About the SA Blog Network

Guest Blog

Guest Blog

Commentary invited by editors of Scientific American
Guest Blog HomeAboutContact

E- Voting: Trust but Verify

The views expressed are those of the author and are not necessarily those of Scientific American.

Email   PrintPrint

With the Presidential elections looming up, some have been asking why the United States is not making more of electronic voting. It’s being adopted in many other countries around the world, with India, Brazil, Estonia, Norway and Switzerland as notable examples.   However, the United States has several examples in recent years where it has backed out of electronic voting that it had already implemented.

For example, in 2010, a trial system for remote voting over the Internet in Washington DC (known as the “Digital vote by mail”) was shown to be vulnerable, when it was penetrated by a research team from the University of Michigan, demonstrating how a real attack could render any results unsound, without detection. The attack was documented in a recent paper by researchers from the University of Michigan.

So who is right?

First, it’s important to differentiate between the types of e-voting.  To some it means using controlled kiosks in polling stations which collect the votes locally. For others it means those kiosks sending the votes to some central collection system.  To others, e-voting is about being able to vote remotely, typically over the Internet.  In all cases, the key element of e-voting is that the vote is captured and processed electronically.  This has several perceived benefits:

  1. More people will be minded to vote.  This has obvious advantages as the turnout in developed democracies around the world is often very disappointing, except in countries where it is a legal requirement to vote, such as Austrlia.
  2. Accessibility: technology can assist blind and partially sighted voters, and those with mobility impairments, to cast their vote.  It can also offer instructions in a range of languages without the cost of printing large numbers of ballot forms in each language.
  3. Handling votes at long distances can be done much more quickly and reliably.  Voters can vote from anywhere in the world without the need to post ballots or ship ballot boxes.

Given that we already do online banking and shopping, and even remotely vote for popular TV shows, what’s so different about electing our politicians through electronic voting?

It comes down to two principles which are peculiar to these types of elections:

  1. Guarantee of integrity with verifiability: an individual who votes needs to be sure that their vote was cast for the person they intended, and has been lodged appropriately. Stories abound from some voters that a system they were using has thanked them for casting their vote for a candidate that they didn’t believe they had voted for, and they have not been able to rectify the situation. There will always be tension within this principle, as security and usability are often seen as opposing forces in system design.
  2. Secrecy: online transactions at present, including voting for your favourite act on a TV show, will involve some form of receipt so that the user can see if something has gone wrong.  In a voting system, issuing this kind of thing means that some form of audit trail will also be formed, which can tie your action (how you voted) to you personally.  Obviously this is something you don’t want in a “secret ballot”.  This is possibly the hardest aspect to “guarantee” in an electronic system.

The key difference between this and, say, online banking rests on the fact that we can check bank statements and retain records of  transactions, which lets us catch any errors and unauthorised transactions.   We can’t do this for voting systems because of the need for ballot secrecy, so we have to trust the voting system instead.   This is like running your bank account without getting statements or receipts, and trusting the bank to keep track of your balance accurately.

The Holy Grail for electronic voting is “verifiability” which provides the highest level of trust by publishing the election data in a way that can be checked independently.  Finding a way to do this is a challenge, but some systems have been proposed which make use of cryptography to secure votes while preventing them from being changed, whilst allowing vote processing to be done in an open and verifiable way.

Scantegrity were the first to run a municipal election in this way, at Takoma Park in November 2009 (and again in 2011), which was independently audited and resulted in no serious objections.  Similarly, Helios has run several verifiable elections over the Internet, the largest being for the election of the Recteur (Principal) of the Catholic University of Louvain in Belgium.

Another voter-verifiable system is Prêt à Voter, originally proposed by Peter Ryan of the University of Luxembourg, and which is currently being implemented by the University of Surrey.   In Prêt à Voter, “verification” comprises publishing each step in the election process, from the point where the vote is first cast right through to the final tally.  It’s just like paper based elections where observers can see votes physically placed in the ballot boxes and watch that they are not tampered with throughout the collection and counting process.

