October 6 - Almost There
Projects - Elections Reform
Written by Michael Yaroshefsky   
Monday, 28 September 2009 10:11

Two weeks ago I delivered my third presentation to the senate regarding the elections project.  This was the first presentation to the senate since we started working with Helios.  The purpose of the presentation was to explain what Helios is, how it works, and what we can do to use it.

The Presentation

I began by going through a quick review of how we got to where we are now:

[Image: elections_progress]

It certainly wasn't a simple process!  There were plenty of dead ends and u-turns along the way.  But that is what made it such an exciting project!  If you're new to the blog, you can read through the chronicle of blog posts below to get the full picture if you're interested.

Download the presentation here!

Then I discussed two of the critical features of Helios:

  1. Ballot Casting Assurance
    Each ballot you cast generates a unique tracking number.  At any time after you cast the ballot, you can go to the Ballot Tracking Center in Helios and make sure that this tracking number matches the one you received when you cast your vote.  If they match, you can be confident that your vote was successfully cast and has not been modified.
  2. Universal Verifiability
    Any observer, including a third party auditor, can verify that all of the votes were correctly tallied.  During the UCL election using Helios (see August 4th post below), they hired a third party auditor to do exactly this.  The auditor reached the same conclusion as Helios, and thereby verified the election.

Helios is based on cutting-edge technology -- straight from the lab, you could say.  And I half-jokingly proclaimed that our use of Helios would mean that we have the most advanced election system of all student government elections around the country, world, and cosmos.  But all joking aside, Helios is a huge leap forward in online voting technology, and it is an ideal solution for student government elections.  Not only is it secure, but it is also absolutely free!

That's right!  Helios will not cost us anything.  The software is free, and by using Google Appspot to host the service, the hosting is also free.  As a GNU programmer would point out, the adage "You get what you pay for" definitely doesn't apply here.  Helios could potentially be more secure than non-free alternatives.

Next Steps

At this point, we are 100% invested in using Helios for the class of 2013 election this fall.  For me, this is a huge weight off my shoulders.  There was a point in mid-August where nothing seemed to be working and I wasn't sure if we would have anything in time for this election.  But luck seems to have been on our side.

Timeline

Last week I met with Addie Darling '12, the senior elections manager, to plan the timeline of this election.  In the past, the protocol followed by the elections administrators has been as much to blame for the elections problems as the system itself.  To change this, Addie and I thoroughly planned the whole process out, down to details including the time at which emails will be sent and what will be included in these emails.  This timeline is available now in the elections center.

Playing It Safe

Although I'm thrilled that we are launching Helios, I am also concerned about the adoption of Helios.  I don't have any concerns about Helios itself -- it works.  Period.  The biggest concern I have is that voters will understand how to use Helios.  Admittedly, the increased security in Helios comes at the expense of simplicity, though certainly not to the point of hindering usability.  For example, there are a few extra steps to using Helios not found in the old system.

Here's an example of something I'm concerned about: the login procedure.  In Helios, you don't log in until immediately before you submit the ballot.  Even if you aren't eligible to vote in the election, you can go through the ballot, make choices, encrypt the ballot, and get a tracking number.  However, at this point you must log in to cast your ballot.  This is very different from our old system, where you logged in first, made your choices, and clicked submit.

But it's not that eccentric!  Think of it in terms of a paper ballot.  Anyone can get the paper ballot and mark choices, but when you go up to the ballot box to deposit your ballot, someone checks your ID to make sure you are eligible.  This makes sense, right?

Test, Test, Test

In order to flush out confusion that voters may have, we have been having groups of people test Helios.  We will continue with a larger-scale test next week.  This test will be confined to the class of 2012 to test Helios' ability to check voter eligibility by class year and since it will allow me to reach out to my friends to help.  Addie and I will be sending invitations to test Helios to our friends and then getting feedback.  If you would explicitly like to participate in the review of Helios, I'd be happy to include you.  Just send me an email to yaro@.  We hope to glean from these user experiences the pieces of Helios that cause the most confusion.  Then, based on this feedback, I can tailor my instructions to explain certain parts in more detail.  Also, we can use this feedback to make changes to Helios for a future election.  (It would be unwise to make modifications to Helios now, right before the election, because doing so could introduce problems into the program).

Documentation Galore

Ben and I agree that documentation, a "how-to" guide to Helios, is crucial.  Therefore, I'm going to go overboard on this end.  Video demonstrations, FAQs, pretty pictures, and unicorns.  This will be linked to by a "Help" link at the bottom of Helios.

Feedback Requested

The best way to improve Helios is to learn from real use.  To that end, I'm going to set up a survey to get everyone's feedback on Helios after they use it.  This will help me focus the guide and further refine Helios.

Now, I'm off to set up the test election.  The contest between Mickey Mouse and Chuck Norris for the class presidency is heating up!

Message to Registrar and Elections Committee

Below is the message I just sent to the Registrar and all of the other contributors to the project:

Hello, Ms. Griffin, Dean Dunne, and members of the committee that assisted with the election project this summer;

It's been a while since our last meeting regarding the USG elections, and I'm thrilled to announce that, in this time, the USG has settled on our solution: Helios.

Dr. Ben Adida and I have been working tirelessly along with members of OIT's Security and Data Protection group, the USG, and other voting security experts from within and beyond Princeton.  Through all of this, we have a tangible result: Princeton's very own instance of the Helios voting booth, an instance that is completely ready for us to use in the upcoming election.  It integrates with Princeton's Central Authentication System and successfully checks voter eligibility based on class year.  Our plan to launch Helios for this fall election with the class of 2013 is well underway and right on track for a successful launch in two weeks.

Helios is a thoroughly-tested system -- our election is far from the first to use Helios.  In fact, as I may have mentioned at our August 4th meeting, the Université catholique de Louvain in Belgium used an earlier version of Helios to elect their university president.  This high-stakes election had as much publicity involved as you might expect if we were analogously to elect President Tilghman's replacement.  In this election, the university ended up praising Dr. Adida and Helios for enabling them to conduct such a well-run and reliable election.  Since then, Dr. Adida has made a number of presentations on Helios at universities and voting security conferences, and his peers in academia have also contributed to giving him feedback that has allowed him to tighten the security even further and create the version of Helios, version 3.0, that we have today.

However, even though I am confident that there are no problems inherent to Helios, there are potential challenges to launching any new voting system to such a large population of voters, especially one as advanced as Helios.  As such, we are planning a full-scale test election next week, in which the class of 2012 will be the first class to use Helios by responding to a simple survey through Helios.  Through this test, I hope to identify which parts of Helios voters find most confusing so that I may create guides and documentation to address these causes of confusion.  Then, for the December election, we can perhaps modify Helios to address these concerns.

In addition, we will use this test election to conduct a full-scale test of the component we have implemented that verifies voter eligibility.  You may be comforted to know that this system was built using the very same authentication procedures implemented by James' WebSurvey.  As a result, Helios will be equally as sensitive to voter eligibility as WebSurvey was; Helios' ability to discriminate between eligible and ineligible voters is equally as powerful as the system used by WebSurvey.  In fact, it is the very same system.

One notable difference between Helios and WebSurvey that is of explicit interest to this committee is the role of the elections administrators, such as the USG Elections Manager and the Office of the Registrar.  In WebSurvey, a representative from the Office of the Registrar logged in to click a button and tally the votes.  This process constituted "Registrar Certification" in previous elections.   The process with Helios is similar, albeit slightly more secure. 

In Helios, there can be a number of trustees that divide the power to decrypt the ballots and tally the votes.  For our elections, the USG is proposing to distribute this power between two trustees: the Office of the Registrar and the USG Elections Manager.  Through this arrangement, the results of the election cannot be tallied or published until both trustees input their unique decryption keys.  Without both of the decryption keys (think of these as passwords, analogous to physical keys), no single person can gain advance access to the ballots or the results.  This is similar to how a personal vault at a bank might work -- both keys must be present to "open the box."  No single party acting on his or her own could gain advance knowledge of the vote counts -- this includes any member of the USG senate or the elections manager herself.  It is also critical, though, that neither of these keys (which are strings of characters like passwords) be lost, since if one of the keys is lost it will be impossible to tally the votes.

As a result, elections using Helios will still depend on a strong relationship of cooperation between the USG and the Office of the Registrar.  I would like to meet with whoever in the Office of the Registrar will be responsible for this "trustee" role sometime soon so that we may learn the full protocol from Ben.  We can then use the class of 2012 test election as a way to have a "dress rehearsal" of our roles as trustees.  The test election will take place next week, concurrent with the campaigning period for the actual election.  Then, in the week following, the actual election with the class of 2013 will take place using Helios.

To everyone on this committee, thank you for all of your generous assistance along the way.  I cannot adequately express how thankful the USG is for the level of cooperation between so many parties in this project.  This has been a complicated project, involving many people, and with numerous abrupt changes in direction along the way.  Our successful launch of Helios will be a standing testament to this remarkable cooperation and the achievement we have conjointly made.  I anxiously await the full launch of Helios in two weeks!

Sincerely,
Michael
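
The two-trustee arrangement described in the message above can be sketched as exponential ElGamal with the decryption key split between two parties. This is an added illustration, not Helios code and not part of the original post: the group parameters are constructed toy values, all function names are hypothetical, and the zero-knowledge proofs a real system attaches to ballots and decryption factors are left out.

```python
import secrets

# Toy parameters (constructed, far too small for real use): P = 2Q + 1, both prime;
# G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keygen(x=None):
    """One trustee's key pair: secret x, public share g^x. x is random unless given."""
    x = x if x is not None else secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def election_key(public_shares):
    """Election public key = product of the trustees' public shares."""
    pk = 1
    for y in public_shares:
        pk = pk * y % P
    return pk

def encrypt(pk, vote, r=None):
    """Exponential ElGamal: (g^r, g^vote * pk^r). r is random unless given."""
    r = r if r is not None else secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, vote, P) * pow(pk, r, P) % P

def add(ballots):
    """Multiply ciphertexts component-wise: the result encrypts the sum of the votes."""
    a, b = 1, 1
    for alpha, beta in ballots:
        a, b = a * alpha % P, b * beta % P
    return a, b

def decryption_factor(x, ct):
    """Computed by a trustee locally; the secret x itself is never shared."""
    return pow(ct[0], x, P)

def combine(ct, factors, max_tally):
    """Divide out the factors, then search g^0..g^max_tally. None means no valid tally."""
    value = ct[1]
    for f in factors:
        value = value * pow(f, -1, P) % P
    for m in range(max_tally + 1):
        if pow(G, m, P) == value:
            return m
    return None

def count(votes, registrar_x=None, manager_x=None):
    """Full run for one yes/no question (constructed scenario): returns the tally."""
    (rx, ry), (mx, my) = keygen(registrar_x), keygen(manager_x)
    total = add([encrypt(election_key([ry, my]), v) for v in votes])
    factors = [decryption_factor(rx, total), decryption_factor(mx, total)]
    return combine(total, factors, len(votes))
```

Calling `combine` with only one trustee's factor leaves the other trustee's mask on the ciphertext, which is why a lost key makes the tally unrecoverable.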
