The New York Times
Did Your Vote Count? New Coded Ballots May Prove It Did
March 2, 2004
By SARA ROBINSON
More than two centuries of elections in the United States have resulted in paper-based voting systems secured by a multitude of checks and procedures. New electronic voting systems require voters to trust computers and the people who program them, a trust that computer security experts say is unwarranted.
The subject is not hypothetical. Millions of voters will cast ballots on electronic machines today in the biggest test so far of the technology. To address security concerns, researchers are proposing new ways of voting that do not require voter trust in people or software.
"A trustworthy system of elections must rest on one central principle: trust no one," said Dr. Douglas W. Jones, a professor of computer science at the University of Iowa and a member of the Iowa Board of Examiners for Voting Machines and Electronic Voting Systems.
Devising such a system is challenging because it would have to satisfy opposing demands. Ideally, each voter should be able to verify that his vote was counted. But also, to ensure that voters could not show others how they voted, there could not be receipts or records of individual voters' actions.
While traditional paper ballot systems achieve secrecy, each voter has to trust election officials to include his ballot in the final tally. The process is secured by the opposing interests of the major political parties, which work together to monitor every step of the process.
Though this system works reasonably well, paper ballots have other problems, experts and voting officials say. People often mark them incorrectly, invalidating their vote, and the ballots are expensive to print and securely store.
Electronic machines are also favored by voters with certain disabilities, because audio functions and other special features allow them to vote unassisted. The problem with current all-electronic systems is that they can be compromised undetectably, and there is no reason to trust that they will correctly count votes, experts say. "It's not a matter of finding better programming languages or writing better software," Dr. C. Andrew Neff, a mathematician and the chief scientist of VoteHere, a company in Bellevue, Wash., said of electronic voting. "Computer systems are inherently insecure."
Thus, the only safe way to vote electronically, computer scientists say, is to use methods that do not require trust in complex software.
One such solution, soon to be mandated in several states, is a voter-verified paper trail.
Dr. Rebecca Mercuri, a research fellow at the John F. Kennedy School of Government at Harvard, proposed a method that would require voting machines to produce paper printouts of the filled-in ballots, which would be checked by voters before being deposited in the ballot boxes. Only the paper ballots would be counted, bypassing the need to trust the voting machine.
An alternative is the "frog" voting system, proposed in a working paper released by the Caltech/M.I.T. Voting Technology Project in 2001. An all-electronic version of this approach -- described by Dr. Rivest, Dr. Shuki Bruck of the California Institute of Technology and Dr. David Jefferson of Lawrence Livermore National Laboratory -- would use two different types of electronic voting machines and a simple memory card, the frog.
Before the election, each voter would get a frog filled with all the candidates and other ballot options. Using the first type of electronic machine, which could be at an office or local supermarket, the voter would make his choices, and they would be stored on the frog.
The day of the election, the voter would go to his precinct and take the second step: inserting the frog into a secured "vote caster" machine. That machine would read the frog and display the voter's choices on the screen. If he was satisfied, the voter would push a button and cast his vote. The frog would then be "frozen," so that its data could no longer be altered, and deposited in a ballot box as a backup record.
With frogs, as with a voter-verified paper trail, voters would still have to trust people to secure the counting process. Mathematical voting systems -- developed independently by Dr. Neff and Dr. David Chaum, an independent cryptographer and privacy expert -- would ensure that votes were correctly counted, even in the presence of untrustworthy machines and officials.
These systems, based on two decades of cryptography research, would simultaneously satisfy the opposing demands for ballot secrecy and voter records.
Dr. Josh Benaloh, a cryptographer at Microsoft Research, said he was confident that the two systems would be workable and that the security and privacy claims by Dr. Neff and Dr. Chaum were mathematically verifiable.
But other researchers said that the cryptographic approaches would be unlikely to be accepted because they were too complex for most voters to understand.
"You have to trust the cryptographer," said Dr. Jones of Iowa. "It may be that you could have a crypto-based voting technology that rests on something that could be understood by a high school senior. If that happens, I'll say `huzzah!' but I don't think we're there."
Dr. Benaloh disagreed. "You don't have to trust the cryptographer," he said. "If you're a conspiracy theorist, you can take the time to educate yourself and gain absolute trust in the system."