute मीडिया के साथ-साथ उनके मन की व्यामोह राज्य में लोगों शोध करे
और जागरूकता के साथ जागा वन के शिक्षण को दफनाने के लिए कोशिश कर रहे हैं
टेक्नो-Poltico-सामाजिक परिवर्तन और बसपा के आर्थिक मुक्ति आंदोलन को
साकार है कि वे बीज है कि बोधि पेड़ के रूप में अंकुरण kep हैं बिना।

पूर्व मुख्य न्यायाधीश SADHASIVAM, अपने कर्तव्य shirked और उन्हें बदलने
के लिए चरणबद्ध तरीके से 1600 करोड़ लागत की वजह से पूर्व सीईसी SAMPATH
के अनुरोध पर धोखाधड़ी Tamperable ईवीएम में अनुमति देकर न्याय की एक गंभीर
गलती की है और देश के लोकतंत्र के लिए एक घातक झटका निपटा।

पूर्व मुख्य चुनाव आयुक्त SAMPATH लोकतंत्र, स्वतंत्रता, समानता का नंबर
एक दुश्मन है और बिरादरी कल्याण, सुख और Sarvajan समाज की शांति के लिए
हमारे संविधान में निहित के रूप में है।

वास्तव में जब भाजपा विपक्ष में अपने दूर से नियंत्रित करने के लिए आरएसएस था
इष्ट कागज मतपत्र जो अब के माध्यम से सत्ता पाने के बाद चुप है
बहुत ही धोखाधड़ी ईवीएम।

http://news.webindia123.com/…/A…/India/20100828/1575461.html

| आरएसएस कागज मतपत्र, ईवीएम सार्वजनिक scrutinyNew दिल्ली के अधीन के पक्ष में दिनांक: शुक्र दिसंबर 2, 2016 को 2:34 PM पर पोस्टेड
विषय: इलेक्ट्रॉनिक वोटिंग मशीनों

हाई अन्ना,

7.pdf

199-211_Vegas_Belgian-ई voting.pdf

295-JI174.pdf

331.pdf

1002evot.pdf

1602.02509.pdf

1981-3821-bpsr-9-3-0004.pdf

2009-PBY-HICSS-Voting.pdf

9093.pdf

11946.pdf

उन्नत सुरक्षा-टु-Enable- भरोसेमंद इलेक्ट्रो …

परिशिष्ट 1A.pdf

bevoting-1_gb.pdf

bevoting-2_gb.pdf

कोहेन-2006-Auditing- प्रौद्योगिकी के लिए वोटिंग-मची …

crsreport.pdf

सीएसईसीएस-12.pdf

e2014_fr17.pdf

ई-votingHistory.pdf

ElectionWatch 3 Low.pdf

electronic_voting_machines। पीडीएफ

ElectronicVotingMachine.pdf

EverettGreeneBWDST_08.pdf

EVM.ppt

evm_tr2010.pdf

EVMOld.pdf

ftnCCS05.pdf

हलाल-4-evoting-त्रुटियों-v5.pdf

I504036163.pdf

IDEA.Introducing-Electronic- मतदान जरूरी-सह …

IFESkazakhstan.pdf

IJCSE11-03-05-045.pdf

IJETR_APRIL_2014_STET_72.pdf

IJRET20140319003.pdf

nam2014eisa.pdf

मतदान Machine.pdf सेल फोन के आधार पर - पी-4812

गोपनीयता इलेक्ट्रॉनिक-voting- chapter.pdf

गोपनीयता इलेक्ट्रॉनिक-voting- WPES-2004.pdf

revised_summary31.pdf

शास्त्री-phd.pdf

scientificamerican1004-90.pdf

Thesis.pdf

vote.pdf

voting.pdf

voting_good_bad_stupid.pdf

यी-phd.pdf

“हैकिंग” वोटिंग मशीनों • / आर / GIFs
191 अंक और 38 टिप्पणियाँ अब तक रेडिट पर
reddit.com


74) Classical Punjabi

74) ਕਲਾਸੀਕਲ ਦਾ ਪੰਜਾਬੀ

2085 Thu 22 ਦਸੰਬਰ ਨੂੰ 2016

ਇਸ Google ਅਨੁਵਾਦ ਕਰਨ ਲਈ ਇੱਕ ਦੀ ਮਾਤ ਭਾਸ਼ਾ ਵਿੱਚ ਇਸ ਯੂਨੀਵਰਸਿਟੀ ਦੇ ਇਕ ਸਬਕ
ਹੈ ਅਤੇ ਪ੍ਰਸਾਰ ਦੇ ਤੌਰ ਤੇ ਸਹੀ ਅਨੁਵਾਦ ਪੇਸ਼ਕਾਰੀ ਇੱਕ ਧਾਰਾ ਨੂੰ Enterer
(Sottapanna) ਅਤੇ ਅੰਤਮ ਟੀਚਾ ਦੇ ਤੌਰ ਤੇ ਅਨਾਦਿ Bliss ਨੂੰ ਪ੍ਰਾਪਤ ਕਰਨ ਦੀ ਬਣਨ
ਲਈ ਹੱਕਦਾਰ

ਬਸਪਾ ਦੇ ਸਾਰੇ ਸਮਾਜ (ਸਮਾਜ sarvajan) ਨਾਲ ਦੇਸ਼ ਵਿਚ ਨੰਬਰ ਇਕ ਵੱਡੀ ਪਾਰਟੀ Sarvajan Hitay sarvajan Sukhay ਲਈ ਇਸ ਨੂੰ ਦਾ ਸਮਰਥਨ ਕਰਦਾ ਹੈ.

https://www.reddit.com/…/c…/4y17kg/hacking_voting_machines/…

ਸੀਈਸੀ ਨੇ ਕਿਹਾ ਕਿ ਸਾਰੇ ਈਵੀਐਮ 2019 ਆਮ ਚੋਣ ਵਿੱਚ ਤਬਦੀਲ ਕਰ ਦਿੱਤਾ ਜਾਵੇਗਾ.

ਸਾਬਕਾ ਚੀਫ ਜਸਟਿਸ SADHASIVAM, ਉਸ ਦੀ ਡਿਊਟੀ ਪਰਹੇਜ਼ ਅਤੇ ਉਹ ਨੂੰ ਤਬਦੀਲ ਕਰਨ ਲਈ
ਪੜਾਅਵਾਰ ਢੰਗ ਨਾਲ 1600 ਕਰੋੜ ਦੀ ਲਾਗਤ ਦੇ ਕਾਰਨ ਸਾਬਕਾ ਸੀਈਸੀ ਸੰਪਤ ਦੀ ਬੇਨਤੀ ‘ਤੇ
ਫਰਾਡ Tamperable ਈਵੀਐਮ ਵਿਚ, ਜਿਸ ਨੇ ਸਜ਼ਾ ਦੇ ਇੱਕ ਕਬਰ ਗਲਤੀ ਵਚਨਬੱਧ ਹੈ ਅਤੇ
ਦੇਸ਼ ਦੇ ਲੋਕਤੰਤਰ ਨੂੰ ਇੱਕ ਘਾਤਕ ਝਟਕਾ ਨਜਿੱਠਿਆ.

ਤਾਰੀਖ: ਸ਼ੁੱਕਰ, 2 ਦਸੰਬਰ, 2016 ‘ਤੇ 2:34 ਪ੍ਰਧਾਨ ਮੰਤਰੀ
ਵਿਸ਼ਾ: ਇਲੈਕਟ੍ਰਾਨਿਕ ਵੋਟਿੰਗ ਮਸ਼ੀਨ
Hai ਅੰਨਾ,
http://www.dailypioneer.com/…/distributing-laptops-wont-hel…

ਜੋ ਵਿਦਿਆਰਥੀ ਨੂੰ ਇੰਟਰਨੈੱਟ ਕੁਨੈਕਸ਼ਨ ਹੈ, ਜੋ ਕਿ ਦੀ ਕੀਮਤ 1000 ਰੁਪਏ ਪ੍ਰਤੀ ਮਹੀਨਾ ਦੇ ਬਿਨਾ ਲੈਪਟਾਪ ਮਿਲੀ ਉਹ ਵੇਚਣ ਸ਼ੁਰੂ ਕਰ ਦਿੱਤਾ.

ਆਲੋਚਨਾ
ਸਮਾਜਵਾਦੀ ਪਾਰਟੀ (ਸਪਾ) ਵੱਡੇ ਉਦਘਾਟਨ ਅਤੇ ਬੁਨਿਆਦ ਰੱਖਣ ਸਮਾਰੋਹ ‘ਤੇ ਸਰਕਾਰ ਨੂੰ,
ਬਹੁਜਨ ਸਮਾਜ ਪਾਰਟੀ ਸੁਪਰੀਮੋ ਮਾਇਆਵਤੀ ਨੇ ਕਿਹਾ ਹੈ ਕਿ ਮੁੱਖ ਮੰਤਰੀ ਅਖਿਲੇਸ਼ ਯਾਦਵ
ਨੂੰ ਅਹਿਸਾਸ ਹੈ ਕਿ ਉਸ ਦੇ ਪਾਰਟੀ ਇਸੇ ਲਈ ਉਹ rampantly ਆਪਣੇ ਪਾਰਟੀ ਵਰਕਰ ਨੂੰ
ਆਪਣੇ ਬਚੇ ਹੋਏ ਲੈਪਟਾਪ ਵੰਡ ਕਰ ਰਹੇ ਹਨ, ਜੋ ਕਿ ਮੁੜ ਕੇ ਸੱਤਾ ਵਿਚ ਨਾ ਆ ਜਾਵੇਗਾ
.

http://indiatoday.intoday.in/…/rs-100-rs-50-r…/1/840031.html

100 ਰੁਪਏ, 50 ਰੁਪਏ ਕਰੰਸੀ ਨੋਟ ਹੁਣ ਸੁਰੱਖਿਆ ਨੂੰ ਖ਼ਤਰਾ ਦਾ ਸਾਹਮਣਾ ਕਰ ਰਹੇ ਹਨ, ਅਰੁਣ ਜੇਤਲੀ ਨੂੰ ਦੱਸੋ ਕਿ ਭਾਰਤ ਅੱਜ

https://www.reddit.com/…/c…/4y17kg/hacking_voting_machines/…

http://indianexpress.com/…/ec-team-on-3-day-visit-to-uttar…/
ਉੱਤਰ ਪ੍ਰਦੇਸ਼ ਨਿਊਜ਼, ਉੱਤਰ ਪ੍ਰਦੇਸ਼ ਚੋਣ, ਕੇਰਾਨਾ ਮੁੱਦੇ ਨੂੰ ਭਾਜਪਾ ਦੇ
ਕੇਰਾਨਾ, ਮੁੱਖ ਚੋਣ ਕਮਿਸ਼ਨਰ ਨਸੀਮ ਜ਼ੈਦੀ, ਉੱਤਰ ਪ੍ਰਦੇਸ਼ ਨਿਊਜ਼, ਉੱਤਰ ਪ੍ਰਦੇਸ਼
ਚੋਣ ਖਬਰ, ਤਾਜ਼ਾ ਖਬਰ, ਭਾਰਤ ਨੂੰ ਖ਼ਬਰੀ

ਸੀਈਸੀ ਨੇ ਕਿਹਾ ਕਿ ਸਾਰੇ ਈਵੀਐਮ 2019 ਆਮ ਚੋਣ ਵਿੱਚ ਤਬਦੀਲ ਕਰ ਦਿੱਤਾ ਜਾਵੇਗਾ.

http://economictimes.indiatimes.com/…/articles…/51106327.cms

ਸਾਰੇ ਈਵੀਐਮ ਤਕ ਕਾਗਜ਼ ਵੋਟ ਲਈ ਆਦੇਸ਼ ਦੇ ਬਗੈਰ ਪੂਰੀ ਤਬਦੀਲ ਕਰ ਰਹੇ ਹਨ. ਹੁਣ ਉੱਤਰ ਪ੍ਰਦੇਸ਼ ਵਿਚ ਚੋਣ ਇਹ ਈਵੀਐਮ ਨਾਲ ਕਰਵਾਏ ਗਏ ਹਨ ਦੇ ਤੌਰ ਤੇ ਇਸ ਨੂੰ
ਪਿਛਲੇ ਉੱਤਰ ਪ੍ਰਦੇਸ਼ ਪੰਚਾਇਤ ਚੋਣ ‘ਚ ਕੀਤਾ ਸੀ, ਕੇਵਲ, ਕਿਉਕਿ ਸ੍ਰੀਮਤੀ ਮਾਇਆਵਤੀ ਦੀ
ਬਸਪਾ ਸ਼ਾਨਦਾਰ ਬਹੁਮਤ ਵਿਚ ਜਿੱਤ ਜਾਵੇਗਾ ਅਤੇ ਪੱਖ ਦੇ ਬਾਕੀ ਦੇ ਵੀ 1% ਵੋਟ ਪ੍ਰਾਪਤ
ਨਹੀ ਕਰੇਗਾ.

