Page 113 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida ( (z-lib.org (1)
P. 113
A Modular Voting Architecture (“Frog Voting”)
105
Of course, signatures work with paper systems also. The election officer might
stamp all of the relevant information on the top of the ballot. When the vote
is cast, the ballot is placed in a paper sleeve that only shows the top part. The
election administrator would then sign the top of the ballot without observing
the votes to certify that everything about the ballot (precinct, etc.) is correct.
The voter’s anonymity is nonetheless protected. Her ballot is identified only
by the name (or identification number) of the election official who authorized
her to vote, and the identity of the vote-casting machine that digitally signed
her vote. As long as a reasonable number of voters fall into each such category,
anonymity is ensured.
8 Postscript and Discussion
This section provides some comments on this proposal based on what has hap-
pened in the years 2001–2008.
The “electronic ballot marker” (essentially the vote-capture device as de-
2
scribed here) has appeared on the market; the Automark is one example. Pro-
posed federal standards for certifying electronic ballot markers are given in the
Voluntary Voting System Guidelines [4]. However, the federal government is
not yet proposing certifying voting system components, only complete voting
systems.
This proposed federal standard also prescribes the use of digital signatures
for use with voting system records, in a manner similar to what is proposed in
this paper. Digital signatures do however need to be handled carefully. It should
not be the case that a voter can be disenfranchised by malicious software that
intentionally produces invalid digital signatures. Invalid digital signatures should
cause an alarm to be raised for election officials to investigate, to see if there
is additional evidence supporting the hypothesis that a ballot (or collection of
ballots) is fraudulent. But the failure of a signature verification should probably
not by itself be enough to invalidate a ballot.
The standards requisite for information interchange between voting system
components is developing, most notably in the Election Markup Language
(EML) [1].
The present paper could perhaps have benefitted from the useful terminology
in the proposed VVSG [4], distinguishing between voting systems having direct
verification (i.e., with the voters own eyes, as for paper ballots), and indirect
verification (i.e. through the mediation of some device).
Another useful term introduced in [4] is that of “software independence” (see
also [3]); a voting system is said to be “software independent” if it is not the
case that an undetected software error can cause an undetectable change in
the election outcome. The system proposed in the present paper is software
independent when the ballots support direct verification; otherwise (when the
vote-casting device is necessary for the voter to confirm that her choices are
2
http://www.automarkts.com/
