The computer ate my vote

Abstract

Public confidence in voting technologies has been badly shaken over the past years by, amongst other events, the problems with the 2000 and 2004 US presidential elections and the 2007 French presidential election. Serious vulnerabilities have been exposed and documented in all the existing electronic voting systems. Many of these systems use proprietary, protected code and the voters and election officials are expected to take assurances of the suppliers and certifiers on trust. In the face of this, many activists argue that all voting systems employing information technology in place of humans to process the votes must be flawed and we should return to pen-and-paper along with hand counting. The critiques of existing voting technologies are undoubtedly well-founded, but to infer from this that all technology must be flawed is an elementary error of logic. In this chapter, I present an alternative response and describe schemes that derive their trustworthiness from maximal transparency and auditability. Designing voting systems that provide high levels of assurance of accuracy and ballot secrecy with minimal trust assumptions is an immensely challenging one. The requirements of accuracy and auditability are in direct conflict with those of ballot secrecy. A voting system must deliver high assurance of accuracy and privacy in a highly hostile environment: the system may try to cheat the voters, voters may try to circumvent the system, officials may try to manipulate the outcome and coercers may attempt to influence voters. Furthermore, we must recognise that this is not a purely technical problem: a technically perfect solution that is not usable or does not command the confidence of the voters is not a viable solution. Recently significant progress has been made and a number of schemes developed that provide verifiability of the election. These seek to provide end-to-end verifiability of the outcome, i.e., the accuracy of the outcome is independent of the code or hardware that implements the ballot processing. The assurance is derived from maximal transparency and auditability. Voters are provided with mechanisms to check that their vote is accurately included in the final tally, all the while maintaining ballot secrecy. Thus, the assurance depends ultimately on the voters rather than the probity of election officials, suppliers of voting systems, etc. In this chapter, I describe the requirements for voting systems, the required cryptographic building blocks and a variety of threats they have to deal with. I then describe the Prêt à Voter scheme, a particularly voter-friendly example of a voter-verifiable, high assurance scheme. I also describe a number of enhancements to the basic scheme that are designed to counter those threats to which the basic version of Prêt à Voter is potentially vulnerable. © 2010 Springer-Verlag London.