By Dan Wallach on 2 Nov 2009.
Takoma Park, Maryland, for its local election today, is embarking on something of a radical experiment. They’re using Scantegrity‘s verifiable voting technology. The “normal” voter’s experience is that they get what looks like a standard optical-scan bubble ballot, but the bubbles have invisible ink in them that reveal a code when the voter selects the bubble with the proper pen. Voters can optionally write down these codes and use them later to verify their ballot appears on a public web site, yet without being able to prove how they’ve voted to anybody else. MIT Tech Review has nice summary of how it works.
Cryptographer Ben Adida, who is unaffiliated with the Scantegrity project or any other party in the election, has agreed to act as an independent auditor of the election. Working from nothing but the public specifications of how the system works, he’s independently verifying that the results are correct.
It’s important to note that, for this particular election technology, the votes are being cast on traditional paper ballots that could always be counted, recounted, or otherwise inspected manually. That’s not strictly necessary for election security — our own VoteBox system works more like a paperless electronic voting system and has the same security guarantees as Scantegrity — but it’s essential when rolling out a new technology where a real election with real politicians’ careers is at stake. We need to know that real elections can be really verified, and we need a fallback position if the crypto somehow goes wrong.
Of course, for these technologies to truly get out of the lab and into the field, we can’t expect Ben Adida to personally verify every election, worldwide, nor should we trust him to. What we can expect is that tools that Adida and others like him build will be picked up and used by local election watchers, party officials, news outlets, and the like. We’re not there yet, but we’re on our way.
(Note: Truly, the first ever binding e2e election was a web-based election for the president of a Belgian university, based on Adida’s Helios system (full paper). This used similar cryptographic mechanisms, but no web-based election system can ever have the coercion resistance or privacy guarantees of voting in a classical voting booth.
Edit: The University of Ottawa Graduate Students Association had a binding e2e election in 2007 using PunchScan, a predecessor to Scantegrity.)