ਉਹ
ਜਾ ਸਕਦਾ ਪੈਸੇ ਲਈ ਆਪਣੇ ਲਾਲਚ ਦੇ ਕਾਰਣ ਬਿਜਲੀ ਦੀ gobbling ਲਈ ਧੋਖਾਧੜੀ ਈਵੀਐਮ
(ਸ਼ੈਤਾਨ ਵੋਟਿੰਗ ਮਸ਼ੀਨ) ਛੇੜਛਾੜ ਪਰੇ ਸੋਚਦੇ ਅਤੇ Presstitute ਮੀਡੀਆ ਦੇ ਨਾਲ-ਨਾਲ
ਮਨ ਦੀ ਆਪਣੀ ਤੇ ਹੋਸ਼ ਰਾਜ ਵਿਚ ਲੋਕ ਸ਼ੋਧ-ਜਾਗਰੂਕਤਾ ਅਤੇ ਨਾਲ ਜਗਾਇਆ ਇਕ ਦੀ ਸਿੱਖਿਆ
ਨੂੰ ਦਫ਼ਨ ਕਰਨ ਦੀ ਕੋਸ਼ਿਸ਼ ਕਰ ਰਹੇ ਹਨ,
ਟੈਕਨੋ-Poltico-ਸਮਾਜਿਕ ਤਬਦੀਲੀ ਅਤੇ ਬਸਪਾ ਦੇ ਆਰਥਿਕ ਮੁਕਤੀ ਅੰਦੋਲਨ ਨੂੰ ਅਨੁਭਵ
ਕੀਤਾ ਕਿ ਉਹ ਬੀਜ, ਜੋ ਕਿ ਬੋਧੀ ਰੁੱਖ ਦੇ ਰੂਪ ਵਿੱਚ ਉੱਗੇ kep ਹਨ ਬਿਨਾ.

ਸਾਬਕਾ ਚੀਫ ਜਸਟਿਸ SADHASIVAM, ਉਸ ਦੀ ਡਿਊਟੀ ਪਰਹੇਜ਼ ਅਤੇ ਉਹ ਨੂੰ ਤਬਦੀਲ ਕਰਨ ਲਈ
ਪੜਾਅਵਾਰ ਢੰਗ ਨਾਲ 1600 ਕਰੋੜ ਦੀ ਲਾਗਤ ਦੇ ਕਾਰਨ ਸਾਬਕਾ ਸੀਈਸੀ ਸੰਪਤ ਦੀ ਬੇਨਤੀ ‘ਤੇ
ਫਰਾਡ Tamperable ਈਵੀਐਮ ਵਿਚ, ਜਿਸ ਨੇ ਸਜ਼ਾ ਦੇ ਇੱਕ ਕਬਰ ਗਲਤੀ ਵਚਨਬੱਧ ਹੈ ਅਤੇ
ਦੇਸ਼ ਦੇ ਲੋਕਤੰਤਰ ਨੂੰ ਇੱਕ ਘਾਤਕ ਝਟਕਾ ਨਜਿੱਠਿਆ.

ਸਾਬਕਾ ਸੀਈਸੀ ਸੰਪਤ ਲੋਕਤੰਤਰ, ਆਜ਼ਾਦੀ, ਬਰਾਬਰੀ ਦੇ ਨੰਬਰ ਇਕ ਦੁਸ਼ਮਣ ਹੈ ਅਤੇ
ਭਾਈਚਾਰੇ ਦੀ ਭਲਾਈ, ਖੁਸ਼ੀ ਅਤੇ Sarvajan ਸਮਾਜ ਦੇ ਅਮਨ ਲਈ ਸਾਡੇ ਸੰਵਿਧਾਨ ਵਿਚ ਦਰਜ
ਹੈ.

ਅਸਲ ਵਿਚ ਜਦ ਭਾਜਪਾ ਨੇ ਵਿਰੋਧੀ ਧਿਰ ‘ਚ ਇਸ ਦੇ ਰਿਮੋਟ ਕੰਟਰੋਲ ਆਰ.ਐਸ.ਐਸ. ਸੀ
ਮੁਬਾਰਕ ਕਾਗਜ਼ ਵੋਟ ਹੈ, ਜਿਸ ਨੂੰ ਹੁਣ ਦੁਆਰਾ ਬਿਜਲੀ ਦੇ ਹਾਸਲ ਬਾਅਦ ਚੁੱਪ ਹੈ
ਬਹੁਤ ਹੀ ਉਸੇ ਹੀ ਧੋਖਾਧੜੀ ਈਵੀਐਮ.

http://news.webindia123.com/…/A…/India/20100828/1575461.html

| ਆਰ.ਐਸ.ਐਸ. ਕਾਗਜ਼ ਵੋਟ, ਈਵੀਐਮ ਜਨਤਕ scrutinyNew ਨੂੰ ਦਿੱਲੀ ਦੇ ਅਧੀਨ ਪੂਰਦਾ ਹੈ ਤਾਰੀਖ: ਸ਼ੁੱਕਰ, 2 ਦਸੰਬਰ, 2016 ‘ਤੇ 2:34 ਪ੍ਰਧਾਨ ਮੰਤਰੀ
ਵਿਸ਼ਾ: ਇਲੈਕਟ੍ਰਾਨਿਕ ਵੋਟਿੰਗ ਮਸ਼ੀਨ

Hai ਅੰਨਾ,

7.pdf

199-211_Vegas_Belgian-ਆਕਸ਼ਨ voting.pdf

295-JI174.pdf

331.pdf

1002evot.pdf

1602.02509.pdf

1981-3821-bpsr-9-3-0004.pdf

2009 ਦੇ-PBY-HICSS-Voting.pdf

9093.pdf

11946.pdf

ਤਕਨੀਕੀ-ਸੁਰੱਖਿਆ-ਨੂੰ-Enable- ਭਰੋਸੇਯੋਗ-ਇਲੈਕਟ੍ਰੋ …

ਅੰਤਿਕਾ 1A.pdf

bevoting-1_gb.pdf

bevoting-2_gb.pdf

ਕੋਹੇਨ-2006-Auditing- ਤਕਨਾਲੋਜੀ-ਲਈ-ਵੋਟਿੰਗ-Machi …

crsreport.pdf

CSECS-12.pdf

e2014_fr17.pdf

ਈ-votingHistory.pdf

ElectionWatch 3 Low.pdf

electronic_voting_machines. PDF

ElectronicVotingMachine.pdf

EverettGreeneBWDST_08.pdf

EVM.ppt

evm_tr2010.pdf

EVMOld.pdf

ftnCCS05.pdf

ਹਲਾਲ-4-evoting-ਗਲਤੀ-v5.pdf

I504036163.pdf

IDEA.Introducing-Electronic- ਵੋਟ-ਜ਼ਰੂਰੀ-ਕੋ …

IFESkazakhstan.pdf

IJCSE11-03-05-045.pdf

IJETR_APRIL_2014_STET_72.pdf

IJRET20140319003.pdf

nam2014eisa.pdf

ਵੋਟ Machine.pdf ਸੈੱਲ ਫੋਨ ਦੀ ਆਧਾਰਿਤ - p-4812

ਗੋਪਨੀਯਤਾ-ਇਲੈਕਟ੍ਰਾਨਿਕ-voting- chapter.pdf

ਗੋਪਨੀਯਤਾ-ਇਲੈਕਟ੍ਰਾਨਿਕ-voting- WPES-2004.pdf

revised_summary31.pdf

ਪਟਬੰਧਾ-phd.pdf

scientificamerican1004-90.pdf

Thesis.pdf

vote.pdf

voting.pdf

voting_good_bad_stupid.pdf

yee-phd.pdf

“ਹੈਕਿੰਗ” ਵੋਟਿੰਗ ਮਸ਼ੀਨ • / R / ਗਿਫਸ
191 ਅੰਕ ਅਤੇ 38 ਟਿੱਪਣੀ ਇਸ ਲਈ ਹੁਣ ਤੱਕ Reddit ‘ਤੇ
reddit.com


97) Classical Urdu

97) کلاسیکل اردو

2085 جمعرات 22 دسمبر 2016

اس گوگل ترجمہ کرنے کے لئے ایک کی مادری زبان میں اس یونیورسٹی کا ایک
سبق اور تبلیغ کے طور پر عین مطابق ترجمہ رینڈرینگ ایک ندی Enterer
(Sottapanna) اور حتمی مقصد کے طور پر ابدی فلاح کے لیے بننے کا مستحق

بی ایس پی کے تمام معاشروں (سماج sarvajan) کے ساتھ ملک میں نمبر ایک سب
سے بڑی پارٹی Sarvajan Hitay sarvajan Sukhay لئے اس کی حمایت کی ہے.

https://www.reddit.com/…/c…/4y17kg/hacking_voting_machines/…

CEC تمام الیکٹرانک ووٹنگ مشینوں 2019 کے عام انتخابات میں تبدیل کیا جائے گا.

سابق چیف جسٹس SADHASIVAM، اپنے فرض shirked & ان کو تبدیل کرنے
چرنبدق کیونکہ 1600 کروڑ روپے کی لاگت کے سابق چیف الیکشن کمشنر سمپت کی
درخواست پر فراڈ Tamperable الیکٹرانک ووٹنگ مشینوں میں اجازت دے کر فیصلے
کی ایک سنگین غلطی کا ارتکاب کیا ہے اور ملک کی جمہوریت کے لئے ایک مہلک
دھچکا نمٹا.

تاریخ اشاعت: جمعہ، دسمبر 2، 2016 میں 2:34 PM
مقصد: الیکٹرانک ووٹنگ مشینیں
Hai کی انا،
http://www.dailypioneer.com/…/distributing-laptops-wont-hel…

انٹرنیٹ کنکشن جس فی ماہ 1000 روپے لاگت کے بغیر لیپ ٹاپ حاصل کرنے والے طلباء کو ان کی فروخت شروع.

slamming
سے سماج وادی پارٹی (ایس پی) کی بڑے پیمانے پر افتتاح اور بنیاد قائم کی
تقریبات کے دوران حکومت، بہوجن سماج پارٹی سپریمو مایاوتی کہ وزیر اعلی
اکھلیش یادو کہ ان کی پارٹی نہیں کیوں وہ rampantly اپنی پارٹی کے کارکنوں
کو ان کے باقی لیپ ٹاپ تقسیم کر رہے ہیں کہ دوبارہ اقتدار میں آئے گی کا
احساس ہو گیا کہا
.

http://indiatoday.intoday.in/…/rs-100-rs-50-r…/1/840031.html

100 روپے، 50 روپے کے کرنسی نوٹ اب سلامتی خطرے کا سامنا ہے، ارون جیٹلی بھارت آج بتا دے

https://www.reddit.com/…/c…/4y17kg/hacking_voting_machines/…

http://indianexpress.com/…/ec-team-on-3-day-visit-to-uttar…/
اتر پردیش کی خبریں، اتر پردیش الیکشن، kairana مسئلہ، بی جے پی kairana،
چیف الیکشن کمشنر نسیم زیدی، اتر پردیش کی خبریں، اتر پردیش الیکشن کی
خبریں، تازہ ترین خبریں، بھارت کی خبروں

CEC تمام الیکٹرانک ووٹنگ مشینوں 2019 کے عام انتخابات میں تبدیل کیا جائے گا.

http://economictimes.indiatimes.com/…/articles…/51106327.cms

تمام الیکٹرانک ووٹنگ مشینوں تک کاغذ بیلٹ کے حکم کے بغیر مکمل طور پر تبدیل کر رہے ہیں. محترمہ مایاوتی کے بی ایس پی بھاری اکثریت میں جیت جائے گا یہ آخری UP
پنچایت انتخابات میں کیا تھا اور پارٹیوں کے باقی بھی 1 فیصد ووٹ نہیں ملے
گا صرف اس وجہ سے اب میں انتخابات ان الیکٹرانک ووٹنگ مشینوں کے ساتھ منعقد
کئے جاتے ہیں.

