Elections ACT
Enhancement of eVACS® for the 2024
ACT Legislative Assembly Election
Operational Concept Description
Document Status: Final
Version 1.1
March 2023
Commercial-in-Confidence
Software Improvements Pty Ltd © 2023
Operational Concept Description
Page 3
Document Control Information
The controlled version of this document is in electronic form.
All hardcopy versions are uncontrolled.
Modifications
| Date of this Revision | Version | Comment | Author | Reviewer | Release |
|---|---|---|---|---|---|
| 2022-12-05 | 0.1 | Initial Draft to reflect enhancements for 2024 based on OCD for 2020 | CJB | | |
| 2022-12-05 | 0.2 | Expanded Draft | CJB | | |
| 2023-03-10 | 1.0 | Further edits | CJB | CVB | |
| 2023-03-16 | 1.1 | Inclusion of reviewer comments | CJB | | 2023-03-21 |
Distribution
| Name and Appointment | Document Name | Date of Issue | Version |
|---|---|---|---|
| Jiv Sekon, Project Manager, EACT | Operational Concept Description | 2023-03-23 | 1.1 |
Contents
COPYRIGHT NOTICE
Disclaimer
eVACS®
eVACS® 2024 Upgraded Documentation Tree
DOCUMENT CONTROL INFORMATION
Modifications
Distribution
CONTENTS
1. INTRODUCTION
1.1 Overview
1.2 Document Purpose
1.3 Reference Documents
1.4 Abbreviations / Terms
2. CONCEPT FOR EVACS® 2024
4.1 Background
4.2 Operational policies and constraints
4.2.1 Constraints on electronic voting
4.2.2 Constraints on electronic vote counting
4.3 Description of the system
4.3.1 The operational environment and its characteristics
4.3.2 Major system components
4.3.3 Interfaces to external systems or procedures
4.3.4 Capabilities/functions of eVACS®
4.3.5 Performance characteristics
4.3.6 Quality attributes
4.3.7 Provisions for security and recovery
4.4 User/affected personnel
4.5 Support and maintenance
5. OPERATIONAL SCENARIOS
5.1 Electronic voting
5.1.1 Touch screen voting
5.1.2 Keypad with audio voting
5.1.3 Telephone voting
ATTACHMENT A – COMPLETE LIST OF CHANGES TO BE IMPLEMENTED IN EVACS® FOR THE 2024 ACT LEGISLATIVE ASSEMBLY ELECTION
ATTACHMENT B – ENHANCEMENTS IMPLEMENTED FOR 2020
ATTACHMENT C: FORMAT OF FILE FOR UPLOAD TO LAPPERDS
1. Introduction
1.1 Overview
Electronic voting at selected polling places in the ACT was first introduced at the 2001 Legislative
Assembly election, using the electronic voting and counting system known as eVACS®. Minor
upgrades and enhancements were implemented for later Legislative Assembly elections, but following
a review after the 2016 Legislative Assembly election, eVACS® was enhanced to provide an updated
system with increased functionality and features. In particular, eVACS® was moved to a more
contemporary platform (using the Ada language and touch screens for voters), with improvements in
security, plus inclusion of a secure telephone voting module and incorporation of votes from an online
Overseas Electronic voting (OSEV) system (Attachment B).
This Operational Concept Description (OCD) describes at a high level eVACS® as used for the 2020
ACT Legislative Assembly Election [1] and the enhancements for the 2024 Election [3].
1.2 Document Purpose
The purpose of this document is to provide Software Improvements Pty Ltd (SIPL) Project Team with
a specification of the requirements for eVACS® 2024. The OCD will form the basis from which
changes to eVACS® system requirements will be developed and then reflected, as appropriate, in
detailed System Requirements and Interface Requirements Specification (IRS) documents.
1.3 Reference Documents
Documents referenced in this OCD include:
1. Software Improvements Pty Ltd, Upgrade of eVACS® for the 2020 ACT Legislative Assembly
Election Operational Concept Description, Final version 1.2, December 2020
2. Contract – Electronic Voting and Counting System (eVACS®) Enhancements, Services and
Support: ACTGS reference 636238 Final Version 23 July 2019, including the Statement of
Requirements at Schedule 2 being a modified version of the Business Requirements
Specification;
3. Variation to [2] in relation to the Electronic Voting and Counting System (eVACS) Enhancements,
Services and Support, dated 6 July 2022.
1.4 Abbreviations / Terms
| Abbreviation or Term | Meaning |
|---|---|
| ACT | Australian Capital Territory |
| ACTEC | ACT Electoral Commission (also EACT) |
| ACTGS | ACT Government Solicitor |
| Ada | Ada is a structured, statically typed, imperative, and object-oriented high-level computer programming language |
| B&VI | Blind and Vision Impaired |
| CJB | Carol Boughton |
| CVB | Clive Boughton |
| DEC | Deputy Electoral Commissioner |
| EACT | Elections ACT |
| Early voting centre | A location in the ACT where voting is permissible prior to Election day and at which electronic voting is to be provided |
| eVACS® / eVACS | electronic Voting and Counting System |
| https | Hypertext Transfer Protocol Secure (HTTPS) refers to the protocol used to send data, specifically the encryption of that data, between a voting client (browser) and a polling place server with eVACS® software installed. |
| ICT | Information and Communications Technology |
| IRS | Interface Requirements Specification |
| IT | Information Technology |
| IVR | Interactive Voice Response is a technology that allows telephone users to interact with a computer-operated telephone system through the use of a keypad. |
| LAN | Local Area Network |
| NDA | Non Disclosure Agreement |
| OCD | Operational Concept Description |
| OSEV | Overseas Electronic Voting |
| Polling place | Includes early voting centres and locations where voting occurs on Election day and at which electronic voting is to be provided |
| QR code | A form of 2-dimensional barcode (2D barcode) |
| RB | Russell Baird |
| SHA-256 | Secure Hash Algorithm 256, a set of cryptographic hash functions |
| SIPL | Software Improvements Pty Ltd |
| SPARK | A formally defined computer language based on the Ada language, intended for the development of high integrity software used in systems where predictable and highly reliable operation is essential. Is especially used in safety critical systems. |
2. Concept for eVACS® 2024
4.1 Background
The scope of eVACS® for the 2024 ACT Legislative Assembly Election is essentially the same as that
used for the 2020 Election but with the addition of a separate module for viewing ballot details and
layout, the introduction of multi-factor authentication on voting servers (polling place and telephone
voting), the generation of tables for the Election Statistics Book, together with a number of
improvements to the operations of eVACS®. A complete list of changes is provided at Attachment A.
Introduction of the Ballot Viewer module enables the manipulation of a range of variables (e.g. font
size, column width, and row height) to enable the best display presentation of each electorate’s ballot.
The inclusion of multi-factor authentication on the voting servers provides another level of security to
the QR code introduced in 2020 and physical security in place since 2001.
Other improved security features introduced in 2020 are:
o Ensured only audited software is used for an election, and the software for different
modules is generated by and installed via the election server
o Only menu driven functionality is available, with access controlled via official (master)
QR codes
o Implemented https (with encryption) for all communications between voting clients
and the polling place servers
  - https also used for communications between the telephone voting server and
    the IVR system
o Introduced QR codes for accessing the voting clients at polling places
o Vote data encrypted when being transferred from polling places for backup and
counting
o Using SHA-2 algorithms for encryption
o Mandated the use of QR codes on the election server when vote data is being
uploaded
o Implemented ACT government approved length passwords whenever passwords are
used
o Used two-factor authentication for telephone voters
o Limited via the software the availability of ports on voting server hardware, noting that
EACT also physically controlled unused ports.
Voter accessibility was improved via:
• adoption of touch screens, and
• introduction of telephone voting.
The inclusion into eVACS® of votes from the online Overseas Electronic Voting (OSEV) system was
another avenue where ACT Electors overseas at the time of an election have a greater chance of their
vote being accepted into the count rather than relying on postal voting.
4.2 Operational policies and constraints
For use in any Legislative Assembly election eVACS® must comply with the relevant legislation and
other regulations. Such legislation governs:
• The format of ballots: order and arrangement of columns and rows
• Rotation of candidates on a ballot
• What constitutes a formal vote
• What types of informal votes can be accepted
• Counting procedures (including for telephone and overseas voting)
• Reporting
• Passwords and encryption algorithms that can be used
The following high-level constraints, or non-functional requirements, are existing features of eVACS®.
4.2.1 Constraints on electronic voting
• The system allows input of preferences using a standard telephone style keypad.
• The system ensures that two copies of the electronic voting data are recorded in separate
locations within the polling place server immediately a vote is cast and confirmed by the voter.
o In practice there are Master and Slave stores on each of two hard disks, providing
four (4) copies of the votes database
• The system provides for the transfer of electronic voting information (not via the Internet or
any publicly accessible network) from voting at early voting centres at the end of each early
voting day and polling places at the end of voting on Election day to the vote counting system.
• The system is not connected to any outside network in any of the electronic voting centres
and the central scrutiny centre, so that unauthorised access to the system is prevented.
• While the telephone voting server must be connected to the IVR servers supporting telephone
connection, the telephone voting server is located in a secure environment and setup such
that the only communications are via https to the IVR servers.
• The electronic voting interface incorporates recorded spoken instructions in English broadcast
over disposable headphones for sight impaired people and for people with reading difficulties.
• For voters using a touch screen to vote, instructions are provided on each screen in the voting
process in multiple languages (currently 12 plus English).
4.2.2 Constraints on electronic vote counting
• Configuration information provides for a complete backup of data relayed to or captured by the
system.
• The system is capable of amendment to cater for enhancement and legislation changes.
• Programming code can be independently audited and available to scrutineers for verification
and to ensure “what goes in is what comes out”.
• Once verified and audits are complete, code is certified and locked before the start of an
election so no further changes can be made.
4.3 Description of the system
4.3.1 The operational environment and its characteristics
The operational environment is substantially unchanged from the previous releases of eVACS®,
except for the inclusion of two factor authentication on voting servers involving the use of encrypted
USBs.
eVACS® requires the following hardware components:
• Computers as servers capable of running Linux, including election server, polling place servers
and telephone voting server, and servers running Windows for the telephone voting IVR
servers
• Printers (for printing 2D barcodes, scrutiny sheets and reports)
• All-in-one computers with touch screen for voting clients at polling places and the Ballot
Viewer
• Telephone-style keypads (for all B&VI voting booths at polling places)
• Scanners with 2D barcode (QR code) reading capability (for voter authentication and for
official access to menus on the voting clients, polling place servers, telephone voting server
and the election server)
• Headphones (for use by vision-impaired voters)
4.3.2 Major system components
eVACS® includes the following software components:
• Election server for setup, counting and reporting (one instance)
• Electronic voting client (many instances per polling place)
• Electronic voting server (one instance per polling place)
• Electronic telephone voting server (one instance) with IVR server (one instance)
• Ballot viewer to review and adjust display presentation of each ballot (one instance)
The components interact as follows:
• Two bootable USB-FDs are required: one to set up the election server and the second to set up
the ballot viewer.
• All information concerning the election is entered into the election server, which is used to
generate installations for voting servers (polling place and telephone) connected to the
election server via a restricted local area network.
• All instances of the voting (polling) place server are identical.
• Each group of electronic voting clients is installed from the voting server at a polling place via
a restricted local area network.
• All instances of the voting client are identical.
• The telephone voting server interacts with the IVR component of the telephone voting system.
• The ballot viewer is set up for a specific election using information required to display ballots
that is entered into the election server.
• Encrypted USBs are used for the transfer of vote data from voting servers to the Election
Server and for the two factor authentication of voting servers.
4.3.3 Interfaces to external systems or procedures
Paper ballots
A combination of electronic voting and paper ballots is permissible. Each paper ballot should have the
number of the rotation printed on it; this number is entered during the paper ballot scanning process.
Paper ballots are put into batches with unique identifiers for scanning. Electronic votes from scanning
are uploaded to the eVACS® election server with identifiers based on the batch identifiers.
Telephone voting system
The telephone voting system comprises two operations:
i) registering to vote by telephone, and
ii) voting via telephone.
The registration process is a manual process in which electors call an EACT service and provide
information to establish their identity and that they are on the electoral roll, a private Personal
Identification Number (PIN) to be used later when voting, and an email address which is used to send
a unique voting token to the elector. The PIN / voting token pair are used by the elector to
authenticate themselves as a registered telephone voter. The PIN / voting token pairs are stored in
the telephone voting server to support the authentication process.
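The PIN / voting token check described above can be sketched as follows. This is an added example, not code from eVACS® or SIPL; the class and function names, the PBKDF2 storage of the pair, the lockout threshold and the sample values are assumptions made for illustration.

```python
# Added illustration, not eVACS code: verifying a telephone voter's PIN / token pair.
import hashlib
import hmac
import os

MAX_FAILURES = 3        # assumed lockout threshold; the page does not state one
ITERATIONS = 100_000    # assumed PBKDF2 work factor


def _token_id(token):
    # Look records up by a digest of the token so the token itself is not stored.
    return hashlib.sha256(token.encode()).hexdigest()


def _verifier(pin, token, salt):
    # Salted, slow derivation over the pair: a copied table does not hand out PINs.
    return hashlib.pbkdf2_hmac("sha256", f"{pin}:{token}".encode(), salt, ITERATIONS)


class TelephoneRegister:
    """Holds one record per registered pair. No elector identity is kept."""

    def __init__(self):
        self._records = {}
        self._decoy_salt = os.urandom(16)

    def register(self, pin, token, electorate):
        salt = os.urandom(16)
        self._records[_token_id(token)] = {
            "salt": salt,
            "verifier": _verifier(pin, token, salt),
            "electorate": electorate,   # selects the ballot read out to the caller
            "failures": 0,
            "voted": False,
        }

    def authenticate(self, pin, token):
        """Return the electorate for a matching, unused pair; otherwise None."""
        rec = self._records.get(_token_id(token))
        if rec is None:
            # Do the same work for an unknown token so timing does not reveal it.
            _verifier(pin, token, self._decoy_salt)
            return None
        supplied = _verifier(pin, token, rec["salt"])
        matches = hmac.compare_digest(supplied, rec["verifier"])
        if rec["voted"] or rec["failures"] >= MAX_FAILURES:
            return None                 # spent or locked, even with the right PIN
        if not matches:
            rec["failures"] += 1
            return None
        rec["failures"] = 0
        return rec["electorate"]

    def mark_voted(self, token):
        """Call when the vote is accepted so the pair cannot open a second session."""
        self._records[_token_id(token)]["voted"] = True
```

The record carries only the electorate needed to present the right ballot, which keeps the register consistent with the requirement that elector details are unknown to the voting system.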
Overseas Electronic Voting (OSEV) System
While the OSEV system is external to eVACS®, the electronic votes recorded via this system are
transferred via encrypted USB-FDs to eVACS® for counting.
4.3.4 Capabilities/functions of eVACS®
4.3.4.1 Integrity of the software and the ballot data
• Software is provided on two bootable USB-FDs (one for the Election Server and one for the
Ballot Viewer).
• Software components are loaded from the Election Server to the Voting Servers (Polling
Place Servers and Telephone Voting Server) and from a Polling Place server to the voting
clients at a polling place. The integrity of such software components is enforced: once
configured by officials for a particular election, it is not possible to make modifications to, or
otherwise tamper with the software.
• The system does not allow ballots to be added, modified or deleted, other than by
authenticated voters using the electronic voting client or telephone voting.
• The electronic voting system has a form of checking to verify that the voter’s intention as
expressed by their interaction with the client software is consistent with the vote recorded.
Note: There is never a relationship between a voter’s details and their vote.
4.3.4.2 Election setup
EACT officials provide the following election information to eVACS®:
1. name and date of the election
2. names of the electorates
3. number of seats per electorate
4. details of early voting and election day polling places, including batch numbers for paper
ballots
5. details of barcodes (by polling place and electorate codes)
6. details of voting tokens for telephone voting (by electorate codes)
7. information about rotation of candidates on the ballot (Robson Rotation)
8. the form of the ballot papers
9. audio for vision-impaired voters and telephone voters
10. names of the parties
11. names of the candidates, identified by party (if any) or independent, and electorate
12. layout of each ballot (as determined via the ballot viewer)
13. ‘keyfile’ as part of the two-factor authentication on voting servers
Note: Daylight saving usually falls within the early voting period for an election. The date daylight
saving commences in the ACT is available directly from the operating system when the hardware
clocks are set to the correct time zone.
Setup procedures take place in two phases:
Phase 1 Election information items 1, 2, 3, 4, 5, 6, 7 and 8 are uploaded to eVACS®. Electorate and
polling-place-specific barcodes, including Master Admin barcodes, are generated and exported
for sending to a contractor for printing in 2D (QR code) format. Voting tokens are generated and
stored ready for incorporation into the telephone voting server installation software, and exported
to enable assignment to registered telephone voters.
Phase 2 Election information items 9, 10, 11 and 12 are uploaded to eVACS®. The installation of
voting servers can then be undertaken, including the installation for the telephone voting server.
The keyfile is uploaded to the election server as part of the installation for an election server.
4.3.4.3 Electronic voting
The following are key requirements for eVACS®:
• Each elector may vote at most once for the electorate in which they are enrolled.
• The ballot must appear to the voter without bias to a particular candidate or party.
• The ballot must be easily readable.
• Elector details are unknown to eVACS®.
• At the end of each day of early voting and Election day, electronic back-up copies (master and
slave) of cumulative voting data held on the polling place server at each electronic polling
place and the telephone voting server are to be available.
• Vote data must be transferrable to the vote counting system without being accidentally or
deliberately lost, altered, copied or stolen.
• Vote data transfer must occur in a timely manner that ensures that the vote counting system is
able to complete preference distribution of all votes cast electronically as soon as practicable
on Election night.
• Once verified and audits are complete, code must be certified and locked so no further
changes can be made.
There are 5 main screens displayed on the voting client during the electronic voting process:
i) Welcome screen where a barcode is read to commence a voting session
ii) Language selection screen
iii) Main (voting screen) where voters select their candidate choices in order of preference,
and can return to change their language of choice
iv) Confirmation screen - where voters review their choices and either Confirm (with a second
reading of their barcode) or return to change their choices
v) Thank you for voting (Acknowledgement or Acceptance) screen – advising that the voter’s
vote has been accepted
Other screens are used to display error messages, for informal voting, or if the voter wants to hide
their vote while they seek assistance from an official.
With a touch screen, voters are able to touch a candidate’s name/preference box and use screen
buttons, such as ‘Clear Choices’ and ‘Undo Last Choice’ for changing candidate selections, ‘Hide My
Vote’, ‘Next’ and ‘Go Back’ to move between screens, or ‘Change Language’ to return to the language
choice screen.
The setup for B&VI voters remains unchanged, with voters using a keypad to navigate and audio
instructions in English to guide the voting process.
4.3.4.4 Scanning of paper ballots
For those electors who vote using a paper ballot the voting procedure and the collection of ballot
papers remains unchanged. Similarly, the processes for obtaining electronic vote data from scanning
of paper ballots are unchanged.
4.3.4.5 Counting and reporting
The vote counting program produces the required scrutiny sheets for the election. The program
calculates preference distribution results using the data stored in the ‘committed’ votes database,
which contains electronic votes (from polling places, telephone voting server and OSEV voting) and
votes from scanning of preferences from paper ballots. Progressive reporting, from election night
onwards, is possible during the process of scanning ballot papers.
The counting system can export its own vote data and import vote data generated by any electronic
voting server (polling place, telephone voting and OSEV voting). Each ballot stored in the votes
database is tagged in such a way as to prevent it from being uploaded more than once or counted
twice.
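One way to tag ballots so that a repeated or cumulative upload cannot be counted twice, shown as an added example rather than eVACS® code. The table layout, the (source, sequence) tag, the function names and the sample ballots are assumptions, and SQLite stands in for PostgreSQL so the example runs offline.

```python
# Added illustration, not eVACS code. SQLite stands in for PostgreSQL so it runs offline.
import sqlite3

SCHEMA = """
CREATE TABLE committed_votes (
    source      TEXT    NOT NULL,  -- assumed tag part: 'polling:PP01', 'telephone', 'osev', 'paper:B0007'
    seq         INTEGER NOT NULL,  -- assumed tag part: position of the ballot in that source's data
    electorate  TEXT    NOT NULL,
    preferences TEXT    NOT NULL,
    UNIQUE (source, seq)           -- backstop: the database itself refuses a second copy
)
"""


def open_votes_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def upload(db, source, ballots):
    """Load one export from a voting server or scan batch; return (added, skipped).

    The whole upload is one transaction. A ballot whose tag is already held is
    skipped when identical and aborts the upload when it differs.
    """
    added = skipped = 0
    with db:  # commits on success, rolls back if an exception escapes
        for seq, (electorate, prefs) in enumerate(ballots, start=1):
            incoming = (electorate, ",".join(prefs))
            held = db.execute(
                "SELECT electorate, preferences FROM committed_votes"
                " WHERE source = ? AND seq = ?", (source, seq)).fetchone()
            if held is None:
                db.execute("INSERT INTO committed_votes VALUES (?, ?, ?, ?)",
                           (source, seq) + incoming)
                added += 1
            elif held == incoming:
                skipped += 1
            else:
                raise ValueError(f"{source} ballot {seq} differs from the committed copy")
    return added, skipped


def ballots_held(db):
    return db.execute("SELECT COUNT(*) FROM committed_votes").fetchone()[0]


# Constructed sample data: a polling place's cumulative export on two early voting days.
DAY_1 = [("Electorate-A", ["C3", "C1"]), ("Electorate-A", ["C2"])]
DAY_2 = DAY_1 + [("Electorate-B", ["C7", "C5", "C6"])]
```

Because end-of-day data is cumulative, loading DAY_2 after DAY_1 adds only the one new ballot, and an export whose earlier ballots no longer match the committed copies is rejected as a whole.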
The counting system can also be operated when a casual vacancy arises and a countback is required.
The following functional requirements apply to eVACS®:
• An audit trail for election results is essential.
• Election officials are able to test eVACS® under load conditions to the satisfaction of election
participants prior to acceptance of the system.
• eVACS® shall be able to generate the election statistical tables published by Elections ACT
for each ACT Legislative Assembly Election.
4.3.5 Performance characteristics
The following characteristics apply to eVACS®:
• After the electronic voting client is used to cast a vote, the voting client shall be ready for the
next elector within a specified time.
• Display a particular coloured screen for an agreed period of time to visually indicate that an
elector has successfully finalised the casting of their vote.
• The voting client Welcome screen shall remain visible for an extended period between voters.
4.3.6 Quality attributes
eVACS® programming code can be independently audited and available to scrutineers for verification
and to ensure “what goes in is what comes out”.
Excluding the Counting program which uses PostgreSQL stored procedures, as from 2020 eVACS® is
written in the Ada language because of its inherent quality features:
• Clear and unambiguous syntax
• Strong typing
• No pointers
• Architecture that groups related entities together
• Object-oriented programming that encapsulates types
• Object construction controls
• Memory management
• Correct startup
• Safe and secure communication
• Concurrency within the language
The SPARK subset of Ada 2012 is currently not used for eVACS®, because the integrity of Ada,
together with the libraries built on a strong basis of integrity, was deemed adequate for the overall
integrity of eVACS®.
4.3.7 Provisions for security and recovery
The following characteristics apply to eVACS®.
• Two backup copies of the electronic voting data are recorded in separate locations within the
polling place server immediately after a vote is cast and confirmed by the voter.
• At the end of each day of early voting, electronic back-up copies of voting data from each
electronic polling place are generated.
• Electronic voting information is transferred (not via the Internet or any publicly accessible
network) from early voting centres and electronic polling places at the end of voting on
Election Day to the computer vote counting system.
• The storage and transfer of data operates securely in order to ensure data is not accidentally
or deliberately lost, altered, copied or stolen.
• Backup of the election server is supported.
• A secure process is in place to support recovery and replacement of any failed disk in a voting
server under strict control of EACT.
• Two factor authentication
4.4 User/affected personnel
The following categories of user are involved in the operation of eVACS®:
• Election officials
• Hardware and technical support
• Polling place officials
• Voters
Scanning operators are involved in scanning paper ballots, but have no involvement with eVACS®.
4.5 Support and maintenance
Support for EACT is negotiated on an as required basis.
EACT has included in the upgrade contract maintenance of the system in the year preceding the 2024
election to ensure the latest versions of software are incorporated in preparation for the election.
Such upgrades include:
• Linux Operating System
• PostgreSQL Database
• Ada Language
• Hardware computers/drivers
5. Operational scenarios
Sample interactions with various components of eVACS® are provided at a high level for electronic
voting, including touch screen voting, keypad with audio voting and telephone voting. The examples
are not intended to capture all possible interactions within each component, but rather act as an aid to
understanding the broad scope of the system.
Detailed event-action lists are included in the Software System Specification.
5.1 Electronic voting
The following scenarios illustrate successful electronic voting by a voter. Treatment of error
conditions (e.g. unsuccessful read of QR code on e-voting card) is omitted. There are three
scenarios:
• Touch screen voting
• Keypad with audio voting
• Telephone voting
5.1.1 Touch screen voting
1. Voter has name marked off on electoral roll, receives e-voting card from polling official, and
proceeds to electronic polling booth.
2. Voter sees Welcome message with option to scan e-voting card to commence.
3. Voter places e-voting card under scanner. If valid e-voting card, ‘select language’ screen is
displayed.
4. On selecting a language all instructions are displayed in that language and the Main Voting
screen is displayed, with the entire ballot paper viewable on screen.
5. If the language is incorrect, selecting CHANGE LANGUAGE displays the select language
screen to enable an alternative selection. After selection Main Voting screen is displayed.
6. Voter presses screen for desired first preference candidate. Preference box against
Candidate name is highlighted and the number 1 appears in the box.
7. Voter then presses another candidate name for second preference and so on, with the
number 2, etc appearing in the box next to the candidates in order chosen.
8. Voter presses NEXT. The vote confirmation screen is displayed, which lists the names and
parties (if any) of the previously selected candidates in increasing order of preference.
9. Voter has option to GO BACK to Main Voting screen or to scan e-voting card to cast vote.
10. Voter places e-voting card under barcode reader. If the two barcode reads match, the vote is
accepted and the vote acceptance screen is displayed.
11. After a timeout, the Welcome screen reappears.
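The touch screen scenario above, written as a small state machine. This is an added example, not eVACS® code; the class and method names, the card values and the handling of an invalid or mismatched card (which the scenario omits) are assumptions.

```python
# Added illustration, not eVACS code: the touch-screen flow as a state machine.
from enum import Enum, auto


class Screen(Enum):
    WELCOME = auto()
    LANGUAGE = auto()
    MAIN = auto()
    CONFIRM = auto()
    ACCEPTED = auto()


class FlowError(Exception):
    """An event arrived that the current screen does not allow."""


class VotingClient:
    def __init__(self, issued_cards, candidates, ballot_box):
        self.issued = set(issued_cards)   # constructed card values the server accepts
        self.spent = set()                # cards that have already cast a vote
        self.candidates = set(candidates)
        self.ballot_box = ballot_box      # list of preference lists; holds no card value
        self._reset()

    def _reset(self):
        self.screen = Screen.WELCOME
        self.opening_card = None
        self.language = None
        self.preferences = []

    def _require(self, *screens):
        if self.screen not in screens:
            raise FlowError(f"not allowed on {self.screen.name}")

    def scan(self, card):
        """Steps 3 and 10: the same event opens a session and casts the vote."""
        self._require(Screen.WELCOME, Screen.CONFIRM)
        if self.screen is Screen.WELCOME:
            if card not in self.issued or card in self.spent:
                return False              # stay on Welcome (assumed error handling)
            self.opening_card = card
            self.screen = Screen.LANGUAGE
            return True
        if card != self.opening_card:
            return False                  # second read differs: nothing is recorded
        self.ballot_box.append(list(self.preferences))
        self.spent.add(card)
        self.screen = Screen.ACCEPTED
        return True

    def select_language(self, language):
        self._require(Screen.LANGUAGE)
        self.language = language
        self.screen = Screen.MAIN

    def change_language(self):
        self._require(Screen.MAIN)
        self.screen = Screen.LANGUAGE     # step 5

    def press_candidate(self, name):
        self._require(Screen.MAIN)
        if name not in self.candidates:
            raise FlowError("unknown candidate")
        if name not in self.preferences:
            self.preferences.append(name)
        return self.preferences.index(name) + 1   # number shown in the box

    def press_next(self):
        self._require(Screen.MAIN)
        self.screen = Screen.CONFIRM
        return list(self.preferences)     # confirmation screen lists choices in order

    def go_back(self):
        self._require(Screen.CONFIRM)
        self.screen = Screen.MAIN

    def timeout(self):
        self._require(Screen.ACCEPTED)
        self._reset()                     # step 11: Welcome screen reappears
```

The ballot box receives only the ordered preferences, while spent cards are tracked separately, so a stored vote carries nothing that links it back to the card that cast it.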
5.1.2 Keypad with audio voting
1. Voter has name marked off on electoral roll, receives e-voting card (and headphones if
required) from polling official, and proceeds to electronic polling booth.
2. Voter puts on headphones (and if necessary seeks assistance to plug in headphones) and
hears welcome message and instructions to press any key to find out what it does (played in a
loop), with message to scan e-voting card to commence voting.
3. Voter places e-voting card under barcode reader and, if the barcode is valid, the group heading
where the cursor is randomly located is announced.
4. Voter navigates between groups by selecting the 4 (previous) or 6 (next) key, and up/down to
candidates within a group by selecting the 2 (up) or 8 (down) key.
5. When voter reaches first choice of candidate, audio announces the name of candidate and
group, and when voter presses the SELECT (5) key, the name of candidate, group and the
preference number, in this case ‘one’, are announced.
6. Voter navigates up/down between candidates and previous/next between groups, pressing the
Select key for each choice, until they have selected all their preferences, numbered in increasing
sequential order.
7. When all choices have been selected, the Voter presses the FINISH (#) key. The names of
candidates and their groups and preference numbers are then announced in order
commencing with their first preference.
8. If selection list is as the voter means to vote, the Voter places their e-voting card under the
reader again. If the two barcode reads match, the vote is accepted.
9. Voter receives a message to say their vote has been accepted and thanking them for voting.
10. After a timeout, the welcome message is heard.
5.1.3 Telephone voting
Although the selection and confirmation of candidate preferences is the same for telephone voting as
for keypad with audio voting (steps 4 to 9 above), they are repeated below (steps 6 to 11) for
completeness.
1. Voter has previously registered for telephone voting, provided a private Personal Identification
Number (PIN) and received an email with a unique voting token.
2. Voter calls the telephone voting number and selects 3 to vote (selecting 1 is registering to
vote, selecting 2 plays voting instructions).
3. Voter hears message welcoming them to the ACT Legislative Assembly election, and they are
asked to enter their PIN followed by their voting token.
4. If PIN and voting token pair match with a pair in the database, audio is played with instructions
on how to vote by using the telephone keypad and when they are ready to vote to press 3
(Note: key 3 is used to Hide My Vote in the non B&VI system).
5. Voter presses 3 and audio is played announcing the electorate of the ballot paper and at
which group the system is currently located.
6. Voter navigates between groups by selecting the 4 (previous) or 6 (next) key, and up/down to
candidates within a group by selecting the 2 (up) or 8 (down) key.
7. When voter reaches first choice of candidate, audio announces the name of candidate and
group, and when voter presses the SELECT (5) key, the name of candidate, group and the
preference number, in this case ‘one’, are announced.
8. Voter navigates up/down between candidates and previous/next between groups, pressing the
Select (5) key for each choice, until they have selected all their preferences, numbered in
increasing sequential order.
9. When all choices have been selected, the Voter presses the FINISH (#) key. The names of
candidates and their groups and preference number are then announced in order
commencing with their first preference.
10. If selection list is as the voter means to vote, the Voter enters their PIN again. If the PIN is a
match with that entered at the start of the voting session, the vote is accepted.
11. Voter receives a message to say their vote has been accepted and thanking them for voting.
12. The system then terminates the telephone connection.
18 (64) Change the eVACS® Table II scrutiny sheet to highlight in bold text the elected
members and their elected position.
19 (65) Produce scrutiny sheets in Excel and PDF formats only.
Reports
20 (66) Amend eVACS® LAPPERDS output file (FirstPreference.txt) *
(i) to show correct entries where there are zero votes received by candidates;
(ii) fix errors in displaying candidate names;
(iii) remove entries for electronic votes at static polling places;
(iv) address scenarios where there are fewer than 20 votes received at a
polling place for any electorate (both paper or electronic); and
(v) allow central scrutiny results to be displayed for both paper and
electronic votes (fewer than 20 votes for any electorate).
21 (67) Polling place server error reports to capture the number of incomplete votes as
well as the number of resets.
22 (68) Provision eVACS® to produce the tables required for the election statistics
book
23 (69) Add an additional report to the statistics book to provide only total ACT early
voting figures, electronic and paper votes.
24 (70) Produce break in sequence and length of tables.
Casual vacancy
25 (71) Ensure lists of candidates do not roll off the screen when identifying the
candidates contesting the casual vacancy.
26 (72) Scrutiny sheet be available as electronic files in Excel format.
27 (73) Casual vacancy scrutiny sheets can be re-printed.
# = Contract number as in [3]
* = Details of the LAPPERDS output file are at Attachment C.
Attachment B – Enhancements implemented for 2020
Access passwords – to be accepted, a password must meet ACT Government and ASD password
security standards.
Audio – .WAV files to be used.
Audio files to be nested for easy identification of individual files by EACT staff.
Autonomy – no details of an election to be hard coded into the software. Configuration of the system
is to be possible with specific inputs as part of tailoring the system for a particular election.
Such tailoring is to continue to be carried out by EACT staff without the need for intervention of
SIPL staff.
Ballot layout – the layout of electronic ballots is currently fixed. As part of the setup process, the
format of a ballot paper to be customisable for an election, including configuration of:
i) font size for candidate names
ii) font type, size and placement of text.
Ballot rotations – eVACS® allows for Robson Rotations based on 5 and 7 member electorates,
although currently all electorates have only 5 members. Flexibility in having different numbers
of members should not be deleted from the system; this includes allowing for input of number of
members and the associated rotation sequences.
Barcodes – 1D barcodes used by voters to be replaced with 2D barcodes (QR codes).
Official, or master QR code, to be introduced for use by officials to access new menu for
selection of appropriate reset options on voting clients with touch screens.
QR codes able to be prepared as postscript file for provision to contracted printer, as well as
ready-for-printing inhouse.
Convert SHA-2 encrypted hash code output to QR code at polling place server to be read as
input to election server when uploading vote data.
Counting – provide for the calculation of vote values rounded down to 6 decimal places.
Counting to be based on Ada 2012 and stored procedures.
Note: Subsequently changed by EACT to rounding up to 6 decimal places. Post 2020 election,
EACT reverted to rounding down to 6 decimal places.
Error codes – error codes to have a direct reference to the exact nature of the error. The nature of
error and resolution actions to be detailed in system documentation. Refers to error codes that
could be displayed on voting client screens.
Hardware – dependencies on particular hardware configuration items to be minimised, for example,
the existing eVACS® places requirements on the choice of printers.
Incorporation of touch screens for voting, noting that the use of a setup with a telephone-style
keypad and audio instructions will continue to be available at each polling place for B&VI
electors.
Unused ports on hardware at polling places to be decommissioned via the operating system.
Polling place and telephone voting servers to be capable of supporting printing of reports, hence
the connection of a printer.
The absence of disk readers in modern hardware challenges the continued use of WORM
disks for installation of software on hardware and the transfer of data. Hence, disks to be
replaced with secure USB memory sticks that support encryption of contents.
Multiple languages – the interfaces used by voters to be based on Unicode text and available in
multiple languages, where the number and specific languages to be used can vary between
elections.
Unicode text also to be used for all interfaces used by officials and the reports generated by the
system.
Multiple polling place servers – currently the polling place servers, one per electorate, are created
by loading a voting server installation created by the election setup server. This manual
process is to be replaced with an automatic load process using an isolated LAN connected to
the election setup server. As part of the installation process, automatic testing to ensure correct
operation of the server is to be implemented.
Identification of the polling place of a particular voting server is to be undertaken after delivery to
the polling place.
Multiple voting clients – each polling place has multiple identical voting clients connected via a LAN
to the polling place server. The manual process of installing the voting client software onto
hardware to be replaced with an automatic load and test process from the polling place server.
Network encryption – eVACS® currently uses http for communications across the LAN at each
polling place. Update to https (currently based on TLS 1.2) to ensure all these communications
are encrypted.
Printing – In addition to scrutiny sheets, new reports to be printed include:
i) first preference count for each polling place and telephone voting after close of polling on
Election day
ii) reports of errors, votes not concluded, languages used, and use of B&VI system printed
individually and collectively
iii) SHA2 hash in QR code form in association with daily export of votes at polling places
iv) Scrutiny sheet preference tracking report (not provided)
Privacy – ensure no potential link between voter and their vote by eliminating any timestamp
associated with a vote, shuffling votes within votes database on polling place server and
encrypting votes with SHA-2 algorithm. (see also Vote data encryption)
Reports – the format of scrutiny sheets and other generated reports is currently fixed. The reporting
software to be flexible enough to support a variety of different types of reports, noting that a
number of additional reports are required:
i) frequency of types of error code experienced during polling
ii) number of electronic votes commenced but not concluded
iii) number of occurrences of selection of each language other than English
iv) number of occurrences system accessed by B&VI electors
v) ‘result of count’ (first preference count) undertaken after close of polling on Election day
to be printable
vi) report for import into LAPPERDS (see Appendix B for file format)
vii) Scrutiny sheet preference tracking report
Scanning of paper ballots – scanning of paper ballots to continue outside of eVACS®. The
electronic vote data obtained from scanning to continue to be imported into eVACS®.
Setup procedure – the existing eVACS® setup server comes with certain database tables already
created; these tables to be created from data entered during the autonomous election setup
procedures.
The change to daylight saving occurs during the early voting period for ACT Legislative
Assembly elections. Date of change to be incorporated into required setup election data so that
servers can automatically change the date during operations.
To support testing of the system, provide for the resetting of the date and time without needing
to adjust the settings in the BIOS.
Software – All existing functionality to be migrated from ‘C’ to Ada 2012, with SPARK used to ‘prove’
the integrity of the software.
To that effect, the SPARK language subset of Ada 2012 should be adopted.
Provide for a version of the source code easily publishable on the Elections ACT website, as
well as providing to an independent code auditing company. (Subsequently code provided only
under a Non Disclosure Agreement.)
Provision of a transparent and controlled mechanism for recovering data from a failed hard
drive.
Telephone voting server – incorporation of a telephone voting module requires inclusion of a
telephone voting server. Although similar in purpose to a polling place server, because
additional functionality is required, a separate telephone voting server installation and creation
via the setup election server is necessary.
Vote data encryption – vote data to be encrypted in the polling place server database using SHA-2
algorithm and when exported.
Vote reconstruction – as part of confirming a vote, the current voting client sends to the voting server
not only the list of preferences but also the list of keystrokes used to construct the vote. The
voting server then ‘reconstructs’ the vote using the keystrokes and compares it with the list of
preferences. Only if there is a match is the vote confirmed. (A failure to match should never
occur.) This checking to be continued for the B&VI booth at the polling centres.
With the introduction of touch screens for voting, where used the list of keystrokes to be
replaced with a list of screen touches for comparison with the preferences list.
Vote transfer – vote data to be encrypted for transfer from polling place server to election server, with
mandated entry of ‘hash code’ before upload to election server possible.
Voting – display a particular coloured screen for an agreed period of time to visually indicate that an
elector has successfully finalised the casting of their vote.
Preference box and candidate name to be a single touch element on touch screens.
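The keypad case of the check described under ‘Vote reconstruction’ above, as an added example that is not eVACS® code: the server replays the logged keys (4/6 between groups, 2/8 within a group, 5 SELECT, # FINISH, as in section 5.1.2) and confirms the vote only if the result equals the submitted preference list. The sample ballot, the function names, the recorded start group and the wrap-around, first-candidate and repeat-select rules are assumptions; the page does not specify them.

```python
"""Replay a logged keypad session and compare it with the submitted vote."""

# Constructed sample ballot: groups in ballot order, candidates top to bottom.
BALLOT = [["A1", "A2", "A3"], ["B1", "B2"], ["C1", "C2", "C3"]]


class ReconstructionError(Exception):
    """The keystroke log is malformed or incomplete."""


def reconstruct(ballot, start_group, keys):
    """Return the preference list produced by replaying `keys`.

    Assumed rules (not specified on the page): movement wraps around,
    changing group lands on that group's first candidate, and pressing
    SELECT on an already numbered candidate is ignored.
    """
    if not 0 <= start_group < len(ballot):
        raise ReconstructionError("start group outside ballot")
    group, cand, prefs, finished = start_group, 0, [], False
    for key in keys:
        if finished:
            raise ReconstructionError("keys logged after FINISH")
        if key in ("4", "6"):            # previous / next group
            group = (group + (1 if key == "6" else -1)) % len(ballot)
            cand = 0
        elif key in ("2", "8"):          # up / down within the group
            cand = (cand + (1 if key == "8" else -1)) % len(ballot[group])
        elif key == "5":                 # SELECT assigns the next preference
            if ballot[group][cand] not in prefs:
                prefs.append(ballot[group][cand])
        elif key == "#":                 # FINISH ends the selection phase
            finished = True
        else:
            raise ReconstructionError(f"unexpected key {key!r}")
    if not finished:
        raise ReconstructionError("log does not end with FINISH")
    return prefs


def confirm_vote(ballot, start_group, keys, claimed_prefs):
    """Confirm only if the replayed log equals the submitted preferences."""
    try:
        return reconstruct(ballot, start_group, keys) == list(claimed_prefs)
    except ReconstructionError:
        return False
```

A mismatch or a malformed log yields `False` rather than a best-effort vote, in line with the entry's rule that a vote is confirmed only if there is a match.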