Personal tools
You are here: Home ACE Encyclopaedia Topic Areas Elections and Technology Technology for Voting Operations
 
Document Actions
Table of Contents

Technology for Voting Operations

Voting operations is understood in this section as the procedures that have to be put in place to ensure that all qualified citizens can exercise their right to vote within established schedules. Different technologies can be used to assist all tasks needed to successfully organize the voting operations.

 

With the evolution of electoral systems and the increase of the number of voters, most democracies are experiencing pressure to use appropriate technologies as they become available. This is not only to make sure that all voters, regardless of possible disabilities, can exercise their right to vote but also to ensure that election results are known quickly.

 

At the same time, while some of these technologies have resulted in greater efficiency, they have proven to be controversial since there are opportunities for fraud that might be difficult to trace.

 

In addition, technology evolves very rapidly, so what is discussed today might be obsolete tomorrow. The ACE project tries to introduce technologies as they appear or at least to provide links to information about new technologies for those who are interested.

 

The main groups of voting operation technologies refer to:

 

  • logistics of voting operations

 

  • recording votes

 

  • counting votes

 

  • consolidating results regionally and nationally

 

It is also necessary  to take into account that the different technologies adopted for voting operations can have an impact on voting arrangements, on planning of the voting procedures, on acquisition, storage, transportation and distribution of materials and equipment, logistics of the operations and the staffing and training of the polling workers.

 

In addition, any technology can fail, but in the case of voting operations the impact on the democratic process can be considerable, depending on the level of mistrust among the stakeholders and the political groups. The failure of a voting machine can be considered in a country as a malfunctioning, but in another country it can be suspected as an act of sabotage or even fraud.

 

As an election management body (EMB) considers appropriate technology for voting operations, it has to evaluate the technology itself and how it guarantees that every vote is counted. It also needs to scan the socio-political environment to ensure that the technology can indeed contribute to the implementation of a free, fair and transparent democratic process.

 

Voting Operation Steps

Voting operations procedures usually depend on the electoral system and therefore on the relevant legal and regulatory framework, but there are steps common to all voting operations, namely:

 

  • procurement of equipment and supplies needed for allowing voters to cast their vote during the established voting period

 

  • storage of voting equipment and supplies

 

  • transportation of all voting supplies to final destination

 

  • recruitment and management of polling officers

 

  • identification of voting places and publication of respective list

 

  • voter identification and authentication

 

  • recording of votes cast

 

  • vote counting

 

  • publication of election results

 

  • These steps can use specific technologies, such as:

 

  • procurement systems to facilitate and control procurement of equipment and supplies to be used in the voting boots

 

  • inventory systems to control the storage of voting equipment and supplies

 

  • logistic systems to assist the planning of the transportation of all voting supplies to final destination

 

  • database systems to store and manage information related to polling officers and the voters’ lists

 

  • GIS and database systems to facilitate the identification of voting places and respective listing

 

  • voting systems for identification and authentication of voters

 

  • voting systems using optical scanning or direct electronic recording to record and count the votes

 

  • communications systems to support telephone, fax, computer and printers networks.

 

While considering technology for voting operations it is useful to keep in mind these different technologies, which may be in use already for other electoral administration tasks. Since several independent software systems can run in the same computer, most of these systems can share computer hardware. The same is true for the software, since it is possible to develop different applications to run under the same basic software. For instance

 

  • The GIS software and hardware used for boundary delimitation can also be used to identify polling stations and print the respective lists, although these two applications would run under different and independent programs.

 

  • Database management systems software and hardware used to store voters information and produce the voters’ list can also be used to manage electoral administration human resources.

 

  • Procurement systems software used to manage voting operations procurement can also manage all EMB procurement.

 

Machines used for the voting itself, on the other hand, are too specific to serve other purposes, but some sharing can be envisaged between districts and even between countries with similar voting requirements.

 

Technology for Voting

The objective of  voting is to allow voters to exercise their right to express their choices regarding specific issues, pieces of legislation, citizen initiatives, constitutional amendments, recalls and/or to choose their government and political representatives. Technology is being used more and more as a tool to assist voters to cast their votes. To allow the exercise of this right, almost all voting systems around the world include the following steps:

 

  • voter identification and authentication

 

  • voting and recording of votes cast

 

  • vote counting

 

  • publication of election results

 

 

Technology for voter identification and authentication

 

Voter identification is required during two phases of the electoral process: first for voter registration in order to establish the right to vote and afterwards, at voting time, to allow a citizen to exercise their right to vote by verifying if the person satisfies all the requirements needed to vote (authentication).