Prêt à Voter makes use of cryptographic techniques to preserve the secrecy of the ballot.  It secures the information so that it cannot be tampered with, nor can the person who cast the vote claim it wasn’t them that made a specific vote.  All of this is done in such a way that voters can track their vote without providing a casual observer with the linkage between individuals and a specific vote.    The processing steps come with mathematical proofs that the votes have been processed, decrypted and tallied correctly.

It’s clear that successful e-voting systems work on the principle of “assume voters will trust but allow them to verify if they wish”. As more e-voting is implemented using this this principle it will become something demanded by voters, as it is not just an automated version of the current manual systems, but something that offers truly verifiable democracy. In an era when people are jaded about the political process, that must surely be a good thing.


Steve Schneider and Alan Woodward About the Author: Professors Steve Schneider and Alan Woodward are at the Department of Computing in the University of Surrey, UK. Alan writes extensively in the wider press trying to explain cyber security to those who have little or no computing experience. Steve is an investigator currently working on an initiative entitled “Trustworthy Voting Systems”, funded by the UK Engineering and Physical Sciences Research Council . Both specialise in security where Steve has built an international reputation in the analysis and verification of protocols, and Alan has become well known for his work in analysing the cyber threat, and forensics. Alan continues to spend part of his time outside of the University advising organisations, including governments, on cyber security. Follow on Twitter @ProfWoodward.

The views expressed are those of the author and are not necessarily those of Scientific American.

Comments 12 Comments

Add Comment
  1. 1. Alex_masselot 11:19 am 06/19/2012

    Evoking has not been adopted by Switzerland. It is tested, for some votations, in some cantons. The risk/benefit ratio is not clear for e majority of the citizens. The main “remote” voting system is snail mail for most of the voters and stillhas plenty of advantages.

    Link to this
  2. 2. BaldEgalitarian 11:36 am 06/19/2012

    Voting a month or so before results are posted might give time to receive a verifying statement and rectify any discrepancies.

    Link to this
  3. 3. Stranger 11:48 am 06/19/2012

    Mathematicians should be employed in designing any e-voting system. And ‘Applied Cryptography’ by Bruce Schneier must be a handbook for system designer.

    Link to this
  4. 4. JamesDavis 11:56 am 06/19/2012

    I think the political parties know that once e-voting comes on line with encrypted security, finger prints identifications, and user passwords (your voter registration number) and systems that can keep track of the voters (name, address and such) just like a secure bank can with your transactions, political parties know that they no longer can ‘stuff the ballet box’ or toss out a ballot because they say they cannot read the pencil marks or buy a judge off to declare them the winner, there may be more honest politicians coming into elections and more honest people wanting to cast their vote. Pay Pal bank can already do that with their banking system and there is no reason you cannot do the same thing with a voting booth. The best thing about electronic voting, the vote can be counted as soon as it is cast and the voter can see who that vote was cast for, and if there is a conflict, the voter can recall their ballet and a booth helper can help them recall their vote and then cast it for whomever they want. If the ballot makes the same mistake again, the ballot can be renewed and the voter can start over, and you can cast your vote from where ever you are in the world.

    Link to this
  5. 5. RDH 12:30 pm 06/19/2012

    Voting should be at least as hard as buying a beer. If someone cannot be bothered to get out and vote the old fashioned way, who cares what their vote might have been?

    But if we are going to do this, then I want to be in charge of the servers and software. Oh, and the virus writing people the Obama admin outed in the Stuxnet virus case. I want to be in charge of them too.

    I fell a landslide coming! And once again it is going my way.

    Link to this
  6. 6. MadScientist72 1:22 pm 06/19/2012

    @ JamesDavis – It sounds like you don’t remember the 2004 US presidential election, when the president of Diebold – who manufactures e-voting machines – promised to ‘deliver’ Ohio to George Bush.

