E-Voting
SEMINAR REPORT
ON
E – VOTING
Prepared By
Dhaval Patel
04IT6006
Guided By
Prof. C.R. Mandal
Submitted To:
School Of Information Technology,
IIT Kharagpur
1
MTECH/SIT/SEMINAR/04/01
E-Voting
Purpose Of The Seminar
This Seminar has been developed in an attempt to provide an objective introduction to the
issues of E-Voting surrounding the introduction of information technologies into the
voting process. Voters’ trust in elections comes from a combination of the Mechanisms
and procedures we use to record and tally votes. In this seminar I am going to present the
various Electronic voting Method like voting by kiosk, Internet, telephone, punch card,
and optical scan ballot, Proms and Cons of all voting types. I have also described how
the evolution of various voting machines has been carried out in last 100 eras. There is a
discussion on some of the problem found in e-voting machine like Florida’s butterfly
ballots design problem. As the new problem known to the people, what is a reaction of
the people toward this voting process? Like I have discussed some the well-known issues
like Voter Verifiable result, Mercuri Method, Ballot Design Issues and etc.. At the end I
have illustrated IEEE performance standard for voting machine.
2
MTECH/SIT/SEMINAR/04/01
E-Voting
Introduction
This section is mainly concern of the discussion of the definition of the Voting,
Structure of Vote, and Importance of the Voting. The Subsequent Section discuss
procedure for E-Voting with the specific need of the Voting Machine.
Voting
This is what the public does to choose the politician they want to run their area or
country. Only those over 18 can vote at present
Structure of Votes
The structure of votes depends on the type of Elections. More precisely, It
depends on the question that is put forward to voters in the election and Possible
answers.
Type of Election
We will distinguish between the following types of election.
yes/no voting
Voter’s answer is yes or no. Vote is a one bit: 1
for yes and 0 for no
1-out-of-L voting Voter has L possibilities and he chooses one of
them. Vote is a number in the range 1 . . .L
K-out-of-L voting Voter selects K different elements from the set of
L possibilities. The order of the selected elements
is not important. Vote is a K-tuple (v1 · · · vK)
K-out-of-L
Voter puts into order K different elements
ordered voting
from the set of L possibilities. Vote is an ordered
K-tuple (v1 · · · vK).
1-L-K voting
Voter picks out one of the L sets of possibilities,
and from the selected set he chooses K elements.
Vote is a K+1-tuple (i, a1 · · · aK); a1 · · · aK are
elements of the ith set.
Structured voting There are n levels of possibilities. Voter moves
from the first level to the last one. At the ith level
he can select at most ki possibilities from the
subset Si of all possibilities in the ith level. Si, ki
depend on his choices in the previous levels. Vote
is a tuple (v11, · · · , v1k1 , · · · , vi1, · · · , viki , · ·
· , vnkn), where {vi1, · · · , viki} _ Si.
Write-in voting
Voter formulates his own answer and writes it
down. Vote is a string with specified maximum
length.
3
MTECH/SIT/SEMINAR/04/01
E-Voting
Voting importance
Voting is one of the most critical features in our democratic process. By casting a
vote we hold previous politicians to account and express our hopes for the future.
Of course democracy is more than votes - it's debate, letter writing, campaigning,
consultation - but the vote is how every single citizen can wield real and
immediate power. In addition to providing for the orderly transfer of power, it
also cements the citizen’s trust and confidence in an organization or government
when it operates efficiently. It's incredibly important that everyone can vote
without interference, safe in the knowledge that it will be counted. Through the
long history of democracy we have learnt that in the pursuit of power some
groups are willing to threaten voters to make sure they vote 'the right way'. But if
the vote is secret then there is no way for intimidators to know whether someone
has voted for them or not - threats become useless. So votes are a vital expression
of the people's power, which need to be secret and restricted to only one per
citizen.
E-Voting
Electronic voting is a term used to describe any of several means of determining
people's collective intent electronically. Electronic voting includes voting by
kiosk, Internet, telephone, punch card, and optical scan ballot (a.k.a. mark-sense).