 

In most countries this process of voter authentication and verification of identity is done manually, but some countries have implemented and others are experimenting with an automated or at least semi-automated method to verify the identity of voters and their right to vote. This implies the existence of an electronic voter register. In fact, the technologies used for voter identification at election time depend on the technologies used to establish the voter register.

 

Most recent voter identification technologies need to use digitalized voter information and may include the use of:

 

  • smart cards that record a person’s personal information and even biometric data

 

  • database management systems where the digitalized data is stored and managed

 

  • biometric information, such as finger print identification

 

 

Smart cards

 

Smart card technology permits the storage of digital information that can be updated and accessed with an inexpensive reading device that may or may not be linked to a computer network. The smart card, itself, is a plastic card that resembles a credit card and contains a small chip, which includes memory and sometimes a microprocessor. Gold contacts connect the smart card to the reading device. Since it can store more data than a magnetic strip, a smart card can keep the voter’s relevant data, including biometric data, and can also store non permanent data, such as the polling station where the voter is supposed to vote, for instance. Encryption techniques secure the data, and the tiny processor, if it is there, allows the smart card to be programmed for different applications.

 

Data Base Management Systems

 

This technology enables the recording, storage and management of required voter data.

 

Finger printing recognition

 

While this technology is not new, the electronic methods of recording and recognizing an individual finger print advanced substantially during the last decade of the 20th century. Today, identification can be achieved in a few seconds with reasonable accuracy. As a result, the use of automated fingerprint identification systems (AFIS) that record, store, search, match and identify finger prints is rapidly expanding. AFIS can be integrated in a suite of applications that work together to provide a comprehensive fingerprint and palm print identification system.

 

 

Technology for voting and recording of votes cast Launch of Voter Registration Campaign for IT Functional Constituency

 

Once the voter’s right to vote has been established, the person proceeds to the voting itself. Any credible and reliable voting procedure needs to ensure the voter’s anonymity translated on a secret ballot and freedom of choice meaning that the voter is free of undue pressures. Votes have to be correctly recorded to make certain that every vote counts without being modified.

 

Through the centuries, different technologies have been used to ensure that a vote is recorded correctly and that it can be accurately counted afterwards. Manual systems using stones, marbles, and paper ballots led to mechanical voting machines and punch cards to achieve faster vote counting. Now electronic voting machines and Internet voting promise more accuracy and convenience.

 

Voters trust in the voting method is probably the most important consideration in choosing a voting system. In some countries, ballot papers are the most trusted voting method, while others prefer mechanical or electronic machines. Although most countries distrust Internet voting, others are quickly moving to adopt it.

 

Some countries, especially so called “old democracies”, where voting is not compulsory and that have seen a significant decline in voter’s participation in elections, are aggressively experimenting, with electronic voting machines and  with allowing voters to vote using the Internet, usually within a longer period of time.

 

In the United Sates, mechanical voting machines and punch card systems, which were widely used all over the country to record votes, are being replaced by optical scanning devices and direct electronic recording devices (DRE).

 

Technology for vote counting

 

Over the years there has been an increase in pressure to get election results, or at least provisional results, within hours of the closing of the official voting period. This has led to an effort to improve voting systems efficiency and capacity to deliver election results in a short time while ensuring the secrecy of the vote and the accuracy of vote counting.

 

Many people around the world believe that printed paper ballots (some in Braille for the blind), no matter what the short comings, are still the most accurate way of voting and are the most reliable for vote counting. Others believe that the use of technology protects against fraud and is more accurate and reliable for vote tabulation. In an effort to respond to the pressures of delivering election results in a short period of time, Electoral Management Bodies (EMBs) all over the world seem to be following the technology trend. 

 

Technologies used for voting and vote counting are closely related since most voting machines, besides recording a person’s vote, usually have some mechanism, either mechanical or electronic, to count the votes cast into the machine.

 

The most serious problem with the use of voting machines that count votes can be the lack of a log or paper trail, which could enable a reliable recount in the case of machine failures, suspicion of fraud during vote counting or any other problem. Many vendors of voting systems worldwide are trying to address this problem by providing some kind of paper trail or other trail mechanism to ensure that a vote recount can be done and that election stakeholders can audit both the vote recording and the vote counting at any time during or after the voting session.

