Frequently Asked Questions

CCComplete, the developer of BallotPoint, is an employee-owned company with employees who are members of Graphic Communications International Union (GCIU) Local 2/289M.

BallotPoint subscribes to the philosophy that no one element in and of itself can make a balloting system secure, confidential, reliable, and accurate. Rather, it takes the combination of intent, policy, procedure, and technical safeguards to guarantee system integrity. CCComplete views this combination of intent, policy, procedure, and technical safeguards as building a ‘wall of integrity’ around the election process, with each component being a ‘brick’ within the wall, and each procedure being ‘mortar.’ While no one brick will make the wall secure, by combining our components and procedures into an integrated election methodology, we have built a wall with the highest level of secrecy, anonymity, confidentiality, and accuracy. We have engineered every component and procedure within the balloting process to comply with the dictates of Title IV of the LMRDA. We call our process BallotPoint.

All election methods must be based on prudent practices that have been applied in the form of controls that:

• guard against ill intent.
• guard against carelessness.
• provide separation of responsibilities.
• provide protection of confidential information.
• guard against and prevent misuse and abuse.
• provide a record to allow independent review and scrutiny.
• provide accountability.

All election methods must provide adequate safeguards to ensure anonymity, integrity, and secrecy. All election methods must balance the requirements under the law so as to optimize the law’s intent. BallotPoint was specifically engineered to comply with the dictates of Title IV of the LMRDA.

All significant activities of election administrators, members, and BallotPoint personnel are permanently logged and easily reviewed by authorized parties.

• account activations
• archive of all auto-generated election notices and guides
• change PINs
• eligibility changes
• logins
• recredentialing (generation of replacement activation codes)
• roster uploads
• software changes to the Member-Identity Server
• support requests by election administrators to BallotPoint
• view ballot receipt
• votes

A key part of the BallotPoint philosophy is to open up observation to the member-level. With a proper confirmation number, a member can review his cast-ballot until the close of the election by logging in to the Election Server.

A member can view his activity log at any time by logging in to the Election Server.

Observation and transparency are possible from two perspectives — the member and the assigned observers.

Observation at the administration level

The permanent audit trails of election administrators’ activities can be shared with observers. Every significant activity of an administrator is reflected in the audit trail.

• roster uploads
• logins
• eligibility changes
• recredentialing
• view member activity
• ballot voiding
• BallotPoint support requests

In addition, a "who-voted" report is produced after ballot closing and before tallying. This report can be shared with observers when determining whether certain cast-ballots should be voided (per constitution and bylaws).

Observers present at tally-time will see the results of the election at the same time as election administrators. Once an election is tallied and the results presented to administrators, it is not possible to change anything that could alter election results including:  re-opening the election, voiding or un-voiding of any ballot, etc.

Observation at the member level

A key part of the BallotPoint philosophy is to open up observation at the member-level. With a proper confirmation number, a member can review his cast-ballot until the close of the election by logging in to the Election Server. A member can view his activity log at any time by logging in to the Election Server.

Consistent with the way we create audit trails to track system administration, we create audit trails on a per-member basis, permitting members to see when any significant activity (e.g., activation of the voting account, logins, changes in voting credentials, or voting) has occurred on their account. Members may view their own activity log by logging in to the Election Server and selecting the View Activity Log command. Note that the activity log does NOT show how a member voted, only that he voted.

A challenged ballot reflects a dispute about the eligibility of a particular voter. The member is permitted to vote, with the resolution of the dispute delayed until tally-time.

• We implement this through a process we call ballot-voiding.
• In a BallotPoint election, the member in question may be added to the voting roster (a permanent archive of which is stored in the Member-Identity Server) and marked as eligible to vote in the election. The member then votes.
• Records maintained by the election administrator and observers must be reviewed at tally-time to determine which members are in dispute. Those agreed to be ineligible must be marked as such before the tally.
• During ballot-voiding, we produce a list of members whose votes are proposed to be voided, and we list the reasons why.
• Administrators and observers review this list, and accept or reject it entirely. If rejected, the eligibility of the individual members must be resolved, and then we produce an updated list. Some iteration of the list must be accepted before tallying can occur.
• Unlike the typical mail-ballot challenged-ballot process, vote-secrecy is guaranteed to be maintained.

Yes. Member information is physically and logically separated from vote information such that no one, not even BallotPoint’s own engineers, can ever connect the identity of a voter with the contents of his or her vote.

The design of BallotPoint ensures voter secrecy. BallotPoint comprises two secure computer systems that physically reside in separate facilities.  A specially designed software protocol restricts the transfer of any information between the two systems that could potentially link a voter to his or her vote.

The two computer systems are the MRNS (Member Registration and Notification Server) and the ES (Election Server).

Simply put, the MRNS houses member-identifying information (public member ID, name, address, etc) and the ES houses election-specific information (election questions and answers, member login- credentials, and votes).

Due to the physical and logical separation of the two systems, there is no method available for someone, including BallotPoint personnel, to link member-identifying information to votes.

Physical Separation

The MRNS and ES are housed in separate facilities.

The MRNS is located in a secure, offsite facility owned and managed by an independent third-party. The same facility, which is monitored 24 x 7, houses computers conducting financial transactions, as well as computers storing litigation documentation, HIPA compliant medical records, and computer systems owned and operated by departments of the federal government. Access to the facility is controlled and logged by palm-scan and cardkey, and physical access to the MRNS itself requires the use of two keys, the first kept by BallotPoint and the second by the third-party that owns the facility. All physical access to the MRNS is logged. No one can access the MRNS without the event being permanently logged.