وہ
فراڈ الیکٹرانک ووٹنگ مشینوں (بدی ووٹنگ مشینیں) کیونکہ پیسے کے لئے ان کے
لالچ کی طاقت gobbling کے لئے چھیڑچھاڑ سے آگے سوچتے ہیں اور Presstitute
میڈیا کے ساتھ ساتھ ذہن کے ان کے ویاموہ ریاست میں لوگوں تھیسس بیداری اور
کے ساتھ بیدار ون کی تعلیمات کو دفن کرنے کی کوشش کر رہے ہیں کے نہیں کر
سکتے
کہ وہ بودھی درخت کے طور پر انکرن kep کی کہ بیج ہیں احساس کئے بغیر
ٹیکنالوجی Poltico-سماجی تبدیلی اور بی ایس پی کی معاشی آزادی تحریک.

سابق چیف جسٹس SADHASIVAM، اپنے فرض shirked & ان کو تبدیل کرنے
چرنبدق کیونکہ 1600 کروڑ روپے کی لاگت کے سابق چیف الیکشن کمشنر سمپت کی
درخواست پر فراڈ Tamperable الیکٹرانک ووٹنگ مشینوں میں اجازت دے کر فیصلے
کی ایک سنگین غلطی کا ارتکاب کیا ہے اور ملک کی جمہوریت کے لئے ایک مہلک
دھچکا نمٹا.

سابق چیف الیکشن کمشنر سمپت جمہوریت، آزادی، مساوات کی تعداد ایک دشمن
اور Sarvajan سماج کی فلاح و بہبود، خوشی اور امن کے لئے ہماری آئین کے
مطابق برادری ہے.

سچ تو یہ ہے کہ بی جے پی کی مخالفت میں اس دور سے کنٹرول کرنے RSS تھا جب
کے ذریعے طاقت حاصل کرنے کے بعد اب خاموش ہے جس سے اختیار کاغذ ووٹ
اسی فراڈ الیکٹرانک ووٹنگ مشینوں.

http://news.webindia123.com/…/A…/India/20100828/1575461.html

| RSS کاغذ ووٹ، الیکٹرانک ووٹنگ مشینوں عوامی scrutinyNew دہلی کا نشانہ حق میں تاریخ اشاعت: جمعہ، دسمبر 2، 2016 میں 2:34 PM
مقصد: الیکٹرانک ووٹنگ مشینیں

Hai کی انا،

7.pdf

199-211_Vegas_Belgian-E- voting.pdf

295-JI174.pdf

331.pdf

1002evot.pdf

1602.02509.pdf

1981-3821-bpsr-9-3-0004.pdf

2009-PBY-HICSS-Voting.pdf

9093.pdf

11946.pdf

اعلی درجے کی سیکورٹی ٹو Enable- ثقہ الیکٹرو …

اپینڈکس 1A.pdf

bevoting-1_gb.pdf

bevoting-2_gb.pdf

کوہن-2006-Auditing- ٹیکنالوجی کے لئے ووٹنگ-مارچ …

crsreport.pdf

CSECS-12.pdf

e2014_fr17.pdf

ای votingHistory.pdf

ElectionWatch 3 Low.pdf

electronic_voting_machines. پی ڈی ایف

ElectronicVotingMachine.pdf

EverettGreeneBWDST_08.pdf

EVM.ppt

evm_tr2010.pdf

EVMOld.pdf

ftnCCS05.pdf

حلال-4-evoting-غلطیاں-v5.pdf

I504036163.pdf

IDEA.Introducing-Electronic- ووٹنگ ضروری-سہ …

IFESkazakhstan.pdf

IJCSE11-03-05-045.pdf

IJETR_APRIL_2014_STET_72.pdf

IJRET20140319003.pdf

nam2014eisa.pdf

P-4812 - سیل فون کی بنیاد پر ووٹنگ Machine.pdf

نجی معلومات کی حفاظتی الیکٹرانک voting- chapter.pdf

نجی معلومات کی حفاظتی الیکٹرانک voting- WPES-2004.pdf

revised_summary31.pdf

شاستری-phd.pdf

scientificamerican1004-90.pdf

Thesis.pdf

vote.pdf

voting.pdf

voting_good_bad_stupid.pdf

یی-phd.pdf

“ہیکنگ” ووٹنگ مشینوں • / R / والی gifs
اٹ پر اب تک 191 پوائنٹس اور 38 تبصرے
reddit.com

33) Classical Gujarati

33) આ Classical ગુજરાતી

2085 ગુરુ 22 ડિસે 2016

આ Google અનુવાદ એક માતૃભાષાના આ યુનિવર્સિટી એક પાઠ અને પ્રચાર તરીકે
ચોક્કસ અનુવાદ રેન્ડરીંગ પ્રવાહ Enterer (Sottapanna) અને અંતિમ ધ્યેય
તરીકે શાશ્વત આનંદ પ્રાપ્ત કરવા માટે બની હકદાર

બીએસપી બધા સોસાયટીઝ (સમાજ sarvajan) સાથે દેશમાં નંબર વન સૌથી મોટા પક્ષ Sarvajan Hitay sarvajan Sukhay માટે તેને ટેકો છે.

https://www.reddit.com/…/c…/4y17kg/hacking_voting_machines/…

સીઇસી જણાવ્યું હતું કે તમામ અનિચ્છનીય 2019 ની સામાન્ય ચૂંટણીમાં બદલવામાં આવશે.

સ સીજેઆઇ SADHASIVAM, તેના ફરજ shirked અને તેમને બદલવા માટે તબક્કાવાર
રીતે 1600 કરોડનો ખર્ચ કારણે ભૂતપૂર્વ સીઇસી સંપત વિનંતી પર છેતરપિંડીની
Tamperable અનિચ્છનીય પરવાનગી આપે દ્વારા ચુકાદો એક ગંભીર ભૂલ પ્રતિબદ્ધ છે
અને દેશની લોકશાહી માટે ઘાતક ફટકો કાર્યવાહી.

તારીખ: શુક્ર, ડિસે પર 2, 2016 અંતે 2:34 PM પર પોસ્ટેડ
વિષય: ઇલેક્ટ્રોનિક વોટિંગ મશીન
હૈ અન્ના,
http://www.dailypioneer.com/…/distributing-laptops-wont-hel…

વિદ્યાર્થી જે ઈન્ટરનેટ જોડાણો કે જે કિંમત 1000 રૂપિયા દર મહિને વગર લેપટોપ મળી તેમને વેચાણ શરૂ કર્યું.

ટીકા
કરતાં સમાજવાદી પક્ષ (એસપી) મોટા ઉદ્ઘાટન અને પાયો બિછાવે વિધિ પર સરકાર,
બહુજન સમાજ પાર્ટી સુપ્રીમો માયાવતી જણાવ્યું હતું કે મુખ્યમંત્રી અખિલેશ
યાદવે સમજાયું છે કે, તેમનો પક્ષ શા માટે તેઓ ઘાતકી તેમના પક્ષના કાર્યકરો
તેમના leftover લેપટોપ વિતરણ કરવામાં આવે છે કે ફરીથી સત્તામાં આવશે
.

http://indiatoday.intoday.in/…/rs-100-rs-50-r…/1/840031.html

100 કરોડ, રૂ 50 ચલણી નોટો હવે સુરક્ષા ધમકી સામનો કરી રહ્યા છે, અરુણ Jaitly કહેવું ઇન્ડિયા ટુડે

https://www.reddit.com/…/c…/4y17kg/hacking_voting_machines/…

http://indianexpress.com/…/ec-team-on-3-day-visit-to-uttar…/
ઉત્તર પ્રદેશ સમાચાર, ઉત્તર પ્રદેશ ચૂંટણી, kairana મુદ્દો ભાજપના
kairana, મુખ્ય ચૂંટણી કમિશનર નસીમ ઝૈદી, ઉત્તર પ્રદેશ સમાચાર, ઉત્તર
પ્રદેશ ચૂંટણી સમાચાર, સમાચાર, ભારત સમાચાર

સીઇસી જણાવ્યું હતું કે તમામ અનિચ્છનીય 2019 ની સામાન્ય ચૂંટણીમાં બદલવામાં આવશે.

http://economictimes.indiatimes.com/…/articles…/51106327.cms

બધા અનિચ્છનીય સુધી કાગળ મતદાન માટે ઓર્ડર વગર તદ્દન બદલાઈ રહ્યા છે. હવે ચૂંટણી આ અનિચ્છનીય સાથે હાથ ધરવામાં આવે છે કારણ કે તે છેલ્લા યુપી
પંચાયત ચૂંટણીમાં કર્યું કારણ કે Ms માયાવતીની બીએસપી પ્રચંડ બહુમતી જીતી
જશે અને પક્ષો બાકીના પણ 1% મતો મળશે નહીં.

તેઓ
પોકળ વાણી પૈસા માટે તેમના લોભ કારણે શક્તિ gobbling માટે છેતરપિંડી
અનિચ્છનીય (દુષ્ટ વોટિંગ મશીન) સાથે ચેડાં બહાર લાગે છે અને Presstitute
મીડિયા સાથે મન તેમના ઘેન એ રાજ્યમાં લોકોને ખાસ કરીને ડૉક્ટરેટપદવી જાગૃતિ
અને જાગૃત એક શિક્ષણ દફનાવી કરવાનો પ્રયાસ કરી રહ્યા
ટેકનો-Poltico-સામાજિક ટ્રાન્સફોર્મેશન અને બહુજન સમાજ આર્થિક મુક્તિ
ચળવળ ભૂલી જાય છે કે તેઓ બીજ કે બોધી વૃક્ષો તરીકે sprouting KEP છે વગર.

સ સીજેઆઇ SADHASIVAM, તેના ફરજ shirked અને તેમને બદલવા માટે તબક્કાવાર
રીતે 1600 કરોડનો ખર્ચ કારણે ભૂતપૂર્વ સીઇસી સંપત વિનંતી પર છેતરપિંડીની
Tamperable અનિચ્છનીય પરવાનગી આપે દ્વારા ચુકાદો એક ગંભીર ભૂલ પ્રતિબદ્ધ છે
અને દેશની લોકશાહી માટે ઘાતક ફટકો કાર્યવાહી.

સ સીઇસી સંપત લોકશાહી, લિબર્ટી, સમાનતા સંખ્યા એક દુશ્મન અને બંધુત્વ
કલ્યાણ, સુખ અને Sarvajan સમાજ શાંતિ માટે અમારા બંધારણમાં સ્થાપિત થઇ ગયો
છે.

