1. Field of the Invention
The present invention relates generally to election systems and more specifically to security and privacy in such systems.
2. Description of the Prior Art
Various techniques for producing, rendering, controlling access to, voting, capturing, posting, counting, and auditing election systems are known.
It is believed that a central issue in election systems is their ability to convince voters that the votes of all valid voters participating in the election are correctly counted.
Another issue in voting systems is ballot secrecy, which should prevent other than the voter from learning how the voter voted, with or without cooperation of the voter. When paper ballots are used, it is believed desirable in many settings that the form used to capture the vote does not bear the cleartext vote but rather an encrypted vote. For instance, this allows those transporting ballots and polling place scanners to be kept from learning the cleartext votes. Partly related, at least in some settings, is the issue of to what extent ballots voted by different groups are readily distinguished. Some systems can process ballots from multiple sources into a single batch of outcomes, but the ability of those operating the system and supplying the forms to discriminate or track batches of ballots can be an issue in some settings.
It is known that election outcomes can be substantially affected by the order in which candidates are placed on ballots. So-called “ballot rotation” systems are presumably aimed at addressing this, but often are imperfect in concept and introduce additional costs and errors in implementation. Also, where voters can be seen from a distance, the order of candidates being readily determined, such as even with standard rotation systems, allows their choices to be more readily recognized. Nevertheless, in some settings, particular ballot orders are required by law and/or desirable for ease in locating candidates. Systems that allow full control over order have the advantage of being well suited to the range of such settings.
Another desirable characteristic of voting systems in some settings is universal applicability of a ballot form. Thus, the voter votes the same form whether using a polling place with automation, a polling place with only a ballot box, a polling place in which automation has failed, or mail-in or otherwise delivered ballots. From the perspective of voter experience, a common ballot form has advantages in terms of voter education as well as for voters that would otherwise have to use different forms in different settings.
Demand printing of ballots is attractive, particularly for a large number of “ballot styles” where flexibility in election processes is desired. Examples include voters who wish ballots in particular languages and/or those who would like to vote at a polling place that has a different ballot style from their “home” polling place. The ability to use ordinary commercial printers, such as those currently made for offices or even consumers, is believed attractive from a cost and scalability perspective.
Substances added to ballots, such as coatings, can have environmental and/or toxic effects and be problematic for recycling, and thus may have additional costs and/or be undesirable in some settings.
It is generally believed, and actively advocated, that voters with disabilities should be able to vote in a way that is autonomous, makes their votes indistinguishable from those of other voters, and provides them with the same level of verification and protection against improper influence as other voters. The present application is in one aspect oriented towards obtaining the advantages of encrypted ballot/receipt systems for voters who cannot read the ballots and/or mark them. This is directed at attendance voting settings using machine-read ballots, such as where voters vote at polling places using so-called “optical scan” systems.
There are, generally speaking, three known approaches for obtaining marked paper ballots where the voter is present but need not see indicia on ballots, and in only one do the voters actually mark their own ballots.
The first approach may be called “human assisted” marking, and varies by jurisdiction. It does not provide autonomy, because one or more persons assist the voter in the act of voting. Some jurisdictions, for example, require voting with the assistance of a poll worker, who typically is to read the ballot aloud to the voter and to record the responses uttered by the voter. Unfortunately, it may be particularly difficult for a blind person to ascertain with certainty who overhears their votes. Not only does this give poor voter privacy, but it also facilitates various types of so-called “improper influence,” such as at least potential confirmation in vote buying or coercion schemes. Integrity issues are also raised, since there may be little to ensure the voter or others that the poll worker records the votes faithfully. In other jurisdictions, representatives of multiple parties are required to assist the voter, thereby improving integrity but at the expense of further reduced autonomy and secrecy. In yet other jurisdictions, the voter may bring a person of the voter's choice. This is potentially better as far as voter concerns, although it enables some improper influence schemes. In some countries it is allowed for more than one person to enter the booth (or even for proxies to vote), such as family members or those in possession of certain documents. While such permissive schemes may offer some convenience, they facilitate various kinds of fraud and improper influence, and are not considered further here.