 

Technology for vote tabulation

 

While vote counting at the lowest level can be manual, tabulation is usually done through a computer or a computer network that may even use basic software such as a spreadsheet, although sometimes a database management system or a custom made program is used.

 

These vote counting programmes need to be closely scrutinized by software experts to ensure that no fraud is introduced via counting software, which actually can deviate votes to a specific candidate. Programmes with a few lines of code are less likely to introduce vicious code then more complex ones], where it becomes easier to hide fraudulent code.

 

Another issue is data entry errors, which affects election results. There is a need to have a mechanism to help check data entry error. Usually two different people enter the same data in a computer network and then these two independent versions of the same data are compared: if they do not match, the data is rejected; the error verified against the manual values and re-entered.

 

This is a tedious process that can be simplified if the vote is recorded in a way that it can be automatically counted. This makes the case for the use of voting machines.

 

There are several ways to get the vote counted by the voting machine to the next level of vote tabulation, which can be a vote counting regional centre or the local, regional or national election authorities. In some countries, the voting machines are connected to a central computer system through a secure local, regional or national network where all the votes can be automatically tabulated at local, regional and national level.


Creative Commons License Image:

Launch of Voter Registration Campaign for IT Functional Constituency by Charles Mok is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.0 Generic License.

Mechanical Voting Systems

Mechanical voting systems can take many forms. This includes the use of stones in ancient Greece and the use of marbles in The Gambia It also includes—now considered “old technology” —mechanical voting machines that were once used extensively in the United States and, to a lesser degree, in a small number of other countries around the world. The advent of these mechanical voting machines], when they first appeared, resulted in faster and relatively accurate vote counting.

 

**Mechanical voting/tabulation systems**

 

Mechanical lever voting machines were used for the first time in a United States election in Lockport, New York in 1892, and known at the time as the "Myers Automatic Booth". By the 1960s they were used by more than half of the U.S. voting population. In the 1996 US Presidential election they were used by 20.7% of voters.

 

These voting machines are no longer built and therefore they have been gradually phased out of use. No mechanical voting machines are expected to be operating in the United Sates by the end of 2006.

 

On a typical mechanical lever voting machines, the name of each candidate or ballot issue choice is assigned a particular lever in a rectangular array of levers on the front of the machine. A set of printed strips visible to the voters identifies the lever assignment for each candidate and issue choice. The levers are horizontal in their unvoted positions.

 

Upon entering the voting compartment, the voter pulls a handle that activates the machine and closes a privacy curtain. The voter then pulls down selected levers to indicate choices. The machines are designed to prevent the voter from voting for more choices than are permitted. When the voter has finished voting and exits the voting booth by opening the privacy curtain with the handle, the levers are automatically reset to the original horizontal position for the next voter.

Once voting is completed and the levers are reset to zero, it causes a connected counter wheel within the machine to turn one-tenth of a full rotation corresponding to “one” vote. This counter wheel similarly drives a "tens" counter wheel that in turn drives a "hundreds" counter allowing for counting of up to one thousand votes. The counters are supposed to be set to zero prior to being sent to the voting sites, and this is verified by election inspectors and polling officers.

 

At the close of the voting period, if all mechanical connections were fully operational, the position of each counter indicates the number of votes cast on the lever that drives it and the counters are supposed to remain locked until final results of the election are published or for a period set by the respective electoral code. Polling officers and sometimes an electoral inspector are supposed to take note of the status of the counters and communicate the results to the local electoral authorities in charge of tabulating the votes. In general, party representatives and electoral observers are also allowed to take note of the votes counted by the machines.

Electronic Voting Systems

Electronic voting or e-voting is a way to get the people=s vote electronically. There are different kinds of electronic voting systems used in several countries around the world.  Most of these systems adapt existent technologies or develop specific technologies to be used for electoral purposes.

 

The main types of electronic voting systems include:

 

  • Punch card voting/tabulation systems
  • Optical scanning systems 
  • Direct recording electronic systems (DRE) 
  • Internet

 

Electronic voting systems have been in use since the 1960s, with the introduction n the market of the punch card systems, followed much later by the optical scanning systems, the DRE and the Internet.

 

Electronic voting machines are used on a large scale in Belgium, Brazil, India, Venezuela and the United States among others. Although there is a trend for adopting this technology there are still many countries that prefer hand-marked and manually counted paper ballots.