Voting is done for many reasons and in many situations, ranging from
determining the next garden club officers to determining the next leader of a
country. Depending on the situation, a voting scheme will be required to meet
differing needs depending on the circumstances. One hopes that in this way the
voting process becomes faster, cheaper, more convenient, and also more
secure.
Requirements in E-Voting
A voting system should satisfy these requirements:
•
•
•
•
•
•
•
•
•
Eligibility and authentication – only registered voters must be admitted.
Uniqueness – no voter may cast his vote more than once.
Accuracy – voting systems should record the votes correctly.
Verifiability and audit ability – it should be possible to verify that all votes
have been correctly accounted for in the final tally, and there should be
reliable and verifiably authentic election records.
Secrecy – no one should be able to determine how any individual voted.
Non-coerciability – voters should not be able to prove to others how they
voted; otherwise vote selling and coercion would be facilitated.
Minimum skill requirement for voter
Minimal requirement of equipment
Minimum Time required for vote
4
MTECH/SIT/SEMINAR/04/01
E-Voting
Voting Technique
The traditional way of voting has been to mark a token (shell, card or piece of
paper) in private and then put it into a box or pot. The key points were to make
sure that:
•
•
•
•
•
Each voter could only have one token to vote with.
The token could be marked in private.
The box could only be accessible to voters.
At the end of the election the box would be opened in the presence of
observers of all the parties standing for election.
If results were in doubt different people could count the tokens again.
How Much information to be collected during the voting? If only the Name of
the candidate then it is very easy to count. Consider a case like in USA, large
number of issues Americans are asked to vote on at the same time. Thus to ease
the counting lever and so new voting technique in using an optical machines
are used in elections.
1. Raise Your Hand Or Raise Your Voice Or Put Stick in Box
Election has been used to decide various questions for at least 2000 years. In
ancient Greece, people voted by putting white or black stone in bucket. Early
methods including Shouting out “Aye” or “Nay”, raising hands or depositing
objects to be counted.
2. Paper Ballot (1858, Australian paper ballot introduced)
The first Known use of the paper ballots in an election in the U.S. was in 1629 to
select a church pastor.
Invented By
Australian paper ballot system was considered as a great innovation.
Standardized ballots are printed at government expenses, given to voter at
polling places, and people are required to vote and return the ballot on the
spot. The Australian government comes up with this procedure, which is
now the most widely used system in the world.
Procedure for voting
The paper ballot system employs uniform official ballots of various stock
weights on which the names of all candidates and issues are printed.
Voters record their choices, in private; by marking the boxes next to the
candidate or issue choice they select and drop the voted ballot in a sealed
ballot box.
5
MTECH/SIT/SEMINAR/04/01
E-Voting
Current Usage
As of 1996, paper ballots were still used by 1.7% of the registered voters
in the United States. They are used as the primary voting system in small
communities and rural areas, and quite often for absentee balloting in
other jurisdictions
Problem with Paper Ballot System
It may take a long time to get a hand count under the current system.
(Counting Problem)
A small portion of the disabled may lose the ability to vote privately.
Paper ballot counting and recounting generates endless arguments
about whether the X crosses inside the square
A Specimen for the Paper Ballot Voting
3. Lever Machine (1892, Mechanical lever voting machines)
The first official use of a lever type voting machine, known then as the "Myers
Automatic Booth," occurred in Lockport, New York in 1892.
Procedure for voting
On mechanical lever voting machines, the name of each candidate or
ballot issue choice is assigned a particular lever in a rectangular array of
6
MTECH/SIT/SEMINAR/04/01
E-Voting
levers on the front of the machine. A set of printed strips visible to the
voters identifies the lever assignment for each candidate and issue choice.
The levers are horizontal in their UN voted positions.
The voter enables the machine with a lever that also closes a privacy
curtain. The voter pulls down selected levers to indicate choices. When the
voter exits the booth by opening the privacy curtain with the handle, the
voted levers are automatically returned to their original horizontal
position. As each lever returns, it causes a connected counter wheel within
the machine to turn one-tenth of a full rotation. The counter wheel, serving
as the "ones" position of the numerical count for the associated lever,
drives a "tens" counter one-tenth of a rotation for each of its full rotations.
