Sunday June 24, 2018

Elections with Sub-Groups of Voters

Some customers have subgroups of voters in their OpaVote online elections. For example, the subgroups could be based on where voters live (e.g., as in the congressional districts shown here) or the grade level of student voters.

For example, consider a high school election that elects a president for the entire school and a representative for each grade (freshmen, sophomores, juniors, and seniors). Every student can vote for president, but only students of a grade vote for their representative. There are thus five groups of voters (the whole school and a group for each of the four grades).

I'll present two options for doing this with OpaVote. The first is easier for the manager and the second is easier for the voters.

Hold a Separate Election for each Contest

The election manager creates an OpaVote election for each of the five contests. For example, a first election for president (where all students are voters), a second election for freshmen representative (where only freshmen are voters), and so forth.

When you do this, each voter will receive two voting links: a first voting link to vote for president and a second voting link to vote for the representative of their grade. When the elections are over, you count the votes for each election to determine the winners.

While it is very easy for the manager to set up the OpaVote elections this way, it is a little more confusing for each voter to receive two voting links and have to vote twice. It is certainly doable, but you need to clearly communicate to the voters that they will receive two voting links and that they must use each of them.

If you have 100 voters in each grade level, then the price will be $40 for the president election and $10 for each grade level election for a total of $80.

Hold a Separate Election for each Group of Voters

The election manager creates an OpaVote election for each of the four groups of voters. Now, each election will have two contests: a first contest for president and a second contest for the representative of the grade. Each voter now receives one voting link and votes once (for president and grade representative). This makes it very easy for the voters. 

When the elections are over, it is easy to determine the winners of the contests for the representatives of the grades. You just count the votes. To determine the winner of the contest for president, the election manager needs to do more work since the ballots are split up among the four grades.

The manager needs to combine the votes to count them all together, and this is a fairly easy process:
  1. Download the votes for president from each grade and give them an appropriate name (e.g., freshmen.txt, sophomores.txt, etc.).
  2. Create an OpaVote Count.
  3. Upload the ballots for the freshmen.
  4. Append the ballots for each of the other classes.
  5. Count the votes to get the winner for president.
I recommend this method over the previous method because it is just a little work for the manager and it makes it easier for the voters.

If you have 100 voters for each grade level, then the price will be $10 for each grade level election and $40 for the OpaVote Count used to combine the votes. The price for the two options is thus about the same.

Monday May 28, 2018

Updated OpaVote pricing

We've recently revised how we do pricing of elections, and we think it will be a welcome change for you.

Previously, the price of your election depended on how long it lasted. The first week was free, and it would cost $10 for each additional two weeks.

Now, all elections can last for up to 12 weeks (from when you create it) at no additional charge.  The pricing is now based solely on the number of voters and candidates.

If you need your election to last more than 12 weeks, please contact us and we can help make that happen for you.

Monday May 28, 2018

Trusting your Election Manager

Illustration via Max Fleishman
Because of the importance of some elections, the thought of running elections online can create apprehension. Often, the concern is hackers who might try to manipulate your election (see our recent post on our election security practices).

In this blog post, however, we are going to focus on the election manager (the person who is running the election on behalf of the organization) and the steps that OpaVote takes to limit the ability of an election manager to manipulate an election.

To some extent, you need to trust your election manager, as we'll describe in greater detail below. If you want to eliminate all possibility of an election manager improperly influencing your election, then you can hire OpaVote to run your election for you.

Manager Cannot See or Change Individual Votes

The election manager has no access to individual votes. The manager cannot see votes and cannot change votes. The manager can see the number of votes that have been cast in real time, but nothing else.

Manager Cannot See Preliminary Election Results

We do not allow the manager to see preliminary election results. The manager can only see the results once the election is finished and the manager cannot reopen the election. This prevents the manager from closing the election early or late to try to influence the results.

We do have an option to allow anyone to see preliminary results during an election, but this allows all voters to see preliminary results in addition to the manager.

Manager Cannot Change Election Info after Voting Opens

Once voting opens, the manager cannot change any information about the election. For example, the manager cannot change the election description and cannot add or remove candidates. If the manager makes a mistake (such as a typo), then the manager can contact us to fix it (with a support fee), and we make sure that such changes do not improperly influence the election.

Possible ways for Manager to Influence Election

To some extent, you do need to trust your election manager. To run the election, the election manager needs access to information that is not publicly available. Here are some examples, and the steps we take to mitigate the risks.
  • The manager has sole access to the voting lists. For privacy reasons, we don't allow voters to access voter lists and details about who has and has not voted. If people at your organization other than your election manager need access to this information, then we can provide it to them to allow them to independently confirm that voter lists are correct.
  • The manager can disable voters to prevent them from voting (e.g., if a voter was accidentally included twice). When this happens, however, the voter will receive a message indicating that their voting code has been disabled. If the manager improperly disables voters, then the voters will know and can take action.
  • The manager can see who has and has not voted. The manager could use this information to urge supporters of a particular candidate to vote. We see this as a minor risk since the manager can do this even without knowing who has voted.
  • The biggest risk arises from the use of code voters. When you use code voters, the manager needs access to the secret voting codes so that the manager can distribute them to the voters. Because the manager has access to all of the secret voting codes, the manager is able to enter votes on behalf of voters. One mitigation is that we store the date and time of each received vote along with the IP address of the computer that was used to enter the vote. If the manager enters multiple votes from the same computer, it is easy to detect this kind of manipulation. If you do not trust your manager, however, then you should either use only email voters or hire OpaVote to run your election for you.
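The check described in the last bullet can be run over the stored time and IP address of each vote. The following is an added example, not OpaVote's code: the record layout, the function name `flag_vote_bursts` and the thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (time received, source IP, voter label).
# IPs come from the RFC 5737 documentation ranges.
SAMPLE_VOTES = [
    ("2018-05-20T09:01:12", "198.51.100.7", "voter-01"),
    ("2018-05-20T21:40:03", "198.51.100.7", "voter-02"),
    ("2018-05-21T13:15:00", "203.0.113.50", "voter-03"),
    ("2018-05-21T13:15:48", "203.0.113.50", "voter-04"),
    ("2018-05-21T13:16:31", "203.0.113.50", "voter-05"),
    ("2018-05-21T13:17:20", "203.0.113.50", "voter-06"),
    ("2018-05-19T08:00:00", "192.0.2.10", "voter-07"),
    ("2018-05-20T12:30:00", "192.0.2.10", "voter-08"),
    ("2018-05-22T17:45:00", "192.0.2.10", "voter-09"),
]


def flag_vote_bursts(votes, min_votes=3, window=timedelta(minutes=10)):
    """Return {ip: sorted voter labels} for IPs with >= min_votes inside one window."""
    by_ip = defaultdict(list)
    for received, ip, voter in votes:
        by_ip[ip].append((datetime.fromisoformat(received), voter))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= min_votes:
                burst = {voter for _, voter in events[start:end + 1]}
                flagged.setdefault(ip, set()).update(burst)
    return {ip: sorted(voters) for ip, voters in flagged.items()}


if __name__ == "__main__":
    for ip, voters in flag_vote_bursts(SAMPLE_VOTES).items():
        print(f"review {ip}: {len(voters)} votes in a short span -> {voters}")
```

A flagged address is a lead for review rather than proof: voters on a shared network (a school lab, an office behind one gateway) legitimately appear under the same IP address.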

Friday April 6, 2018

Weighted Votes with Ranked-Choice Voting

For some online elections, it is desired to use weighted votes. In government elections, the vote of each voter counts the same so that each voter has equal influence. In this situation, you could say that each voter has a weight of one. Voters used to government elections may think that weighting some votes more than others is unfair, but there are elections where it is fair and necessary!

Probably the most common example is condominium homeowner association (HOA) elections. For a building with multiple condominium units, the building will often need to make decisions, such as to charge each owner an additional fee to replace the roof. To make these decisions, the HOA will have trustees who are elected by the condo owners to make decisions. The trustees will generally be a subset of the condo owners.

Because the condos in the building have different sizes, each condo owner is assigned a weight corresponding to the size of their condo. For example, the weight of a vote may be the same as the square footage of the condo, and a person with a 2000 sq. ft. condo will have double the voting power of a person with a 1000 sq. ft. condo.

OpaVote now allows you to conduct elections with weighted voting for all of the elections supported by OpaVote. You can do weighted voting with ranked-choice voting, the single transferable vote, Condorcet voting, or any of our other voting methods.

Specifying the weights for each voter is easy. To add voters to an OpaVote election, you upload a plain text file with one email address per line. You can add a weight to each voter like this:

alice@example.com, 4
bob@example.com, 3
charlie@example.com, 2
diana@example.com

Alice has a weight of 4, Bob has a weight of 3, Charlie has a weight of 2, and Diana has a weight of 1. If you don't specify a weight for a voter, we'll give that voter a weight of one. The weighted votes are counted as if that person had voted that many times. For example, Alice's vote will be counted as if she cast 4 separate ballots.

The weights must be integers (decimals not allowed) and our maximum weight is currently 1000 1,000,000. Let us know if you need a larger weight.
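A validation pass over a voter file in this format, as an added example that is not OpaVote's code: the function names, the case-insensitive duplicate check and the rankings are assumptions, and the maximum weight is passed in by the caller.

```python
def parse_voter_list(text, max_weight):
    """Parse 'email[, weight]' lines into {email: weight}; raise ValueError on bad input."""
    voters = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        email, comma, field = (part.strip() for part in line.partition(","))
        if "@" not in email:
            raise ValueError(f"line {lineno}: not an email address: {email!r}")
        if not comma:
            weight = 1  # no weight given: the post says the default is one
        elif field.isascii() and field.isdigit():
            weight = int(field)
        else:
            # Rejects decimals, signs and empty fields: weights must be integers.
            raise ValueError(f"line {lineno}: weight must be a whole number: {field!r}")
        if not 1 <= weight <= max_weight:
            raise ValueError(f"line {lineno}: weight {weight} outside 1..{max_weight}")
        key = email.lower()  # assumption: treat addresses case-insensitively
        if key in voters:
            raise ValueError(f"line {lineno}: duplicate voter {email!r}")
        voters[key] = weight
    return voters


def expand_ballots(voters, rankings):
    """Repeat each voter's ranking `weight` times, as if cast that many times."""
    expanded = []
    for email, ranking in rankings.items():
        expanded.extend([tuple(ranking)] * voters[email.lower()])
    return expanded


# The voter file from the post, with constructed rankings for illustration.
VOTER_FILE = """\
alice@example.com, 4
bob@example.com, 3
charlie@example.com, 2
diana@example.com
"""
RANKINGS = {
    "alice@example.com": ["Ng", "Patel"],
    "bob@example.com": ["Patel", "Ng"],
    "charlie@example.com": ["Patel"],
    "diana@example.com": ["Ng"],
}

if __name__ == "__main__":
    voters = parse_voter_list(VOTER_FILE, max_weight=1000)  # limit chosen for this run
    print(voters)
    print(len(expand_ballots(voters, RANKINGS)), "ballots after expansion")
```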

We don't yet support weights for code voters, but we'll be adding that soon.

Tuesday February 13, 2018

Efficient Manual Entry of Ranked Ballots

Some OpaVote customers hold an election using paper ballots and need to enter the ballots into the OpaVote website. We provide a ballot editor (pictured here) to make it easy to do this, and in this blog post we provide some tips to make this process efficient and prevent errors in ballot entry.

Once you have all of your completed ballots, the first thing you should do is number them. For example, put them in a pile, and write 1 on the top-right corner of the first ballot, 2 on the next one, and so forth. This makes it much easier to verify that the ballots were entered correctly.

Smaller Elections

If you have a relatively small election, one person may create an OpaVote Count and enter all of the ballots using our ballot editor.


The same person or a different person should then verify that the ballots were entered correctly. To verify the ballots, click "View Ballots" from the Count and a new window will open up that shows the ballots. These ballots will be numbered in the order of entry and should match the numbers that you wrote on the ballots.

The person verifying the ballots should check that each paper ballot is an exact match to each ballot as displayed by OpaVote.

Alternatively, you could have two people each enter all of the ballots. You could save the ballots entered by the first person as ballots1.txt, save the ballots entered by the second person as ballots2.txt, and then compare the two files to make sure they are an exact match. You can use a website like DiffChecker to see if the two files are identical.

Larger Elections

The process for larger elections is the same except that you may want to divide the ballot entry among multiple people to make it faster. Note that our ballot editor only allows you to edit up to 1000 ballots at a time so if you have more than 1000 ballots you will need to do it in smaller chunks as we describe here.

As an example, let's say that you have 2000 ballots, and you would like to divide them into 4 groups of 500 for four people to enter in parallel. Number all of the ballots as described above, and then give the first person ballots 1-500, the second person ballots 501-1000, and so forth.

Each person will create an OpaVote count, enter his or her portion of the ballots, and then verify them as described above. Each person will then download the ballots to a file and give the ballots an appropriate name, such as ballots1-500.txt. Note that there is no cost to enter ballots so there are no extra charges for having multiple people enter ballots (payment is required only when counting ballots). After each person does this, you will have four ballot files.

You now need to combine the four ballot files together like this:

  1. Create a new OpaVote Count
  2. Upload the first ballot file with the Upload Ballots button
  3. Add the second ballot file using the Append Ballots button
  4. Add the third and fourth ballot files using the Append Ballots button two more times
  5. Count the votes!
Using the processes described here allows you to enter ballots quickly and also ensures that they will be entered correctly.

Monday January 8, 2018

2017 Year in Review

Happy New Year from OpaVote! We are based in the Boston area, which means that winter has arrived and our local yeti is roaming the streets! I don't know if he supports ranked-choice voting, but I'll try and find out.

We'll use this end of the year round up to give you an overview of all the accomplishments over the past year.

New Arrivals in 2017

  • We had our largest election ever with more than 41,000 voters. To be honest, we were a little nervous, but it went off beautifully. Since we run on Google and Sendgrid servers, they were easily able to scale up to handle this larger election.
  • We completely revamped our management console to make it easier to use. One cool feature is that we show you a preview of how the election page will look right in the console.
  • We now support voting pages in Spanish, Portuguese, and French (though management pages are only in English).
  • We implemented a backup email delivery system so that we can make sure as many voters as possible will receive their voting emails.
  • We send more emails to election managers to keep them up to date on their elections. We send you an email to notify you when you can send reminders to voters, we send you an email when your election has ended, and we send an email with election results so you can archive them for as long as you need.
  • Managers can now create a password account with OpaVote instead of logging in with another account (e.g., Google or Facebook).
  • We launched a new portal at www.kwikvote.com to make it really easy for people to run free ranked-choice voting polls. 
  • We did a thorough security audit to make sure that you can confidently run your elections worry free. See this blog post describing our security practices and also this one comparing us to our competitors.
  • We now have an online chat widget so you can get quick answers to your questions. We do need to sleep, but you can get live support during our business hours.

Donations by OpaVote

We continue to support election reform and we have donated to the following causes in 2017:
Please consider these organizations in making your own charitable contributions.

That is our wrap up for 2017, and we are looking forward to a great 2018!

Friday December 29, 2017

OpaVote Security Practices

Some OpaVote customers are nervous about the security of online elections. To reduce risk, OpaVote follows many security best practices, and in this post we explain some of them to reassure you that it is safe to run your elections with OpaVote.

This is a followup post to a previous one where we showed that OpaVote has far better practices than other online election providers as determined by independent third parties.

Hackers have five possibilities in trying to undermine your election:
  1. Breaking into Google servers (OpaVote runs on Google)
  2. Accessing secret codes of voters
  3. Obtaining an election manager's password
  4. Obtaining an OpaVote administrator password
  5. Exploiting possible vulnerabilities in the OpaVote website.
We'll address each of these below.

Google Servers

Google fully maintains all the servers used by OpaVote. Because Google runs many important websites, it goes to great lengths to ensure security. For this reason, we can rely on Google to make sure that servers have been updated with the latest security patches, and that the doors to the server rooms are locked.

Voters

For email voters, we provide each voter with a 128-bit code. This provides a HUGE number of codes. Here is the number written out: 340,282,366,920,938,000,000,000,000,000,000,000,000. If you could try a billion codes per second, then it would take more than a billion years to try all of the codes. For this reason, hackers cannot guess voter codes.
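A sketch of issuing and redeeming 128-bit codes, with the guessing arithmetic above carried through for an election with many valid codes. This is an added example, not OpaVote's implementation: the `CodeRegistry` class, the digest-only storage and the one-time-use rule are assumptions.

```python
import hashlib
import secrets

CODE_BITS = 128  # code size stated in the post
SECONDS_PER_YEAR = 365 * 24 * 3600


class CodeRegistry:
    """Hypothetical server-side store: issues one-time codes, keeps only their digests."""

    def __init__(self):
        self._entries = {}  # sha256(code) -> {"voter": ..., "used": bool}

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode("utf-8")).hexdigest()

    def issue(self, voter):
        # secrets draws from the OS CSPRNG; 16 bytes = 128 bits = 32 hex digits.
        code = secrets.token_hex(CODE_BITS // 8)
        self._entries[self._digest(code)] = {"voter": voter, "used": False}
        return code

    def redeem(self, code):
        """Return 'accepted', 'already-used' or 'unknown' for a submitted code."""
        entry = self._entries.get(self._digest(code))
        if entry is None:
            return "unknown"
        if entry["used"]:
            return "already-used"
        entry["used"] = True
        return "accepted"


def years_to_find_a_code(valid_codes, guesses_per_second):
    """Expected years of blind guessing before hitting any one of `valid_codes`."""
    # Expected draws to hit one of K targets among N values is about N / (K + 1).
    expected_guesses = 2 ** CODE_BITS / (valid_codes + 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    registry = CodeRegistry()
    code = registry.issue("alice@example.com")
    print(code, registry.redeem(code), registry.redeem(code))
    # 41,000 voters is the size of the largest election mentioned on this blog.
    print(f"{years_to_find_a_code(41_000, 1e9):.2e} years at a billion guesses/second")
```

More valid codes shorten the search in proportion to the number of voters, but the result stays far above the billion-year figure quoted above.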

Your voters' email accounts are the weakest link, because many of your voters likely don't have good security practices with their personal email accounts. Email providers keep getting better at enforcing security practices (e.g., strong passwords), though, so it is still hard for a hacker to gain access to an individual email account, and much harder to gain access to enough email accounts to have an influence on the election.

Election Managers

This one is mostly up to you. You should be using a strong password for your account and a password that is different from all of your other passwords. Preferably, you log in to OpaVote using an existing account (e.g., a Google or Facebook account) with two-factor authentication. If you do create a password at OpaVote, we store only a salted hash of your password so that even if someone broke into OpaVote, there would be no way for them to get your actual password.

OpaVote Administrator

We can access OpaVote servers as administrators using an administrator password. We have only a single password for administrator access, it is strong, it is different from all other passwords used by us at OpaVote, and we have enabled two-factor authentication. This prevents hackers from getting administrative access.

OpaVote Website

There are many different ways that hackers can attack a website, such as by trying to upload harmful code or sniffing Internet traffic. This is a very complicated area, but here are some of the measures we take to prevent attacks on the OpaVote website:

  • All traffic to OpaVote is encrypted using HTTPS and HSTS. Any non-encrypted requests are immediately redirected to encrypted requests.
  • Cookies are encrypted.
  • We don't store any sensitive information, such as credit card numbers. Payments are handled by secure third party providers.
  • To prevent injection attacks and cross-site scripting attacks, all queries are parameterized and user input is escaped. Where we do allow HTML input, we check it against a whitelist to prevent unsafe content.
  • We have tests to continually check that management pages are only accessible to authorized managers.
  • All forms use CSRF protection to prevent hackers from causing you to execute unwanted actions.
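What the bullet on parameterized queries and escaped input means in practice, as an added example that is not OpaVote's code: the table layout and function names are assumptions, and the hostile-looking candidate names are constructed test inputs.

```python
import html
import sqlite3

# Constructed inputs: one ordinary name and two that would break naive code.
SAMPLE_NAMES = [
    "Alice Ng",
    "Robert'); DROP TABLE candidates;--",
    "<script>alert(1)</script>",
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE candidates (election_id INTEGER, name TEXT)")
    return db


def add_candidate(db, election_id, name):
    # The ? placeholders send `name` to the database as a value,
    # so it is never parsed as part of the SQL statement.
    db.execute(
        "INSERT INTO candidates (election_id, name) VALUES (?, ?)",
        (election_id, name),
    )


def render_ballot(db, election_id):
    """Return an HTML list of candidates with every name escaped for output."""
    rows = db.execute(
        "SELECT name FROM candidates WHERE election_id = ? ORDER BY rowid",
        (election_id,),
    )
    # html.escape turns <, >, &, and quotes into entities, so a stored
    # name is displayed as text and never interpreted as markup.
    items = "".join(f"<li>{html.escape(name)}</li>" for (name,) in rows)
    return f"<ul>{items}</ul>"


if __name__ == "__main__":
    db = make_db()
    for name in SAMPLE_NAMES:
        add_candidate(db, 1, name)
    print(db.execute("SELECT COUNT(*) FROM candidates").fetchone()[0], "rows stored")
    print(render_ballot(db, 1))
```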
To see more details, check out the security grades that OpaVote has received from these independent third parties:
Please feel free to contact us with any questions on our security practices.