 

While the efficiency of some of these electronic systems is not disputed they have suffered from different degrees of security problems as well as a perception that they are not reliable and that they can introduce substantial counting errors. One of its main advantages though, it is that facilitates voting access to persons with disabilities.

Punch Cards

With punch card systems, voters punch holes in cards using a supplied punch device, to indicate votes for their chosen candidates. After voting, the voter may feed the card directly into a computer vote tabulating device at the polling place, or the voter may place the card in a ballot box, which is later transported to a central location for tabulation.

 

Two common types of punch cards used in the United States are the "Votomatic" card and the "Datavote" card. With the Votomatic card, the locations at which holes may be punched to indicate votes are each assigned numbers. The number of the hole is the only information printed on the card. The list of candidates and directions for punching the holes are printed in a separate booklet. With the Datavote card, the name of the candidate is printed on the ballot next to the location of the hole to be punched.

 

Punch cards and computer tally machines were first used in the U.S. for the 1964 Presidential primary election in two counties in the State of Georgia.

 

Although many U.S. punch card systems are being replaced by more advanced systems, many voters still use them. Punch card systems were used by 37.3% of voters in the U.S. 1996 Presidential election.

Optical Scanning Systems

An optical scanning device combines specialized computer hardware and software. The hardware devices capture an image and software converts the image to computer-readable data.

 

Voters using machine-readable ballots are given a ballot card with the names of candidates printed on it. Next to each candidate a symbol is printed, such as a rectangle, circle or incomplete arrow. The voter indicates a choice for a candidate by filling in the appropriate rectangle or circle or by completing the arrow.

 

After voting, the voter may feed the card directly into a computer vote tabulating device at the polling place, or the voter may place the card in a ballot box, which is later transported to a central location for tabulation.

 

The computer tabulating device identifies the marks made by voters on the cards and records votes accordingly. The individual votes are recorded in a database and aggregated to give total results.

 

Marksense systems were used by 24.6% of registered voters in the U.S. 1996 Presidential election. Use of these systems in the U.S. is increasing as older lever and punchcard systems are replaced.

There are four main types of optical scanning technologies:

  • Optical Mark Reading (OMR)
  • Optical Character Recognition (OCR)
  • Intelligent Character Recognition (ICR)
  • Imaging technology Optical Mark Reading (OMR) scanning systems

 

Most machine readable/optical scanning voting systems use OMR technology. OMR technology has been widely used since the 1970s for a variety of purposes, including school and university tests, censuses, surveys and lotteries, as well as for voting. It is also used in barcode readers, which are in widespread use in retailing, stock taking, libraries and schools.

 

OMR typically involves a scanner reading particular kinds of marks in a defined set of locations on a page. The computer software used by the OMR scanner is programmed to recognise the meaning of the various marks and to convert scanned images into computer-readable data using the location of those marks.

 

OMR systems are well suited to first-past-the-post and list electoral systems, where voters are asked to make simple choices when voting, easily represented by a simple mark. In more complex electoral systems, such as alternative voting systems and single transferable vote systems, where voters are asked to choose candidates by showing sequential preferences, it is more difficult to apply OMR technology. As a result, scanning technology has not been used widely for counting these kinds of ballots. However, the increasing accuracy of ICR may make it a viable technology for these kinds of ballots in the 2000s.

 

Apart from voting systems, there are other potential applications for OMR technology. In Australia, for example, OMR systems are used to scan electoral rolls marked in polling places to indicate the names of electors who have voted. This permits Australian electoral authorities to automate the enforcement of Australia's compulsory voting system, as well as identify any instances of multiple voting.

 

OMR barcode systems are also used extensively for mailing applications. Many postal authorities place barcodes on mail to automate the delivery process. Some countries have mail systems that allow users to print address barcodes on mail so that postal authorities can process the mail without having to print barcodes in their mail-rooms, thereby creating a discount for the user.

 

Electoral authorities are also making use of barcodes on mail. Since barcodes can identify both the name and address of the voter, they can be used by electoral authorities to process the mail when it is returned. This is particularly useful for postal ballots to automate the recording of voter names. These barcodes can also be used where addressed mail is returned “not known at this address” in order to capture those details for electoral roll update purposes.

 

OMR technology is very useful for and efficient at gathering relatively simple, pre-determined data. However, it is not very good at gathering complex, variable data, such as large amounts of text. OCR and ICR systems are more suited to this purpose.