હકીકતમાં જ્યારે ભાજપની વિરોધ તેના દૂરસ્થ નિયંત્રિત આરએસએસ હતી
તરફેણ કાગળ મતદાન જે હવે દ્વારા સત્તા મેળવ્યા બાદ શાંત છે
ખૂબ જ છેતરપિંડી અનિચ્છનીય.

http://news.webindia123.com/…/A…/India/20100828/1575461.html

| આરએસએસ કાગળ મતદાન અનિચ્છનીય જાહેર scrutinyNew દિલ્હી આધિન તરફેણ તારીખ: શુક્ર, ડિસે પર 2, 2016 અંતે 2:34 PM પર પોસ્ટેડ
વિષય: ઇલેક્ટ્રોનિક વોટિંગ મશીન

હૈ અન્ના,

7.pdf

199-211_Vegas_Belgian-ઇ voting.pdf

295 JI174.pdf

331.pdf

1002evot.pdf

1602.02509.pdf

1981-3821-bpsr-9-3-0004.pdf

2009-PBY-HICSS-Voting.pdf

9093.pdf

11946.pdf

ઉન્નત સુરક્ષા-થી-Enable- વિશ્વસનીય-ઇલેક્ટ્રો …

પરિશિષ્ટ 1A.pdf

bevoting-1_gb.pdf

bevoting-2_gb.pdf

કોહેન-2006-Auditing- ટેકનોલોજી માટે વોટિંગ માર્ચ …

crsreport.pdf

CSECS-12.pdf

e2014_fr17.pdf

ઇ votingHistory.pdf

ElectionWatch 3 Low.pdf

electronic_voting_machines. પીડીએફ

ElectronicVotingMachine.pdf

EverettGreeneBWDST_08.pdf

EVM.ppt

evm_tr2010.pdf

EVMOld.pdf

ftnCCS05.pdf

હલાલ-4-evoting-ભૂલો-v5.pdf

I504036163.pdf

IDEA.Introducing-ઇલેક્ટર્ોિનક મતદાન જરૂરી-કો …

IFESkazakhstan.pdf

IJCSE11-03-05-045.pdf

IJETR_APRIL_2014_STET_72.pdf

IJRET20140319003.pdf

nam2014eisa.pdf

મતદાન Machine.pdf સેલ ફોન આધારિત છે - પી 4812

ગોપનીયતા ઇલેક્ટ્રોનિક voting- chapter.pdf

ગોપનીયતા ઇલેક્ટ્રોનિક voting- WPES-2004.pdf

revised_summary31.pdf

શાસ્ત્રીએ-phd.pdf

scientificamerican1004-90.pdf

Thesis.pdf

vote.pdf

voting.pdf

voting_good_bad_stupid.pdf

યી-phd.pdf

“હેકિંગ” વોટિંગ મશીન • / / r GIFs
191 પોઇન્ટ અને 38 ટિપ્પણીઓ અત્યાર સુધી reddit પર
reddit.com……

48) Classical Kannada

48) ಶಾಸ್ತ್ರೀಯ ಕನ್ನಡ

2085 ಗುರು 22 ಡಿಸೆಂಬರ್ 2016

ಈ Google ಅನುವಾದ ಒಬ್ಬರ ಮಾತೃಭಾಷೆಯಲ್ಲಿ ಈ ವಿಶ್ವವಿದ್ಯಾಲಯದ ಪಾಠ ಮತ್ತು
ಪುನರುತ್ಪತ್ತಿ ನಿಖರವಾದ ಅನುವಾದ ಸಲ್ಲಿಕೆ ಒಂದು ಸ್ಟ್ರೀಮ್ Enterer (Sottapanna)
ಮತ್ತು ಫೈನಲ್ ಗೋಲು ಶಾಶ್ವತ ಪರಮಾನಂದದ ಸಾಧಿಸುವುದು ಆಗಲು ಅರ್ಹತೆ

ಬಿಎಸ್ಪಿ Sarvajan Hitay sarvajan Sukhay ಅದನ್ನು ಬೆಂಬಲಿಸುವ ಎಲ್ಲಾ
ಸಮಾಜಗಳಿಗೆ (ಸಮಾಜ sarvajan) ಜೊತೆ ವಾಸಿಸುತ್ತಿರುವ ಅಗ್ರಸ್ಥಾನ ದೊಡ್ಡ ಪಕ್ಷ.

https://www.reddit.com/…/c…/4y17kg/hacking_voting_machines/…

ಸಿಇಸಿ ಎಲ್ಲಾ ವಿದ್ಯುನ್ಮಾನ ಮತಯಂತ್ರಗಳ 2019 ಸಾರ್ವತ್ರಿಕ ಚುನಾವಣೆಯಲ್ಲಿ ಬದಲಿಗೆ ಎಂದು ಹೇಳಿದರು.

ಮಾಜಿ ಸಿಜೆಐ SADHASIVAM, ತಮ್ಮ ಕರ್ತವ್ಯವನ್ನು shirked & ಅವುಗಳನ್ನು
ಬದಲಾಯಿಸಲು ಹಂತ ಹಂತವಾಗಿ ಏಕೆಂದರೆ 1600 ಕೋಟಿ ವೆಚ್ಚ ಮಾಜಿ ಸಿಇಸಿ ಸಂಪತ್
ಕೋರಿಕೆಯ ಮೇಲೆ ವಂಚನೆ Tamperable ಗಳನ್ನು ಅವಕಾಶ ತೀರ್ಪಿನ ಒಂದು ಸಮಾಧಿ
ತಪ್ಪನ್ನು ಮತ್ತು ದೇಶದ ಪ್ರಜಾಪ್ರಭುತ್ವ ಮಾರಣಾಂತಿಕ ಹೊಡೆತವನ್ನು ವ್ಯವಹರಿಸಬೇಕು.

ದಿನಾಂಕ: ಶನಿ, ಡಿ 2, 2016 2:34 PM ರಂದು ಪೋಸ್ಟ್ ಮಾಡಲಾಗಿದೆ
ವಿಷಯ: ಮತದಾನದ ಯಂತ್ರಗಳ
ಹೈ ಅಣ್ಣಾ
http://www.dailypioneer.com/…/distributing-laptops-wont-hel…

ಇದು ತಿಂಗಳಿಗೆ ರೂ 1000 ವೆಚ್ಚ ಇಂಟರ್ನೆಟ್ ಸಂಪರ್ಕಗಳನ್ನು ಇಲ್ಲದೆ ಲ್ಯಾಪ್ ಪಡೆದ ವಿದ್ಯಾರ್ಥಿಗಳ ಮಾರಾಟ ಮಾಡಲಾರಂಭಿಸಿದರು.

ಅಪ್ಪಳಿಸುತ್ತಾರೆ
ಸಮಾಜವಾದಿ ಪಕ್ಷದ (ಎಸ್ಪಿ) ಬೃಹತ್ ಉದ್ಘಾಟನಾ ಮತ್ತು ಅಡಿಪಾಯ ಹಾಕಿದ ಸಮಾರಂಭಗಳಲ್ಲಿ
ಹೆಚ್ಚಿನ ಸರ್ಕಾರ, ಬಹುಜನ ಸಮಾಜ ಪಕ್ಷ ನಾಯಕಿ ಮಾಯಾವತಿ ಮುಖ್ಯಮಂತ್ರಿ ಅಖಿಲೇಶ್ ಯಾದವ್
ಪಕ್ಷದ ಏತಕ್ಕಾಗಿ ಅತಿರೇಕದಿಂದ ತಮ್ಮ ಪಕ್ಷದ ಕಾರ್ಯಕರ್ತರು ತಮ್ಮ ಉಳಿದ ಲ್ಯಾಪ್
ವಿತರಿಸುವ ಎಂದು ಮತ್ತೆ ವಿದ್ಯುತ್ ಬರುತ್ತವೆ ಅರಿವಾಯಿತು ಎಂದು ಹೇಳಿದರು
.

http://indiatoday.intoday.in/…/rs-100-rs-50-r…/1/840031.html

ರೂ 100, ರೂ 50 ಚಲಾವಣಾ ನೋಟುಗಳ ಈಗ ಭದ್ರತಾ ಬೆದರಿಕೆ ಎದುರಿಸುತ್ತಿವೆ, ಅರುಣ್ Jaitly ಭಾರತ ಹೇಳಲು

https://www.reddit.com/…/c…/4y17kg/hacking_voting_machines/…

http://indianexpress.com/…/ec-team-on-3-day-visit-to-uttar…/
ಉತ್ತರ ಪ್ರದೇಶ ನ್ಯೂಸ್, ಉತ್ತರ ಪ್ರದೇಶ ಚುನಾವಣೆಯ kairana ಸಮಸ್ಯೆಯನ್ನು
ಬಿಜೆಪಿ kairana ಮುಖ್ಯ ಚುನಾವಣಾ ಆಯುಕ್ತ ನಸೀಮ್ ಜೈದಿ, ಉತ್ತರ ಪ್ರದೇಶ ನ್ಯೂಸ್,
ಉತ್ತರ ಪ್ರದೇಶ ಚುನಾವಣಾ ಸುದ್ದಿ, ಇತ್ತೀಚೆಗಿನ ಸುದ್ದಿ, ಭಾರತ ಸುದ್ದಿ

ಸಿಇಸಿ ಎಲ್ಲಾ ವಿದ್ಯುನ್ಮಾನ ಮತಯಂತ್ರಗಳ 2019 ಸಾರ್ವತ್ರಿಕ ಚುನಾವಣೆಯಲ್ಲಿ ಬದಲಿಗೆ ಎಂದು ಹೇಳಿದರು.

http://economictimes.indiatimes.com/…/articles…/51106327.cms

ಎಲ್ಲಾ ವಿದ್ಯುನ್ಮಾನ ಮತಯಂತ್ರಗಳ ತನಕ ಕಾಗದದ ಮತಪತ್ರಗಳನ್ನು ಫಾರ್ ಆದೇಶ ಇಲ್ಲದೆ ಸಂಪೂರ್ಣವಾಗಿ ಬದಲಾಯಿಸಲಾಗುತ್ತದೆ. ಈಗ ಚುನಾವಣೆಗಳನ್ನು ಶ್ರೀಮತಿ ಮಾಯಾವತಿ ಬಿಎಸ್ಪಿ ಕಳೆದ ಯುಪಿ ಪಂಚಾಯತ್
ಚುನಾವಣೆಯಲ್ಲಿ ಮಾಡಿದಂತೆ ಸ್ಥಾನಗಳನ್ನು ಪಡೆದುಕೊಳ್ಳುವುದರ ಮೂಲಕ ಯಶಸ್ಸು ಬಹುತೇಕ
ಗಳಿಸಿತು ಕೇವಲ ಪಕ್ಷಗಳು ಉಳಿದ ಸಹ 1% ಮತಗಳನ್ನು ಸಿಗುವುದಿಲ್ಲ ಈ ವಿದ್ಯುನ್ಮಾನ
ಮತಯಂತ್ರಗಳ ಜೊತೆ ನಡೆಸಲಾಗುತ್ತದೆ.

ಅವರು
ಏಕೆಂದರೆ ಹಣಕ್ಕೆ ತಮ್ಮ ದುರಾಶೆ ಶಕ್ತಿ gobbling ಅಕ್ರಮವೆಸಗಿದ ಗಳನ್ನು (ಇವಿಲ್
ಮತದಾನ ಯಂತ್ರಗಳ) ಅಕ್ರಮವಾಗಿ ಯೋಚಿಸಬೇಕು ಮತ್ತು ಜಾಗೃತಿ ಮತ್ತು ಜಾಗೃತ ಒಂದು
ಬೋಧನೆ ಮುಚ್ಚಲು ಪ್ರಯತ್ನಿಸುತ್ತಿದ್ದಾರೆ Presstitute ಮಾಧ್ಯಮ ಜೊತೆಗೆ ಮನಸ್ಸಿನ
ತಮ್ಮ ಸಂವೇದನಾಶೂನ್ಯತೆಯಲ್ಲಿ ರಾಜ್ಯದ ಜನರು theses cant
ಅವರು ಬೋಧಿ ಮರಗಳು ಜನವಸತಿಗಳು KEP ಎಂದು ಬೀಜಗಳು ಎಂದು ಅರಿತ ಇಲ್ಲದೆ ಟೆಕ್ನೊ
Poltico-ಸಾಮಾಜಿಕ ಟ್ರಾನ್ಸ್ಫರ್ಮೇಷನ್ ಮತ್ತು ಬಿಎಸ್ಪಿ ಆರ್ಥಿಕ ಸ್ವಾತಂತ್ರ್ಯಕ್ಕೆ
ಚಳುವಳಿ.

