Page 16 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida ( (z-lib.org (1)
P. 16
E. Gerck
8
Electronic Voting
4.1
The state-of-the-art, and recently a legal requirement in some jurisdictions, with
electronic voting is called voter-verified audit paper trail (VVAPT) [24, 31]. The
VVAPT is a printout of the final voting screen with all the votes confirmed by
the voter.
The purpose of the examination of the VVAPT by the voter is to verify
that the selections shown on the VVAPT are identical to the selections shown
to the voter on the final voting screen. However, unknown sampling by voters
(it is unknown whether enough voters verify) and violation of voter privacy to
report a problem (see end of Section 4) have been noted [19]. This method also
eventually discloses all the cast ballot choices, which is vulnerable to “voter
pattern fingerprinting” (see Section 7.1).
More critically, and in spite of its name, the VVAPT does not allow the voter
to verify that the vote was stored correctly. This denies reliance on the voter in
detecting a malfunction as a way to prevent fraud —a programmer can make the
printout and the screen seen by the voter coincide exactly, and yet a different
result is stored for tallying.
TheVVAPT may beused ina hand recount, or as the actual ballot for hand
counting the votes (the machine count would just provide a knowingly-unreliable
indication of the vote count). However, if all that one has is a paper ballot, it
may make more sense in terms of cost, time, human errors and fraud prevention
factors to use optical-scan paper ballots in the first place.
4.2 Optical-Scan Paper Ballots
The state-of-the-art in paper ballots is the optical-scan paper ballot. Some partic-
ipants in this dialogue consider that there is no better way to vote. For example,
California Secretary of State Debra Bowen said in a Keynote address at USENIX
2008 that “Voting and counting paper ballots are things that all citizens can un-
derstand and in the case of random hand tallies, something that all citizens can
observe and understand”. [39]
There are two types of optical-scan ballots: voter-filled and machine-printed
[19]. In either case, a voter is able to visually verify the voted ballot before
casting the vote, which may be done for example by postal mail or by inserting
it in an optical-scan unit. A visually-impaired voter may not be able to read or
mark the ballot, but that type of voter may use an audio assist unit.
Optical-scan ballots may be recounted by hand or on an independently-
managed computer system, and thus are considered adequate [19] to provide
the basis for a recount, either partial or full, to check the initially reported
results.
We question this conclusion for a number of reasons.
First, the consideration that optical-scan ballots can be used as the au-
diting source for the ballots themselves, even if recounted by hand or on an
independently-managed computer system, is at odds with the basic principle in
auditing —independent verification. A record cannot be used to audit itself. A