 

Optical Character Recognition (OCR) scanning systems

 

OCR scanning systems take scanned images and use computer software to recognise the shapes of printed or handwritten characters such as numbers and letters and store them as computer-readable data. OCR is typically used to convert printed text into computer-readable text.

 

This capability has many potential applications in the electoral field. For example, in the early 1980s, the Australian Electoral Commission produced an extensive set of procedures manuals. Some years later, when the manuals were due to be revised, the original computer files containing the manuals were not able to be used by the Commission's upgraded computer software. Rather than retype the original manuals, OCR software was used to convert the printed manuals into computer files suitable for editing and revision.

 

Another important use of OCR is for data capture of information printed on forms. Rather than manually typing information contained on forms, OCR can be used to automatically convert information from forms into computer-readable data.

 

OCR works by “training” the scanning software to recognise particular shapes as letters and numbers. Since different print fonts are different shapes, OCR systems have to be trained to recognise that a particular letter or number can take several different forms. Given the regularity of printed fonts, this is a relatively straight forward process. OCR systems can also be trained to recognise hand writing. However, given the infinite variety in hand writing styles, this is a much more difficult task.

 

Early OCR systems had a relatively high error rate when converting printed text to computer-readable data, particularly hand written text. This required a high level of human intervention to proof-read and correct the converted data. As optical scanning hardware and software improved towards the end of the 1990s, the error rates dropped. However, the next generation of scanning systems, ICR systems, went even further in increasing scanning accuracy rates.

 

Intelligent Character Recognition (ICR) scanning systems

 

ICR takes OCR systems one step further by using computer software to apply intelligent logic tests to scanned characters so as to more reliably convert them into computer-readable data.

 

ICR systems apply rules of spelling, grammar and context to scanned text in order to make “intelligent” assessments as to the correct interpretation of the data. This enables much more accurate conversion of scanned text than does the more simple OCR system, particularly with handwriting.

 

ICR software requires fast, powerful computers to perform efficiently. Reliable ICR systems only became available in the mid to late 1990s with the development of cheap, powerful computer products.

 

As ICR systems become more reliable, their use for electoral applications will increase. They are particularly suitable for capturing data from forms. ICR systems are also being examined for their suitability to capture hand written numbers from ballots used for more complex electoral systems, such as alternative vote and single transferable vote systems. To date, automatic data capture systems have not been used for these electoral systems owing to the complexity of the task.

 

Imaging technology

 

In addition to capturing images for conversion into data, scanners can also capture images to be stored as computer-readable images. Photographs, drawings and images of text can be stored and reused in computer-readable form.

 

Computerised images have many electoral applications. Images can be included on websites and printed in publications. Staff photographs can be placed on an electoral authority's “Who we are” Internet page and in its Annual Report. Photographs of polling stations can include on websites and instruction manuals. Examples of completed forms can be scanned as images and printed in training manuals.

 

Paper-based forms can be imaged and stored in electronic form. Copies of the images can then be downloaded over a computer network without the need to access the original paper copies. The Australian Electoral Commission is currently engaged in imaging all of its millions of voter registration forms and placing them on a computer network accessible from any of its offices nationwide. This system will be used to check signatures or any other details included on the forms by accessing the imaged forms on demand.

 

Corporate logos can be stored electronically as images and printed on a range of corporate publications. Where an organization may once have used expensive pre-printed stationery containing the corporate logo, stationery can now be printed from the desktop with professional letterhead using blank paper, a colour printer and a digitized image of the logo.

 

Imaging technology can also be used for identity verification purposes. Photographs can be digitized and placed on identity cards. Images of finger prints or facial features can be digitized and stored on smart cards. Software identity systems can be used to compare the image of the person presenting a smart card with the image of the person encoded on the card to determine whether it is the same person.

Direct Recording Electronically (DRE)

The increasing sophistication of computer technology towards the end of the 1990s led to the most recent development in the evolution of voting systems: Direct Recording Electronic (DRE) systems.

Use of DRE systems is expanding and in Belgium, Brasil, India and Venezuela most if not all voters use a DRE device to vote while in the United States and other coutries the percentage of voters using DRE devices to vote is increasing.

Using DRE systems, voters mark their votes directly into an electronic device, using a touch screen, push buttons or a similar device. Where write-in ballots are permissible, an alphabetic keyboard is sometimes provided to allow voters to cast write-in votes.