The "tens" counter similarly drives a "hundreds" counter. If all mechanical
connections are fully operational during the voting period, and the
counters are initially set to zero, the position of each counter at the close
of the polls indicates the number of votes cast on the lever that drives it.
Interlocks in the machine prevent the voter from voting for more choices
than permitted.
Current Usage
Nationally, mechanical lever machines were used by 20.7% of voters in
the 1996 Presidential election. Trend is to replace them with computer
based Mark sense or Direct Recording Electronic systems.
Problem with Lever Machine
Lever-handle voting machines are subject to malfunctions that can
invalidate hundreds of votes
7
MTECH/SIT/SEMINAR/04/01
E-Voting
4. Postal
Step Of Postal Voting
•
•
•
•
Ordinary paper ballot is delivered to voters, by post
Paper ballot is returned by post for counting
Voters need to sign a declaration
They have to prove they are authorized to cast the vote posted
Problem
How sure we can be that only authorized citizens have cast their votes?
5. Punch Card (1964, Punched card voting (Votomatic))
Invented
Herman Hollerith invented a punchcard tabulation machine system for
statistical computation
Procedure for voting
Punch card systems employ a card (or cards) and a small clipboard-sized
device for recording votes. Voters punch holes in the cards (with a
8
MTECH/SIT/SEMINAR/04/01
E-Voting
supplied punch device) opposite their candidate or ballot issue choice.
After voting, the voter may place the ballot in a ballot box, or the ballot
may be fed into a computer vote-tabulating device at the precinct.
Two common types of punch cards are the "votomatic" card and the "data
vote" card. With the votomatic, the locations at which holes may be
punched to indicate votes are each assigned numbers. The number of the
hole is the only information printed on the card. The list of candidates or
ballot issue choices and directions for punching the corresponding holes
are printed in a separate booklet. (Today’s "votomatic" cards are the direct
descendents of the original punchcard developed from a concept
introduced by political scientist and former government administrator Dr.
Joseph P. Harris) With the datavote, the name of the candidate or
description of the issue choice is printed on the ballot next to the location
of the hole to be punched. The tabulation may be done either by a
computer equipped with a standard punched-card reader or by an
electromechanical tabulating machine.
Feature
•
•
•
•
Voters with a stylus punch holes in cards to register their votes
Mechanical machines counted automatically
Punch card election results have been very solid in recounts
Ambiguous ballots ("hanging chads") are extremely rare
Problem
•
•
•
•
•
•
It is common to notice a few pieces of chad accumulating in areas
where Votomatic ballots are being processed, and each of these
may represent a vote added to some candidates total by accident
Systems have reliability problem
Cards can be checked manually
Poor user interface the punch card voting device
Centralized handling and ballot counting they require
Use of secret, proprietary software to do the counting
The problems with punch-card ballots became well known after the state
of Florida’s 2000 US Presidential Election. Because voters might not completely
remove punch-card holes, it can be unclear from a punch card what the voter
intended. Unlike permanent markings on paper, punch-card ballots are susceptible
to accidental voters have lost faith in them, which makes them unacceptable.
After the Florida elections served to destroy voter confidence in punch-card
systems, the US government passed a law encouraging states to replace their
9
MTECH/SIT/SEMINAR/04/01
E-Voting
punch card and mechanical-lever systems. The Help America Vote Act of 2002
(HAVA) allocated US$3.86 billion for election upgrades. According to the
HAVA act, US states that accept funds must replace their existing punch card and
mechanical-lever voting machines.
6. Optical Scanning (Mark sense)(~1970, Optical mark-sense ballots)
Invented
In 1937, IBM introduced the Type 805 Test Scoring Machine, sensing
graphite pencil marks on paper by their electrical conductivity
Procedure of Voting
In this system voters record their choices on a ballot card by filling in a
circle, rectangle or oval or by completing the arrow. They then either
place the ballot in a sealed box, or they feed it into a computer-tabulating
device at the precinct. The tabulating device reads the votes using “dark
mark logic,” selecting the darkest mark within a given set as the correct
vote. This technology has existed for decades.
