The Secure-Vote Method for
Trustworthy Electronic Voting

Andrew Glassner
Coyote Wind, LLC

"The right of voting for representatives is the primary right by which all other rights are protected. To take away this right is to reduce a man to slavery." -Thomas Paine [1]

Executive Summary

Today's electronic voting machines are so insecure that their widespread use could cause a country-wide lack of confidence that would make Florida 2000 look like a casual, friendly disagreement.

Electronic voting machines look great on the surface: they promise voters a flexible and convenient way to cast ballots, and they promise voting officials fast and accurate reporting of the vote counts. But recent scandals and investigations have shown that the machines sold by the four manufacturers that dominate the market are not only unreliable but also easily manipulated, and that their vote databases can be corrupted. Many voting districts are scrambling to retrofit their machines with paper backups before the November 2004 election, but this is not a long-term solution. What is needed is a new voting machine that is simple, economical, and inherently trustworthy. We present such an approach here: the Secure-Vote Method.

Our device looks and acts like a contemporary electronic voting machine: it's a small box equipped with a touchscreen display. The voter uses it like any other voting machine or ATM. What makes our system secure is what's happening under the hood. The essence of our idea is that two computers share a write-once memory. Like chiseling a message into stone, once something is written into such a memory, it cannot be changed or deleted without destroying the medium. One computer accepts the voter's ballot and writes it into the memory. The other computer reads that memory and shows the voter what was saved. The voter then approves or rejects what was stored. This decision, once written in the memory, is also preserved and cannot be altered. If a voter rejects the saved ballot, he or she is given the chance to vote again.

The Secure-Vote Method is simple, modular, economical, and friendly to voters. But most important, it is inherently trustworthy and safe. All of the source code, hardware schematics, and other details of the device may be made public without reducing the integrity of the system.

The systems that we use for voting must earn our trust. That trust cannot come from the promises of vendors. A truly trustworthy system must be transparently and inherently accurate and secure. Our system achieves this goal by writing all information in a fixed, write-once medium and then confirming the validity of the vote by getting approval from the voter using an independent computer. The Secure-Vote Method is an inherently trustworthy design for safe voting.

Overview

We have developed an electronic voting machine that enjoys all of the interface amenities of contemporary touchscreen devices, but unlike those machines, saves votes accurately and in a manner that makes fraud and vote tampering very difficult to execute and impossible to hide. The system is conceptually simple and can be built from commercial hardware.

Introduction

Fair and honest voting is vital to any representative government or organization. A few errors in a large voting system are inevitable, but too many incorrectly recorded or manipulated votes make a mockery of the election and strip the winners of legitimacy.

We use the term vote errors to refer to all possible errors in a voting system that lead to a final tally that is not a correct representation of what the voters intended. Vote errors include all forms of incorrectly-recorded votes, as well as missing and extraneous votes. As far as the election results are concerned, it doesn't matter if the causes of vote errors are deliberate or accidental. If the results of an election are to be trusted, then vote errors must be reliably prevented.

To avoid a repeat of the Florida 2000 fiasco, Congress passed the Help America Vote Act (HAVA), which authorized almost $4 billion for states to purchase new, electronic voting machines. Most states chose to buy devices that use a touchscreen for their primary input and output device, so these machines are collectively known as "touchscreen machines." They are also called Direct Recording Electronic systems (DREs) and Electronic Voting Machines (EVMs).

DREs offer many features which are appealing to both general and special-needs voters. For example, ballots may be laid out by a graphic designer who can incorporate color, a variety of typefaces, and other visual elements to create legible, easily-understood ballots for different groups of voters. DREs can warn voters if they vote for too many people in a race (called over-voting) or too few or even none (called under-voting). DREs can offer ballots in a wide variety of languages. They can even offer ballots that use pictures, sounds, and animation to serve illiterate and visually-impaired voters. DREs allow voters to change their minds until the moment they commit their vote (called "second-chance" voting). Finally, voters who are used to ATMs and supermarket scanners are comfortable with these kinds of devices, and trust them to be accurate and reliable.

DREs also offer the promise of easing the lives of poll workers, county and district supervisors, and other voting officials. They do this by promising a complete, trustworthy, and unambiguous record of all votes. Such a system would eliminate any need for recounts or audits, and human judgment would be eliminated from the vote-counting process, freeing us from ever again wondering just how pregnant or hanging a chad must be to be considered a vote.

Although the four major DRE vendors hold the workings of their machines as trade secrets, enough information has leaked out over the last few years to allow us to summarize how they store votes. These DREs record the voter's choices internally either on a magnetic disk (like the disk in a personal computer) or a cartridge (like the card in a digital camera). The votes in that memory are then read back at the end of the day to produce a total for that machine.

Those totals are then typically reported to a centralized tally machine, for example a single computer that combines votes from all the precincts of a given county. Of course, it's vital that this communication be safe and accurate, and that the central machine process votes in a way that is as trustworthy as the DREs reporting to it.

DREs appeal to voters because of their rich user-interface options, and they appeal to poll workers because of their promised precision, speed, and accuracy in vote recording, storage, and counting. The user-interface side of these machines is not error-proof, but it is the vote recording and storage mechanisms that are truly worrying.

The root of the problem is that computers (and DREs are, in fact, specialized computers) can be compromised in many ways. Just because a computer says that it has correctly stored a vote doesn't mean that it really has; due to accident or deliberate manipulation, the vote could be stored incorrectly or even lost entirely. Additional, extraneous votes could be created. People could affect the stored votes and change, delete, or augment them at the end of the day. Simply put, there is no reason to trust these devices.

Several recent events in which machines and vendors have behaved in questionable ways only reinforce the idea that it is premature to entrust our votes to the devices built and marketed by the four dominant vendors. A good objective overview of the history of election machines, the recent laws, and some of the recent scandals surrounding DREs is available in a Congressional Research Service report. A thoughtful discussion of the present technology and its implications appears in a Brennan Center report. The ACLU of California has produced an excellent discussion that covers almost every aspect of this issue in a thoughtful and informed manner. More information and developing news can be found at two excellent activist sites: Verified Voting and Black Box Voting.

Simply put, a vendor's assertion that their machines are trustworthy and secure does not make it so. And even if they are designed fairly, DREs can be compromised in the field.

Awakened to the dangers, many states are looking for ways to retrofit the DREs they have already bought in order to make them trustworthy. Open-source software and paper trails are the two most common retrofit methods being discussed today. Open-source review means publishing the DRE's source code so that outsiders can examine it, and paper trails involve adding a printer and paper-storage facility to DREs in an attempt to give poll workers a means to spot-test individual machines after the polls close. Neither retrofit prevents machines from being compromised or committing vote errors in the field: published source code shows what a machine is supposed to run, not what a particular machine actually runs on election day, and a paper trail can only reveal errors after they have been recorded.

What is needed is a new approach that is inherently trustworthy.

Trustworthy Voting

To be free of vote errors, a DRE should have at least these qualities:

  • Completeness: Every vote is recorded.
  • Accuracy: Every vote is recorded correctly.
  • Parsimony: Each vote is recorded only once.
  • Secrecy: Nobody can discover a voter's choices.
  • Actuality: Only actual votes are recorded.
  • Persistence: Recorded votes cannot be lost.
  • Indelibility: Recorded votes cannot be changed.
  • Self-Checking: The system stops working if compromised.

For practical purposes, it should also offer:

  • Simplicity: The design is easy to understand.
  • Economy: The cost is reasonable.
  • Portability: The device can be easily set up and taken down.

The Secure-Vote Method, or SVM, satisfies all of these criteria. Let's first look at the voter's experience, and then see what's under the hood that makes the system reliable and trustworthy.

The User Experience

Voting with an SVM system is similar to using any contemporary touchscreen voting machine.

The voter first gets a unique activation key from the poll worker. This can be a one-time swipe card, a numerical or textual password, biometric data (such as a thumbprint), or any other object or method that serves to bring the voting machine out of its idle loop and start the voting process.

A voter is presented with one or more screens with different races; the races may be yes/no votes, slates of candidates from which only one can be chosen, slates of candidates from which several can be chosen, and so on. In other words, each race can be run under its own voting policy. The user interface for presenting the races to the voter, and for obtaining the voter's choices, is as free-form in style and technology as any contemporary DRE. So rather than simply present text to a voter, the races can be presented as animations or video clips, on headphones or audio speakers, or using any other technology for input and output.

Once a voter has made his or her choices for a particular screen's race (or races), he or she indicates that the vote should be recorded. A different screen (which for aesthetic reasons may appear to the voter to be part of the same screen) presents the voter with a summary of his or her vote. This presentation may again use any form of input and output technology.

If the voter agrees that this report matches his or her intended vote, the system moves on to the next screen. If the voter instead rejects this report, the system presents the most recent screen again (showing the voter's most recent choices) and the process repeats.

Finally, when the voter has approved the final screen in the election, the system thanks the voter and goes back into idle until it is reactivated by a new voter.

How It Works

A block diagram of the SVM is shown in Figure 1. There are four main components: two voting computers V (for "voter") and C (for "confirmation"), a read-only ballot memory B, and a write-once memory M.

Figure 1: Block diagram of the SVM.

The voting computers V and C can offer the same variety of input and output techniques as any DRE, but for simplicity we'll refer to them here as touchscreen devices.

Figure 1 reveals two critical features of the SVM. First, each of the two voting machines has its own touchscreen. Voters need not be aware of this; the screens could be mounted so that they're touching each other, giving the impression of a single screen (perhaps with a visible seam or divider). Second, the two computers V and C cannot communicate directly. They can each read and write the shared write-once memory M, but otherwise they have no means to pass any information.

The ballot memory B is a simple read-only memory that is prepared by the poll workers, district or county commissioner, or other officials. It contains the descriptions of the races for the current election, the policies (or rules) for each race, and any additional text, audio, video, and other media. For example, a referendum might be represented by text describing its number and title, and requiring a yes or no vote. Alternatively, a race for school board might offer voters a slate of a dozen candidates, each identified with a picture, text for their name, and an audio clip; voters would be allowed to vote for up to five candidates. Ballots can be laid out by designers using all the tools and devices of graphic design. The memory B can take many physical forms, such as a read-only-memory chip (ROM), a CD-ROM, or a DVD-ROM.

When the voter starts the voting process, machine V reads the first screenful of races from B and presents it for the voter's consideration. On each screen is a mechanism that allows the voter to submit the current choices as a completed vote. For simplicity, we'll refer to this as the "Submit Button", though it can have any label or appearance.

If the voter has accidentally over- or under-voted, or otherwise failed to match the policy for each race, computer V can report this and give the voter another chance. When a vote is complete, V writes it into the shared, write-once memory M.

A "write-once memory" is any technology that allows a piece of data to be written into a given part of memory once and once only. For example, a normal recordable CD-R used for backing up home computers is a write-once memory (rewritable CD-RW discs are not). The drive's laser permanently darkens tiny spots in the disc's dye layer; once a spot has been darkened it cannot be cleared again, which is why the medium is called "write-once."

Another write-once memory is a chip called a Programmable Read-Only Memory, or PROM. There are a variety of technologies for implementing PROMs, but one of the simplest is analogous to traditional household fuses. Such a PROM contains a large number of tiny wires, each representing a single bit of information. Under computer control, the PROM can be instructed to literally burn away one of these wires electrically, vaporizing it. Conventionally, a vaporized wire represents a zero and an intact wire represents a one. There is no practical way to restore a fuse once it has been vaporized. Many different write-once technologies exist today. Those appropriate for the SVM store their data in a physically secure form: short of radical physical manipulation or destruction of the device, the stored data cannot be altered. The write-once property must belong to the medium itself, enforced by the physics of the device; a rewritable memory behind a controller whose firmware merely refuses second writes offers none of this protection, because that firmware is exactly the kind of software the design is meant not to have to trust.

Although write-once memories allow systems to store data into a given location of memory once and only once, the entire memory can still be read freely.

In the SVM, the write-once memory M is structured so that only voting machine V may write to one part of the memory, and only voting machine C may write to the rest. Both machines may read the entire memory. For this discussion, we'll refer to the memory M as a table made up of two columns. Voting machine V may only write data in column 1, and machine C may only write to column 2. Each row of the table represents a voter's choices for one screenful of races. Of course, the memory may actually be organized in any physical form within the system; this table is simply a useful abstraction for this presentation. Figure 2 shows the idea.

Figure 2: The two-column write-once memory M.

Returning to the operation of the SVM technique, when a voter presses the Submit Button for a given screen, machine V verifies that the vote is consistent with the policy for that screen's races; if it's not, the voter is given a chance to decide again. Once a complete vote has been submitted, machine V writes the data that represents that vote into column 1 of the next available row in M. Unused bits in the vote are all set to 0 so they cannot be used for other purposes. Machine V then goes into a monitoring mode where it watches column 2 for this row, waiting for data to be burned into it by C. The screen for machine V may go temporarily dark.

Until this point, voting machine C's screen has been dark. It's been monitoring memory M, waiting for machine V to write a new vote. Now that a vote has been written into column 1, machine C goes into action. It reads the vote information from column 1, and the screen information from the ballot memory B. Machine C then displays on its own screen a presentation of the recorded vote.

Note that C has no direct communication with V. The confirmation screen presented to the viewer is built from the information in the ballot memory B, and the vote information stored in M.

If the voter approves the display, machine C burns a bit in column 2 for this vote that indicates "approved." Otherwise, C burns a bit that indicates "rejected." Once one of these choices has been made by the voter and burned into the memory, C goes back to its monitoring mode, watching the next row of the memory M for a new vote. It may dim or black out its screen so it's not distracting to the voter.

During this phase, V has been monitoring column 2 for this vote. Once C has burned either the accepted or rejected bits, V becomes active again. If the voter rejected the saved vote, then V presents the same screen again; otherwise it moves on to the next one.

When the ballots are summed up at the end of the day to produce totals, only ballots that are marked as "accepted" by the voters are included.

Districts may choose to enforce local voting policies on this procedure. For example, the machines may signal a poll worker if a single voter has rejected too many ballots, or is consistently undervoting or overvoting. Districts may choose to count all voter-approved votes, or they may choose to only count complete ballots, where a voter has made a choice on every race.
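To make the write-once memory and the V/C hand-off above concrete, here is an added Python model of the procedure (an illustration written for this page, not code from the original or from the patent-pending design). It assumes M is a fuse-style PROM in which a fresh cell reads 1 and a burn irreversibly clears it to 0, with column 1 writable only by V and column 2 only by C. It runs two honest voters, a voter whose V misrecords the choice once (the voter rejects, and the rejected row stays in M), a phantom row that V writes but no voter ever confirms, and a refused attempt to overwrite an earlier row, then tallies only approved rows. The race, bit layout, machine names and tamper model are all invented for the example.

```python
"""Toy model of the SVM write-once memory M and the V/C confirmation protocol.

Added illustration, not the author's code.  Assumed here: M is a fuse-style
PROM (a fresh cell reads 1, a burn clears it to 0 for good); each row has a
fixed-width vote field in column 1 (writer: V) and two flag fuses in column 2
(writer: C).  The race, bit layout and tamper model are invented.
"""

VOTE_BITS = 8                            # width of column 1
FRESH_VOTE = (1 << VOTE_BITS) - 1        # every fuse in the field still intact
APPROVE_FUSE, REJECT_FUSE = 0b10, 0b01   # column 2 fuses; C burns exactly one
PENDING = 0b11                           # neither column 2 fuse burned yet

CANDIDATES = ("Ada", "Bob", "Cy")        # candidate i is bit i of the vote field
MAX_CHOICES = 2                          # race policy: vote for up to two


class WriteOnceError(Exception):
    """A machine tried to write a column it does not own, or a cell already burned."""


class WriteOnceMemory:
    """Two-column fuse table: bits only ever go 1 -> 0, one writer per column."""

    def __init__(self, rows):
        self.col1 = [FRESH_VOTE] * rows  # vote fields, writable only by V
        self.col2 = [PENDING] * rows     # approve/reject fuses, writable only by C

    def burn_vote(self, writer, row, value):
        if writer != "V":
            raise WriteOnceError(f"{writer} may not write column 1")
        if self.col1[row] != FRESH_VOTE:
            raise WriteOnceError(f"row {row}, column 1 is already burned")
        # A burn can only clear fuses, so the unused (zero) bits of the vote
        # end up burned as well and can never be repurposed later.
        self.col1[row] &= value & FRESH_VOTE

    def burn_flag(self, writer, row, fuse):
        if writer != "C":
            raise WriteOnceError(f"{writer} may not write column 2")
        if self.col2[row] != PENDING:
            raise WriteOnceError(f"row {row}, column 2 is already decided")
        self.col2[row] &= ~fuse & PENDING

    def status(self, row):
        return {PENDING: "pending",
                PENDING & ~APPROVE_FUSE: "approved",
                PENDING & ~REJECT_FUSE: "rejected"}.get(self.col2[row], "invalid")


def valid_vote(vote):
    """V's policy check: no bits outside the race, no over-vote (under-vote allowed)."""
    in_race = (vote & ((1 << len(CANDIDATES)) - 1)) == vote
    return in_race and bin(vote).count("1") <= MAX_CHOICES


def machine_v(mem, row, intent, record=lambda v: v):
    """V checks the choices against the race policy and burns them into column 1.

    `record` models V's storage path: the identity is an honest V; anything else
    is a compromised V that stores something other than what the voter chose.
    """
    if not valid_vote(intent):
        raise ValueError("over-vote or stray bits; the voter must choose again")
    mem.burn_vote("V", row, record(intent))


def machine_c(mem, row, intent):
    """C reads the vote back from M (its only link to V), shows it, and burns one fuse."""
    shown = mem.col1[row]
    mem.burn_flag("C", row, APPROVE_FUSE if shown == intent else REJECT_FUSE)
    return shown == intent


def cast_ballot(mem, row, intent, record=lambda v: v):
    """One voter, one screen: retry on fresh rows until approved; returns next free row."""
    while True:
        machine_v(mem, row, intent, record)
        if machine_c(mem, row, intent):
            return row + 1
        row += 1                         # the rejected row stays in M for good


def flip_once():
    """A compromised V that swaps Ada and Bob on its first recording, then behaves."""
    calls = [0]

    def record(v):
        calls[0] += 1
        if calls[0] == 1:
            return ((v & 0b001) << 1) | ((v & 0b010) >> 1) | (v & 0b100)
        return v
    return record


def tally(mem):
    """Only voter-approved rows count; pending, rejected and invalid rows never do."""
    counts = dict.fromkeys(CANDIDATES, 0)
    for row in range(len(mem.col1)):
        if mem.status(row) == "approved":
            for i, name in enumerate(CANDIDATES):
                if mem.col1[row] >> i & 1:
                    counts[name] += 1
    return counts


def run_election():
    """Constructed scenario: two honest voters, one misrecorded vote, one phantom row."""
    mem = WriteOnceMemory(rows=8)
    row = cast_ballot(mem, 0, 0b001)                        # row 0: Ada, approved
    row = cast_ballot(mem, row, 0b011)                      # row 1: Ada + Bob, approved
    row = cast_ballot(mem, row, 0b001, record=flip_once())  # row 2: stored as Bob, rejected
                                                            # row 3: Ada, approved
    mem.burn_vote("V", row, 0b010)                          # row 4: phantom vote, never confirmed
    try:
        mem.burn_vote("V", 0, 0b111)                        # attempt to overwrite row 0
    except WriteOnceError:
        pass                                                # refused: fuses already burned
    return mem
```

Calling `tally(run_election())` gives Ada 3, Bob 1, Cy 0: the misrecorded row 2 and the phantom row 4 remain readable in M as evidence but are never counted, and the overwrite of row 0 is refused because the row is no longer fresh. The `record` hook is where a compromised V would live; the point of the model is that nothing V does there escapes the voter's comparison on C, and nothing it writes escapes the permanent record.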

Why It's Secure

Let's compare SVM against our list of desired criteria.

  • Completeness: Every vote is recorded. Machine C will only present the confirmation screen to a voter after V records the vote. Voters who don't receive the confirmation will know that something has gone wrong.
  • Accuracy: Every vote is recorded correctly. If V records an incorrect vote, the voter will see that and reject the ballot. An incorrect vote can only get approved if the voter isn't paying attention, or if computers V and C are in conspiracy. What would such a conspiracy look like?

    Suppose we have a yes/no referendum, and V has been compromised to cause the referendum to fail. So No votes will be recorded correctly, but some percentage of Yes votes would need to be stored as No. Suppose that a voter does choose Yes, and V stores No. When C reads the vote, it reads that the voter selected No. If V and C are not conspiring, then C will show the No vote and the voter will reject that ballot. If C is conspiring with V, it might change the No vote to a Yes for the display. But such a policy would backfire, since voters who actually did vote No would be shown their votes as Yes, and they would reject the ballot. This deception can only work correctly if V and C had some means of secretly signalling when a vote should be displayed differently than it was recorded. Such a scheme is possible, but remember that all communications between V and C are saved forever in memory M.

    After an election, the write-once memory from every machine could be made part of the public record, since these memories contain no means for connecting votes and the voters who cast them. Open-source methodology would be a perfect tool for confirming that there's nothing secret in the communications between V and C; with a large number of highly motivated people looking for patterns and messages, such messages are unlikely to remain undetected for long.

  • Parsimony: Each vote is recorded only once. Even if V writes a vote into multiple rows of M, the only votes that are counted are those that are manually approved by the voter and receive the approval bit in column 2.
  • Secrecy: Nobody can discover a voter's choices. Voters' identities are not stored in M. Note that rows are filled in the order in which voters use the machine, so the memory must not be published or stored alongside any record of that order (such as a timed sign-in sheet or activation-key log) that could be lined up against it.
  • Actuality: Only actual votes are recorded. Since C cannot record votes, only V can generate extra votes. But such votes will fail to be counted in the end for the same reason discussed above under "Parsimony."
  • Persistence: Recorded votes cannot be lost. Votes recorded in M cannot be erased, short of radical physical manipulation or destruction of the memory.
  • Indelibility: Recorded votes cannot be changed. As above, the memory M would have to be subject to a hardware attack to change votes.
  • Self-Checking: The system stops working if compromised. The system works only if V and C each do their jobs in alternating sequence. If either one malfunctions, the other will not come back from its monitoring loop. Voters will see the machine freeze up and will call for assistance.
  • Simplicity: The design is easy to understand. The basic mechanisms of the system are easily understood by anyone familiar with voting machines.
  • Economy: The cost is reasonable. The system costs more than a single, simple DRE, but it doesn't require the paper printer and storage mechanism many believe is essential for today's DREs.
  • Portability: The device can be easily set up and taken down. There are no unusual or tricky physical elements to the system.

Discussion

The SVM uses two computers, each with its own input and output devices. It would be best if these two machines were built and provided by different vendors, since this lowers any chance of deliberate manipulation of votes by a single vendor, and raises the bar for a malicious hacker.

Each of the four pieces of the system can be completely specified in both its physical and mechanical needs (e.g., power and venting requirements, connectors, and maximum weight), and its electronic and electrical behavior (e.g., timing requirements and data formats). This would allow polling places to buy several units from each manufacturer, and then mix and match the pieces to make up each machine. This makes a conspiracy between units V and C even more unlikely.

The SVM system compares favorably to what we know of the machines made by the four major vendors. The SVM does not use a software database; such programs are complex and can be broken into and modified, often without detection. The SVM does not require a paper trail, so it is free of the expense and difficulty of maintaining paper, the burden a paper receipt places on some special-needs voters, and the ambiguity of a manual paper recount. All of the programming of all SVM devices can be released to the public for open-source review with no impact on the system's security. The system uses the most accurate and reliable way to confirm that a recorded vote matches a voter's intent: the voter views the ballot on a machine other than the one on which it was created and stored, and the voter determines for himself or herself whether or not the ballot was recorded correctly.

Like any real system, the SVM approach is not invulnerable. Sufficiently motivated attackers can disrupt any system given enough time and money. Social engineering can allow some people to vote multiple times, or deny legitimate voters the opportunity to cast a ballot. Such exploits are common to every voting technology, from handwritten paper ballots onward.

A specific attack on the SVM would require some means of communication between machines V and C. For C to send a message to V, it would have to encode it in the pattern of rejected and accepted ballots. However, the voter would detect this, since rejected screens would not be redisplayed and/or accepted screens would be. A voter who rejects a recorded ballot but doesn't get the chance to correct it will know something has gone wrong.

Suppose that V wants to send a message to C, perhaps that the next No vote should be reported as Yes. We can imagine a system of deliberately-created, erroneous votes generated by V and placed into the shared memory. Computer C could read these votes and use the bits to deduce a message carrying secret instructions. A voter would see this show up as an incorrect vote, and would simply reject it and try again, unaware that this was actually a backdoor communication from V to C. But this message is saved in the memory M, as are all communications between the computers. If V and C indeed are conspiring, an examination of M would reveal that pattern of messages. If the memories are released to the public, the chance of such secret communications remaining undetected would be very small indeed.

Conclusions

The SVM system is a simple, economical, and trustworthy voting machine. The approach enjoys all the benefits of the flexible user interface offered by today's DREs, but replaces their secret and unreliable storage mechanism with one that is inherently accurate and secure.

This introductory web page presents the basics of the Secure-Vote Method. The SVM system is currently patent pending. We welcome inquiries from voting officials, the press, computer scientists, electronic voting activists, and all others who wish to preserve the integrity of voting. For more information, please contact us. Direct inquiries to


All contents © 2004, Coyote Wind Studios