With DRE systems there is no need for paper ballots. Voting data is stored by the electronic device, on a computer hard disk or a portable diskette, CD-ROM or smartcard. For backup and verification purposes, some systems copy voting data onto more than one storage medium. For example, in Belgium, voting data is written both to a hard disk and to a smartcard issued to the voter. After voting, the voter places the used smartcard in a ballot box. The smartcard can be used as backup should the hard disk copy fail, or as a way of auditing the data recorded on the hard disk.

When the polls close, the data from the various voting locations are amalgamated in a central computer, which calculates the vote totals. Data can be transmitted to the central computer either on removable portable devices such as diskettes, or by a computer network.

Since the 1990s the telephone has also been used as a type of DRE voting system. Voters are able to record votes directly into computer systems using the key pads on their telephones, and to identify themselves with Personal Identity Numbers (PINs), by following a series of recorded instructions.

The introduction of DRE voting options at locations away from polling places, like internet voting and telephone voting, raises the issue of identifying the voter remotely which has not yet been solved to security standards required by the need to ensure that the person voting is indeed a voter, that he can not vote more than once and that the vote is secret.

Internet Voting

The explosion of the Internet and the World Wide Web in the late 1990s led many individuals both inside and outside of the electoral administrations field to speculate about the possibility of using this new public resource to improve the efficiency, effectiveness, and legitimacy of democratic elections. Following on this discussion, several studies and experiments were developed, in independent jurisdictions and with mixed results. The overwhelming consensus which emerged from these studies is that Internet Voting presents numerous risks which need to be properly addressed before widespread deployment can take place.

Why Consider Internet Voting?

The most obvious advantage of internet voting is convenience for the voter. Regardless of how well polling places are designed and distributed, there could be no more convenient place to vote than from the comfort of one's home. By making electoral participation as easy as logging in to a website, checking a few boxes on a form, and clicking the "Vote" button, it is likely that voter turnout, and hence the overall legitimacy of the results, may be improved significantly. It could also allow significant cost-savings in the deployment and operation of physical polling stations, if the "adoption rate" of internet voting is at a sufficient level. The counting and tabulating of electronic ballots is potentially much faster and easier than counting traditional paper-based or even optical-scan or punch-card ballots, which may represent significant cost savings as well.

It is possible to distinguish three different forms of internet voting:

  • Polling Site Internet Voting - in which voters cast their ballots via the internet from client machines physically situated in official polling places, in which both the hardware and software of the client is controlled by election officials, and the authentication of the voters may take place by traditional means.
  • Kiosk Internet Voting - in which voters cast their ballots via client machines, in which the hardware and software are controlled by election officials, but distributed in public places (shopping malls etc.) in which the physical environment and voter authentication are not directly under official control.
  • Remote Internet Voting - in which neither the client machines nor the physical environment are under the control of election officials. Whereas the first two methods are potentially much more secure, they also present few advantages over more traditional voting methods. The "allure" of internet voting is only fully encapsulated in systems in which users are able to authenticate themselves and cast their ballots at their convenience, via home, workplace, or public internet terminals. Unfortunately, it is this method which presents the most serious and intractable security risks.

Security Implications of Remote Internet Voting

The possible benefits of internet voting must be weighed against the risks to which this polling method is exposed. As has been emphasized elsewhere, but bears repeating, every election conducted by whatever means should comply faithfully with the same basic principles of secrecy and anonymity, fairness, accuracy, and transparency.

Every polling system, whether it uses pencil and paper, punch cards, touch-screen (DRE), or any other method, must assure that voters are identified accurately and that their votes are counted accurately. In most cases this must be done without allowing any means to associate a particular vote with a particular voter. It is also essential that the citizenry have confidence in the results; in other words, that the system chosen not only comforms to these basic requirements, but that it does so in a manner that is clear and well understood by all participants. Every polling method should be as secret and anonymous, fair, accurate, and transparent as a well-managed paper-and-pencil balloting system:

"Indeed, if perfect clerks would conduct an election using paper-ballots, this would provide the best model we have for a public election. Such an election would be, for example: anonymous (avoiding collusion, coercion), secret (all cast votes are unknown until the election ends) and yet correct (all votes are counted) and honest (no one can vote twice or change the vote of another), oftentimes also complete (all voters must either vote or justify absence). In such a system, if we know the voter (e.g., in voter registration) we cannot know the vote and if we know the vote (e.g., in tallying) we cannot know the voter. After an election, all votes and all voters are publicly known – but their connection is both unprovable and unknown."