ಮಾಜಿ ಸಿಜೆಐ SADHASIVAM, ತಮ್ಮ ಕರ್ತವ್ಯವನ್ನು shirked & ಅವುಗಳನ್ನು
ಬದಲಾಯಿಸಲು ಹಂತ ಹಂತವಾಗಿ ಏಕೆಂದರೆ 1600 ಕೋಟಿ ವೆಚ್ಚ ಮಾಜಿ ಸಿಇಸಿ ಸಂಪತ್
ಕೋರಿಕೆಯ ಮೇಲೆ ವಂಚನೆ Tamperable ಗಳನ್ನು ಅವಕಾಶ ತೀರ್ಪಿನ ಒಂದು ಸಮಾಧಿ
ತಪ್ಪನ್ನು ಮತ್ತು ದೇಶದ ಪ್ರಜಾಪ್ರಭುತ್ವ ಮಾರಣಾಂತಿಕ ಹೊಡೆತವನ್ನು ವ್ಯವಹರಿಸಬೇಕು.

ಮಾಜಿ ಸಿಇಸಿ ಸಂಪತ್ ಡೆಮಾಕ್ರಸಿ, ಲಿಬರ್ಟಿ ಸಮಾನತೆ ನಂಬರ್ ಒನ್ ಶತ್ರು ಮತ್ತು
ಕಲ್ಯಾಣ, ಸಂತೋಷ ಮತ್ತು Sarvajan ಸಮಾಜ ಶಾಂತಿಗಾಗಿ ನಮ್ಮ ಸಂವಿಧಾನದಲ್ಲಿ ಎಂದು
ಭ್ರಾತೃತ್ವ ಆಗಿದೆ.

ವಾಸ್ತವವಾಗಿ ಬಿಜೆಪಿ ವಿರೋಧ ತನ್ನ ರಿಮೋಟ್ ನಿಯಂತ್ರಿಸುವ ಮೇ ಬಂದಾಗ
ಮೂಲಕ ಪ್ರಾಬಲ್ಯವನ್ನು ಗಳಿಸಿದ ನಂತರ ಈಗ ಮೌನವಾಗಿದೆ ಒಲವು ಕಾಗದದ ಮತಪತ್ರಗಳನ್ನು
ಅದೇ ವಂಚನೆ ಗಳನ್ನು.

http://news.webindia123.com/…/A…/India/20100828/1575461.html

| ಮೇ ಕಾಗದದ ಮತಪತ್ರಗಳನ್ನು ವಿದ್ಯುನ್ಮಾನ ಮತಯಂತ್ರಗಳ ಸಾರ್ವಜನಿಕ scrutinyNew ದೆಹಲಿ ಒಳಗಾಗುತ್ತದೆ ಪರವಾಗಿದೆ ದಿನಾಂಕ: ಶನಿ, ಡಿ 2, 2016 2:34 PM ರಂದು ಪೋಸ್ಟ್ ಮಾಡಲಾಗಿದೆ
ವಿಷಯ: ಮತದಾನದ ಯಂತ್ರಗಳ

ಹೈ ಅಣ್ಣಾ

7.pdf

199-211_Vegas_Belgian-ಇ voting.pdf

295-JI174.pdf

331.pdf

1002evot.pdf

1602.02509.pdf

1981-3821-bpsr-9-3-0004.pdf

2009-PBY-HICSS-Voting.pdf

9093.pdf

11946.pdf

ಸುಧಾರಿತ ಸೆಕ್ಯುರಿಟಿ ಯಾ Enable- ವಿಶ್ವಾಸಾರ್ಹ ಎಲೆಕ್ಟ್ರೋ …

ಅನುಬಂಧ 1A.pdf

bevoting-1_gb.pdf

bevoting-2_gb.pdf

ಕೊಹೆನ್-2006-Auditing- ತಂತ್ರಜ್ಞಾನ ಫಾರ್ ಮತದಾನ ಮ್ಯಾಚಿ …

crsreport.pdf

CSECS-12.pdf

e2014_fr17.pdf

ಇ votingHistory.pdf

ElectionWatch 3 Low.pdf

electronic_voting_machines. ಪಿಡಿಎಫ್

ElectronicVotingMachine.pdf

EverettGreeneBWDST_08.pdf

EVM.ppt

evm_tr2010.pdf

EVMOld.pdf

ftnCCS05.pdf

ಹಲಾಲ್-4-evoting-ದೋಷಗಳನ್ನು-v5.pdf

I504036163.pdf

IDEA.Introducing Electronic- -ಕೋ ಮತದಾನ ಅನಗತ್ಯ …

IFESkazakhstan.pdf

IJCSE11-03-05-045.pdf

IJETR_APRIL_2014_STET_72.pdf

IJRET20140319003.pdf

nam2014eisa.pdf

ಪಿ 4812 - ಸೆಲ್ ಫೋನ್ ಆಧಾರಿತ ಮತದಾನದ Machine.pdf

ಗೌಪ್ಯತೆ ವಿದ್ಯುನ್ಮಾನ voting- chapter.pdf

ಗೌಪ್ಯತೆ ವಿದ್ಯುನ್ಮಾನ voting- WPES-2004.pdf

revised_summary31.pdf

ಶಾಸ್ತ್ರಿ-phd.pdf

scientificamerican1004-90.pdf

Thesis.pdf

vote.pdf

voting.pdf

voting_good_bad_stupid.pdf

ಯೇ-phd.pdf

“ಹ್ಯಾಕಿಂಗ್” ಮತದಾನ ಯಂತ್ರಗಳ • / ಆರ್ / GIF ಗಳನ್ನು
191 ಅಂಕಗಳನ್ನು ಮತ್ತು ಇಲ್ಲಿಯವರೆಗೆ ರೆಡ್ಡಿಟ್ 38 ಪ್ರತಿಕ್ರಿಯೆಗಳು
reddit.com


65) Classical Marathi
65) शास्त्रीय मराठी

2085 गुरु 22 डिसेंबर 2016

या Google अनुवाद एक आई जीभ या विद्यापीठातून धडा व तत्वज्ञान म्हणून
तंतोतंत भाषांतर प्रस्तुत करत आहे प्रवाह Enterer (Sottapanna) आणि अंतिम
ध्येय म्हणून सनातन परमानंद प्राप्त होण्यासाठी entitles

बसपाने सर्व सोसायट्या (समाज sarvajan) सह देश क्रमांक एक सर्वात मोठे पार्टी Sarvajan Hitay sarvajan Sukhay देत आहे.

https://www.reddit.com/…/c…/4y17kg/hacking_voting_machines/…

मुख्य निवडणूक आयुक्त, ते सर्व इलेक्ट्रॉनिक मतदान यंत्रांद्वारे मतदान 2019 च्या सार्वत्रिक निवडणुकीत बदलले जाणार आहे.

माजी CJI SADHASIVAM, आपले कर्तव्य shirked आणि त्यांना पुनर्स्थित
करण्यासाठी रद्दबातल रीतीने कारण 1600 कोटी खर्च माजी मुख्य निवडणूक आयुक्त
संपत यांनी केलेल्या विनंतीवरून फसवणूक Tamperable इलेक्ट्रॉनिक मतदान
यंत्रांद्वारे मतदान मध्ये परवानगी देऊन न्यायाच्या एक गंभीर चूक केली आणि
देशातील लोकशाही एक जीवघेणा धक्का बसला.

तारीख: शुक्र, 2 डिसेंबर, 2016 येथे 2:34 PM
विषय: इलेक्ट्रॉनिक मतदान यंत्रे
है अन्ना,
http://www.dailypioneer.com/…/distributing-laptops-wont-hel…

जे खर्च दरमहा 1000 रुपये इंटरनेट कनेक्शन न लॅपटॉप आला विद्यार्थ्यांना त्यांना विक्री करायला सुरुवात केली.

Slamming
समाजवादी पक्षाचे (एसपी) भव्य उद्घाटन आणि पाया समारंभ प्रती सरकार, बहुजन
समाज पक्षाच्या सर्वेसर्वा मायावती यांनी मुख्यमंत्री अखिलेश यादव यांनी,
त्याच्या पार्टी का ते rampantly त्यांच्या पक्षाच्या कार्यकर्त्यांनी
त्यांच्या त्या उरलेल्या लॅपटॉप वितरीत करीत आहेत की पुन्हा पॉवर येईल नाही
याची जाणीव आहे की,
.

http://indiatoday.intoday.in/…/rs-100-rs-50-r…/1/840031.html

100 रुपये 50 नोटा सुरक्षा धमकी येत आहेत, अरुण Jaitly भारत आज सांगतो

https://www.reddit.com/…/c…/4y17kg/hacking_voting_machines/…

http://indianexpress.com/…/ec-team-on-3-day-visit-to-uttar…/
उत्तर प्रदेश बातम्या, उत्तर प्रदेश निवडणूक kairana समस्या, भाजप
kairana मुख्य निवडणूक आयुक्त नसीम झैदी यांनी उत्तर प्रदेश बातम्या, उत्तर
प्रदेश निवडणूक बातम्या, ताज्या बातम्या, भारत बातम्या

मुख्य निवडणूक आयुक्त, ते सर्व इलेक्ट्रॉनिक मतदान यंत्रांद्वारे मतदान 2019 च्या सार्वत्रिक निवडणुकीत बदलले जाणार आहे.

http://economictimes.indiatimes.com/…/articles…/51106327.cms

कागद मतपत्रिका सर्व इलेक्ट्रॉनिक मतदान यंत्रांद्वारे मतदान पर्यंत साठी क्रम न पूर्णपणे बदलले आहेत. आता तो गेल्या प्रदेश ग्रामपंचायत निवडणूक केलं म्हणून मायावती बहुजन
समाज पक्षाला बहुमतानं मध्ये विजय करतील आणि पक्षांच्या उर्वरित अगदी 1%
मते मिळणार नाही फक्त कारण निवडणुकांमध्ये इलेक्ट्रॉनिक मतदान
यंत्रांद्वारे मतदान सह आयोजित केले जातात.

ते
पैसे त्यांच्या हाव शक्ती gobbling साठी फसवणूक इलेक्ट्रॉनिक मतदान
यंत्रांद्वारे मतदान (वाईट मतदान यंत्रांसह) फेरफार पलीकडे विचार आणि
जागरुकता आणि जागृत एक शिकवण दफन करण्याचा प्रयत्न करीत आहेत Presstitute
मीडिया सोबत मन त्यांच्या ग्लानी राज्यातील लोक प्रबंध शकत नाही
टेक्नो-Poltico-सामाजिक परिवर्तन आणि बसपा आर्थिक सुटका चळवळ ते बोधी झाडे म्हणून sprouting kep की बिया असतात की लक्षात न.

माजी CJI SADHASIVAM, आपले कर्तव्य shirked आणि त्यांना पुनर्स्थित
करण्यासाठी रद्दबातल रीतीने कारण 1600 कोटी खर्च माजी मुख्य निवडणूक आयुक्त
संपत यांनी केलेल्या विनंतीवरून फसवणूक Tamperable इलेक्ट्रॉनिक मतदान
यंत्रांद्वारे मतदान मध्ये परवानगी देऊन न्यायाच्या एक गंभीर चूक केली आणि
देशातील लोकशाही एक जीवघेणा धक्का बसला.

माजी मुख्य निवडणूक आयुक्त संपत लोकशाही, स्वातंत्र्य, समता संख्या एक
शत्रू आणि Sarvajan समाज कल्याण, आनंद आणि शांती साठी आपल्या घटनेच्या
मध्ये नमूद केल्याप्रमाणे समितीतील आहे.

