Part of a series on |
Election technology |
---|
Technology |
Terminology |
|
Testing |
Manufacturers |
Related aspects |
Part of the Politics series |
Voting |
---|
Politicsportal |
End-to-end auditable or end-to-end voter verifiable (E2E) systems are voting systems with stringent integrity properties and strong tamper resistance. E2E systems often employ cryptographic methods to craft receipts that allow voters to verify that their votes were counted as cast, without revealing which candidates were voted for. As such, these systems are sometimes referred to as receipt-based systems. [1]
Electronic voting systems arrive at their final vote totals by a series of steps:
Classical approaches to election integrity tended to focus on mechanisms that operated at each step on the chain from voter intent to the final total. Voting is an example of a distributed system, and in general, distributed system designers have long known that such local focus may miss some vulnerabilities while over-protecting others.[ citation needed ] The alternative is to use end-to-end measures that are designed to measure the integrity of the entire chain. [2]
The failure of conventional optical scan voting systems to meet an end-to-end standard was pointed out in 2002. [3]
Comprehensive coverage of election integrity frequently involves multiple stages. Voters are expected to verify that they have marked their ballots as intended, recounts or audits are used to protect the step from marked ballots to ballot-box totals, and publication of all subtotals allows public verification that the overall totals correctly sum the ballot-box totals. [4]
While measures such as voter verified paper audit trails and manual recounts measure the effectiveness of some steps, they offer only weak measurement of the integrity of the physical or electronic ballot boxes. Ballots could be removed, replaced, or could have marks added to them without detection (i.e.,to fill in undervoted contests with votes for a desired candidate or to overvote and spoil votes for undesired candidates). This shortcoming motivated the development of the end-to-end auditable voting systems discussed here, sometimes referred to as E2E voting systems. These attempt to cover the entire path from voter attempt to election totals with just two measures:
Because of the importance of the right to a secret ballot, some E2E voting schemes also attempt to meet a third requirement, usually referred to as receipt freeness:
A researcher has argued that end-to-end auditability and receipt-freeness should be considered to be orthogonal properties. [5] Other researchers have shown that these properties can co-exist, [6] and these properties are combined in the 2005 Voluntary Voting System Guidelines promulgated by the Election Assistance Commission. [7] This definition is also predominant in the academic literature. [8] [9] [10] [11]
To address ballot stuffing, the following measure can be adopted:
Alternatively, assertions regarding ballot stuffing can be externally verified by comparing the number of ballots on hand with the number of registered voters recorded as having voted, and by auditing other aspects of the registration and ballot delivery system.
Support for E2E auditability, based on prior experience using it with in-person elections, is also seen as a requirement for remote voting over the Internet by many experts. [12]
In 2004, David Chaum proposed a solution that allows each voter to verify that their votes are cast appropriately and that the votes are accurately tallied using visual cryptography. [13] After the voter selects their candidates, a voting machine prints out a specially formatted version of the ballot on two transparencies. When the layers are stacked, they show the human-readable vote. However, each transparency is encrypted with a form of visual cryptography so that it alone does not reveal any information unless it is decrypted. The voter selects one layer to destroy at the poll. The voting machine retains an electronic copy of the other layer and gives the physical copy as a receipt to allow the voter to confirm that the electronic ballot was not later changed. The system detects changes to the voter's ballot and uses a mix-net decryption [14] procedure to check if each vote is accurately counted. Sastry, Karloff and Wagner pointed out that there are issues with both of the Chaum and VoteHere cryptographic solutions. [15]
Chaum's team subsequently developed Punchscan, which has stronger security properties and uses simpler paper ballots. [16] The paper ballots are voted on and then a privacy-preserving portion of the ballot is scanned by an optical scanner.
The Prêt à Voter system, invented by Peter Ryan, uses a shuffled candidate order and a traditional mix network. As in Punchscan, the votes are made on paper ballots and a portion of the ballot is scanned.
The Scratch and Vote system, invented by Ben Adida, uses a scratch-off surface to hide cryptographic information that can be used to verify the correct printing of the ballot. [17]
The ThreeBallot voting protocol, invented by Ron Rivest, was designed to provide some of the benefits of a cryptographic voting system without using cryptography. It can in principle be implemented on paper although the presented version requires an electronic verifier.
The Scantegrity and Scantegrity II systems provide E2E properties. Rather than replacing the entire voting system, as is the case in all the preceding examples, it works as an add-on for existing optical scan voting systems, producing conventional voter-verifiable paper ballots suitable for risk-limiting audits. Scantegrity II employs invisible ink and was developed by a team that included Chaum, Rivest, and Ryan.
