An independent research laboratory working under the supervision of a panel
                          of security and voting experts would develop the specifications of the vote-casting
                          device. These specifications would be public information, and the device could
                          be built by anyone.     A Modular Voting Architecture (“Frog Voting”)  103
                            The vote-casting equipment would not be divided into “test” mode and “real”
                          mode. The only difference between a “test” and a “real” election would be the
                          cryptographic keys inserted into the device.
                            The vote-casting device does not need to understand the races being run and
                          the candidates running for each race. The device merely displays the choices
                          recorded on the Frog, which would be recorded and displayed in a standard text
                          format, such as in the accompanying Figure 2. The voter would be able to scroll
                          up and down if necessary to see everything.


                          State of Massachusetts, Middlesex County, Precinct 11
                          Ballot Initialized by Election Official 10
                          Election Closes November 7, 2004 at 8pm EST
                          Ballot: MA/Middlesex/1; English; No rotation
                          You have chosen:
                              U.S. President: Mary Morris
                              U.S. Vice President: Alice Applebee
                              Middlesex Dog Catcher: Sam Smith (write-in)
                              Proposition 1 (Casino): FOR
                              Proposition 2 (Taxes): AGAINST
                              Proposition 3 (Swimming Pool): FOR

                           Fig. 2. An illustration of a possible format for the information recorded on a Frog


                            We feel that such standardization of electronic formats for ballots will be a
                          major step forward in the evolution of voting systems. It enables the separation
                          of vote capture and vote casting. It provides a path towards remote voting, when
                          and if the security of remote voting systems can be sufficiently ensured. It is both
                          human and machine-readable, and so forms a bridge between these worlds. It
                          enables different vendors to produce interoperable equipment for a voting system.
                          We repeat our previous concern that systems that do not produce a separate
                          (preferably physical) audit trail are prone to security problems.
                            Similarly, we feel that monolithic systems that try to incorporate everything
                          may compromise security.
                            So, our design places most of the complicated user interface software in the
                          vote-capture system, which is considered to be somewhat less “security-critical.”
                          It does need to be reviewed, but it might be acceptable to have such a device
                          contain proprietary code. The vote-capture system might even be run on newly
                          purchased computers or laptops which could then be sold after the election as
                          used equipment.
                            On the other hand, the security of vote-casting equipment is absolutely criti-
                          cal. This is the last chance for a voter to see her vote before it becomes a truly