It’s been a while since I’ve written about e-voting here on DailyTech. Given that the 2008 presidential election is coming up – or is already in progress in some states – it certainly seems like a good time to sit down for a little refresher, doesn’t it?
Accusations of foul play are already flying. As expected, fallout from the U.S. government’s sordid love affair with these newfangled e-voting machines surfaced earlier this week, this time in the early-bird State of West Virginia: voters say the machines are switching their votes, and officials are both sadly and predictably discounting their claims.
There are other stories, of course, but I’m not here to talk about them.
Instead, let’s talk a little bit about the future: namely, the fact there are a number of very smart people officially on the job for proposing a better, more secure presidential election in 2012.
An article in The Economist points out three different proposals for how an e-Voting system might be carried out, each one very different from the others but simultaneously identical in its emphasis on the four things important in any good election: security, privacy, integrity, and accountability.
Of course, our current e-Voting systems promise these things, but then hide the where-and-how inside an information black box. The proposals I am about to describe are backed by vetted techniques in encryption and security science, and do not make use of exotic or closed-source technologies.
The first proposal, currently under development by UK University of Newcastle upon Tyne computer scientist Dr. Peter Ryan, involves a two-part ballot that is torn in half when the voter is finished: the half with the names is kept, and the half with the votes is handed in. The candidates’ names is written in a randomized order, and each possible order is represented equally among all the ballots distributed; the votes, on the other hand, are read with an optical scanner and include a barcode, or some other form of computer-readable identification, with information pointing to the ballot’s original order. This technique has the advantage in that the ballot cannot be read by humans beings who might be inclined to manipulate its results.
Their important bit here is that the each ballot's order is determined by a pseudorandom number, whose seed is generated by a secret key that can be handed out, in parts, to various parties for safekeeping. Since a sequence of “random” numbers – computers cannot generate truly random numbers – is entirely predictable if one knows the original seed, disputes revolving around it can be settled by reassembling the seed and then tracing the number that determined the ballot’s order. Ryan calls this method “Prêt à Voter”.
A second method, which The Economist describes as an elaboration upon the first method, comes to us from Ben Adida and Ron Rivest of the Massacheusetts Institute of Technology. Titled “Scratch & Vote,” (PDF) adds a scratch-off area of the kind used in Lottery Scratchers, which contains a piece of the information used to generate the ballot’s order that, when combined with a public key, divulges the order that candidates are listed in.
A third option, called “Scantegrity II” and devised by cryptography expert David Chaum, consists of a normal “fill-in-the-bubble” ballot printed with special ink that, when used in combination with a special kind of pen, reveals a three-digit code at the center of the filled-in area. A voter could take note of these codes, along with the ballot’s serial number, and log on to a publicly-available election to double check the values of what’s recorded. Since the vote-counting machines’ optical scanners cannot read the characters, it should be impossible for the vote-counting system to store this data – forcing it to regenerate it, based upon what it recorded in the votes, on-the-fly. If the codes presented on the web site match up with what the voter recorded, then the ballot is untouched. If they aren’t, then an investigation can be opened.
These techniques are, for the most part, still in the very early stages of development, and have yet to undergo the full battery of research and development – meaning that they certainly not be appearing this November 4. (Scantegrity II is an exception, however, in that it seems to be seeing some use in the State of Washington.) In a few years’ time, maybe they'll appear – but I’d say that’s only possible if election officials can stave off the seemingly omnipresent e-voting lobbies.
To be the most effective – and secure – each of these techniques needs to be developed and deployed in as open a fashion as possible: given the proper equipment, anyone should be able to recreate an election scenario from publicly-available documentation and source code. The body that handles the master keys and seeds, before they are split apart, should represent the pinnacle of trustworthiness. Any kind of behind-the-scenes or inside interference could cause the entire system to unravel – forcing a time-consuming and still-possibly-corruptible recount.
There’s another, more plausible scenario – and this one’s more of the tin-foil hat variety than anything else – that the machinery presented for voters to use is claimed to be working while being secretly broken, so that during the count the entire process is fudged. An open-source architecture mitigates this somewhat; but if the voters’ ability to audit their vote is compromised in a way that makes auditing individual results impossible – whether by an intentionally broken vote-counting system or by an over-reliance on technology – then we’re back to the “trust the e-voting machines and the vote counting officials” scenario that we currently face.