The STAR-Vote system [18] was defined for Travis County, the fifth most populous county in Texas, and home of the state capital, Austin. [19] It illustrated another way to combine an E2E system with conventionally auditable paper ballots, produced in this case by a ballot marking device. [20] The project produced a detailed spec and request for proposals in 2016, and bids were received for all the components, but no existing contractor with an EAC certified voting was willing to adapt their system to work with the novel cryptographic open-source components, as required by the RFP. [21] [22]
Building on the STAR-Vote experience, Josh Benaloh at Microsoft led the design and development of ElectionGuard, a software development kit that can be combined with existing voting systems to add E2E support. The voting system interprets the voter's choices, stores them for further processing, then calls ElectionGuard which encrypts these interpretations and prints a receipt for the voter. The receipt has a number which corresponds to the encrypted interpretation. The voter can then disavow the ballot (spoil it), and vote again. Later, independent sources, such as political parties, can obtain the file of numbered encrypted ballots and sum the different contests on the encrypted file to see if they match the election totals. The voter can ask those independent sources if the number(s) on the voter's receipt(s) appear in the file. If enough voters check that their numbers are in the file, they will find if ballots are omitted. Voters can get the decrypted contents of their spoiled ballots, to determine if they accurately match what the voter remembers was on those ballots. The voter cannot get decrypted copies of voted ballots, to prevent selling votes. If enough voters check spoiled ballots, they will show mistakes in encryptions. [23] [24] ElectionGuard does not detect ballot stuffing, which must be detected by traditional records. It does not detect people who falsify receipts, claiming their ballot is missing or was interpreted in error. Election officials will need to decide how to track claimed errors, how many are needed to start an investigation, how to investigate and how to recover from errors, State law may give staff no authority to take action. [24] ElectionGuard does not tally write-ins, except as an undifferentiated total. It is incompatible with overvotes. [25] [23] [24]
The city of Takoma Park, Maryland used Scantegrity II for its 2009 and 2011 city elections. [26] [27]
Helios has been used since 2009 by several organizations and universities for general elections, board elections, and student council elections. [28] [29]
Wombat Voting was used in student council elections at the private research college Interdisciplinary Center Herzliya in 2011 and 2012, [30] [31] as well as in the primary elections for the Israeli political party Meretz in 2012. [32]
A modified version of Prêt à Voter was used as part of the vVote poll-site electronic voting system at the 2014 Victorian State Election in Australia. [33]
ElectionGuard was combined with a voting system from VotingWorks and used for the Fulton, Wisconsin spring primary election on February 18, 2020. [34]
The DRE-ip system was trialed in a polling station in Gateshead on 2 May 2019 as part of the 2019 United Kingdom local elections. [35] [36]
David Lee Chaum is an American computer scientist, cryptographer, and inventor. He is known as a pioneer in cryptography and privacy-preserving technologies, and widely recognized as the inventor of digital cash. His 1982 dissertation "Computer Systems Established, Maintained, and Trusted by Mutually Suspicious Groups" is the first known proposal for a blockchain protocol. Complete with the code to implement the protocol, Chaum's dissertation proposed all but one element of the blockchain later detailed in the Bitcoin whitepaper. He has been referred to as "the father of online anonymity", and "the godfather of cryptocurrency".
A voting machine is a machine used to record votes in an election without paper. The first voting machines were mechanical but it is increasingly more common to use electronic voting machines. Traditionally, a voting machine has been defined by its mechanism, and whether the system tallies votes at each voting location, or centrally. Voting machines should not be confused with tabulating machines, which count votes done by paper ballot.
Electronic voting is voting that uses electronic means to either aid or take care of casting and counting ballots.
In cryptography a blind signature, as introduced by David Chaum, is a form of digital signature in which the content of a message is disguised (blinded) before it is signed. The resulting blind signature can be publicly verified against the original, unblinded message in the manner of a regular digital signature. Blind signatures are typically employed in privacy-related protocols where the signer and message author are different parties. Examples include cryptographic election systems and digital cash schemes.
An electronic voting machine is a voting machine based on electronics. Two main technologies exist: optical scanning and direct recording (DRE).
Vote counting is the process of counting votes in an election. It can be done manually or by machines. In the United States, the compilation of election returns and validation of the outcome that forms the basis of the official results is called canvassing.
Voter verifiable paper audit trail (VVPAT) or verified paper record (VPR) is a method of providing feedback to voters using a ballotless voting system. A VVPAT is intended as an independent verification system for voting machines designed to allow voters to verify that their vote was cast correctly, to detect possible election fraud or malfunction, and to provide a means to audit the stored electronic results. It contains the name of the candidate and symbol of the party/individual candidate. While it has gained in use in the United States compared with ballotless voting systems without it, it looks unlikely to overtake hand-marked ballots.
