The first government election to use a new cryptographic scheme that lets both voters and auditors check that votes were cast and recorded accurately will be held tomorrow in Takoma Park, MD.
Election controversies like the infamous Florida recounts during the 2000 U.S. presidential election have highlighted the need for more accountable voting technologies, especially for confirming the results of tight races. The system being used in Takoma Park, called Scantegrity, uses cryptography to confirm that votes were counted properly. Its inventors say the system could eliminate the need for recounts and provide better assurance that an election was conducted properly.
After votes are cast, Scantegrity lets voters check online to make sure that their ballots were counted correctly. Officials and independent auditors can also check to make sure ballots were tallied properly–without seeing how any individual voted.
To a voter, Scantegrity shouldn’t present much of a change, explains David Chaum, who invented the system and who previously founded an early electronic-currency corporation called Digicash. A voter takes a paper ballot and fills in the bubble next to the name of his selected candidate, then feeds the ballot into a machine, which scans it and secretly records the result.
The difference is that a special type of ink and pen are used. When the voter fills in a bubble on the ballot using the pen, a previously invisible secret code appears in that space. The voter can record the code or codes and then check them later online. If the code is found in an online database, it means the voter’s ballot was counted correctly. Each ballot has its own randomly assigned codes, to prevent this process from revealing which candidates a voter selected.
Scantegrity lets auditors check other aspects of an election as well. First, it lets them confirm that the ballots are printed properly, because each ballot gets its own set of secret codes hidden in the bubbles. Prior to an election, officials can publicly commit to the codes that will be printed on the ballots. To make sure that this is done correctly, auditors choose half the ballots at random and fill in all the bubbles, making sure the codes match what was supposed to be printed. These test ballots are then discarded–but the process means it’s extremely likely that the rest of the ballots were printed correctly.
Scantegrity also shows an auditor whether votes were recorded correctly. To protect voter privacy, it’s never possible to link a specific ballot to a specific set of candidate names. But election officials provide two lists–a list of codes corresponding to votes and a list of the results. From the lists it’s possible to confirm that the codes do lead to the recorded votes without actually revealing how people voted. The effect, Chaum says, is to ensure that everything is secure from the time ballots are printed up until completion of the audit. “Without that,” he says, “it’s just a waste of time to recount [ballots].”
Scantegrity makes it possible to audit elections with much greater certainty than has been possible before, even with paper systems, according to Alan Sherman, an associate professor of computer science at the University of Maryland, Baltimore County, who is involved with the effort. “It’s fundamentally different, it’s fundamentally better with respect to outcome integrity,” he says.