    Link to this
  7. 7. LarryW 1:33 pm 06/19/2012

    One other key element not discussed is the need for national IDs (including biometrics) which guarantees voter eligibility (and likely access to government benefits generally).

    The e-voter technology will be viewed as easy compared to the need for a national ID system.

    Link to this
  8. 8. tucanofulano 3:13 pm 06/19/2012

    “Trust But Verify” – You must mean there are those who are not to be trusted; this is exactly the point of photo ID at the polls, or “chop” (thumbprint) on a touch-screen, or video voting on the net, etc.

    Link to this
  9. 9. gmperkins 12:07 am 06/20/2012

    @LarryW I feel that is the crux of the problem, Americans don’t want a secure ID for themselves. They fear it will allow “them” to track them and what not (even though their current info is so freely dispersed all over by themselves and the companies that exploit it). Fear of new technology really. The argument of “all the data will be centralized” is silly since the Government already collects all the data centrally via taxes and other means. A secure citizen ID would make many things much easier, more secure and more cost effective.

    Link to this
  10. 10. bbsimons 5:09 pm 06/20/2012

    As Doug Jones and I show in our book “Broken Ballots: Will Your Vote Count?”, Internet voting is far too dangerous to be used in any major election. Schneider and Woodward appear to argue that cryptographically based systems can be safely used for Internet voting and that such systems can offer “truly verifiable democracy”. One of the examples they cite of such a system is Helios. Yet, Ben Adida, the developer of Helios, has publicly stated: “All the verifiability doesn’t change the fact that a client side corruption in my browser can flip my vote even before it’s encrypted.” Adida further observed that powerful viruses like Stuxnet illustrate that critical Internet-based elections would be vulnerable to attack.

    The authors also mention the all too common argument: “Given that we already do online banking and shopping, and even remotely vote for popular TV shows, what’s so different about electing our politicians through electronic voting?” But they then neglect to educate the reader about how millions of dollars are stolen annually from online bank accounts. The banks quietly cover the losses, since online banking still saves them the costs of paying for additional teller windows and tellers.

    The authors also ignore many other threats to Internet voting, including massive denial of service attacks and the inability to conduct a recount, should the announced results be questioned.

    Encryption-based voting schemes may be fine to use for relatively unimportant elections. But they should not be deployed for any major U.S. elections. As Ron Rivest, the “R” in RSA has observed, “Coming up with ‘best practices for Internet voting’ is like coming up with ‘best practices for drunk driving.’ You don’t really want to go there.”

    Barbara Simons

    Link to this
  11. 11. John.Sebes 5:42 pm 06/21/2012

    Good-on-yer to the authors for saying “This is like running your bank account without getting statements or receipts, and trusting the bank to keep track of your balance accurately.” However, to fully understand how e-banking is not a good model for voting, there are two follow-on points:
    1) With e-banking there are real financial losses from real unauthorized transactions, and there is a responsible party (the bank) for reversing them.
    2) In voting, there is no one like the bank who can take responsibility for reversing an unauthorized transaction;
    once your secret ballot has been cast (by you or anyone else) and counted (as intended by you or not) you cannot reverse your votes.

    Achieving both ballot secrecy and fraud prevention is a big job even for in person voting on paper ballots. Doing both with Internet voting from home computers, in elections run by US counties’ election officials, obeying all election law and regulation in force today … a nearly insurmountable task.

    – John Sebes
    Open Source Digital Voting

    Link to this
  12. 12. 8:38 pm 09/6/2012

    With this is of technology, we cannot deny that casting of votes can be possibly done thru the internet. It may sound impossible to some voters but online voting has make its toll for a more easy election. Although this process has been carefully studied, there are also some people who are not convinced about the accuracy of it. There are also some secrecy issues where the vote and the identity of the voter may be jeopardize. This online voting shoudl be resolved properly, giving the people the trust and confidence in order to give the country a clean and honest election.

    Link to this

Add a Comment
You must sign in or register as a member to submit a comment.

More from Scientific American

Email this Article