Page 92 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida ( (z-lib.org (1)
P. 92
J.A. Goler and E.J. Selker
84
separated from the user interface, then a greater variety of assistive user interface
are possible to aid visually or physically impaired voters.
Changes in technology have solved or pushed security issues to different points
in the election process. For example, lever machines simultaneously eliminated
the individual ballots, which made counting less error-prone, while introducing
the possibility of manipulation of the odometers on the machines. Both punch
cards and optical-scan ballots permitted the ease of counting (and manipula-
tion at the counting level) but maintained the both the logistical difficulty and
integrity of individual ballots. So, large-scale fraud became possible, and if no
alert was raised, the original count was not compared to the individual ballots.
DRE systems eliminated ballots and provided immediate feedback to the
voter, allowing voters to correct problems with their votes. DRE feedback re-
duced the residual (voter error) rate to 0.4%, an improvement of over 50% over
optical scan ballots [3]. However, the elimination of individual ballots prevents
a meaningful audit trail.
A solution to security vulnerabilities posed by various mechanical and elec-
trical voting systems is SAVE (Secure Architecture for Voting Electronically).
SAVE is resilient to faults and malicious actors while maintaining voting secrecy
requirements. The primary principle of SAVE is that there can be no single point
of failure after the ballot leaves the control of the voter. It is modular, such than
an election commission can select a variety of modules from vendors, assemble
them, add the desired user interfaces and have a system that is inherently more
reliable and resistant to both failure and attack. SAVE employs n-version pro-
gramming, in which multiple versions of each module are written independently.
The key advantage of this n-version architecture is that each independently writ-
ten part is checking the others, ensuring that the system is well-behaved unless
a very large percent of its modules are compromised.
Furthermore, in order to achieve the n-version program model and help ensure
security, the system is broken into modules which each conduct a relatively
simple operation.
2 Background
The voting process dates back to the Greeks, who used different pieces of pottery
to indicate their votes for or against measures. The original voting process itself
had several characteristics that made it desirable: the choices were obvious in
that they were limited to a binary set, votes were represented by actual objects
that could be seen and felt, and it was easy to verify the vote tally due to these
two features. Today’s voting scenario is far different from the direct democracy of
the distant past. While typical ballots might have 12 races, some ballots contain
in excess of fifty selections, and in the case of the 2003 California Recall, the
candidate list for Governor was 135 candidates over six pages.
The current voting scene contains myriad technologies: lever machines from
the 19th century, punch cards from the ’60s, written ballots, optical scan ballots