SafeVote Inc., Voting System Requirements, The Bell, Feb. 2001

Any purely electronic voting system must take into account the necessity of safeguarding the accuracy of the vote count, in the absence of a physical representation of the ballot. For a complete discussion of this issue, see Direct Recording Electronic Systems . In addition to these concerns, Internet voting is subject to other potential risks due to the inherent insecurity of both the user's machine and the network connection by which it connects to the central server or tabulator.

At the present time, over 90% of home computers use a version of the Microsoft Windows operating system. As this operating system was never intended for highly sensitive "mission critical" applications, its primary goal is to be as easy as possible for a novice or casual user to operate. As such, little effort has been made to "compartmentalize" the operating system to prevent "rogue" applications from performing unwanted actions or making unwanted changes to the overall operation and configuration of the computer. This fundamentally insecure environment, along with the widespread deployment of "macro languages" in applications like Word or Outlook, has provided a fertile breeding ground for many different forms of computer viruses, "worms", "spyware", or "trojan horse" applications. Despite the widespread use of firewalls and anti-virus software, it has been estimated that 20% of all personal computers are infected with some type of "malware" (see Your PC May Be Less Secure Than You Think ). In other words, there is no way at present for designers of internet voting systems to ensure that the voters' home computers have not been compromised in such a way as to call into question the reliability of the voting process.

Securing the connection between the voter's home computer and the central server is also problematic, but in this area at least the correct use of public-key cryptography allows a degree of confidence in the integrity of this communication channel. Specifically, the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols used by web browsers and servers to create secure channels for e-commerce and internet banking, for example, were designed to prevent the so-called "man in the middle" attack whereby a network transmission is hijacked by an attacker who has managed to control the channel through which the two end-points of the transaction communicate with one another. SSL uses signed encryption keys which have been verified by a trusted "Certificate Authority" to make it impossible for such an attacker to modify the contents of this communication, without revealing that the attack has taken place. Unfortunately, even if this technology is used correctly, it is still vulnerable to other types of attack, which may be characterised as either "denial of service" attacks or "spoofing" attacks. A denial of service attack is said to take place when the attacker, even if unable to alter or interfere with the substance of a communication, is able to prevent the communication from taking place, typically by overloading one or the other endpoint of the communication. A spoofing attack is said to occur when one of the communicating parties is tricked into opening a secure connection to a site controlled by an attacker. A variety of spoofing attack, popularly known as "phishing", has become extremely widespread in recent years, typically involving an email containing an obfuscated link to a site which has been created to perfectly mimic a particular target website (eg. that of a financial institution,) along with an urgent request to "re-enter" sensitive personal information (credit card numbers, passwords, etc.) This is related to a more general form of attack commonly referred to as "social engineering"; that is, bypassing technical security measures by targetting the users of the system, who often have a poor understanding of these security measures. For an informed discussion of the false sense of security created by the widespread deployment of SSL/TLS, see The Maginot Web .

Despite the widespread deployment and use of the internet for banking and other sensitive transactions, it must be emphasised that guaranteeing the security of voting via the internet is a fundamentally more difficult problem, for two important reasons. First, unlike financial transactions, in most constituencies no connection may be made between the voter and his or her vote; record-keeping and auditing capabilities which are standard in the financial world are therefore not applicable to online polling systems. Secondly, discovery of anomolies or errors in the transmission or recording of votes cannot feasibly result in a correction of these results after the fact. At best, such discovery can only result in the invalidation of any votes so affected; at worst, in the invalidation of the election itself. Needless to say such an outcome could have disastrous effects in terms of public confidence in the legitimacy of the entire process.

For a more complete discussion of the security implications of Internet voting in general, see Security Considerations for Remote Electronic Voting over the Internet by Dr. Avi Rubin of Johns Hopkins University.

Real-world Deployment of Internet Voting

The State of Geneva in Switzerland is perhaps the first constituency in the world to deploy internet voting in any widespread fashion. Beginning in 2003 citizens of Geneva have had the option to cast their ballots online. The motivations behind this deployment, as well as the strategies for overcoming the sorts of security issues outlined above, relate at least partly to circumstances particular to Geneva, which may reduce the applicability of this experiment to other constituencies.