Feature
•
•
Counts are quicker
Problems arise recounts of the ballot can still be done by hand
Problem
Error rates from using the wrong type of pencil
Misunderstanding the card
7. Phone
Provide voting either through a touch-tone system or through SMS text messages
on mobile phones. Authentication is achieved through the use of PIN and access
codes, which are mailed to voters ahead of the ballot
Telephone voting allows people to call different telephone numbers to indicate
preference for different options, or a voter might call one number and indicate a
preference by pressing buttons in a menu system. Its main drawback is the
difficulty in verifying the identity of the voter and in permitting only one vote per
person. Its chief advantage is the ease in getting people to participate.
10
MTECH/SIT/SEMINAR/04/01
E-Voting
Problem
Poor. Convenient but extremely unlikely to meet basic voting
requirements
The Fox TV Network used telephone voting to determine the winner of
the American Idol television talent contest.
In the case of the 2003 Ruben Studdard/Clay Aiken contest, another
drawback of telephone voting appeared. Viewers were asked to call a
number indicating their preference, but the telephone systems, presumably
two identical systems for counting votes, were operating very near
capacity for the duration of the voting period. Perhaps as a result, out of 24
million votes cast, Stoddard "won" by only 130,000 votes.
8.Electronic Machine Voting [EMV] (Direct Recording Electronic [DRE])
~1985, Direct-recording electronic voting (Electro vote 2000)
The most recent configuration in the evolution of voting systems are
known as direct recording electronic, or DRE. They are an electronic
implementation of the old mechanical lever systems. As with the lever
machines, there is no ballot; the possible choices are visible to the voter on
the front of the machine. The voter directly enters choices into electronic
storage with the use of a touch-screen, push buttons, or similar device. An
alphabetic keyboard is often provided with the entry device to allow for
the possibility of write-in votes. The voter’s choices are stored in these
machines via a memory cartridge, diskette or smart card and added to the
choices of all other voters.
Consists of a normal computer or more often a specially designed
electronic 'kiosk' in the polling booth Use buttons or a touch screen votes
are made which are stored in an electronic memory Recounts are not
possible
In 1996, 7.7% of the registered voters in the United States used some type
of direct recording electronic voting system.
Advantages
DRE voting systems are often favored because they can incorporate
assistive technologies for handicapped people, allowing them to vote
without involving another person in the process
They can also offer immediate feedback on the validity of a particular
ballot so that the voter can have an opportunity to correct problems if they
are noticed.
11
MTECH/SIT/SEMINAR/04/01
E-Voting
Challenges DRE have to fulfilled
1. How voter can verify the vote?
Mercuri Method
The Mercuri Method of electronic voting, described by Rebecca Mercuri,
addresses the problem by having the voting machine print a paper ballot or
receipt that is verified by the voter before being dropped into a ballot box.
Brazil uses the Mercuri Method for elections.
The paper is treated as a ballot, it is primary and the electronic records are
used for recounts and audits. If the paper is treated as a receipt or audit
trail, it would then be used for recounts, if necessary because of legal
challenges, or on a random sampling basis to ensure the integrity of the
process.
David Chaum proposes a solution to the repeatability and verifiability
issues that allows the voter to verify that the vote is cast appropriately and
that the vote is counted. He proposes a two-layer printout from a DRE
voting machine (Chaum, 1988). The layers, when combined, show the
human-readable vote. The voter selects one layer to destroy at the poll and
takes the other layer as a receipt, and the voter can verify that his
particular vote was counted with that receipt, but the actual vote cast is
thoroughly encrypted. The chief drawback to Chaum's method is that the
cryptographic mathematics involved are not understood by most
observers, election officials, legislators, and procurement officials.
12
MTECH/SIT/SEMINAR/04/01
E-Voting
Source: Safevote Inc.
2. Presentation of Information on Voting Machine
Another challenge for DRE systems is a requirement in some areas that
the entire ballot be presented to the voter simultaneously, so the voter can
"vote for President, then vote for dog catcher, then leave," according to
Rebecca Mercuri in a November 14, 2003 presentation. DRE systems in
those areas need particularly large screens to accommodate all choices.
