1. Field of the Invention
The invention disclosed and claimed herein is generally directed to a method and system for carrying out elections and verifying the results thereof. More particularly, the invention pertains to a method and system of the above type wherein a trusted computing platform is used to provide secure electronic voting, and to enable aspects of the election results to be verified by members of the general public. Even more particularly, the invention pertains to a method and system of the above type wherein members of the public are enabled to verify that all cast ballots are accounted for and that only valid ballots have been tallied, or else members of the public are enabled to verify that their own individual votes were received by the pertinent election authority.
2. Description of the Related Art
Although voting systems must satisfy several critical requirements, including security, accuracy, usability, reliability, and cost-effectiveness, the ultimate measure of a voting system is whether voters trust the system to deliver a fair election. An important aspect of building trust in a voting system is the ability to perform meaningful audits and recounts of elections. This ability to double-check or verify election results usually requires both system support and the appropriate administrative procedures that define how to carry out verification.
With the increasing use of electronic voting systems in public elections, the importance of verifiability can hardly be overstated. Many ATM-style, direct-recording electronic (DRE) systems in use today provide vote tallies based on computations performed in computer memory. Verification on these systems is often limited to rerunning the same computation with the same input, a process that would not detect whether the input was tampered with or whether the software performing the calculation was executing correctly. Several incidents in recent years indicate that the level of verification in DRE voting systems is not adequate to allay the concerns of many about the accuracy of such systems. For example, in a U.S. House of Representatives contest in Florida in November, 2006, an 18,000-ballot undervote could not be rectified because there was no way to perform a recount without trusting the same machines suspected to be at fault to begin with.
Many people believe that some form of a paper record is needed to provide verifiability. Dozens of U.S. states have passed laws requiring paper records of voter selections so that useful audits and recounts can be performed. In addition, some systems allow voters to double-check their choices on paper media before casting their ballots. This belief that paper records will result in more trustworthy voting systems has fueled a trend towards optical-scan systems and DRE systems with voter-verified paper trails (VVPT). The former systems rely on scanning technology similar to that used in standardized tests. The latter systems add printers to DRE systems, and define the administrative and legal policies for managing the electronic and paper representations of voter ballots.
Unfortunately, paper records are no panacea for providing trustworthy electronic voting systems. Indeed, it was not long after the introduction in the late 1800s of the modern paper ballot, known as the Australian ballot, that many effective schemes for subverting elections were put into practice. These schemes included ballot box stuffing, ballot destruction, and ways to tamper with ballots during vote counting so that particular ballots could be disqualified (Encyclopedia Britannica, 11th Edition, 1910, Voting Machines). In more recent times, it has been recognized that optical-scan equipment can produce inaccurate tallies (The Brennan Center for Justice, The Machinery of Democracy: Voting System Security, Accessibility, Usability, and Cost, 2006, p. 28); that procedures for processing optical-scan ballots can lead to errors (New York Times, Audit Finds Many Faults in Cleveland's '06 Vote, Apr. 20, 2007); that printers used in some election environments fail at a rate of nearly 10% (Associated Press, Paper Jams Hamper Electronic Voting, Dec. 21, 2006), thus making them unreliable for verification purposes; that the management, processing, storage, and expense of paper ballots can be challenging (New York Times, Ballot Flaws and Technical Errors Have California Still Counting Heavy February 5 Vote, Feb. 17, 2008); and that relying on voter verification to catch voting machine errors is an unproven hypothesis (Selker and Cohen, An Active Approach to Voting Verification, Caltech/MIT Voting Technology Project, May 2005).
Another recent approach, which is embodied in the Punchscan (http://punchscan.org) system, uses cryptographic techniques involving two-layer paper ballots, ballot receipts, and the publication of various transformation tables. These tables can be used by voters after an election to verify that their votes were counted. However, systems of this type raise issues that include the cost of the special paper ballots; the complexity of the cryptographic protocols and procedures; the difficulty in handling write-in votes; and concerns regarding accessibility.