Geneva differs significantly from many localities in that citizens are asked to vote much more frequently, typically 4 to 6 times per year rather than once every 2 or more years, as is the norm elsewhere, due to a "direct democracy" system in which any parliamentary vote may be subject to ratification or refusal by the citizenry. As a consequence of this, electoral authorities in Geneva are under greater pressure than their counterparts elsewhere to make the voting process as simple and convenient as possible. In response to this pressure, in 1995 election officials in Geneva implemented a remote voting system based on postal voting, which quickly became the most popular method of voting, and which is credited with increasing voter turnout by 20%. Accepting the viability of postal voting has the effect of "lowering the bar" somewhat in terms of the security and public acceptance issues facing other forms of remote voting; any new system would only need to achieve the same level of security and acceptance as postal voting. For example, registered voters in Geneva already receive voting cards by mail which contains information allowing them to cast their ballots by return post. Internet voting is simply seen as an extension of this well-established service; as such, system designers have simply not addressed potential problems such as vote-buying or coercion by any technical security measures whatsoever, relying instead on socio-cultural norms and legal mechanisms to provide protection against this possibility.

For an overview of Geneva's experiences with internet voting, see the State of Geneva's E-Voting web site ; for a detailed account of security risks and countermeasures considered by the implementors of Geneva's internet voting system, see Addressing the Secure Platform Problem for Remote Internet Voting in Geneva .

Another significant experiment in internet voting, with a more negative outcome, was conducted by the U.S. Military for use by overseas active-duty military personnel. An initial pilot project was conducted during the general election in November 2000 in which a mere 84 military voters participated, despite a cost of 6.2 million dollars, and which was widely considered to have failed to address key security issues. (See Internet Voting Project Cost Pentagon $73,809 Per Vote )

Despite these misgivings, the project was further developed, under the administration of the Federal Voting Assistance Program (FVAP), as the Secure Electronic Registration and Voting Experiment (SERVE), for broader deployment in the general election of November 2004. In advance of this planned deployment, a group of computer security experts produced a detailed study of the system, which concluded that

"The real barrier to success is not a lack of vision, skill, resources, or dedication; it is the fact that, given the current Internet and PC security technology, and the goal of a secure, all-electronic remote voting system, the FVAP has taken on an essentially impossible task. There really is no good way to build such a voting system without a radical change in overall architecture of the Internet and the PC, or some unforeseen security breakthrough. The SERVE project is thus too far ahead of its time, and should not be reconsidered until there is a much improved security infrastructure to build upon."

A Security Analysis of the Secure Electronic Registration and Voting Experiment (SERVE)

In the aftermath of this report, in February 2004 U.S. Defence Secretary Paul Wolfowitz accounced the cancellation the project, citing these unresolved security issues as the primary reason. (See Pentagon halts Internet voting system )

Conclusions

While it is likely, perhaps even inevitable, that voting via the internet will one day become commonplace, for reasons outlined above it is clear that designers and implementors of internet voting systems face major difficulties which must be overcome before it will be suitable for broad deployment. The most important consideration is the degree to which many crucial elements of any internet voting scheme are completely outside the control of election authorities, with the result that it will be difficult to have any degree of confidence in such voting systems until the architecture of both the personal computer and the internet itself have evolved to a state far beyond that which is currently in place.

Dr. David Jefferson of Lawrence Livermore National Laboratories in Berkeley California, one of the authors of the SERVE Report, has stated that

"Internet voting systems are vulnerable to denial of service attacks, spoofing attacks, malicious code attacks, spyware attacks, remote management attacks, and automated vote selling schemes. These attacks are powerful enough compromise large numbers of votes, either disenfranchizing voters, spying on their votes, changing their votes, or buying votes. These attacks can often succeed, possibly changing the results of an election, and yet go completely undetected. And they can be launched by anyone in the world, from a disturbed teenager to a foreign government. These vulnerabilities are quite fundamental. They cannot be designed around or fixed with the current generation of PC hardware and software and the current Internet protocols. Until such time as the security architectures of the Internet and the PC have been completely redesigned and the new designs widely deployed, which is probably at least a decade away, Internet voting in public elections must remain out of the question."

David Jefferson, The Inherent Security Vulnerabilities with Internet Voting (Abstract)

And according to American computer security and cryptography expert Bruce Schneier, referring specifically to the American context,

"Building a secure Internet-based voting system is a very hard problem, harder than all the other computer security problems we've attempted and failed at. I believe that the risks to democracy are too great to attempt it."

Bruce Schneier, Crypto-Gram February 15, 2001

Document Actions

© 1998-2010 ACE project

Powered by Plone CMS, the Open Source Content Management System