The second known approach may be called “automated” marking, such as with machines developed by Vogue Election Products & Services of Glen Ellyn, Ill. These are essentially so-called “DRE” (Direct Recording Electronic) voting machines. Instead of recording the vote electronically for later transmission by those running the election (often through a physical device anyway such as a memory card), however, they print the vote as a form that is provided to the voter for casting. In some cases a pre-printed form may be scanned in or otherwise loaded by the device and only the votes are marked on it by the device's print engine; in other cases the form may be rendered and printed completely by the device. In addition to audio voting interaction, as with DREs, displays may offer enlarged or otherwise enhanced images readable by those who would not be able to read the ballot directly. One additional considerable advantage of audio capability generally is that sighted but illiterate voters can also use it. Furthermore, it is believed often less costly, time consuming and cumbersome to generate audio in various languages compared to typesetting and laying out corresponding forms. There are, however, believed to be substantial procurement, storage, and transportation costs, as well as reliability issues for such hardware devices, which apparently integrate printers and scanners with touchscreen user interfaces. A fundamental shortcoming of the approach generally is believed to be that, even in the best case, when the device marks standard ballots, the ballots are readily recognized as having been marked by machine.
The third approach may be called that of “tactile” marking. One example is Braille ballots. These can only be used, however, by the small fraction of the blind population (believed sometimes estimated at roughly 5% of the legally blind in the United States) who are currently able to read Braille adequately. Of course the ballots would also stand out as having been voted by the blind. A hybrid Braille and ink ballot would address this issue, but would not be very practical, as it would greatly increase the size, thickness, handling difficulty, and cost of ballots and processing.
The other major example of the third approach, called here “tactile audio,” relates to the so-called “tactile ballot templates.” These are believed to at least have been used, for example, in public sector elections in Rhode Island, Canada, Peru and Sierra Leone. They provide in essence what may be called a “guide,” such as a sheet of relatively rigid material held in alignment with the ballot paper, which includes openings where marks are allowed. In addition to the tactile nature of those openings themselves, other tactile indications are included formed in the guide, such as in Braille or simpler codes. An audiotape or the like is typically provided that informs the voter of which candidates or question responses correspond to which coded openings on the guide. The audio aspect brings with it the advantage, already mentioned earlier, that sighted voters who are illiterate or wish a language that is not available in printed form can use the system to vote. Such an approach is believed attractive for unencrypted votes.
The tactile audio approach does not provide voters using it with the integrity and secrecy protections of the encrypted vote/receipt systems mentioned earlier. For instance, voters are unable to check, after leaving the polling place, that they were provided with correct information about what to mark, that their marks are accurately scanned, and that the scanned values are properly included in the final tally. As another example, readable ballots do not provide the secrecy advantages of encrypted ballots, such as: for handling while in a polling place or for so-called provisional ballots or what may be referred to as “vote-from-any-precinct,” which both require that the voter identity be linked to ballots during protracted handling/processing.
Accordingly, objects of the invention in this aspect include bringing advantages of encrypted ballot and/or receipt systems to audio tactile ballots at polling places and other settings, including audio assisted and assistant-marked balloting generally.
A further aspect relates to processing of encrypted votes. Known voting systems make extensive use of sophisticated types of cryptographic functions and protocols (such as, for instance, public key, secret-shared homomorphic systems), limiting the ease with which they can be widely understood by the public. Those previously proposed by the present applicant are believed to have privacy substantially exponentially good in the number of rounds and detection of cheating substantially exponentially high in the number of votes improperly changed. (Underlying this, a choice for statistical integrity, compared to that based on cryptography, with privacy based on cryptography, is often made to protect against the chance that an adversary wishing to change the outcome of the election might have access to unexpected algorithms or resources.) A system introduced here offers substantially perfect privacy and probability of detection of improper changes exponential in the number of rounds (in a similar underlying model). The amount of computation and data storage is reduced, while maintaining strong integrity properties. Moreover, it optionally only uses a basic type of encryption, that is believed more familiar to and more readily understood by the public.
Encrypted vote systems are known in which voters mark paper ballots and retain receipts that allow them to check online that their votes were recorded correctly. Privacy and secret ballot properties have been provided, although there is room for improvement in this regard. Some systems have a single entity that performs operational aspects and that obtains as a consequence special access to privacy of votes. In some systems and settings, the checking information posted can reveal some information about the vote to other than the voter.