The ES is located in the secure facility operated by BallotPoint. Two different password-protected keyless entries are required to gain access to the ES. Even with access, no information is available to link a voter to a vote.

Logical Separation

No programmatic method exists to allow member-indentifying information on the MRNS to be joined with vote information on the ES. A carefully designed software protocol prevents such information from being passed between the two systems.  In the event of any investigation, this software protocol may be reviewed.

All application software on the MRNS is written by BallotPoint, but installed only by the independent third-party from an encrypted CD provided to them by BallotPoint. Installation takes place over the secure web; application software installers never physically access the MRNS. No application software is modified or added to the MRNS in any other way.

Installation by BallotPoint is neither permitted nor possible. This discipline provides a complete-from-day-1 archive, maintained by the third-party, of every application software change made to the MRNS. In the event of any investigation, this code-record may be reviewed by a competent authority to verify that the MRNS has always protected member-identifying information.

Public Member IDs vs. Private Voter IDs

The identification numbers an organization knows its members by is considered public information and therefore cannot be used by BallotPoint as any part of identifying credentials allowing access to the voting system.

The MRNS assigns random, 7-digit voter identification numbers, or VINs, to members when voting rosters are uploaded by the organization to the MRNS. The VIN for a given member is stored in the MRNS along with name/etc, but the ES never receives this member-identifying information. When an election roster is uploaded, the MRNS provides only a list of VINs eligible to vote in that election to the ES, with no member-identifying information.

VINs are never known by anyone outside of the member and BallotPoint. As previously discussed, there is no way for BallotPoint to tie the VIN to the member. This means the member is the only one with the information necessary to tie login credentials to the member.

Summary

The design of the BallotPoint system guarantees vote-secrecy.  Essential aspects of this design are:

• Physical separation of servers – one housing member-identifying information and the other housing election-specific information and votes.
• Software protocol that logically separates member-identities and votes.
• Independent third-party installs software updates on server which houses member-identities.
• Permanent archive of all software updates for server which houses member-identities.
• Availability of software protocol and application software for review, if warranted, by a competent authority during an election investigation.
• Random voter identification numbers known only to member.
• Extensive permanent audit trails showing physical access to the server housing member identity information, software archives showing all updates from day-1, logs viewable by administrators and observers that show administrator activities, and logs viewable by the member that shows all activity on member’s account.

BallotPoint has been specifically engineered to comply with Title IV of the LMRDA. We are confident that when utilized properly the BallotPoint voting system fully complies with Title IV of the LMRDA. For this reason, we guarantee our clients that if there is an election challenge to the BallotPoint system and if, after investigation, the Department of Labor concludes that the election must be rerun due to a finding that the BallotPoint system did not comply with Title IV, we will remedy the situation and rerun the election under the supervision of the Department of Labor at no additional cost to the union.

Until recently the Courts have not had the opportunity to review electronic voting systems with regards to Title IV compliance. With the Chao v. APA case (CIVIL ACTION NO.4:05-CV-338-Y) what we learned is that it’s not the voting method that matters but whether or not voter secrecy was compromised. We also learned that not all electronic voting systems are the same.

While DOL admitted it could not find any specific evidence that secrecy was violated, DOL asserted and the Court concurred that there were many voting system weaknesses where a violation of secrecy could have occurred. The Court’s primary concern with the AAA system was that it “failed to employ any mechanism to assure ballot secrecy.” A vote and the voter’s identity were stored in a manner such that it was possible for someone other than the voter to discover how the ballot was cast.

Although now vacated, the Judge in his order denying DOL’s motion for summary judgment clearly understood that at issue was not how the votes were cast, but rather the overriding necessity of adequate safeguards and controls in the election process.

The key is to implement the appropriate processes with the appropriate safeguards – checks and balances – to ensure that the highest levels of integrity and confidence are achieved. In the Court’s order denying DOL’s motion for summary judgment, the Court placed a significant emphasis on this point: that the AAA voting system lacked appropriate processes with adequate safeguards. In the final analysis, this overriding principle has no sunset and is not vacated along with the Court’s order due to a settlement agreement.  The notion of adequate safeguards is the most important concept in understanding election process and integrity.

Please see APA Court Case Analysis

• BallotPoint is designed to ensure ballot secrecy and election integrity to comply with Title IV of the LMRDA.
• BallotPoint provides complete ballot accountability and absolute vote-count accuracy.
• BallotPoint’s election process is transparent and open to observation.
• Member identity and eligibility is validated before a member is allowed to vote.
• BallotPoint provides members the flexibility to vote in private by telephone or web at a time and place of their choosing.
• BallotPoint guarantees Title IV compliance.
• BallotPoint is a resource to labor offering in-depth election expertise.

We are confident that when utilized properly the BallotPoint voting system fully complies with Title IV of the LMRDA.

For this reason, we guarantee our clients that if there is an election challenge to the BallotPoint system and if, after investigation, the Department of Labor concludes that the election must be rerun due to a finding that the BallotPoint system did not comply with Title IV, we will remedy the situation and rerun the election under the supervision of the Department of Labor at no additional cost to the union.