खरं तर भाजप विरोधी त्याच्या दूरस्थपणे नियंत्रण राष्ट्रीय स्वयंसेवक संघाचे असताना
द्वारे शक्ती मिळविण्यापासून केल्यानंतर आता शांत आहे ज्याला जास्त अनुकूलता दाखविली कागद मतदान
त्याच फसवणूक इलेक्ट्रॉनिक मतदान यंत्रांद्वारे मतदान.

http://news.webindia123.com/…/A…/India/20100828/1575461.html

| राष्ट्रीय स्वयंसेवक संघाचे कागद मतदान, इलेक्ट्रॉनिक मतदान यंत्रांद्वारे मतदान सार्वजनिक scrutinyNew दिल्ली कामा अनुकूल ठरत तारीख: शुक्र, 2 डिसेंबर, 2016 येथे 2:34 PM
विषय: इलेक्ट्रॉनिक मतदान यंत्रे

है अन्ना,

7.pdf

199-211_Vegas_Belgian-ई voting.pdf

295-JI174.pdf

331.pdf

1002evot.pdf

1602.02509.pdf

1981-3821-bpsr-9-3-0004.pdf

2009-PBY-HICSS-Voting.pdf

9093.pdf

11946.pdf

प्रगत-सुरक्षा-टू-Enable- विश्वसनीय-इलेक्ट्रो …

परिशिष्ट 1A.pdf

bevoting-1_gb.pdf

bevoting-2_gb.pdf

कोहेन-2006-Auditing- तंत्रज्ञान-साठी मतदान-माची …

crsreport.pdf

CSECS-12.pdf

e2014_fr17.pdf

ई-votingHistory.pdf

ElectionWatch 3 Low.pdf

electronic_voting_machines. पीडीएफ

ElectronicVotingMachine.pdf

EverettGreeneBWDST_08.pdf

EVM.ppt

evm_tr2010.pdf

EVMOld.pdf

ftnCCS05.pdf

हलाल-4-evoting-त्रुटी-v5.pdf

I504036163.pdf

IDEA.Introducing-Electronic- मतदान अत्यावश्यक-को …

IFESkazakhstan.pdf

IJCSE11-03-05-045.pdf

IJETR_APRIL_2014_STET_72.pdf

IJRET20140319003.pdf

nam2014eisa.pdf

पी-4812 - सेल फोन आधारित मतदान Machine.pdf

गोपनीयता इलेक्ट्रॉनिक-voting- chapter.pdf

गोपनीयता इलेक्ट्रॉनिक-voting- WPES-2004.pdf

revised_summary31.pdf

शास्त्री-phd.pdf

scientificamerican1004-90.pdf

Thesis.pdf

vote.pdf

voting.pdf

voting_good_bad_stupid.pdf

Yee-phd.pdf

“हॅक ‘मतदान यंत्रांसह • / आर / gifs
191 गुण आणि 38 टिप्पण्या आतापर्यंत पंचकर्म वर
reddit.com

62) Classical Malayalam

62) ക്ലാസ്സിക്കൽ മലയാളം

2085 വ്യാ 22 ഡിസംബർ 2016

ഒറ്റ അമ്മ മാതൃഭാഷ ഈ Google പരിഭാഷ ലേക്ക് ഈ സർവ്വകലാശാലയുടെ ഒരു
സ്മരണയുമാണത് കൃത്യമായ പരിഭാഷയെ തർജ്ജമ ചെയ്ത് പ്രചരിപ്പിക്കുന്നതും ഒരു
സ്ട്രീം Enterer (Sottapanna) ആകുവാൻ അന്തിമ ലക്ഷ്യം എറ്റേണൽ വിജയം
പ്രാപിച്ചേക്കാം ലേക്ക് ഉകെയ്

ബിഎസ്പി എല്ലാ സമൂഹങ്ങളിലും (സമാജ് sarvajan) Sarvajan Hitay sarvajan Sukhay വേണ്ടി പിന്തുണ രാജ്യത്തെ നമ്പർ വൺ വലിയ കക്ഷി ആണ്.

https://www.reddit.com/…/c…/4y17kg/hacking_voting_machines/…

വിളവുമേനി എല്ലാ വോട്ടിംഗ് യന്ത്രത്തിൽ 2019 ലെ തെരഞ്ഞെടുപ്പിൽ മാറ്റിസ്ഥാപിക്കും പറഞ്ഞു.

മുൻ ചീഫ് SADHASIVAM, പകരം തന്റെ നിയോഗം കാരണം 1600 കോടി ചിലവു മുൻ
വിളവുമേനി സമ്പത്ത് അഭ്യർത്ഥനയെ ഫ്രോഡ് Tamperable വോട്ടിംഗ് യന്ത്രത്തിൽ
shirked & ഘട്ടംഘട്ടമായി അനുവദിക്കുന്നതിലൂടെ ന്യായത്തിന്റെ ഗ്രേവ്
പിശക് പ്രവർത്തിക്കുകയും, രാജ്യത്തെ ജനാധിപത്യത്തിന്റെ ഒരു മാരകമായ
പ്രഹരമേൽപ്പിച്ചത്.

തീയതി: വെള്ളി, ഡിസം 2 2016 2:34 PM
വിഷയം: ഇലക്ട്രോണിക് വോട്ടിംഗ് യന്ത്രം
ഹായ് ഹസാരെ
http://www.dailypioneer.com/…/distributing-laptops-wont-hel…

ചെലവില്ലാതെ രൂപ 1000 പ്രതിമാസം ഇന്റർനെറ്റ് കണക്ഷനുകൾ ഇല്ലാതെ ലാപ്ടോപ്പുകൾ നൽകിയെന്നായിരുന്നു വിദ്യാർത്ഥികൾക്ക് വില്പന തുടങ്ങി.

വൻ
ഉദ്ഘാടനം ഫൌണ്ടേഷന് മുട്ടയിടുന്ന ചടങ്ങുകളിൽ മേൽ മുഖ്യ സമാജ്വാദി പാർട്ടി
(എസ്.പി) സർക്കാർ ബഹുജൻ സമാജ് പാർട്ടി നേതാവ് മായാവതി മുഖ്യമന്ത്രി
അഖിലേഷ് യാദവ് പാർട്ടി rampantly തങ്ങളുടെ പാർട്ടി പ്രവർത്തകർ വീണ്ടും
അധികാരത്തിൽ വരികയില്ലെന്നോ അവർ തങ്ങളുടെ ശേഷിച്ച ലാപ്ടോപ്പുകൾ വിതരണം
തിരിച്ചറിഞ്ഞു പറഞ്ഞു
.

http://indiatoday.intoday.in/…/rs-100-rs-50-r…/1/840031.html

100 രൂപ, 50 രൂപയുടെ കറൻസി നോട്ടുകൾ ഇപ്പോൾ സുരക്ഷാ ഭീഷണി നേരിടുന്ന അരുൺ Jaitly ഇന്ത്യ ഇന്ന് പറയുന്നു

https://www.reddit.com/…/c…/4y17kg/hacking_voting_machines/…

http://indianexpress.com/…/ec-team-on-3-day-visit-to-uttar…/
ഉത്തർപ്രദേശ് വാർത്ത, ഉത്തർപ്രദേശ് തിരഞ്ഞെടുപ്പ്, kairana പ്രശ്നം
ബിജെപി kairana മുഖ്യ തെരഞ്ഞെടുപ്പ് കമ്മീഷണർ നസീം സെയ്ദി, ഉത്തർപ്രദേശ്
വാർത്ത, ഉത്തർപ്രദേശ് തിരഞ്ഞെടുപ്പ് വാർത്തകൾ, പുതിയ വാർത്തകൾ, ഇന്ത്യ
വാർത്ത

വിളവുമേനി എല്ലാ വോട്ടിംഗ് യന്ത്രത്തിൽ 2019 ലെ തെരഞ്ഞെടുപ്പിൽ മാറ്റിസ്ഥാപിക്കും പറഞ്ഞു.

http://economictimes.indiatimes.com/…/articles…/51106327.cms

എല്ലാ വോട്ടിംഗ് യന്ത്രത്തിൽ തികച്ചും പകരം വരെ പേപ്പർ ബാലറ്റുകൾ വേണ്ടി ആജ്ഞാപിക്കുന്നു ഇല്ലാതെ. ഇപ്പോൾ അത് അവസാനമായി യുപി പഞ്ചായത്ത് തിരഞ്ഞെടുപ്പിൽ ചെയ്തു
പാർട്ടികൾക്ക് ബാക്കി പോലും 1% വോട്ടുകൾ നേടുകയും പോലെ മിസ് മായാവതിയുടെ
ബിഎസ്പി വമ്പിച്ച ഭൂരിപക്ഷം നേടും കാരണം ഈ വോട്ടിംഗ് യന്ത്രത്തിൽ കൊണ്ട്
തെരഞ്ഞെടുപ്പ് നടത്തുന്നത്.

അവർ
കാരണം പണം ദുർമോഹം ശക്തി gobbling വേണ്ടി തട്ടിപ്പ് വോട്ടിംഗ്
യന്ത്രത്തിൽ (ദുഷിച്ച വോട്ടിംഗ് മെഷീനുകൾ) കൃത്രിമം അപ്പുറം ചിന്തിക്കു
Presstitute മീഡിയ സഹിതം മനസ്സിന്റെ അവരുടെ ഗാഢ സംസ്ഥാനത്തെ ആളുകളെ വാദങ്ങൾ
ഫോണില്ലേ അവബോധം ഉറക്കത്തിലായിരുന്ന വൺ ഉപദേശം അടക്കം ശ്രമിക്കുന്ന
ഒപ്പം
അവർ ബോധി മരങ്ങൾ പോലെ സമർഥിക്കാനുള്ള .കൌതുകവും വിത്തുകൾ അവർ
മനസ്സിലാക്കുന്നില്ല ഇല്ലാതെ ടെക്നോ-Poltico-സാമൂഹിക ട്രാൻസ്ഫോർമേഷൻ
ബിഎസ്പി സാമ്പത്തിക ഇമാൻസിപ്പേഷൻ പ്രസ്ഥാനം.

മുൻ ചീഫ് SADHASIVAM, പകരം തന്റെ നിയോഗം കാരണം 1600 കോടി ചിലവു മുൻ
വിളവുമേനി സമ്പത്ത് അഭ്യർത്ഥനയെ ഫ്രോഡ് Tamperable വോട്ടിംഗ് യന്ത്രത്തിൽ
shirked & ഘട്ടംഘട്ടമായി അനുവദിക്കുന്നതിലൂടെ ന്യായത്തിന്റെ ഗ്രേവ്
പിശക് പ്രവർത്തിക്കുകയും, രാജ്യത്തെ ജനാധിപത്യത്തിന്റെ ഒരു മാരകമായ
പ്രഹരമേൽപ്പിച്ചത്.

Sarvajan സമാജ് ക്ഷേമം, സന്തോഷവും സമാധാനവും ഞങ്ങളുടെ ഭരണഘടന നിഷ്ഠമായ
പോലെ മുൻ വിളവുമേനി സമ്പത്ത് ഡെമോക്രസി, ലിബർട്ടി, സമത്വവും സാഹോദര്യവും
എണ്ണം ഒറ്റ ശത്രുവാണ്.