A DRE voting machine, or direct-recording electronic voting machine, records votes by means of a ballot display provided with mechanical or electro-optical components that can be activated by the voter. These are typically buttons or a touchscreen; and they process data using a computer program to record voting data and ballot images in memory components. After the election, it produces a tabulation of the voting data stored in a removable memory component and as printed copy. The system may also provide a means for transmitting individual ballots or vote totals to a central location for consolidating and reporting results from precincts at the central location. The device started to be massively used in 1996 in Brazil where 100% of the elections voting system is carried out using machines.
The Mercuri method is the most popular and notable form of a voter verified paper audit trail (VVPAT). It is a modification to direct-recording electronic (DRE) voting machines to provide a physical paper audit record that may be used to verify an electronic vote count.
Electronic voting in Estonia gained popularity in 2001 with the "e-minded" coalition government. In 2005, it became the first nation to hold legally binding general elections over the Internet with their pilot project for municipal elections. Estonian election officials declared the electronic voting system a success and found that it withstood the test of real-world use.
ThreeBallot is a voting protocol invented by Ron Rivest in 2006. ThreeBallot is an end-to-end (E2E) auditable voting system that can in principle be implemented on paper. The goal in its design was to provide some of the benefits of a cryptographic voting system without using cryptographic keys.
Punchscan is an optical scan vote counting system invented by cryptographer David Chaum. Punchscan is designed to offer integrity, privacy, and transparency. The system is voter-verifiable, provides an end-to-end (E2E) audit mechanism, and issues a ballot receipt to each voter. The system won grand prize at the 2007 University Voting Systems Competition.
An optical scan voting system is an electronic voting system and uses an optical scanner to read marked paper ballots and tally the results.
Prêt à Voter is an E2E voting system devised by Peter Ryan of the University of Luxembourg. It aims to provide guarantees of accuracy of the count and ballot privacy that are independent of software, hardware etc. Assurance of accuracy flows from maximal transparency of the process, consistent with maintaining ballot privacy. In particular, Prêt à Voter enables voters to confirm that their vote is accurately included in the count whilst avoiding dangers of coercion or vote buying.
The Voluntary Voting System Guidelines (VVSG) are guidelines adopted by the United States Election Assistance Commission (EAC) for the certification of voting systems. The National Institute of Standards and Technology's Technical Guidelines Development Committee (TGDC) drafts the VVSG and gives them to the EAC in draft form for their adoption.
Scantegrity is a security enhancement for optical scan voting systems, providing such systems with end-to-end (E2E) verifiability of election results. It uses confirmation codes to allow a voter to prove to themselves that their ballot is included unmodified in the final tally. The codes are privacy-preserving and offer no proof of which candidate a voter voted for. Receipts can be safely shown without compromising ballot secrecy.
Bingo voting is an electronic voting scheme for transparent, secure, end-to-end auditable elections. It was introduced in 2007 by Jens-Matthias Bohli, Jörn Müller-Quade, and Stefan Röhrich at the Institute of Cryptography and Security (IKS) of the Karlsruhe Institute of Technology (KIT).
The Verified Voting Foundation is a non-governmental, nonpartisan organization founded in 2004 by David L. Dill, a computer scientist from Stanford University, focused on how technology impacts the administration of US elections. The organization's mission is to “strengthen democracy for all voters by promoting the responsible use of technology in elections.” Verified Voting works with election officials, elected leaders, and other policymakers who are responsible for managing local and state election systems to mitigate the risks associated with novel voting technologies.
Helios Voting is an open-source, web-based electronic voting system. Users can vote in elections and users can create elections. Anyone can cast a ballot; however, for the final vote to be counted, the voter's identification must be verified. Helios uses homomorphic encryption to ensure ballot secrecy.
Direct Recording Electronic with Integrity and Enforced Privacy (DRE-ip) is an End-to-End (E2E) verifiable e-voting system without involving any tallying authorities, proposed by Siamak Shahandashti and Feng Hao in 2016. It improves a previous DRE-i system by using a real-time computation strategy and providing enhanced privacy. A touch-screen based prototype of the system was trialed in the Gateshead Civic Centre polling station on 2 May 2019 during the 2019 United Kingdom local elections with positive voter feedback. A proposal that includes DRE-ip as a solution for large-scale elections was ranked 3rd place in the 2016 Economist Cybersecurity Challenge jointly organized by The Economist and Kaspersky Lab.