Compared with modern touch-screen voting systems, it may seem low tech. But according to its creators, the scratch-and-vote (S&V) system is a good way to let voters check that their ballot papers have been counted as they intended.
Using a current touch-screen system, “there is no way for an individual voter to know that his or her vote has been properly counted,” says Josh Benaloh, a cryptographer who pioneered the development of cryptography in elections, and who now works for Microsoft Research in Redmond, WA. “Even election officials cannot be certain that the systems are free of errors.”
Some of these machines are now designed to print paper receipts for each vote that’s cast. This procedure is a little better, says Benaloh; but voters are still dependent on other people and procedures. “In practice, voters have no way to ensure that their votes are being counted properly or that they are being counted at all,” he says.
With encryption-based voting systems, end-to-end verifiability is possible, because any voter should be able to “audit” the entire voting process. At the same time, such auditing processes must be balanced against the need for anonymity, says Ben Adida at MIT’s Computer Science and Artificial Intelligence Laboratory. Adida created the S&V system with Ronald Rivest, professor of electrical engineering and computer science at MIT, who co-created RSA, one of the most widely used encryption algorithms.
Traditional paper-based systems do not provide sufficient anonymity because the unique number printed on the ballot to ensure that it is legitimate can be traced back to the voter’s name. Therefore, a number of researchers have tried using cryptographic techniques to keep a voter’s identity a secret while ensuring that all votes cast are legitimate.
The S&V approach builds on this idea and can be used in conjunction with a number of existing voting schemes. One recently proposed scheme, called Prêt-à-Voter, involves listing the candidates’ names in random order on one half of the ballot, with the tick boxes on the opposite side. After votes have been cast, a voter tears along a perforated line separating the list of names from the tick boxes. Developed by Peter Ryan at the University of Newcastle-upon-Tyne in England and David Chaum, a cryptographer who founded DigiCash, the system depends on a cryptographic code on the tick-box side of the ballot to encode the list of candidates’ names in the order they appeared on the original ballot.
The concern with this kind of system is how to ensure that the information encrypted matches the order of the candidates’ names. This can be achieved by giving each voter two ballot papers. The voters choose which ballot is audited and which they’ll use to cast their vote. This audit process tells them nothing about the validity of the ballot paper itself – but it does provide a 50:50 chance of spotting a rigged ballot paper. And, given such a high probability, illegitimate ballot papers would quickly show up in an entire electorate.
The S&V approach makes this auditing process secure because it allows a ballot paper to be checked without having to involve an election official (who in theory could be corrupt and tamper with a ballot). When applied to the Prêt-à-Voter scheme, S&V adds a scratch surface on the side bearing the candidates’ names, while the order of the candidates’ names is encoded cryptographically beneath the tick boxes. “This scratch surface is exactly like a lottery card,” says Adida.
To check that a ballot paper hasn’t been rigged, the voter simply scratches off the surface to reveal a number that can be combined with a number corresponding to the order of the names and a publicly available encryption key. In theory, voters could use cryptographic software at the poll to perform these operations; but in practice, trusted third-party organizations could provide a means for voters to check their ballot papers. If the codes match, the “audit” ballot is legitimate, and it should be okay to vote with the other ballot.
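The audit check described above, combined with the two-ballot choice from earlier in the piece, as an added example that is not code from the article or from the S&V authors. It assumes textbook ElGamal with toy parameters as a stand-in for the encryption scheme, which the article does not name; every function name and value is constructed for illustration.

```python
import random

# Constructed toy parameters: textbook ElGamal in a small group, standing in
# for whatever randomized public-key scheme a real deployment would use.
P = 2**127 - 1          # Mersenne prime, far too small for real use
G = 3

def encode_order(order):
    """Pack a candidate ordering such as [2, 0, 1] into the integer 312."""
    return int("".join(str(c + 1) for c in order))

def encrypt(pub, order, r):
    """Deterministic once r is fixed, which is what makes the audit possible."""
    return (pow(G, r, P), encode_order(order) * pow(pub, r, P) % P)

def make_ballot(pub, printed, encrypted, rng):
    """printed = order shown to the voter; encrypted = order hidden in the code.
    An honest printer uses the same order for both."""
    r = rng.randrange(2, P - 1)
    return {"printed": printed, "code": encrypt(pub, encrypted, r), "scratch": r}

def audit(pub, ballot):
    """Voter-side check: re-encrypt the printed order with the scratched-off
    number and the public key, then compare with the code on the ballot."""
    return encrypt(pub, ballot["printed"], ballot["scratch"]) == ballot["code"]

def cut_and_choose(pub, voters, rng):
    """Each voter gets one honest and one rigged ballot and audits one at
    random. Returns how many voters caught the rigged ballot."""
    caught = 0
    for _ in range(voters):
        order = rng.sample(range(3), 3)
        swapped = [order[1], order[0], order[2]]
        pair = [make_ballot(pub, order, order, rng),
                make_ballot(pub, order, swapped, rng)]
        if not audit(pub, rng.choice(pair)):
            caught += 1
    return caught

rng = random.Random(2024)                 # fixed seed for a repeatable demo
secret = rng.randrange(2, P - 1)          # held by election officials only
PUB = pow(G, secret, P)                   # published election key

if __name__ == "__main__":
    print(cut_and_choose(PUB, 1000, rng), "of 1000 rigged pairs caught")
```

Each voter catches a rigged ballot about half the time, so the chance that n rigged pairs all go unnoticed falls as 2^-n.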
An S&V system should also be useful in post-vote auditing, because all of the encrypted votes could be posted online. Once voters cast their ballots, by scanning them into a machine, they keep them as a receipt. Later, they can use this paper to check that their vote has been counted, by simply looking up their vote and seeing that the encryption code matches the one on their ballot paper.
Using scratch surfaces has been proposed before, says Ryan. But with the S&V system the scratch surface serves as a way of voiding the ballot. If it has been scratched off, it ensures that an audited ballot cannot be used.
The success of such a system will depend on more than its security features, however. Ultimately, it must be easy for voters to understand. Adida accepts that their system is complicated – but he’s unapologetic: “All this complexity is not gratuitous, it is necessary to make sure that you have a secret ballot.”
Michael Shamos, who carries out voting system evaluations, and is co-director of the Institute for eCommerce at Carnegie Mellon University in Pittsburgh, PA, says he has high hopes for cryptographic voting schemes like this one. Still, he believes it will be a challenge to get them adopted. Officials will need to understand and accept them and the public need to be persuaded of the benefits. “These are all tall orders,” he says. The cryptographic techniques that underlie them are complicated and may require officials to put their faith in the claims of mathematicians. “I wonder if legislators will ever be willing to do that,” he says.
Rivest is more optimistic. Legislators are already putting their faith in computer software that they don’t understand, he says. There is an irony that using encryption to make elections more transparent could make the underlying processes seem more complex, he says. Even so, Rivest is hopeful. “There is a trend in the U.S. for legislators to move toward paper-verified auditable trails,” he says. And this trend, he believes, is a step in the right direction.