വാസ്തവത്തിൽ ബിജെപി പ്രതിപക്ഷ അതിന്റെ വിദൂരമായി ആർ.എസ്.എസ് നിയന്ത്രിയ്ക്കാനുള്ള ചെയ്തപ്പോൾ
ശക്തിയായിരുന്നു ലഭിച്ചിരിക്കുകയാണ് ശേഷം ഇപ്പോൾ മിണ്ടാതിരിക്കുന്ന ഏത് ശ്രേഷ്ഠത പേപ്പർ ബാലറ്റുകൾ
ഇതേ തട്ടിപ്പ് വോട്ടിംഗ് യന്ത്രത്തിൽ.

http://news.webindia123.com/…/A…/India/20100828/1575461.html

ആർഎസ്എസ് പേപ്പർ ബാലറ്റുകൾ, പൊതു scrutinyNew ഡൽഹി വിധേയമാക്കിയിരുന്നു വോട്ടിംഗ് യന്ത്രത്തിൽ മുന്തൂക്കം | തീയതി: വെള്ളി, ഡിസം 2 2016 2:34 PM
വിഷയം: ഇലക്ട്രോണിക് വോട്ടിംഗ് യന്ത്രം

ഹായ് ഹസാരെ

7.pdf

199-211_Vegas_Belgian-ഇ voting.pdf

295-JI174.pdf

331.pdf

1002evot.pdf

1602.02509.pdf

1981-3821-bpsr-9-3-0004.pdf

2009-PBY-HICSS-Voting.pdf

9093.pdf

11946.pdf

വിപുലമായ-സുരക്ഷാ-ടു-Enable- വിശ്വാസയോഗ്യമായ-ഇലക്ട്രോ …

അനുബന്ധം 1A.pdf

bevoting-1_gb.pdf

bevoting-2_gb.pdf

കോഹൻ-2006-Auditing- ടെക്നോളജി-നുള്ള വോട്ടവകാശമില്ലാത്ത-മാഖിയുടെ …

crsreport.pdf

CSECS-12.pdf

e2014_fr17.pdf

ഇ-votingHistory.pdf

ElectionWatch 3 Low.pdf

electronic_voting_machines. PDF

ElectronicVotingMachine.pdf

EverettGreeneBWDST_08.pdf

EVM.ppt

evm_tr2010.pdf

EVMOld.pdf

ftnCCS05.pdf

ഹലാൽ-4-evoting-പിശകുകൾ-v5.pdf

I504036163.pdf

IDEA.Introducing-Electronic- വോട്ടെടുപ്പ്-എസൻഷ്യൽ-കോ …

IFESkazakhstan.pdf

IJCSE11-03-05-045.pdf

IJETR_APRIL_2014_STET_72.pdf

IJRET20140319003.pdf

nam2014eisa.pdf

പി-4812 - സെൽ ഫോൺ അടിസ്ഥാനത്തിലുള്ള വോട്ടെടുപ്പ് Machine.pdf

സ്വകാര്യത-ഇലക്ട്രോണിക്-voting- chapter.pdf

സ്വകാര്യത-ഇലക്ട്രോണിക്-voting- WPES-2004.pdf

revised_summary31.pdf

sastry-phd.pdf

scientificamerican1004-90.pdf

Thesis.pdf

vote.pdf

voting.pdf

voting_good_bad_stupid.pdf

yee-phd.pdf

“ഹാക്കിംഗ്” വോട്ടിംഗ് യന്ത്രം • / R / ഗിഫ്സ്
191 പോയിന്റ് ഇതുവരെ Reddit- നെ 38 അഭിപ്രായങ്ങൾ
reddit.com



92) Classical Tamil

92) தமிழ் செம்மொழி

2085 வி 22 டிசம்பர் 2016

இந்த கூகிள் மொழிபெயர்ப்பு ஒருவரின் தாய்மொழியை இந்த பல்கலைக்கழகத்தின்
ஒரு பாடம் மற்றும் பரவல் போன்ற துல்லியமான மொழிபெயர்ப்பு இடையீடு ஒரு
நீரோடை Enterer (Sottapanna) மற்றும் இறுதி இலக்காகக் போன்ற நித்திய
ஆனந்தம் அடைய ஆக உரிமை

பகுஜன் சமாஜ் கட்சி Sarvajan Hitay sarvajan Sukhay அதை ஆதரிக்கும்
அனைத்து சமூகங்கள் (சமாஜ் sarvajan) கொண்ட நாடு நம்பர் ஒன் பெரிய கட்சியாக
தான்.

https://www.reddit.com/…/c…/4y17kg/hacking_voting_machines/…

சிஈசி அனைத்து வாக்குப் பதிவு இயந்திரங்கள் 2019 பொதுத் தேர்தலில் மாற்றப்படும் என்று கூறினார்.

முன்னாள் தலைமை SADHASIVAM, அவரது கடமை shirked மற்றும் அவர்களுக்கு
பதிலாக படிப்படியாக ஏனெனில் 1600 கோடி செலவு முன்னாள் தலைமை தேர்தல்
சம்பத் கோரிக்கை மீது மோசடி Tamperable வாக்குப் பதிவு இயந்திரங்கள் உள்ள
அனுமதிப்பதன் மூலம் தீர்ப்பு ஒரு தவறைச் செய்த மற்றும் நாட்டின் ஜனநாயகம்
ஒரு மரண அடியை தீர்க்கப்பட.

நாள்: Sat, டிசம்பர் 2, 2016 இல் 2:34 பிற்பகல்
பொருள்: மின்னணு வாக்குப் பதிவு இயந்திரங்கள்
ஹை அண்ணா,
http://www.dailypioneer.com/…/distributing-laptops-wont-hel…

இது செலவு மாதம் ரூ 1000 இணைய இணைப்புகள் இல்லாமல் மடிக்கணினிகள் யார் மாணவர்கள் அவற்றை விற்பனை தொடங்கியது.

வளராத
சமாஜ்வாதிக் கட்சியின் (SP) பாரிய திறப்பு விழா மற்றும் அடித்தளமிட்ட
விழாக்களில் அரசாங்கம், பகுஜன் சமாஜ் கட்சி தலைவருமான மாயாவதி முதல்வர்
அகிலேஷ் யாதவ் தனது கட்சி ஏன் அவர்கள் rampantly தங்கள் கட்சி
தொழிலாளர்கள் தங்கள் எஞ்சியிருக்கும் மடிக்கணினிகள் விநியோகித்து என்று
மீண்டும் ஆட்சிக்கு வராது என்று உணர்ந்தேன் என்று கூறினார்
.

http://indiatoday.intoday.in/…/rs-100-rs-50-r…/1/840031.html

ரூ .100, ரூ 50 நாணயத்தாள்களை இப்போது பாதுகாப்பு அச்சுறுத்தல்களுக்கு முகம் கொடுக்கின்றனர், அருண் Jaitly இந்தியா டுடே சொல்ல

https://www.reddit.com/…/c…/4y17kg/hacking_voting_machines/…

http://indianexpress.com/…/ec-team-on-3-day-visit-to-uttar…/
உத்தரப் பிரதேசம் செய்திகள், உத்தரப் பிரதேசம் தேர்தல், kairana
பிரச்சினை, பாஜக kairana, தலைமைத் தேர்தல் ஆணையர் நசீம் ஜைதி, உத்தரப்
பிரதேசம் செய்திகள், உத்தரப் பிரதேசம் தேர்தல் செய்தி, சமீபத்திய செய்தி,
இந்தியா செய்தி

சிஈசி அனைத்து வாக்குப் பதிவு இயந்திரங்கள் 2019 பொதுத் தேர்தலில் மாற்றப்படும் என்று கூறினார்.

http://economictimes.indiatimes.com/…/articles…/51106327.cms

அனைத்து வாக்குப் பதிவு இயந்திரங்கள் வரை காகித வாக்குச் சீட்டுக்கள் வரிசைப்படுத்தும் இல்லாமல் முற்றிலும் மாற்றப்படுகின்றன. இப்பொழுது உத்தரப் பிரதேசத்தில் கடந்த உ.பி. பஞ்சாயத்து தேர்தலில்
செய்தது போல் மாயாவதி பி.எஸ்.பி நடந்த வாக்கெடுப்பில் வெற்றி பெறும்
மற்றும் கட்சிகள் மீதமுள்ள கூட 1% வாக்குகள் பெற முடியாது, ஏனெனில் இந்த
வாக்குப் பதிவு இயந்திரங்கள் தேர்தல் நடத்தப்படுகிறது.

அவர்கள்
ஏனெனில் பணம் பேராசை சக்தி gobbling மோசடி வாக்குப் பதிவு இயந்திரங்கள்
(தீய வாக்குப்பதிவு எந்திரங்களை) சேதப்படுத்திய அப்பால் என்று மற்றும்
விழிப்புணர்வு மற்றும் விழித்துக்கொண்டது ஒரு கற்பித்தல் புதைக்க
முயல்கின்றனர் Presstitute ஊடகங்களுடன் சேர்ந்து தங்களுடைய மன மயக்கத்தில்
மாநில மக்கள் ஆய்வுரைகளை சரிவு
அவர்கள் போதி மரங்கள் என வேகமாக வளர்ந்து KEP என்று விதைகள் இருக்கும்
என்று உணராமலேயே டெக்னோ-Poltico-சமூக மாற்றம் மற்றும் பகுஜன் பொருளாதார
விடுதலை இயக்கம்.

முன்னாள் தலைமை SADHASIVAM, அவரது கடமை shirked மற்றும் அவர்களுக்கு
பதிலாக படிப்படியாக ஏனெனில் 1600 கோடி செலவு முன்னாள் தலைமை தேர்தல்
சம்பத் கோரிக்கை மீது மோசடி Tamperable வாக்குப் பதிவு இயந்திரங்கள் உள்ள
அனுமதிப்பதன் மூலம் தீர்ப்பு ஒரு தவறைச் செய்த மற்றும் நாட்டின் ஜனநாயகம்
ஒரு மரண அடியை தீர்க்கப்பட.

முன்னாள் தலைமை தேர்தல் சம்பத் ஜனநாயகம், சுதந்திரம், சமத்துவம்
எண்ணிக்கை ஒரு எதிரியும் Sarvajan சமாஜ் நலன்புரி, மகிழ்ச்சியும்
சமாதானமும் எங்கள் அரசியல் சாசனத்தில் பொதிந்துள்ளது என சகோதரத்துவம்
உள்ளது.

உண்மையில் பாஜக தொலை கட்டுப்படுத்தும் மே எதிராக இருக்கையில்
மூலம் அதிகாரத்தை பெற்ற பிறகு இப்போது அமைதியாக இது சாதகமாகவே பேப்பர் வாக்குச்சீட்டுக்களை
அதே மோசடி வாக்குப் பதிவு இயந்திரங்கள்.

http://news.webindia123.com/…/A…/India/20100828/1575461.html

| மே காகித வாக்குகள், வாக்குப் பதிவு இயந்திரங்கள் பொது scrutinyNew தில்லி உள்ளாகி சாதகமாக நாள்: Sat, டிசம்பர் 2, 2016 இல் 2:34 பிற்பகல்
பொருள்: மின்னணு வாக்குப் பதிவு இயந்திரங்கள்

ஹை அண்ணா,

7.pdf

199-211_Vegas_Belgian-இ- voting.pdf

295-JI174.pdf

331.pdf

1002evot.pdf

1602.02509.pdf

1981-3821-bpsr-9-3-0004.pdf

2009-PBY-HICSS-Voting.pdf

9093.pdf

11946.pdf

மேம்பட்ட-பாதுகாப்பு-க்கு Enable- நம்பகமான-எலக்ட்ரோ …

பின் இணைப்பு 1A.pdf

bevoting-1_gb.pdf

bevoting-2_gb.pdf

கோஹன்-2006-Auditing- தொழில்நுட்பம்-க்கு வாக்கு-குடி …

crsreport.pdf

CSECS-12.pdf

e2014_fr17.pdf

மின் votingHistory.pdf

ElectionWatch 3 Low.pdf

electronic_voting_machines. PDF

ElectronicVotingMachine.pdf

EverettGreeneBWDST_08.pdf

EVM.ppt

evm_tr2010.pdf

EVMOld.pdf

ftnCCS05.pdf

ஹலால்-4-evoting-பிழைகள்-v5.pdf

I504036163.pdf

IDEA.Introducing-Electronic- வாக்களிப்பு-அத்தியாவசிய-கோ …

IFESkazakhstan.pdf

IJCSE11-03-05-045.pdf

IJETR_APRIL_2014_STET_72.pdf

IJRET20140319003.pdf

nam2014eisa.pdf

ப-4812 - செல் போன் அடிப்படையில் வாக்களிப்பு Machine.pdf

தனியுரிமை மின்னணு-voting- chapter.pdf

தனியுரிமை மின்னணு-voting- WPES-2004.pdf

revised_summary31.pdf

சாஸ்திரி-phd.pdf

scientificamerican1004-90.pdf

Thesis.pdf

vote.pdf

voting.pdf

voting_good_bad_stupid.pdf

யீ-phd.pdf

“ஹேக்கிங்” வாக்குப்பதிவு எந்திரங்களை • / R / GIF களை
இதுவரை ரெட்டிட்டில் 191 புள்ளிகள் மற்றும் 38 கருத்துகள்
reddit.com

93) Classical Telugu

93) ప్రాచీన తెలుగు

2085 Thu Dec 22 2016

ఈ Google అనువాద ఒకరి మాతృభాషలో విశ్వవిద్యాలయ ఒక పాఠం మరియు ప్రచారానికి
ఖచ్చితమైన అనువాదం రెండరింగ్ ఒక స్ట్రీమ్ Enterer (Sottapanna) మరియు ఒక
ఫైనల్ గోల్, ఎటర్నల్ బ్లిస్ సాధించడానికి మారింది చేసుకోవచ్చును

బిఎస్పీ సమాజాలు (సమాజ్ sarvajan) తో దేశం నెంబర్ వన్ లార్జెస్ట్ పార్టీ Sarvajan Hitay sarvajan Sukhay అది సహకరిస్తుంది.

https://www.reddit.com/…/c…/4y17kg/hacking_voting_machines/…

సిఇసి అన్ని ఈవీఎంలు 2019 సాధారణ ఎన్నికల్లో భర్తీ చేయబడుతుంది చెప్పారు.