Various user interface approaches have been proposed, as exemplified by two types. In the one type, users mark next to a candidate and in the second type they mark in a position indicated by a symbol matching that next to the candidate. The former presents candidates in substantially randomized order and the latter in whatever order is wished by those conducting the election, such as alphabetical order. As a consequence it is believed that neither is clearly preferable for all applications or even all contests within a ballot. Moreover, systems for the two types of interface have addressed different settings and with apparently different mechanisms. Simplicity of mechanism has advantages in election system applications.
Carbon paper and so-called carbonless paper are well known for making copies of marks made on forms, such as those made by voters. One known problem with such techniques, however, is that the original may be apparently well marked, but the copy does not come through well. With demand printed ballots, physical structure related to so-called “ballot style,” such as holes or scratch-off may be problematic and can lead to general formats that are less than optimal in terms of clarity, economy, and aesthetics. Moreover, demand printed ballots are ideally substantially indistinguishable from those printed otherwise. Physical structures have increased associated direct and handling costs.
The use of self-adhesive “stickers” by voters to indicate their choices through the selection of stickers placed on a ballot template was proposed by Boram in U.S. Pat. No. 4,717,177. The resulting ballot exposes the votes to those who might see it in transport and handling, which in some settings is not a desirable feature. Moreover, such forms do not provide an encrypted vote function. Furthermore, the unused portion of stickers in known systems also reveals the vote and does not serve as a receipt in an encrypted voting system.
It is often desired in voting systems to hide how a particular voter has voted, providing privacy and/or so-called secret ballot properties, as mentioned. A related technology is envelopes and/or material layers, such as covering sheets adhered in place or the like. So-called “scratch-off” layers typically formed from materials including latex on paper cardstock or the like are known and familiar to the general public particularly because of their use in lotteries and the like. In some settings, it may be desired to provide integrity of the election that is verifiable including by voters who are in possession of the ballot form, while maintaining ballot secrecy. In an example inventive aspect, accordingly ballot secrecy is maintained in some cases including even if the voter does not follow procedures and in some cases including side information and/or virtual transmission of ballots, using scratch-off and/or other removable layers. Desired would be forms that allow the voter to discover codes that can be authenticated as valid when supplied over telephone or Internet, in part at least because the forms need not be physically transported back to, and then also processed when received by, those running the election.
Control of access to attendance voting is typically done through the known device of a physical poll book, which is being replaced in some jurisdictions by automated and even online systems. Verification by voters, however, is cumbersome with manual poll books, since the information is often neither optimally complete nor well organized for the task at hand. As with voting machines, automated registration systems provide little transparency to voters.
In a further inventive aspect, voters who are to be allowed to vote in a polling place are displayed in the sequence in which they are admitted, at least the most recent part of the display being visible to voters. Certain sensitive information, such as private addresses and/or signatures on file, is allowed to be viewed by voters present. In some example settings the poll book is on paper, in others it is automated, and in yet others the book for the particular polling place is in paper but automated information is available for other polling locations within some political subdivision.
Known encrypted vote systems that can accommodate so-called “write-in” votes use automated equipment in the voting booth, and such equipment can be substantially more costly than manual systems. Receipts in known encrypted vote schemes use information related to each independently processed contest or ballot question; their size is substantially proportional to the amount of such information. Also, in known cryptographic receipt systems, although arguably not substantial issues, compromise of cryptographic protection can link receipts to ballots and the sophistication of cryptographic systems has been an impediment to their early adoption.
Objects of the present invention in one aspect, accordingly, include secure receipts whose size is substantially independent of the number of contests or questions and that accommodate write-in votes without in-booth automation. Another object, in some embodiments, is an augmentation of manual encrypted vote systems to include write-in vote without introducing additional automation to be used by voters. A further object, at least in some embodiments, is less reliance on cryptographic techniques and in particular a receipt-to-ballot linking that cannot be learned by compromise of such techniques.
The present invention aims, accordingly and among other things, to provide novel and improved voting and related systems. Transparent integrity, ballot secrecy, usability, accessibility, and robustness in such systems are important goals generally. Objects of the invention also include addressing all the above mentioned as well as providing practical, robust, efficient, low-cost election systems. All manner of apparatus and methods to achieve any and all of the foregoing are also included among the objects of the present invention.
Other objects, features, and advantages of the present invention will be appreciated when the present description and appended claims are read in conjunction with the drawing figures.