
E-Voting: Trust but Verify

This article was published in Scientific American’s former blog network and reflects the views of the author, not necessarily those of Scientific American


With the Presidential elections looming up, some have been asking why the United States is not making more of electronic voting. It’s being adopted in many other countries around the world, with India, Brazil, Estonia, Norway and Switzerland as notable examples. However, the United States has several examples in recent years where it has backed out of electronic voting that it had already implemented.

For example, in 2010, a trial system for remote voting over the Internet in Washington DC (known as the “Digital vote by mail”) was shown to be vulnerable when a research team from the University of Michigan penetrated it, demonstrating how a real attack could render any results unsound without detection. The team documented the attack in a recent paper.

So who is right?




First, it’s important to differentiate between the types of e-voting. To some it means using controlled kiosks in polling stations which collect the votes locally. For others it means those kiosks sending the votes to some central collection system. To others, e-voting is about being able to vote remotely, typically over the Internet. In all cases, the key element of e-voting is that the vote is captured and processed electronically. This has several perceived benefits:

  1. More people will be minded to vote. This has obvious advantages as the turnout in developed democracies around the world is often very disappointing, except in countries where it is a legal requirement to vote, such as Australia.

  2. Accessibility: technology can assist blind and partially sighted voters, and those with mobility impairments, to cast their vote. It can also offer instructions in a range of languages without the cost of printing large numbers of ballot forms in each language.

  3. Handling votes at long distances can be done much more quickly and reliably. Voters can vote from anywhere in the world without the need to post ballots or ship ballot boxes.

Given that we already do online banking and shopping, and even remotely vote for popular TV shows, what’s so different about electing our politicians through electronic voting?

It comes down to two principles which are peculiar to these types of elections:

  1. Guarantee of integrity with verifiability: an individual who votes needs to be sure that their vote was cast for the person they intended, and has been lodged appropriately. Stories abound from some voters that a system they were using has thanked them for casting their vote for a candidate that they didn’t believe they had voted for, and they have not been able to rectify the situation. There will always be tension within this principle, as security and usability are often seen as opposing forces in system design.

  2. Secrecy: online transactions at present, including voting for your favourite act on a TV show, will involve some form of receipt so that the user can see if something has gone wrong. In a voting system, issuing this kind of thing means that some form of audit trail will also be formed, which can tie your action (how you voted) to you personally. Obviously this is something you don’t want in a “secret ballot”. This is possibly the hardest aspect to “guarantee” in an electronic system.

The key difference between this and, say, online banking rests on the fact that we can check bank statements and retain records of transactions, which lets us catch any errors and unauthorised transactions. We can’t do this for voting systems because of the need for ballot secrecy, so we have to trust the voting system instead. This is like running your bank account without getting statements or receipts, and trusting the bank to keep track of your balance accurately.

The Holy Grail for electronic voting is “verifiability” which provides the highest level of trust by publishing the election data in a way that can be checked independently. Finding a way to do this is a challenge, but some systems have been proposed which make use of cryptography to secure votes while preventing them from being changed, whilst allowing vote processing to be done in an open and verifiable way.

Scantegrity were the first to run a municipal election in this way, at Takoma Park in November 2009 (and again in 2011), which was independently audited and resulted in no serious objections. Similarly, Helios has run several verifiable elections over the Internet, the largest being for the election of the Recteur (Principal) of the Catholic University of Louvain in Belgium.

Another voter-verifiable system is Prêt à Voter, originally proposed by Peter Ryan of the University of Luxembourg, and which is currently being implemented by the University of Surrey. In Prêt à Voter, “verification” comprises publishing each step in the election process, from the point where the vote is first cast right through to the final tally. It’s just like paper based elections where observers can see votes physically placed in the ballot boxes and watch that they are not tampered with throughout the collection and counting process.

Prêt à Voter makes use of cryptographic techniques to preserve the secrecy of the ballot. It secures the information so that it cannot be tampered with, nor can the person who cast the vote claim it wasn’t them that made a specific vote. All of this is done in such a way that voters can track their vote without providing a casual observer with the linkage between individuals and a specific vote. The processing steps come with mathematical proofs that the votes have been processed, decrypted and tallied correctly.
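A toy model of the receipt idea described above, added here as an illustration; it is not code from the original article or from the Prêt à Voter project. It assumes the ballot layout of the published scheme (candidates printed in a per-ballot shifted order, with the voter keeping only a serial number and the marked row); the function names are hypothetical, and an HMAC under a single authority key stands in for the encrypted "onion", with the mix tellers and their correctness proofs left out.

```python
import hashlib
import hmac
import secrets

CANDIDATES = ["Alice", "Bob", "Carol", "Dave"]  # constructed sample ballot

def printed_order(serial: str, key: bytes) -> list:
    """Candidate order printed on one ballot form: a hidden cyclic shift.
    Assumption: HMAC(key, serial) replaces the real scheme's encrypted onion."""
    digest = hmac.new(key, serial.encode(), hashlib.sha256).digest()
    shift = int.from_bytes(digest, "big") % len(CANDIDATES)
    return CANDIDATES[shift:] + CANDIDATES[:shift]

def cast(serial: str, key: bytes, choice: str) -> tuple:
    """Voter marks the row beside their choice, then the candidate column is
    destroyed. The receipt is only (serial, row), which names no candidate."""
    return (serial, printed_order(serial, key).index(choice))

def verify_receipt(receipt: tuple, board: list) -> bool:
    """Any voter can check that their receipt is on the public board unchanged."""
    return receipt in board

def tally(board: list, key: bytes) -> dict:
    """Only the key holder can map each (serial, row) back to a candidate."""
    counts = {name: 0 for name in CANDIDATES}
    for serial, row in board:
        counts[printed_order(serial, key)[row]] += 1
    return counts

def demo():
    key = secrets.token_bytes(32)                      # authority secret
    votes = ["Bob", "Bob", "Carol", "Alice", "Bob"]    # constructed votes
    receipts = [cast(f"ballot-{i:04d}", key, v) for i, v in enumerate(votes)]
    board = list(receipts)                             # published for all to see
    all_present = all(verify_receipt(r, board) for r in receipts)
    # A posted entry altered after the fact no longer matches the voter's receipt.
    serial, row = board[0]
    tampered = [(serial, (row + 1) % len(CANDIDATES))] + board[1:]
    tamper_detected = not verify_receipt(receipts[0], tampered)
    return tally(board, key), all_present, tamper_detected

if __name__ == "__main__":
    print(demo())
```

In this reduced form the count itself still depends on trusting the key holder; the mathematical proofs the article mentions are what remove that dependency in the full scheme.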

It’s clear that successful e-voting systems work on the principle of “assume voters will trust but allow them to verify if they wish”. As more e-voting is implemented using this principle it will become something demanded by voters, as it is not just an automated version of the current manual systems, but something that offers truly verifiable democracy. In an era when people are jaded about the political process, that must surely be a good thing.

 

Professors Steve Schneider and Alan Woodward are at the Department of Computing in the University of Surrey, UK. Alan writes extensively in the wider press trying to explain cyber security to those who have little or no computing experience. Steve is an investigator currently working on an initiative entitled "Trustworthy Voting Systems", funded by the UK Engineering and Physical Sciences Research Council. Both specialise in security, where Steve has built an international reputation in the analysis and verification of protocols, and Alan has become well known for his work in analysing the cyber threat, and forensics. Alan continues to spend part of his time outside of the University advising organisations, including governments, on cyber security.