Problem
•
•
•
•
DREs (direct recording electronic voting machines) are costly.
There is no clear reason to trust a DRE vote count.
DREs fail to prove that the vote stored in the machine is really
what the voter saw and confirmed on the screen.
DREs may behave as ideal “con machines” for voters.
13
MTECH/SIT/SEMINAR/04/01
E-Voting
•
•
•
A DRE has no witness to its acts but itself.
Open source software does not guarantee accuracy and
reliability – bugs, fraud, virus, Trojan horses and faults can still
influence
9. Remote Electronic Voting [REV] (Online Voting) ~2000, Internet voting
With Internet voting people cast their ballots online, generally via a web
interface, although email voting has occasionally been tried. With web
voting the voter navigates to the proper election site using a web browser
on an ordinary PC and authenticates him or she to see the appropriate
blank ballot form presented onscreen. The voter then fills out the ballot
form and, when satisfied, clicks the "cast vote" button to send the
completed ballot back to the election server
Some corporations routinely use Internet voting to elect officers and Board
members and for other proxy elections. However, its use for public
elections where the security, privacy, and audit ability standards are much
higher, is generally considered prohibitively dangerous because, besides
all of the dangers of ordinary electronic voting, there are additional severe
security problems inherent in the PC and in the Internet that have no good
solutions with current technology
The main weakness of the PC architecture is its vulnerability to malicious
code, which can be introduced through a hundred different channels to
interfere with voting in lots of ways, many of them undetectable. The
voter may be prevented from voting, or the privacy of the vote might be
compromised, or the vote might be altered before transmission without the
voter's knowledge, etc
The weaknesses of the Internet include its vulnerability to many kinds of
denial of service attacks, spoofing attacks, and man-in-the-middle attacks,
which could lead to massive, selective voter disenfranchisement, or to
automated vote buying and selling. Attacks on Internet voting systems can
be launched remotely from anywhere in the world, and might change the
results of elections undetectably; or if the attack is detected, there may be
no way to correct the tally
Because of these security concerns the U.S. military cancelled the
SERVE program (Secure Electronic Registration and Voting Experiment)
in early 2004 that would have allowed military personnel and overseas
citizens of eight states to vote online in the 2004 presidential election.
Voter privacy and anonymity are also hard to maintain.
14
MTECH/SIT/SEMINAR/04/01
E-Voting
U.S. Voting Methods 2000-2004
•Punched-card (32%)
•Optical scan (28%)
•Lever (16%)
•DRE (12%)
•Paper (1%)
•Indeterminate: (11%)
•Optical scan (34%)
•DRE (31%)
•Lever (14%)
•Punched-card (14%)
•Paper (1%)
•Indeterminate: (6%)
________________________________________________________________________
Convenience vs. security
In the past, changes in the election process have proceeded deliberately and judiciously,
often entailing lengthy debates over even the minutest detail. These changes have been
approached with caution because discrepancies with the election system threaten the very
principles that make our society democratic.
Michael Shamos devised the Six Commandments of Electronic Voting. Although stated
humorously, the assertions made are intended to be taken seriously. The commandments
are in estimated order of importance, judged by statutes and willingness of election
officials to compromise on the various requirements
Six commandments of electronic voting
1. Keep each voter's choices an inviolable secret
2. Allow each eligible voter to vote only once, and only for those offices for which
she is authorized to cast a vote
3. Not permit tampering with thy voting system, nor the exchange of gold for votes
4. Report all votes accurately
5. Voting system shall remain operable throughout each election
6. Keep an audit trail to detect sins against Commandments 2-4, but thy audit trail
shall not violate Commandment 1
15
MTECH/SIT/SEMINAR/04/01
E-Voting
Voters’ trust in elections comes from a combination of the Mechanisms and procedures
we use to record and tally votes, With a plain paper-based voting system, voters can rely
on some aspects of the process based solely on their own actions and observations.
