Electronic Verification for E-voting: A Dead End for Voter Confidence
By Sean Flaherty, Verified Voting Foundation   
June 02, 2008
Paperless electronic voting is in retreat, its popularity done in by disturbing security reviews of current e-voting systems and significant voter concern about the integrity of elections. Optically scanned paper ballots, which also use software to count votes but allow software-independent hand audits and recounts, are the most common voting system in the United States.  A number of states that have purchased paperless electronic voting machines are moving to adopt optical scan systems, with accessible ballot-marking devices for voters with disabilities.  Approximately 60% of America's voters live in jurisdictions in which voter-marked paper ballots will be the primary voting system in the November elections.

But we live in a technological age, and to some it seems logical that in crafting laws governing voting systems we not “stifle innovation” by closing the door on paperless voting.  The present generation of systems was a bust – but could a new generation of paperless voting systems contain enough redundancies that paper ballots or voter-verifiable paper records could become unnecessary?

Cryptographic voting systems have been touted as a way of doing away with paper ballots.  For starters, “cryptographic” is not a word that associates readily with thoughts of transparent and publicly verifiable elections, but what does it mean?  Cryptography is the art of coding and decoding messages, and forms the basis for computer security. It allows us to conduct electronic commerce.  For more information, see RSA Laboratories' Frequently Asked Questions on cryptography. Is what is good for e-commerce good for voting, though?

First, it is necessary to compare electronic voting to electronic commerce.  There is a fundamental problem in comparing e-voting to e-commerce: the secret ballot. Secure electronic commerce depends in part on connecting the individual investor with the online stock trade, the taxpayer with the 1040 form, the traveler with the flight itinerary.  The secret ballot, an essential element of our democratic tradition, requires that the voter not be connected with the votes she has cast.  If taxpayers had no way of confirming to their satisfaction that their tax returns were received by the IRS as they submitted them, most would never consider filing their taxes electronically.

Some proposed cryptographic voting systems promise to address this concern, and provide a way for voters to check that their votes were recorded correctly without compromising the secrecy of their ballots.  Most of these systems would be “paperless” only in the sense that there would be no official paper ballot of record; the voter would get a printed receipt with a verification code on it that does not allow them to prove to anyone how they voted.  Several computer scientists, including electronic voting expert David Wagner of the University of California, Berkeley, noted in a 2005 paper (p. 15) that these systems have promising properties, but that there are weaknesses in them that would be mitigated by, ironically, a conventional voter-verifiable paper audit trail, a paper record with vote choices printed in uncoded form that would be retained by election officials and used in audits and recounts.  The paper audit trail could, Wagner and his colleagues wrote, provide “an independent way to audit that the cryptography is correctly functioning.”

And as of May 2008, a descendant of one of these cryptographically based systems is being developed as an add-on to paper ballot optical scan technology.  A system that started as an attempt at secure voting without paper ballots has, ironically, evolved into a system designed for compatibility with existing paper ballot voting systems.

Cryptographic solutions, which are more difficult for voting than for commerce, are by their very nature difficult to do correctly.  Even the latest, supposedly bullet-proof cryptographic systems, like the one showcased in Switzerland's elections last year, have been shown to be vulnerable.

Is the certification process for voting equipment up to the challenge of ensuring that electronic verification can secure an election?  Not if the current track record of high-tech systems is anything to go by.  Edward Felten, head of the Center for Information Technology Policy at Princeton University, testified last year about America's notoriously weak voting equipment certification process, and cautioned lawmakers:

"For example, most vendors of today’s paperless DRE voting machines claim to keep redundant electronic records of each ballot. In fact, what most of them do is keep two copies, in identical or similar memory chips, located in the same computer and controlled by a single software program. This is clearly inadequate, because the two copies lack diversity and will tend to fail at the same time." "Even assuming that other electronic-plus-electronic redundant systems can be suitably reliable and secure, we would need to trust that the certification process could tell the difference between adequate redundancy and the kind of pseudo-redundancy discussed in the previous paragraph. The certification process has historically had trouble making such judgments."

Dr. Felten notes that the new EAC testing and certification process is more effective than the previous program overseen by the National Association of State Election Directors, but much improvement is still needed.  Felten also notes that election tampering with paper and election tampering with computer manipulation are likely to occur at different stages of the election process.  Paper ballots are more likely to be tampered with after the election, and electronic records prior to the election, so a paper-ballot/electronic system like optical scan offers defense against different types of vulnerabilities.

The Association for Computing Machinery (ACM), the largest and oldest organization of computer professionals, has called since 2004 for a physical record of every cast vote.  ACM does not specifically call for paper, but for a record that cannot be corrupted by a failure of software.  Paper is the only “physical record” that serves that purpose at present.  From the ACM statement:

“Making those [voter-verifiable] records permanent (i.e., not based solely in computer memory) provides a means by which an accurate recount may be conducted.”

And what about transparency to the voters? Cryptographic verification requires that voters use a code to avoid compromising the secrecy of the ballot, and understanding the mathematics of the coding system would require substantial training on the part of voters.  A 2003 Congressional Research Report noted (p.31):

“Also, it is not clear that it [cryptography] would have the same potential positive impact on voter confidence as paper-based voter verification might. That is because a voter who does not understand the technology behind the system — and few voters are likely to — may have no greater basis for confidence in the correspondence between the encrypted receipt and the choices the voter made than is currently the case with DREs. Some proponents, however, believe that those concepts are simple enough that they can be taught in secondary school.”

Advanced algebra is simple enough to teach in secondary school too, but even highly educated voters have forgotten much of the algebra they learned back in the day.  Stating that the principles of a cryptographic system are “simple enough to teach in secondary school” is equivalent to acknowledging that those principles will leave many, if not most, voters scratching their heads.  If e-commerce transactions offered only a coded receipt that would make no sense to any third party and would force participants to trust the integrity of a cryptographic setup, few would feel as comfortable as they do now with e-commerce.  By contrast, the chain of custody of paper ballots and the use of hand counts to verify computer tallies are procedures comprehensible to all voters. 

As we consider whether or not to leave the door open for crypto-dependent voting systems without paper ballots of record, we would do well to recall a statement by Bruce Schneier, one of the world's foremost authorities on computer security:

"Building a secure cryptographic system is easy to do badly, and very difficult to do well. Unfortunately, most people can't tell the difference."