Ballot Verification
Objectives of Verification
At the moment a voter completes voting at Skypunch Technology, an email confirmation is sent to that voter including three pieces of data that may be used to later verify their ballot. This is done by visiting www.electionsonline.com/verify where a voter may:
- step through the process of verifying that their ballot has been recorded.
- verify with absolute certainty the ballot has not been altered.
- ensure the ballot is included in the vote count.
Verification Steps
Step One—Verify version number
Ballots are stored inside an immutable system of record that can only perform append operations. This means when data like that collected by a voter making selections on a ballot is committed to this system, it does so as a block of data with a version identifier of zero assigned to it. Were that block of data to be modified or deleted at some later point in time, the append-only behavior means that the original data is not overwritten. Rather, a new entry is added and additionally hash-chained to the original data block thereby creating an auditable history of activity performed on that data where each new entry has a version identifier incremented by one. Because no ballot should ever be modified once it enters the system, no ballot should have a version identifier greater than zero. Therefore, the first step to ballot verification is to confirm that a given ballot is on version zero. Upon successfully completing version number verification, a user will be presented the opportunity to advance to retrieve the block address for a ballot.
Step Two—Get block address
Once it is established that a ballot is at version zero, further verification may be performed to ensure this one and only version has not been altered since the moment it was committed to the ledger. Steps two through four collect the data necessary to perform this verification and begins by retrieving the block address for the ballot which is as simple as proceeding to step two.
Step Three—Provide digest and digest tip address
The digest provided in the email confirmation may be defined as a 256-bit hash value that uniquely represents a ledger’s entire history of document revisions as of a point in time. And the digest tip address (also in the email confirmation) is simply the latest block location covered by the digest that you requested.
Notice from the definitions above that the digest and tip address both make reference to time. When we perform verification, what we are really proving is that data has not been altered between the time the digest was generated and the verification is performed. That is the reason voters are provided the option of capturing and saving a digest immediately after submitting their ballot rather than to use a digest generated later during the verification process.
Step Four—Get a proof and verify the ballot
With all the data collected in the previous steps we now have all that is needed to retrieve a proof and perform verification. A proof is the ordered list of 256-bit hash values for a given digest and document revision. It consists of the hashes that are required by a Merkle tree model to chain the given revision hash to the digest hash. A proof enables you to verify the integrity of your revisions relative to the digest.
With this data the verification process is able to recalculate a hash for the digest. When this recalculated digest matches the expected digest hash, verification is successful.
Step Five—Ensuring ballot is included in vote count
All verification activity discussed above is performed against a system of record which is not used to support reporting and analysis of the election results. Therefore, once voters have verified that their ballot has been captured and is unaltered in this system of record, they may also confirm that one, and only one, exact duplicate of their ballot also exists in the reporting platform.
Viewing ballot
After a ballot has been verified, you may also proceed to view the ballot showing the selections made by the voter.