Voters know that the ballot they cast accurately reflects their intent because they can
examine that ballot themselves. Furthermore, they know that a physical record of their
vote exists. That record cannot be destroyed, lost, or tampered with without leaving some
physical evidence. Voting systems that do not produce a physical record, such as
mechanical-lever and electronic-voting machines, create additional trust issues. We lose
transparent verifiability and must trust that the machines function correctly. This expands
the scope of trust from the local election officials to include the manufacturers who make
those machines as well as the people and processes used to inspect, maintain, and operate
them.
Electronic voting also increases the potential for large-scale fraud. If many voting
machines run the same software, and no mechanisms exist for voters to verify their votes
are recorded correctly or for election officials to conduct a meaningful recount, an
intentional or accidental flaw in that software can irrevocably affect an election’s
outcome.
Voting interfaces
When it comes to voting, usability and security are closely intertwined. An election’s
integrity depends on the recorded votes accurately reflecting the voter’s intent. This could
be compromised either by tampering with the recording of voter intent or by interfaces
that increase the probability that the recorded votes will not accurately reflect the voter’s
intent. A notorious example is the butterfly ballot design used in Palm Beach County,
Florida, in the 2000 US presidential election, which made it easy for voters to mistakenly
record their intent. This design used the votomatic punch-card ballot, which makes it
difficult for voters to verify that their ballot reports their intent. One report estimated that
2,000 votes in Palm Beach that were intended for Democratic candidate Al Gore were
mistakenly recorded for Republican candidate Pat Buchanan.
A voter interacts with a DRE machine through a user interface, often using a touchscreen display. The goal of minimizing voter error can increase the voting machine
software’s complexity and conflict with ease of use. For example, DRE machines can
require a voter to confirm an undervote, but this requires an additional step from the
voter. Complex interfaces also make pre-election ballot reviews more difficult. With
paper ballots, it is easy to print and publicly review sample ballots before an election.
With DRE equipment, it is harder to review the ballot presentation because it is in the
form of a complex user interface. A series of screenshots can’t capture an interface fully,
and ballot issues might not be apparent without conducting test votes using the DRE
machines (which exposes the machines and raises other security issues). These issues
were apparent in the recent California gubernatorial recall election in which DRE
machines in Alameda County were programmed so that voters could not view the
16
MTECH/SIT/SEMINAR/04/01
E-Voting
instructions after they began voting. This might have increased the number of voters who
voted against the recall but did not cast a vote for a replacement candidate, even though
they were allowed to do so. Recent studies conducted in Georgia and Maryland
concluded that although most voters can use DRE machines without difficulty, a
significant proportion of voters, especially older ones, required assistance. The Carl
Vinson Institute of Government conducted a public opinion telephone survey to study
voter confidence in DRE machines in Georgia.4 They found that fewer than 2 percent of
responders reported difficulties in using DRE touch-screen machines. A University of
Maryland study conducted an exit poll on voters using Diebold’s AccuVote-TS touchscreen DRE machines in two counties in Maryland. Three percent of voters encountered
technical problems with the machines, 7 percent reported that they were not easy to use,
and 9 percent asked for assistance using the machines. Difficulty with the interface was
correlated with age and education. Twentyone percent of the voters 65 years or older
asked for help; the lowest age group asking for help was those 35 to 49, who asked for
help 5 percent of the time. The youngest voters, ages 18 to 24, were second highest in
asking for help at 16 percent, but this might be largely due to inexperience with voting in
general. Of those with no college experience, 18 percent asked for assistance. Voters with
a four-year degree or some college experience asked for help 9 percent of the time, and
only 8 percent of voters with graduate school education asked for help. The amount of
assistance required does play a role in voter trust in a voting system because that help will
usually come from a poll-site worker. Voters who ask for he risk compromising their
anonymity, and voters who need assistance might be reluctant to ask for it because of this
or just personal embarrassment. This study’s results indicate that many voters who did
not ask for help received help anyway. This likely indicates that these voters were closely
observed by poll-site workers trying to help, which some voters might interpret as a
violation of privacy.
Vote Recording
Given a user interface that voters believe lets them enter their vote without error, DRE
machines’ trustworthiness depends on how accurately the recorded vote reflects the
entered vote. The trust citizens place in DRE machines depends on their experience using
them as a voter and their understanding (or misunderstanding) of how the machines and
the surrounding process works.