మాజీ సిజెఐ SADHASIVAM, తన విధి shirked & వాటిని స్థానంలో దశలవారీగా
ఎందుకంటే 1600 కోట్ల ఖర్చు మాజీ సిఇసి సంపత్ అభ్యర్ధన మీద ఫ్రాడ్
Tamperable ఈవీఎంలు లో అనుమతించడం ద్వారా తీర్పు ఒక సమాధి లోపం కట్టుబడి
మరియు దేశం యొక్క ప్రజాస్వామ్య ఒక ప్రమాదకరమైన దెబ్బ కొట్టాయి.

తేదీ: Fri, డిసెంబర్ 2, 2016 నాడు 2:34 PM
విషయం: ఎలక్ట్రానిక్ ఓటింగ్ యంత్రాలు
హై అన్నా,
http://www.dailypioneer.com/…/distributing-laptops-wont-hel…

ఖర్చు నెలకు రూ 1000 ఇంటర్నెట్ అనుసంధానాలు లేని ల్యాప్టాప్లు వచ్చింది ఎవరు స్టూడెంట్స్ వారిని మొదలుపెట్టారు.

Slamming
సమాజ్వాది పార్టీ (ఎస్పి) భారీ ప్రారంభోత్సవం మరియు పునాది వెయ్యటానికి
వేడుకలు పైగా ప్రభుత్వ, బహుజన్ సమాజ్ పార్టీ అధినేత్రి మాయావతి
ముఖ్యమంత్రి అఖిలేష్ యాదవ్ తన పార్టీ ఎందుకు వారు ప్రబల వారి పార్టీ
కార్యకర్తలు తమ మిగిలిపోయిన ల్యాప్టాప్లు పంపిణీ చేసే మళ్ళీ అధికారంలో
వచ్చి కాదని గ్రహించారు ఉంది అన్నారు
.

http://indiatoday.intoday.in/…/rs-100-rs-50-r…/1/840031.html

రూ 100, రూ .50 కరెన్సీ నోట్లు ఇప్పుడు భద్రతా ముప్పు ఎదుర్కొంటున్న, అరుణ్ జైట్లీ చెప్పడం భారతదేశం నేడు

https://www.reddit.com/…/c…/4y17kg/hacking_voting_machines/…

http://indianexpress.com/…/ec-team-on-3-day-visit-to-uttar…/
ఉత్తరప్రదేశ్ న్యూస్ ఉత్తరప్రదేశ్ ఎలక్షన్, kairana సమస్య, బీజేపీ
kairana చీఫ్ ఎలక్షన్ కమిషనర్ నాసిం జైది, ఉత్తరప్రదేశ్ న్యూస్
ఉత్తరప్రదేశ్ ఎలక్షన్ వార్తలు, తాజా వార్తలు, భారతదేశం వార్తలు

సిఇసి అన్ని ఈవీఎంలు 2019 సాధారణ ఎన్నికల్లో భర్తీ చేయబడుతుంది చెప్పారు.

http://economictimes.indiatimes.com/…/articles…/51106327.cms

అన్ని ఈవీఎంలు వరకు కాగితం బ్యాలెట్ల ఆర్దరింగ్ లేకుండా పూర్తిగా భర్తీ చేయబడతాయి. మాయావతి యొక్క బి.ఎస్.పి అఖండ మెజారిటీ విజయం ఇది గత యుపి పంచాయతీ
ఎన్నికల్లో వలె మరియు పార్టీలు మిగిలిన 1% కూడా ఓట్ల అందదు కేవలం ఎందుకంటే
ఇప్పుడు యుపిలో ఎన్నికలు ఈ ఈవీఎంలు తో నిర్వహిస్తారు.

వారు
ఎందుకంటే డబ్బు కోసం వారి దురాశ శక్తి gobbling కోసం మోసం ఈవీఎంలు (ఈవిల్
ఓటింగ్ యంత్రాలు) దిద్దుబాటు మించి ఆలోచించడానికి మరియు అవగాహన మరియు
జాగృతం వన్ యొక్క బోధన దాయు ప్రయత్నిస్తున్నారు Presstitute మీడియాతో పాటు
మనస్సు వారి సగమో లేక పూర్తిగానో తెలివితో రాష్ట్ర ప్రజలకు థీసిస్ పరి
వారు బోధి చెట్లు మొలకెత్తుతుంది KEP విత్తనాలను అని గ్రహించి లేకుండా
టెక్నో-Poltico-సామాజిక ట్రాన్స్ఫార్మేషన్ మరియు బిఎస్పి ఆర్థిక విమోచన
ఉద్యమం.

మాజీ సిజెఐ SADHASIVAM, తన విధి shirked & వాటిని స్థానంలో దశలవారీగా
ఎందుకంటే 1600 కోట్ల ఖర్చు మాజీ సిఇసి సంపత్ అభ్యర్ధన మీద ఫ్రాడ్
Tamperable ఈవీఎంలు లో అనుమతించడం ద్వారా తీర్పు ఒక సమాధి లోపం కట్టుబడి
మరియు దేశం యొక్క ప్రజాస్వామ్య ఒక ప్రమాదకరమైన దెబ్బ కొట్టాయి.

మాజీ సిఇసి సంపత్ డెమోక్రసీ, స్వేచ్ఛ, సమానత్వం ప్రథమ శత్రువు మరియు
Sarvajan సమాజ్ సంక్షేమం, ఆనందం మరియు శాంతి కోసం మా రాజ్యాంగం లో
పొందుపరిచారు కూటమిలో ఉంది.

నిజానికి BJP ప్రతిపక్షంగా దాని రిమోట్గా నియంత్రించడంలో RSS ఉన్నప్పుడు
దీని ద్వారా అధికారం పొందకుండా తర్వాత ఇప్పుడు మౌనంగా ఉంది మెచ్చిన పేపర్ బ్యాలెట్లను
చాలా అదే మోసం ఈవీఎంలు.

http://news.webindia123.com/…/A…/India/20100828/1575461.html

RSS నిస్తుంది పేపర్ బ్యాలెట్లను, ఈవీఎంలు ప్రజా scrutinyNew ఢిల్లీ గురి | తేదీ: Fri, డిసెంబర్ 2, 2016 నాడు 2:34 PM
విషయం: ఎలక్ట్రానిక్ ఓటింగ్ యంత్రాలు

హై అన్నా,

7.pdf

199-211_Vegas_Belgian-ఇ voting.pdf

295-JI174.pdf

331.pdf

1002evot.pdf

1602.02509.pdf

1981-3821-bpsr-9-3-0004.pdf

2009-PBY-HICSS-Voting.pdf

9093.pdf

11946.pdf

ఆధునిక-సెక్యూరిటీ టు Enable- నమ్మదగిన-ఎలక్ట్రో …

అపెండిక్స్ 1A.pdf

bevoting-1_gb.pdf

bevoting-2_gb.pdf

కోహెన్-2006-Auditing- కోసం ఓటింగ్-మాచీ టెక్నాలజీ …

crsreport.pdf

CSECS-12.pdf

e2014_fr17.pdf

ఇ-votingHistory.pdf

ElectionWatch 3 Low.pdf

electronic_voting_machines. పిడిఎఫ్

ElectronicVotingMachine.pdf

EverettGreeneBWDST_08.pdf

EVM.ppt

evm_tr2010.pdf

EVMOld.pdf

ftnCCS05.pdf

హలాల్-4-evoting-లోపాలు-v5.pdf

I504036163.pdf

IDEA.Introducing-Electronic- ఓటింగ్-ఎసెన్షియల్-కో …

IFESkazakhstan.pdf

IJCSE11-03-05-045.pdf

IJETR_APRIL_2014_STET_72.pdf

IJRET20140319003.pdf

nam2014eisa.pdf

పే-4812 - సెల్ ఫోన్ ఆధారంగా ఓటింగ్ Machine.pdf

గోప్యతా ఎలక్ట్రానిక్-voting- chapter.pdf

గోప్యతా ఎలక్ట్రానిక్-voting- WPES-2004.pdf

revised_summary31.pdf

శాస్త్రి-phd.pdf

scientificamerican1004-90.pdf

Thesis.pdf

vote.pdf

voting.pdf

voting_good_bad_stupid.pdf

Yee-phd.pdf

“హ్యాకింగ్” ఓటింగ్ యంత్రాల • / R / gif లు
ఇప్పటివరకు reddit న 191 పాయింట్లు మరియు 38 వ్యాఖ్యలు
reddit.com


comments (0)
12/20/16
2084 Wed 21 Dec 2016 LESSONS from Rector JCMesh J Alphabets Letter Animation ClipartMesh C Alphabets Letter Animation Clipart an expert who identifies experts influenced by Expert and Infulencer Sashikanth Chandrasekharan of Free Online Buddhism - World Religions for Kidshttps://drambedkarbooks.com/2015/03/14/the-chamcha-age-by-saheb-kanshi-ram/#more-1506Awaken One With Awareness Mind (A1wAM)+ ioT (insight-net of Things) - the art of Giving, taking and Living to attain Eternal Bliss as Final Goal through Electronic Visual Communication Course on Political Science -Techno-Politico-Socio Transformation and Economic Emancipation Movement (TPSTEEM). Struggle hard to see that all fraud EVMs are replaced by paper ballots by Start using Internet of things by creating Websites, blogs. Make the best use of facebook, twitter etc., to propagate TPSTEEM thru FOA1TRPUVF. Practice Insight Meditation in all postures of the body - Sitting, standing, lying, walking, jogging, cycling, swimming, martial arts etc., for health mind in a healthy body. from INSIGHT-NET-Hi Tech Radio Free Animation Clipart Online A1 (Awakened One) Tipiṭaka Research & Practice University in Visual Format (FOA1TRPUVF)https://archive.org/stream/DhammapadaIllustrated/dhammapada_illustrated#page/n681/mode/2up free online university research practice up a level through http://sarvajan.ambedkar.orgup a level https://awakenmediaprabandhak. wordpress.com/ email-0565.gif from 123gifs.eu Download & Greeting Card modinotourpm@gmail.com jchandra1942@icloud.com sarvajanow@yahoo.co.in is the most Positive Energy of informative and research oriented site propagating the teachings of the Awakened One with Awareness the Buddha and on Techno-Politico-Socio Transformation and Economic Emancipation Movement followed by millions of people all over the world in 105 Classical languages. Rendering exact translation as a lesson of this University in one’s mother tongue to this Google Translation and propagation entitles to become a Stream Enterer (Sottapanna) and to attain Eternal Bliss as a Final Goal-http://www.countercurrents.org/…/demonetization-the-politi…/ There have been various and repeated references to the suffering of the public caused by the decision of demonetization by Modi. http://www.countercurrents.org/…/humansofdemonetisedindia-…/ The demonetisation tsunami is slowly gaining momentum. One mild wave touched me today.
Filed under: General
Posted by: site admin @ 9:51 pm

Fatal error: Allowed memory size of 16777216 bytes exhausted (tried to allocate 1517631 bytes) in /home/pegasus/SiteBlog-2.0.0-RELEASE_bundle/SiteBlog/wp-includes/functions-formatting.php on line 345