First Test for Election Cryptography
Novel voting technology will be used in a local government election.
The first government election to use a new cryptographic scheme that lets both voters and auditors check that votes were cast and recorded accurately will be held tomorrow in Takoma Park, MD.
Election controversies like the infamous Florida recounts during the 2000 U.S. presidential election have highlighted the need for more accountable voting technologies, especially for confirming the results of tight races. The system being used in Takoma Park, called Scantegrity, uses cryptography to confirm that votes were counted properly. Its inventors say the system could eliminate the need for recounts and provide better assurance that an election was conducted properly.
After votes are cast, Scantegrity lets voters check online to make sure that their ballots were counted correctly. Officials and independent auditors can also check to make sure ballots were tallied properly–without seeing how any individual voted.
To a voter, Scantegrity shouldn’t present much of a change, explains David Chaum, who invented the system and who previously founded an early electronic-currency corporation called Digicash. A voter takes a paper ballot and fills in the bubble next to the name of his selected candidate, then feeds the ballot into a machine, which scans it and secretly records the result.
The difference is that a special type of ink and pen are used. When the voter fills in a bubble on the ballot using the pen, a previously invisible secret code appears in that space. The voter can record the code or codes and then check them later online. If the code is found in an online database, it means the voter’s ballot was counted correctly. Each ballot has its own randomly assigned codes, to prevent this process from revealing which candidates a voter selected.
Scantegrity lets auditors check other aspects of an election as well. First, it lets them confirm that the ballots are printed properly, because each ballot gets its own set of secret codes hidden in the bubbles. Prior to an election, officials can publicly commit to the codes that will be printed on the ballots. To make sure that this is done correctly, auditors choose half the ballots at random and fill in all the bubbles, making sure the codes match what was supposed to be printed. These test ballots are then discarded–but the process means it’s extremely likely that the rest of the ballots were printed correctly.
Scantegrity also shows an auditor whether votes were recorded correctly. To protect voter privacy, it’s never possible to link a specific ballot to a specific set of candidate names. But election officials provide two lists–a list of codes corresponding to votes and a list of the results. From the lists it’s possible to confirm that the codes do lead to the recorded votes without actually revealing how people voted. The effect, Chaum says, is to ensure that everything is secure from the time ballots are printed up until completion of the audit. “Without that,” he says, “it’s just a waste of time to recount [ballots].”
Scantegrity makes it possible to audit elections with much greater certainty than has been possible before, even with paper systems, according to Alan Sherman, an associate professor of computer science at the University of Maryland, Baltimore County, who is involved with the effort. “It’s fundamentally different, it’s fundamentally better with respect to outcome integrity,” he says.
Because Scantegrity is an open system, the results of an election can be verified by completely independent auditors. Ben Adida, a fellow at Harvard University’s Center for Research on Computation and Society, who is not involved with Scantegrity, plans to perform an audit to check the tallied results of the Takoma Park election. “The real issue with voting systems that don’t have end-to-end verification is that you’re quibbling and arguing about stuff, but you have no proof,” Adida says.
In the case of the Florida elections, for example, Adida notes that voters could have been encouraged to use the system to make sure their votes were counted, and candidates could have checked the tallies.
Scantegrity is “the best of its kind that I’ve seen,” adds Ben Bederson, an associate professor of computer science at the University of Maryland, College Park, who has studied election technologies extensively. “It strikes a pretty good balance of usability, security, and understandability, compared to other systems.”
However, Bederson worries that the system may be too complicated for some voters. His research group has studied election auditing systems and found that “any verification significantly increases voters’ need for help.” Bederson is also concerned that, if voters need more help or take longer to cast votes, the system could contribute to higher costs for elections or long lines that might cause some people to give up and leave without voting.
“I hate to be critical of something that is so well-intended and is likely to actually increase security, but I don’t think this is likely to be deployable on a large scale,” Bederson says.
Nevertheless, Anne Sergeant, chair of the Takoma Park board of elections, says it’s important for people to be able to check that their votes are counted as cast.
Before trying Scantegrity in an official election, the city held a mock vote in April to work out kinks in the system. In that test, she says, about 30 percent of participants went home and used the system to verify their votes. Sergeant says that Scantegrity representatives talked extensively with voters and election officials after the April test and have improved their system accordingly. “I hope we can provide an experience where people walk away and say, ‘That was awesome,’” she says. “It’s a goal to which we aspire.”