Electronic voting can be better than paper

The last few elections have seen more than their share of vote count scandals in the United States. The fix is probably easier than you think.

Beginning with hanging chads in the 2000 US Presidential election, the entire first decade of this century has been fraught with questionable voting practices. The highly publicized problems paper ballots had in Florida led to widespread moves to adopt electronic voting technologies across the country. Those attempts to step into the twenty-first century have met with mixed success, at best. In fact, that might be overstating the success quite a lot.

Diebold Election Systems, Inc. (DESI) was a subsidiary of Diebold, Inc. that became famous because of its major market share in the burgeoning electronic voting systems industry this century. It then became infamous because of its relentless secrecy about how its technology was designed and implemented, questions surrounding its procurement of major government contracts, and allegations that it was involved in skewing election results. Since then, the company has passed through a number of parent corporations and became Premier Election Systems.

DESI's legacy is severe damage to the reputation of electronic voting as a concept. Millions of Americans, to varying degrees, distrust the whole idea of electronic voting now. Many simply believe it cannot possibly be as trustworthy as paper ballot voting, ever. They are wrong.

The majority of proposed solutions to the problems already seen in electronic voting involve printed receipts. The electronic voting machines used in previous elections have proved difficult to audit and to keep honest because, when a voter presses buttons or touches a screen, there is no obvious indicator of what is going on inside the machine. For all the voter knows, it may discard the voter's selection and substitute something else for it. People reason that by having the machine print a tangible receipt, there is final, auditable proof that the vote cast was the vote registered.

This approach is trying to solve exactly the wrong problem. It is, in short, little more than security theater -- an attempt to provide the illusion and feeling of security, but with little substance to back it up. Unless the receipts themselves are actually the ballots, and must be inserted into a ballot box, all they prove is that the machine remembered the voter's selections. It does not prove those selections were what got registered for the final count. If a ballot is printed by the electronic voting machine, with no other alterations to the current system, all we have accomplished with the use of electronic voting machines rather than pens is the unnecessary payment of large sums of money to achieve the same result as paper ballots.

Electronic voting offers opportunities for improving the trustworthiness of the voting process far beyond the potential of paper ballot voting. Modern cryptography creates these opportunities. A video recording of a TED Talk by David Bismark, E-voting without fraud, offers the beginnings of an approach to verifiable voting procedures: each receipt carries a cryptographic representation of the vote, so the results can be published in full without linking any voter's name to a vote, and the voter can double-check later that his or her receipt appears in the published results.

Some, like the audience in that video, will be surprised by the simple fact that a little cryptographic technology offers a system wherein votes can be verified by those who cast the votes, using their receipts, without violating the anonymity of the voting process. The only problem is that it is still a relatively cumbersome process wherein voters will most likely never verify their votes. What surprises me about it is not the effectiveness of this solution, but the fact that it does not go nearly far enough.

For about three years I have been pondering a system for voting that is more easily verified, more comprehensively verifiable, and less prone to violating the anonymity protections of the system by simply observing the correspondence of the time a vote is cast and who was in the voting center at the time -- a potential weakness of Bismark's system. Perhaps more surprising to most people, the vast majority of voters could easily cast a vote without the government having to purchase and deploy expensive voting machines, staff polling locations all over town, or print any paper receipts at all. More to the point, we can have a completely verifiable system that protects voters' anonymity wherein they can cast their votes from home, using their Web browsers.

The key -- pun intended -- lies in the use of public key cryptography. The larger key sizes needed for public key (that is, asymmetric) cryptography to approach the strength of symmetric key cryptography pose little difficulty for this usage, because unlike the case of digitally signing, encrypting, and decrypting email on a regular basis, casting votes in a given election only happens once (in theory, at least). The process would look something like this:

  1. Each voter, at the time of registration to vote, generates a key pair that is stored on a USB flash media storage device.
  2. The public key IDs and their associated public keys are tracked by a public keyserver, just as how OpenPGP keys are often stored by people who wish to use them for digital signatures in email. The difference in this case is that the keyserver in question would only contain keys for the current election.
  3. The voter's key pair from step 1 is used to encrypt and "sign" the vote when it is cast in the browser. For added anonymity protection, the connection used to cast the vote can pass through an anonymizing system such as The Onion Router network (also known as Tor).
  4. Digitally signed votes are checked against the associated public keys, tallied, and published online for anyone who wants to get the complete voting results database.
  5. Each voter can verify that the votes he or she signed carry the vote selection values he or she chose.
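The five steps above, modelled as an added example that is not from the original post: registration produces a key pair and publishes only the public half on a per-election keyserver, the voter signs a choice, the tally verifies every signature against the keyserver (dropping altered, unregistered and duplicate ballots), and the voter checks the published ballot under his or her own key ID. Ed25519 signatures, the election label bound into each signature, and the `|`-separated message layout are my assumptions; the post names no algorithm, and the browser, the Tor path, and how the keyserver associates keys with registered voters are outside this model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
)

// Ballot is one cast vote: the signer's key ID, the choice, and a signature over both.
type Ballot struct{ KeyID, Choice string; Sig []byte }
// Election is one election's keyserver (step 2) plus its published ballots (step 4).
type Election struct {
	Name      string                       // constructed election label, bound into every signature
	Keyserver map[string]ed25519.PublicKey // key ID -> public key, for this election only
	Ballots   map[string]Ballot            // verified ballots by key ID, published for download
}
// Register models step 1: the voter generates a key pair; only the public half reaches the keyserver.
func (e *Election) Register() (ed25519.PrivateKey, string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) } // demo only: abort if the system entropy source fails
	id := hex.EncodeToString(pub) // the key ID the keyserver publishes
	e.Keyserver[id] = pub
	return priv, id
}
// signed is what a voter signs; binding election label and key ID stops replay across elections or keys.
func signed(election, id, choice string) []byte { return []byte(election + "|" + id + "|" + choice) }
// Cast models step 3: the voter signs the choice with the private key kept on their own device.
func Cast(election string, priv ed25519.PrivateKey, id, choice string) Ballot {
	return Ballot{KeyID: id, Choice: choice, Sig: ed25519.Sign(priv, signed(election, id, choice))}
}
// Tally models step 4: an unknown key, a signature that no longer matches (e.g. a choice altered in transit) or a key that already voted means the ballot is dropped, not counted.
func (e *Election) Tally(cast []Ballot) map[string]int {
	counts := map[string]int{}
	for _, b := range cast {
		pub, known := e.Keyserver[b.KeyID]
		if _, dup := e.Ballots[b.KeyID]; !known || dup || !ed25519.Verify(pub, signed(e.Name, b.KeyID, b.Choice), b.Sig) {
			continue
		}
		e.Ballots[b.KeyID] = b // published so anyone can re-run this verification
		counts[b.Choice]++
	}
	return counts
}
// VerifyOwn models step 5: the voter finds the published ballot under their key ID and checks its choice.
func (e *Election) VerifyOwn(id, choice string) bool {
	b, ok := e.Ballots[id]
	return ok && b.Choice == choice
}
```

Because every published ballot carries its signature, any downloader can repeat the Tally check, not just the voter who cast it.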

There are scads of fiddly details that need to be ironed out as part of the design, implementation, and deployment of this system, and while it should prove at least an order of magnitude cheaper than purchasing and deploying millions of electronic voting machines, it would certainly not be free. The basic premise is simple and straightforward to anyone who has a basic understanding of public key cryptography, though, and the benefits for relatively honest, transparent, verifiable elections are obvious and substantial.

Whether plurality voting within the current political system is the best approach or not -- and that is certainly open to debate -- the fact remains that it is difficult to honestly argue against the desirability of verifiably accurate vote counting without compromising anonymity protections. These are the goals for which people started trying to adopt electronic voting, and they could have been achieved by now if the task of pursuing those goals had been approached intelligently and honestly.

They are also the reasons that, after the failure of incredibly bad ideas for how to implement electronic voting, many people reject the whole concept of electronic voting. The irony of this is the fact that, in the end, electronic voting -- if implemented properly, using modern cryptographic technologies to ensure verifiability and protect anonymity -- is our only reasonable hope of restoring a little trustworthiness to the system right now.