One of the reasons voters’ trusts DRE machines is their surface resemblance to ATMs.
After all, if we can trust an electronic machine to count money, surely we can trust it to
count votes. The fallacy in this argument is the difference in accountability. With an
ATM machine, the user receives a paper receipt as well as a monthly bank statement. If
any discrepancies exist, the customer can dispute the statement with the bank—in the US,
it is the bank’s responsibility to prove the transaction record is correct. With a DRE
machine, there is no receipt, no transaction statement, and no way for a voter to dispute
the recorded results.
The Maryland study5 asked voters if they felt confident that their vote was recorded
according to their intent, and 10 percent of respondents did not feel confident that their
17
MTECH/SIT/SEMINAR/04/01
E-Voting
vote was accurately recorded. The study also asked voters if they trusted the mechanicallever or punch-card system used in previous elections. Compared to 90.7 percent of
voters who trusted the DRE machines used in the election just conducted, only 70.5
percent of voters trusted the mechanical-lever or punch-card system they used in previous
elections.
DRE machines’ actual trustworthiness depends on many properties that are invisible to
the voter. Unlike paper-based voting systems where voters can personally examine the
physical record of their vote and deposit it in a secure ballot box, voter trust in DRE
equipment depends on trusting the voting machine hardware and software in combination
with the people and procedures designed to safeguard it.
Increasing trust
Several mechanisms have been proposed to provide voters with increased confidence that
their vote is cast as intended and that the votes are tabulated correctly. The procedures
protecting the voting process as well as the actual
Process can enhance trust. A particular design decision’s impact on security is often
different from the impact perceived by typical voters. Measures that increase the
perception of security often do not significantly increase actual security. To perform a
recount electronically for votes that only exist as data on a computer, the trusted official
can push a recount button, but because this is merely recounting the electronically
recorded votes, it provides little actual benefit. Independently stored audit records that
record each individual vote can provide somewhat more trust enhancement but only
against computational counting mistakes or careless fraud that modifies only the vote
totals and not the audit records. These recounts have little security benefit against
accidental or malicious programming errors in the vote recording process because they
can affect both the counts and audit records.
We can use verification procedures to increase confidence in voting machines. In
paperless voting systems, the voters depend entirely on the voting machine to record their
votes correctly. Although officials are rapidly phasing out mechanical-lever machines, it
is instructive to consider the procedures necessary to adequately verify a mechanicallever machine and compare those to the difficulties of verifying DRE equipment.
The value of any certification process depends on procedures to ensure that the machines
used are identical to the machines that were certified. With mechanical-lever machines,
we can use a tamper evident seal to ensure that the machine’s mechanics cannot be
tampered with without detection. With DRE machines, however, this is a much harder
problem. Unlike mechanical tampering, software changes are not obviously apparent.
Because ballot definition files must be loaded into the machine, there must be a way of
changing what is in the machine’s memory and any changes to the voting machine code
will not be apparent. Although election procedures are designed to limit access to voting
machines to trusted election officials, voting machines are often kept in insecure
locations. Procedures in Alameda County for the recent California recall election left
18
MTECH/SIT/SEMINAR/04/01
E-Voting
voting machines unattended in insecure poll sites with ballots loaded for several days
before the election.
In addition to certification, officials test voting machines at poll sites. These tests, known
as logic-and-accuracy tests typically involve poll workers casting a series of test votes on
voting machines and then checking that the
reported tally is consistent with the entered votes. Testers might make mistakes when
entering numerous votes, so if the reported tally is off by one, this might not raise alarm.
Because the number of test votes is limited by the testers’ patience, it is unlikely that
testers would detect malicious voting software that records the first few hundred votes
correctly and then incorrectly counts later votes.
Another approach uses automated testing. This increases the number of votes possible
and reduces the chances of testing mistakes. However, it makes the testing easily
distinguished from normal use by the software and
lets a clever programmer inject a bug that appears only in normal use—some DRE
machines even specify a test mode, so that the tests run different code from production
use. Testing procedures specify when officials should do the logic and accuracy tests,
generally before and after the election, but not during it. Malicious software could be
programmed to count votes correctly at all times except during the middle of election
days.
