Trustworthy Elections without Paper Ballots
Why vote receipts deserve consideration
C. Andrew Neff, Ph.D.
Chief Scientist
VoteHere, Inc.
May 26, 2004
How does this relate to technology?
The election community is in a bind:
 It wants to use machines to “improve things” – as the finance industry has
 But there is a widespread feeling that machines cannot be trusted for
elections
 …or at best, can only be trusted when used in ways that severely
restrict their capabilities and functions
I am not here to say that machines are inherently safe for our elections,
nor that any machine can be sufficiently secured for our elections.
I am here to say that a great deal of machine power can be used safely in
our elections.
In fact, our elections can be made safer with machines than they have
been without them.
Trustworthy Elections without Paper Ballots
p. 2
Are machines the problem, or what we expect
from them?
“Systems are just a means to an end. What matters is that there be
trust in election results.”
-- Ron Rivest (paraphrased), NIST 12/2003
The Goal: Accept that machines (as well as humans) have
vulnerabilities and uncertainties, and instead of attempting to
prevent them, enable a way to openly audit the accuracy of the
final count so that fraud and errors are always detected.
Let’s enable confidence in the results, rather than demand
trust in specific system components.
Trustworthy Elections without Paper Ballots
p. 3
What mechanisms enable confidence in results?
Option 1: Use familiar, psychologically comfortable methods
and devices (such as paper ballots)
 Science cannot help: Like trying to argue evolution with a creationist
Option 2: Take someone else’s word: Results are
“announced by NBC”
 Again, science cannot help
Option 3: Verify results through first hand observations of
events & data
 Science can and should help, but this requires transparency of data and events
Trustworthy Elections without Paper Ballots
p. 4
How to bake a ham
Jack: “Why do you cut the ends off the ham?”
Jill: “It cooks better that way.”
Jack: “Cooks better how?… Faster? Tastier?”
Jill:
“That’s how my mother always did it.”
Trustworthy Elections without Paper Ballots
p. 5
How to bake a ham – round 2
Jack: “Why do you cut the ends off the ham?”
Mother-In-Law: “It cooks better that way.”
Jack: “Cooks better how?… Faster? Tastier?”
Mother-In-Law:
“That’s how my mother always did it.”
Trustworthy Elections without Paper Ballots
p. 6
How to bake a ham – round 3
Jack: “Why do you cut the ends off the ham?”
Grandmother-In-Law:
“I only had a very small pan.”
Trustworthy Elections without Paper Ballots
p. 7
Elections & ham baking have a bit in common
 For current DRE's, “hand recount” is anachronistic.
 “Voter Verified Paper Ballot” systems are better, but:
 Remarkable lack of precision in specifying what to do with the paper
 “Print a paper ballot for the voter to look at” is far from a complete system
specification because it only addresses voter verification at the poll site
 Trust/confidence properties are highly dependent on the specifics
 Most disappointingly, few have stopped to ask, “Why?”
“Why are we cutting the ends off the ham?”
“Do we have a bigger pan now?”
Trustworthy Elections without Paper Ballots
p. 8
Key ingredient for trusted results
Independent / external verification (audit)
 Need lots of people to look at the data - the more the better.
 All the data? Not necessarily – random sampling can be powerful tool.
 Requires transparency
 Data from which results are reasoned must be “first hand available” to
many.
 Should allow basic logic and reasoning tests by anyone who wants to
independently check results
Precise accountability is highly desirable.
Trustworthy Elections without Paper Ballots
p. 9
We do have a bigger pan now
We can now make digital data permanent and authentic:
 Methods for encryption and authentication in widespread use
 The technology that makes e-commerce work.
 NIST Digital Signature Standard (DSS)
So now, digital data can be indisputably audited
around the world.
 Solves the audit-scale problem with physical objects, bringing us
much closer to the ideal “one room” paper ballot election
Trustworthy Elections without Paper Ballots
p. 10
Steps in an electronic “show of hands” election
1.
Voters cast ballots.
2.
Leave with permanent, authentic vote receipt listing vote choices.
3.
Permanent, authentic ballot box data is broadcast to the world.
4.
Voters compare their receipt data to ballot data.

5.
Any discrepancy – voter “wins”: Election compromises always detected.
The final count (tally) can be verified by anyone.
But, does not provide a secret ballot.
Trustworthy Elections without Paper Ballots
p. 11
Steps in an electronic show of hands election
with secret ballots
1. Voters cast ballots.
2. Still leaves with permanent, authentic vote receipt, but receipt does not
show “yes” or “no”, but voter-specific data (e.g. “X3Z1” or “17JK”)

In privacy of voting booth, voter sees something that convinces:

“If I see ‘X3Z1’ on my broadcast ballot, my vote will be counted as “yes”

“If I see ’17JK’ on my broadcast ballot, my vote will be counted as “no”
All other aspects of election verification (audit) are the same
Trustworthy Elections without Paper Ballots
p. 12
Lottery audits are more sound than election
audits today
Would you walk away from the lottery counter without a
ticket?
 Trust that “everything will be taken care of”?
 That you’ll be contacted in the case you are a winner?
 That the ticket sellers won’t claim the winnings as their own?
Current paper ballot elections ask you to do exactly this.
Trustworthy Elections without Paper Ballots
p. 13
Detection and the importance of saying “fail”
USA vs. USSR “man on the moon” programs
 USA succeeded because failures were openly acknowledged
 USSR hid failures for sake of propaganda
Florida 2000 is a perfect example of how this should NOT
work.
 Failure hidden by legal and political maneuvering
 Flipping a coin might have been as good a method for resolution!
Trustworthy Elections without Paper Ballots
p. 14
Conclusion
 Receipt based, secret ballot election methodologies have been the
subject of research for 20 years

D. Chaum, J. Benaloh, M. Yung, B. Schoenmakers, et. al.
 Openly seek review and dialog

NIST, IEEE, EAC, GAO, peers, election officials, voters, activists

Without this, cannot achieve “best of breed” solutions
 With caution, let science and innovation work

Legislation has been a deterrent by mandating specific solutions
rather than accuracy and audit requirements.
Trustworthy Elections without Paper Ballots
p. 15
Conclusion
To bake a bigger ham, you need a bigger pan.
But
If you have a bigger pan, use it.
Trustworthy Elections without Paper Ballots
p. 16