Moving to Evidence-Based Elections | National Academies


NAE Perspectives offer practitioners, scholars, and policy leaders a platform to comment on developments and issues relating to engineering. 

Moving to Evidence-Based Elections

Perspectives | March 16, 2023

Barbara Simons is retired from IBM Research and is board chair of Verified Voting. Poorvi Vora is professor of computer science at George Washington University and a member of the board of directors of Verified Voting.

In most jurisdictions things went relatively smoothly in the November 2022 midterms, but serious issues, both technical and political, remain. As we discuss below, elections may be made more transparent and secure through the use of voter-marked[1] paper ballots and rigorous postelection audits.  

Concerns in the Midterm Elections
The midterm elections were not as contentious as many had feared, but harassment of election officials and poll workers of both political parties has persisted. For example, on election night Bill Gates, the Republican chair of the Maricopa County (AZ) governing board, had to go into hiding because of threats. In Cobb County, GA, a suspect was arrested for interfering with poll workers and slapping a voter. Police were called in Cascade County, MT, because protesters were circling outside waiting for election officials. And an Arizona judge ordered masked and armed “observers” to keep some distance from ballot drop boxes. Safety fears have triggered election official resignations and made recruitment of poll workers more difficult.[2] 

In addition, unanticipated technical problems occurred and are likely to continue to occur in every large election. Fast and accurate information is needed to explain both the problems and, where feasible, the workarounds. For example, in Maricopa County, some polling place printers produced blank ballots (for voters to mark by hand) that were too faint for the polling place scanners to read (they were readable by central scanners). Although the printing problem generated conspiracy theories among some, election officials and the press quickly informed voters that they could deposit their completed ballots in ballot boxes for later tabulation. Or they could vote at a different location if they first surrendered their marked ballot. 

Other problems were not so benign. In Harris County, TX, all polling place voters use computerized ballot marking devices (BMDs). The voter makes her selections on the BMD, which then prints out a paper copy of her ballot for scanning. Because many Harris County BMDs did not have enough paper, some voters were asked to leave and return later to vote. It’s likely that some voters who couldn’t return were thus disenfranchised.

Similar problems, combined with skepticism about computerized voting systems, can lead a portion of the electorate to distrust legitimate election results. We describe how the use of paper ballots and postelection audits can improve election transparency and help inform public discourse.  

How Did Computers Become Ubiquitous in US Elections?
The punch card machine debacle in Florida’s 2000 presidential race triggered the widespread belief that paper should be replaced by computers—even though the problem with the punch card machines was bad technology, not paper.  

Computerized voting systems can be designed to improve accessibility and efficiency when compared to the traditional approach of manually counting hand-marked paper ballots. But no matter how well developed and carefully designed a computerized voting system is, software bugs and malware can change results in an undetectable manner.  

Nonetheless, the 2002 Help America Vote Act provided almost $4 billion for upgrading old voting systems, generating a rush to purchase computerized direct recording electronic (DRE) voting machines.[3] Most early DREs were paperless and provided a touch screen for the voter to make her selections, which were stored in the computer memory. By 2006 over 30 percent of US voters cast their ballots on paperless DREs and another 7.5 percent used paperless lever machines. In six states—Delaware, Georgia, Louisiana, Maryland, New York, and South Carolina—paperless machines were the only option. Four states—Kentucky, New Jersey, Pennsylvania, and Tennessee—were almost entirely paperless. Many other states had paperless counties.  

Because malicious software and other technology issues could change or misrepresent votes, there is no way to know whether the selections stored in the computer’s memory accurately reflect the voters’ choices. Therefore, it is impossible to conduct a statewide recount or otherwise check the election outcome in any state with paperless voting systems. In other words, many states were using voting systems that did not provide any independent evidence that the election outcome was correct.  

Owing to the work of many scientists, engineers, voting integrity activists, and election officials, as well as policy organizations, the national trend has been to move to paper-based voting systems, enabling more evidence-based elections across the country. While several states still have paperless counties, Louisiana is the only remaining state where all elections are paperless. 

Evidence-Based Elections
Evidence-based elections are defined as those in which the voting system provides “convincing, affirmative” evidence to the public that the outcome was correctly computed.[4] 

The challenge of designing secure voting systems is to provide public evidence of outcome correctness while yielding no information about individual votes beyond that contained in the tally.[5] A common instance of such evidence is securely stored voter-verified[6] paper ballots (along with registration logs).

Loosely speaking, there are two approaches to generating evidence-based elections using voter-verified paper ballots: risk-limiting audits (RLAs) and cryptographic evidence.  

Risk-Limiting Audits  
Paper ballots can be produced through either hand marking or BMD use. In both cases the paper ballots are scanned, computationally tallied, and ideally stored securely. In the final stage of an evidence-based election the security of the storage and procedures for secure custody are checked using compliance audits,[4] which are followed by a rigorous ballot tabulation audit.

Hand-marked paper ballots (HMPBs) are the more common and less expensive approach to marking ballots. Because BMDs involve the use of computers to mark paper ballots on behalf of the voter, they make it possible for voters with some types of disabilities (e.g., visual, motor) to mark ballots without relying on another person.  

Unlike HMPBs, BMDs typically encode the voter’s selections in a QR code that facilitates scanner tabulation but is not verifiable by the voter. Therefore, ballots also should have human-readable text to enable voter verification and postelection audits, neither of which should rely on QR codes.  

Because the BMD is a computational device capable of producing an incorrect printed ballot, voters should, whenever feasible—and especially if BMDs are required for all voters—check their printed ballots. Studies[7] have demonstrated that most voters do not check their printed BMD ballots,[8] but that the number of those who do can be increased through education, instruction, and other changes, such as having a station in the polling center for checking the printout.  


A full manual recount of paper ballots is not needed to verify an election outcome. A subset of securely stored ballots can be manually sampled in a public tabulation audit using the rigorous statistical approach of RLAs,[9] which have been supported in a 2018 report of the National Academies of Sciences, Engineering, and Medicine[10] and by the federal Election Assistance Commission.[11] In an RLA, a random sample of the ballots is manually examined to determine that the outcome is correct within rigorous statistical error bounds or, if the examination points to the likelihood of an incorrect outcome, to find the correct outcome via a hand count. 
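The sample-then-escalate logic described above, as an added example (not from the original article and not Arlo's code): a two-candidate ballot-polling audit using the BRAVO sequential test from the risk-limiting audit literature, run on constructed ballot lists. The function names, the 5% risk limit, the draw limit, and the seeded stand-in random number generator are assumptions for illustration.

```python
import random
from collections import Counter


def bravo(sample, winner, loser, reported_share, risk_limit):
    """Ballot-polling test (Wald sequential ratio) for winner vs. loser.

    sample: votes read by hand from paper ballots, in the order drawn.
    reported_share: winner's reported share of winner+loser votes (> 0.5).
    Returns (confirmed, ballots_examined).
    """
    if not 0.5 < reported_share < 1:
        raise ValueError("reported winner needs more than half the two-way vote")
    ratio, examined = 1.0, 0
    for vote in sample:
        examined += 1
        if vote == winner:
            ratio *= reported_share / 0.5
        elif vote == loser:
            ratio *= (1 - reported_share) / 0.5
        # Undervotes and other marks leave the ratio unchanged.
        if ratio >= 1 / risk_limit:
            return True, examined
    return False, examined


def audit_contest(paper, reported, risk_limit=0.05, max_draws=1000, seed=0):
    """paper: hand-readable ballots; reported: scanner tally {candidate: votes}."""
    (winner, w), (loser, l) = Counter(reported).most_common(2)
    # Assumption: a seeded stand-in PRNG; real audits typically generate the
    # seed in public (for example with dice) so the sample cannot be steered.
    rng = random.Random(seed)
    draws = (paper[rng.randrange(len(paper))] for _ in range(max_draws))
    confirmed, examined = bravo(draws, winner, loser, w / (w + l), risk_limit)
    if confirmed:
        return {"outcome": winner, "method": "sample", "examined": examined}
    # The sample did not confirm the reported outcome: count every ballot by hand.
    hand_winner = Counter(paper).most_common(1)[0][0]
    return {"outcome": hand_winner, "method": "full hand count",
            "examined": len(paper)}


# Constructed data: 10,000 paper ballots per contest, two candidates.
HONEST_PAPER = ["A"] * 7000 + ["B"] * 3000
HONEST_REPORT = {"A": 7000, "B": 3000}
# Constructed fault: the scanner tally swaps the two candidates' totals.
SWAPPED_PAPER = ["A"] * 3000 + ["B"] * 7000
SWAPPED_REPORT = {"A": 7000, "B": 3000}

if __name__ == "__main__":
    print(audit_contest(HONEST_PAPER, HONEST_REPORT))
    print(audit_contest(SWAPPED_PAPER, SWAPPED_REPORT))
```

The risk limit bounds the chance that a wrong reported outcome is confirmed by the sample; the narrower the reported margin, the more ballots the test needs before it can confirm.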

Significant effort has been invested by nonprofit policy advocacy organizations (e.g., Verified Voting, the Brennan Center, Common Cause, and Democracy Fund) to educate election officials about RLAs and to help them carry out pilots and statutory audits as well as develop legislation. The nonprofit VotingWorks often has been a partner, providing both open-source audit software (Arlo) and training in its use. As a result of these efforts, six states (Colorado, Georgia, Nevada, Pennsylvania, Rhode Island, Virginia) require RLAs; three have statutory pilot programs (Indiana, Kentucky, Texas); four allow RLAs to satisfy a more general audit requirement (California, Ohio, Oregon, Washington); and two have an administrative pilot program (Michigan, New Jersey).[12] 

Colorado, Georgia, and Rhode Island completed RLAs of at least one statewide contest each in the 2022 election, and Virginia completed an RLA of a House contest. Notably, in all these cases the audit was conducted prior to the finalization of the outcome. Several other tabulation audits have been conducted after contests were certified, allowing for the possibility that an outcome found to be incorrect by the audit had already been certified.[13] 

Experts and advocates are excited about the recent improvements in audit laws and processes in many states, but much remains to be done to enhance both integrity and efficiency.  

Unfortunately, too many states still do not examine ballots at all. While an RLA is ideal, any systematic manual examination of ballots for a tabulation audit, in combination with rigorous ballot accounting procedures and public compliance audits, would greatly increase the transparency of elections and is urgently needed.  

Cryptographic Evidence
End-to-end-verifiable (E2E-V) voting systems generate cryptographic evidence and post it on a secure website. E2E-V systems have been used in pilot elections in which paper ballots were generated or hand-marked and could be examined in a statistical audit after the election.  

Unlike RLAs, the evidence in an E2E-V system must be checked by individual voters and the public. While voting, each voter is provided a cryptographic confirmation number representing her vote. The number is generated in a manner that prevents her from disclosing her votes, even if she reveals the number and any other information she possesses. She also can test that the numbers correctly represent candidates. If voters perform these tests and check that the numbers are correctly posted on the election website, they can determine that their votes were accurately registered.

The E2E-V voting system provides a digital audit trail on the public election website. The trail may be checked using software written by anyone and bears evidence that the election tally was correctly computed from the numbers representing individual votes. Thus, election evidence is available to all, while individual votes are protected.  

Researchers have been unable to provide simple, usable ways for E2E-V systems to be used without paper. A main unsolved problem is that of dispute resolution: it is not possible to easily and definitively determine the legitimacy of a voter’s complaint that her vote was incorrectly recorded. In addition to potentially disenfranchising an honest voter, the inability to accurately assess an incorrectly registered ballot can enable dishonest or disgruntled voters to cast doubt on a correctly called election.  

Comparisons 
The use of voter-verified paper ballots in evidence-based elections relies on election officials to perform the audit and securely store the ballots. No voter participation is needed beyond casting the vote.  

In contrast, cryptographic evidence in E2E-V elections using paper ballots is stored on a secured election website and voters do not need to rely on election officials to examine it. If voters check their confirmation numbers, the election outcome cannot be changed without detection (although a website hacker could generate confusion without changing the election outcome). Also, because cryptographic techniques are at the heart of E2E-V systems, voters struggle to understand how E2E-V elections work.  

Internet Voting: A Bad Idea  
There is an ongoing push for internet voting that reflects a blind trust in technology. Arguments in favor of internet voting—online banking implies that online voting should work[14]; smartphone voting would increase voter participation, especially by young people; blockchains make internet voting secure—are appealing, but fallacious.

Such arguments ignore a fundamental difference between e-commerce and internet voting. If I bank online, I can challenge errors in my bank statement and the bank and I can come to an agreement on the transactions. But if I vote online, I want my vote to remain confidential. My local election official should not know my choices. The seemingly simple fact that voted ballots are confidential is a foundational obstacle to creating secure internet voting systems. Furthermore, if funds are stolen from my bank account in an online attack, the bank will cover my losses. But if my internet-voted ballot is modified by hackers, I may not even know. And there is no way that an election official can repair the damage. 


Problems with internet voting are compounded by well-documented internet insecurities.[10] Malware could modify the ballot on the voter’s machine, in transit to the election official’s machine, or on the election official’s machine. It also could record (and send to a third party) the voter’s selections, thereby compromising ballot secrecy.

Another threat is a ransomware attack, which not only could be costly but also would cast doubt on the election outcome, assuming the ballots could even be retrieved. 

Blockchains are often mentioned as possible solutions to the security challenges of internet voting. But an entry in a blockchain ledger is only as secure as the computer that stores it, because the entry can be changed by malware on the computer before being inserted in the blockchain. Thus the use of blockchains does not address the main challenges in securing internet voting.  

Finally, it is not (yet) possible to enable all voters to securely authenticate themselves on the internet[15] or to protect against denial of service attacks targeted at certain groups of voters, thereby disenfranchising them.  

Given all the perils of internet voting, it is not surprising that there are no federal standards or testing. The National Academies of Sciences, Engineering, and Medicine (p. 122)[10] determined that “We do not, at present, have the technology to offer a secure method to support internet voting. It is certainly possible that individuals will be able to vote via the internet in the future, but technical concerns preclude the possibility of doing so securely at present.” The Department of Homeland Security, FBI, Election Assistance Commission, and NIST explicitly concurred with the Academies’ statement.[16]

Yet multiple states and the US Virgin Islands allow some form of electronic return of voted ballots for subsets of voters, such as overseas military personnel and voters with disabilities.[17] The methods of transmittal include email attachments, which are notoriously insecure, voting via a web portal, and faxes, which are now almost always transmitted over the internet and therefore are not secure.  

More Secure Options
There are far more secure options. The 2009 MOVE Act requires states to provide downloadable blank ballots over the internet at least 45 days before an election. Military and overseas voters can download the ballots, mark them, print them out, and mail them in. Military voters also can avail themselves of free expedited mail to their local election office.  

By law all polling places provide accessible technology for voters with disabilities. To improve the accessibility of vote by mail, there are voting systems that allow voters with disabilities to download electronic versions of their ballots, mark them using their own assistive technology, print them out, and mail them in.  

Instead of providing some voters with insecure hackable internet voting, the MOVE Act provisions for military voters should be expanded, and states should accept ballots postmarked by Election Day for several days thereafter. In addition, further investment is needed to improve the security of accessible voting for voters with disabilities. 

Given election threats from nation-states and other adversaries, as well as the closeness of many races, the continued use of insecure and unverifiable internet voting is a national security threat.  

Conclusion
Fortunately, noninternet elections are becoming increasingly secure and verifiable, but there is still a lot of work to do. Ongoing research on cryptography-based voting systems may produce more verifiable systems.  

For now, states should work urgently toward making elections much more transparent by eliminating all forms of internet voting and deploying voter-marked (ideally hand-marked wherever possible) paper ballots. In addition, state regulations should ensure rigorous ballot accounting procedures, compliance audits, and RLAs to check the scanners that tabulate paper ballots.  

Citizens should advocate for these changes and encourage transparency in election processes wherever possible.

Notes

[1] We use “voter-marked” to mean hand-marked paper ballots by and large, and ballots marked with assistive devices primarily for those who need them.  

[2] Edlin R, Baker T. 2022. Poll of local election officials finds safety fears for colleagues—and themselves, https://www.brennancenter.org/our-work/analysis-opinion/poll-local-election-officials-finds-safety-fears-colleagues-and 

[3] The Verifier (https://verifiedvoting.org/verifier/) provides a great deal of information on election day technology.  

[4] Stark PB, Wagner DA. 2012. Evidence-based elections. IEEE Security and Privacy 10(5):33–41. 

[5] Bernhard M, Benaloh J, Halderman JA, Rivest RL, Ryan PYA, Stark PB, Teague V, Vora PL, Wallach DS. 2017. Public evidence from secret ballots. E-Vote-Id ’17. Full version at CoRR abs/1707.08619. 

[6] Electronic votes stored in a computer cannot be verified by voters. While it is possible for voters to verify ballots marked and printed by a computational device, most voters currently do not actually do so. So although voted paper ballots printed by computers are voter-verifiable, they may not be voter-verified. By contrast, there isn’t a computational intermediary when ballots are hand-marked by a voter, and these are more likely to be voter-verified, though voters may make errors in completing their ballots.  

[7] Bernhard M, McDonald A, Meng H, Hwa J, Bajaj N, Chang K, Halderman JA. 2020. Can voters detect malicious manipulation of ballot marking devices? Proceedings, 41st IEEE Symposium on Security and Privacy (Oakland '20), May. Best Student Paper Award, https://amcdon.com/papers/bmddetect-sp20.pdf 

[8] Because BMD output is often designed badly and difficult or impossible to check, most BMD output needs significant improvement. 

[9] Lindeman M, Stark PB. 2012. A gentle introduction to risk-limiting audits. IEEE Security & Privacy 10(5):42–49. 

[10] Securing the Vote: Protecting American Democracy. National Academies Press.  

[11] Technical Guidelines Development Committee. Voluntary Voting System Guidelines Version 2.0, 2021. 

[12] Verified Voting, Audit Law Database, https://verifiedvoting.org/auditlaws/ 

[13] In fact, until April 11, 2022, Virginia’s law explicitly prohibited an audit from changing an election outcome. See https://lis.virginia.gov/cgi-bin/legp604.exe?221+ful+CHAP0443&221+ful+CHAP0443, 24.2-671.2, I for the new law.  

[14] Jefferson D. 2014. If I can shop and bank online, why can’t I vote online? Verified Voting.  

[15] The use of a public key infrastructure presents its own challenges; see https://www.businessinsider.com/estonia-freeze-e-residency-id-cards-id-theft-2017-11. 

[17] See the Verifier: https://verifiedvoting.org/verifier/#mode/navigate/map/ppEquip/mapType/normal/year/2024. Verified Voting. 

Disclaimer

The views expressed in this perspective are those of the author and not necessarily of the author’s organizations, the National Academy of Engineering (NAE), or the National Academies of Sciences, Engineering, and Medicine (the National Academies). This perspective is intended to help inform and stimulate discussion. It is not a report of the NAE or the National Academies. Copyright by the National Academy of Sciences. All rights reserved.