The present invention relates to method and apparatus for electronic voting.
As it has been apparent observing recent events, the voting process in the United States is non-standardized, full of flaws and subject to possible errors and vote tampering. The recent (2004) election showed many possible solutions, some electronic, but even the electronic voting method was felt to be non-secure and flawed. Other methods such as paper, machines, etc., also result in many votes not being properly counted or the actual tally (and possible challenges) could take a very long time.
Another flaw in the system is the concern of people voting multiple times, of Deceased Voting (dead or non-existent people voting), of Unregistered/Unqualified Voters voting, etc. This is mainly a result of the local voting personnel using archaic methods for verifying the voter. Various techniques are used, but it is relatively easy to fake ID or possibly vote in multiple locations.
Other issues such as absentee ballots, receipts verifying electronic votes, etc, confuse the issue even further.
The article “Analysis of an Electronic Voting System”, by Kohno et al., IEEE Symposium on Security and Privacy 2004. IEEE Computer Society Press, May 2004 (This paper previously appeared as Johns Hopkins University Information Security Institute Technical Report TR-2003-19, Jul. 23, 2003) (hereinafter, “IEEE Article”) describes an electronic voting system.
Elections allow the populace to choose their representatives and express their preferences for how they will be governed. Naturally, the integrity of the election process is fundamental to the integrity of democracy itself. The election system must be sufficiently robust to withstand a variety of fraudulent behaviors and must be sufficiently transparent and comprehensible that voters and candidates can accept the results of an election. Unsurprisingly, history is littered with examples of elections being manipulated in order to influence their outcome. (source, IEEE Article)
The design of a “good” voting system, whether electronic or using traditional paper ballots or mechanical devices, must satisfy a number of sometimes competing criteria. The anonymity of a voter's ballot must be preserved, both to guarantee the voter's safety when voting against a malevolent candidate, and to guarantee that voters have no evidence that proves which candidates received their votes. The existence of such evidence would allow votes to be purchased by a candidate. The voting system must also be tamper-resistant to thwart a wide range of attacks, including ballot stuffing by voters and incorrect tallying by insiders. (source, IEEE Article)
As a result of the Florida 2000 presidential election, the inadequacies of widely-used punch card voting systems have become well understood by the general population. Despite the opposition of computer scientists, this has led to increasingly widespread adoption of “direct recording electronic” (DRE) voting systems. DRE systems, generally speaking, completely eliminate paper ballots from the voting process. As with traditional elections, voters go to their home precinct and prove that they are allowed to vote there, perhaps by presenting an ID card, although some states allow voters to cast votes without any identification at all. After this, the voter is typically given a PIN, a smartcard, or some other token that allows them to approach a voting terminal, enter the token, and then vote for their candidates of choice. When the voter's selection is complete, DRE systems will typically present a summary of the voter's selections, giving them a final chance to make changes. Subsequent to this, the ballot is “cast” and the voter is free to leave. (source, IEEE Article)
The most fundamental problem with such a voting system is that the entire election hinges on the correctness, robustness, and security of the software within the voting terminal. Should that code have security-relevant flaws, they might be exploitable either by unscrupulous voters or by malicious insiders. Such insiders include election officials, the developers of the voting system, and the developers of the embedded operating system on which the voting system runs. If any party introduces flaws into the voting system software or takes advantage of pre-existing flaws, then the results of the election cannot be assured to accurately reflect the votes legally cast by the voters. (source, IEEE Article)
Currently the most viable solution for securing electronic voting machines is to introduce a “voter-verifiable audit trail”. A DRE system with a printer attachment, or even a traditional optical scan system (e.g., one where a voter fills in a printed bubble next to their chosen candidates), will satisfy this requirement by having a piece of paper for voters to read and verify that their intent is correct reflected. This paper is stored in ballot boxes and is considered to be the primary record of a voter's intent. If, for some reason, the printed paper has some kind of error, it is considered to be a “spoiled ballot” and can be mechanically destroyed, giving the voter the chance to vote again. As a result, the correctness of any voting software no longer matters; either a voting terminal prints correct ballots or it is taken out of service. If there is any discrepancy in the vote tally, the paper ballots will be available to be recounted, either mechanically or by hand. (A verifiable audit trail does not, by itself, address voter privacy concerns, ballot stuffing, or numerous other attacks on elections.) (source, IEEE Article)
The IEEE Article analyzes the Diebold AccuVote-TS 4.3.1 electronic voting system and found significant security flaws: voters can trivially cast multiple ballots with no built-in traceability, administrative functions can be performed by regular voters, and the threats posed by insiders such as poll workers, software developers, and janitors is even greater.
US Patent Publication No. 20030006282 discloses systems and methods for electronic voting. An electronic voting system has a voting administrative module connected to a plurality of voting modules connected via a network. A voter initiates the voting process by inserting a voting key into a voting key reader of a voting module. The voter then makes voting selections, which include casting votes, on a touch screen display of the voting module. Alternatively, the voting module may verbally guide the voter through the voting process using an audio headphone. The voter may also make voting selections verbally through a microphone using voice recognition technology, or by using a tactile keypad. After the voter is finished casting votes, a voter verifiable paper ballot is printed and an electronic ballot is saved on the electronic voting system. The voter can review the paper ballot. If the voter is not satisfied with the voting selections reflected on the paper ballot, then the paper ballot and the electronic ballot may be spoiled and the voter given a new voting key to use to re-cast the votes on the electronic voting system.