Convened by the American Association for the
Advancement of Science
DIRECTIONS IN E-VOTING TECHNOLOGY
The Help America Vote Act (HAVA) has given NIST a key role in helping
to realize nationwide improvements in voting systems. To assist
the Election Assistance Commission (EAC) with the development of voluntary
voting system guidelines, HAVA established the Technical Guidelines Development
Committee (TGDC). NIST research in support of the TGDC includes:
- security of computers, computer networks, and computer data storage used in voting systems;
- methods to detect and prevent fraud;
- protection of voter privacy; and
- the role of human factors in the design and application of voting systems, including assistive technologies for individuals with disabilities (including blindness) and varying levels of literacy.
This research must take into consideration the often
diverging requirements of accessibility and usability (by both voters
and election officials) and security. From the perspective of voter accessibility,
paperless direct-recording electronic (DRE) machines offer significant
advantages over other voting technologies. The same seems to hold for usability
by election officials. However, there
is wide agreement in the academic community that it is beyond the state
of the art to verify the correctness of large complex programs or to establish
that they are free from malicious software. To most, but not all, security
experts this implies that we cannot trust stand-alone DREs.
By and large, this community has embraced the concept of voter verified
paper audit trails (VVPAT) as the straightforward near-term "fix" for
the security problems of DREs. The result has been laws requiring use of
voter verified paper audit trails in many states.
As currently deployed, the VVPAT fix has significant
accessibility and usability problems. There is much ongoing debate on
this important issue. However, it is also important to look beyond the
current state of affairs to technological innovations which might in the
end offer a better solution. Below I describe one promising area of research.
End-to-End Systems.
These systems give the voter the ability to verify that
his or her vote is included in the final count. To make this verification
possible, we generally assume that it is possible to post all votes on
a public bulletin board so that anybody can tally them.
The simplest way to achieve this is for the voter to
receive, at the time the vote is cast, a receipt for her vote. When all
the votes are posted, the voter can verify (using a unique identifier
printed both in the receipt and in the posted ballot) that her vote is
listed. If it is not, she can present the receipt to a voting authority
so that appropriate action can be taken. In order to prevent false receipts
from being presented, it must not be possible to forge valid receipts.
Fortunately, this is a well-solved problem. VVSG07 will likely require
electronic voting units to have strong cryptographic keys. With these
keys, the voting units would digitally sign each receipt they issue, so that
a receipt fabricated by someone else, or altered after it was issued, fails
verification. This is mature technology already in use for securing
financial transactions over the Internet.
Thus, digital signatures and public bulletin boards can
be used to enable voters to verify that their votes are counted as cast.
We note, however, that this does not by itself allow the voter to verify
that all posted votes are valid: she can confirm that her own vote is present,
but not that every posted vote belongs to a real voter. Careful monitoring of
the number of votes counted at each aggregation level (e.g., the precinct) is
still needed. Ballot stuffing can be prevented at the precinct level by the
presence of observers who verify that the total number of votes cast is equal
to the number of votes posted in the public bulletin board.
Although the method just described may be acceptable
to some jurisdictions, we note that a receipt showing how its holder voted
may facilitate coercion as well as allow buying and selling of votes. We now
discuss these two problems.
We first note that there is no perfect solution to these
problems. There are people who are vulnerable to coercion even if their
vote is absolutely secret. Similarly, person A may trust person B to honor
a contract to vote a particular way (for a fee). Thus, our goal is to
reduce the incidence of coercion and vote buying and selling. From this
perspective, it helps that these activities are illegal.
We first consider a number of simple palliative measures:
i) make receipts easily duplicable;
ii) allow voting units to issue valid receipts picked at random from a (sufficiently large) set of previously cast votes;
iii) put an open box near the voting booth where people can drop their receipts and/or take other people's receipts.
An additional measure is to engineer the voting unit
in such a way that issued receipts are shredded (rather than given to
the voter) half of the time. In this way, a voter who is being coerced can
always claim that she voted as ordered but her receipt was destroyed.
Proper implementation of the above techniques requires
careful engineering. For example, in the last technique it is better if
the voting unit does not know which receipts get destroyed; a unit that did
know could confine any tampering to the ballots whose receipts the voter
never gets to check.
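As an added example (not code from this statement, from NIST, or from any voting-system vendor), the following Python models the receipt scheme sketched above together with palliative measure (ii): a voting unit signs each receipt with its own key, the ballot is posted on a public board, the voter checks her receipt against the board, observers compare the number of votes cast with the number posted, and the unit can also hand out a genuine receipt for a random earlier vote. The Schnorr signature, the toy-sized group parameters generated at start-up, the receipt layout (unit id, ballot id, choice) and the sample election are all assumptions of this example; a real unit would use a standardized signature algorithm and key size.

```python
"""Signed receipts checked against a public bulletin board. Added example, not
NIST's or any vendor's code; the toy Schnorr group is far too small to be secure."""
import hashlib
import random
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test, used only to build the toy group."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_group(qbits=128, pbits=256):
    """Return (p, q, g): primes with q | p-1 and g of order q (toy sizes)."""
    rng, q, p, g = random.Random(2007), 0, 0, 1   # fixed seed: same group every run
    while not is_probable_prime(q):
        q = rng.getrandbits(qbits) | 1 << (qbits - 1) | 1
    while p.bit_length() != pbits or not is_probable_prime(p):
        k = rng.getrandbits(pbits - qbits) & ~1    # even k keeps p odd
        p = k * q + 1
    while g == 1:
        g = pow(rng.randrange(2, p - 1), k, p)
    return p, q, g

def _h(*parts):
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")

def sign(group, x, entry):
    p, q, g = group
    k = secrets.randbelow(q - 1) + 1              # fresh nonce per signature
    e = _h(pow(g, k, p), *entry) % q
    return e, (k + x * e) % q                     # Schnorr signature (e, s)

def verify(group, y, entry, sig):
    p, q, g = group
    e, s = sig                                    # genuine iff g^s * y^-e == g^k
    return 0 <= e < q and 0 <= s < q and _h(pow(g, s, p) * pow(y, q - e, p) % p, *entry) % q == e

class VotingUnit:
    """Posts each ballot to the shared board and hands the voter a signed receipt."""
    def __init__(self, unit_id, group, board):
        self.unit_id, self.group, self.board = unit_id, group, board
        self.x = secrets.randbelow(group[1] - 1) + 1  # private key never leaves the unit
        self.y = pow(group[2], self.x, group[0])      # public key, published before the election
        self.issued = []                              # (ballot_id, choice) of every vote cast here
    def _receipt(self, ballot_id, choice):
        entry = (self.unit_id, ballot_id, choice)     # exactly what gets posted on the board
        return {"entry": entry, "sig": sign(self.group, self.x, entry)}
    def cast(self, choice):
        ballot_id = secrets.token_hex(8)   # unique id printed on the receipt and the posted ballot
        self.board.append((self.unit_id, ballot_id, choice))
        self.issued.append((ballot_id, choice))
        return self._receipt(ballot_id, choice)
    def decoy_receipt(self):
        """Palliative (ii): a genuine receipt for a random previously cast vote."""
        return self._receipt(*secrets.choice(self.issued))

def check_receipt(group, pubkeys, board, r):
    y = pubkeys.get(r["entry"][0])                # the issuing unit's published key
    if y is None or not verify(group, y, r["entry"], r["sig"]):
        return "forged"    # no registered unit signed this; the complaint is rejected
    if r["entry"] not in board:
        return "missing"   # genuine receipt, vote not posted: take it to the authority
    return "counted"

def precinct_totals_match(board, units):
    """Observers' anti-stuffing check: votes cast on these units == votes posted for them."""
    ids = {u.unit_id for u in units}
    return sum(1 for u, _, _ in board if u in ids) == sum(len(u.issued) for u in units)

def demo():
    """Constructed sample election: three votes, a forgery, a decoy receipt, a dropped ballot."""
    group, board, out = generate_group(), [], {}
    unit = VotingUnit("precinct7-unit1", group, board)
    pubkeys = {unit.unit_id: unit.y}
    receipts = [unit.cast(c) for c in ("A", "B", "A")]
    out["honest"] = [check_receipt(group, pubkeys, board, r) for r in receipts]
    out["totals_before"] = precinct_totals_match(board, [unit])
    forged = dict(receipts[0], entry=receipts[0]["entry"][:2] + ("B",))  # real signature, other vote
    out["forged"] = check_receipt(group, pubkeys, board, forged)
    out["decoy"] = check_receipt(group, pubkeys, board, unit.decoy_receipt())
    board.pop()                              # the board operator silently drops the last vote
    out["dropped"] = check_receipt(group, pubkeys, board, receipts[2])
    out["totals_after"] = precinct_totals_match(board, [unit])
    return out
```

Running demo() shows the three honest receipts checking out, a receipt whose vote was edited after signing rejected as forged, a decoy receipt passing (so holding a valid receipt no longer proves how its holder voted, which is the point of measure (ii)), and the observers' count failing once a posted ballot disappears. Note that nothing here hides the vote on the receipt; that is exactly the coercion problem the palliatives only mitigate.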
Finally, we note that a variety of combinatorial and/or
cryptographic techniques can be used to provide end-to-end verifiable
voting. For some of these methods, the mathematics involved is too complex
for non-mathematicians to understand. Other end-to-end methods use simple
mathematics but require the voter to perform counter-intuitive steps.
However, there is no question that these methods are correct and provide
end-to-end voter verifiability, and hence offer great promise for the
future.