Voter-verifiable ballots
One way to decrease the trust voters must place in voting machine software is to let
voters physically verify that their intent is recorded correctly. Rebecca Mercuri has
proposed a method for voter-verifiable ballots. After a
voter has finished making selections using a DRE machine, the machine prints out a
paper ballot that contains the voter’s selections for each choice. The printed ballot is kept
behind a window to prevent voters from having any opportunity to tamper with it. Voters
can examine the ballot and confirm that it accurately reflects their selections. If voters
approve the ballot, they press a button to confirm their vote and observe the printed ballot
drop into an opaque ballot box. If voters do not approve the ballot, they must consult a
poll worker to void the ballot and vote again. This process provides voters with a high
degree of confidence that their intended vote was accurately recorded. The paper ballots
also provide a mechanism for validating results reported by the electronic voting
machine. They can be manually counted or electronically counted to confirm the results if
there is a dispute regarding the election results. Some elections should also be randomly
selected for counting paper ballots.
Voter-verifiable paper ballots eliminate the need to trust the voting machine software to
correctly record the voter’s intent. Furthermore, they provide voters with substantially
increased confidence that their intended vote will be counted. They are not, however,
without cost. The need to support printing and collection of paper ballots increases the
maintenance costs and election complexity for the poll workers. Voters must perform two
steps to complete their vote: the first confirmation prints the ballot, and the second
19
MTECH/SIT/SEMINAR/04/01
E-Voting
confirmation casts the vote and deposits the ballot in the ballot box. With a fully
integrated voting booth, it would be possible to include a curtain that opens only after the
second confirmation is complete. Without this, voters might assume they are finished
after the first confirmation and the next voter would have an opportunity to examine the
previous voter’s ballot and decide whether to cast it or void it. Another issue that must be
considered carefully is that there are now two potentially contradictory records of the
election: the data stored in the DRE machine and the paper ballots. Any discrepancies
between the results reported by the DRE machine and the paper audit count must be
examined carefully and would likely lead to controversies. Except in cases where
evidence of tampering with the paper ballots exists, the paper ballots should be
considered the official record of the election because the voters had an opportunity to
confirm that they recorded their intent correctly.
IEEE (Voting Equipment Standards) - Project 1583
Project P1583 is charged with development of a standard of requirements and evaluation
methods for election voting equipment. The standard will provide technical specifications
for electronic, mechanical, and human factors that can be used by manufacturers of
voting machines or by those purchasing such machines.
Project Scope & Purpose
P1583 was approved on June 14, 2001 with the following scope and purpose:
Scope
Develop a standard for the evaluation of election voting equipment.
Purpose
The purpose of this project is to develop an evaluation standard for election voting
equipment. The standard will provide technical specifications for electronic, mechanical,
and human factors that can be used by manufacturers of voting machines or by those
purchasing such machines. The tests and criteria developed will assure equipment:
· Accessibility
· Accuracy
· Confidentiality
· Reliability
· Security
· Usability
20
MTECH/SIT/SEMINAR/04/01
E-Voting
References
1. Voting: What Is, What could Be, Cal Tech – MIT Voting Technology Project
Report, July 2001; www.vote.cal-tech.edu/Reports/.
2. K. Zetter, “Time to Recall E-Vote Machine” 6th Oct. 2003,
http://www.wired.com/news/
3. Voting Accessibility Comparision (2001) National Organization on Disability
,Ws, DC
4. Electron Data Services, http://electiondataservices.com/
5. Federal Election Commission http:// fec.gov/index.html
6. Election commissioner of India http://www.eci.gov.in/EVM
7. http://www.govtalk.gov.uk/
8.
Sarah Granger – Trouble of E-Voting, Verifiability and Other Technical
Requirements for Online Voting Systems, German National Institute of
Metrology
9. E-VOTE AND PKI'S: A NEED, A BLISS OR A CURSE?, Sarah Granger –
Trouble of E-Voting , Universit_a degli Studi di Milano, Italy
21
MTECH/SIT/SEMINAR/04/01