The electronic voting machines that one-third of American voters will be using in November are no more reliable than your home computer. Technology has actually taken us a step backward. Paper itself was never fraudproof (remember those chads?), but a stolen, lost, or stuffed ballot box risks mere hundreds of votes while a hidden computer glitch risks millions. Transparency—not just of the software code, but of the whole voting system—has never been more important.
Each voter should be able to verify that his or her own vote has been counted correctly from the booth all the way to the final tally. But how can you lay bare the secret ballot without sacrificing the privacy that makes democracy work?
Invisible ink, according to top security experts. Really.
Our current digital democracy leaves massive fraud and massive error imperceptible and untrackable. Direct-recording electronic voting machines in particular are easy to hack; Princeton University security expert Ed Felten proved it by accessing a Diebold machine’s memory card with a hotel minibar key he bought online. In less than one minute, Felton was able to install undetectable vote-stealing software. And since viruses can spread, one machine’s infection can quickly cross county lines.
Then there is the garden-variety computer error. Touch-screen machines in Sarasota, Florida, recorded an 18,000-vote undercount in a congressional race decided by fewer than 400 votes. It doesn’t take malicious intent for crucial information to go missing.
Computer scientists led by cryptographer David Chaum claim to have the solution. Their latest scheme, called Scantegrity II, would make elections both transparent (to catch error or vote-alteration fraud) and private (to prevent coercion, intimidation, and vote buying). They presented Scantegrity II (the “II” stands for “invisible ink”) at the USENIX/ACCURATE Electronic Voting Technology Workshop in July and plan to test it in a municipal election in 2009.
Here’s how it works: Poll personnel hand you a normal-looking optical scan ballot and a special decoder pen. When you fill in the bubbles next to your preferred candidates, the ink reveals a previously invisible two- or three-letter code. The optical scanner records the vote via the marked bubbles. No new machinery or procedures are required.
If you want to verify your vote at home, you write out the now-visible codes on the receipt portion of the ballot and take it with you. (Poll workers keep the paper ballot itself.) At home, you can visit an election Web site and enter the ballot serial number from the receipt to see whether all your codes, and only your codes, were recorded. Since the codes are different on every ballot, you have proof that your votes were collected as cast—but there is no indication of whom you voted for, so the privacy of your vote is preserved.
Not everyone will verify. In fact, a recent study found that 63 percent of participants who were handed fraudulent summaries didn’t even notice. But that is OK. “Generally, you need only 1 or 2 percent to check to get a confidence level of better than 95 percent that no fraud occurred,” Chaum says.
What about the tally? No one has to tamper with individual votes for the total to change. The beauty of Scantegrity II is that anyone—not just an election official—can see from any online computer whether the posted votes correspond to actual ballots and whether the number of votes counted is identical to the number of votes cast. If a set of encryptions that correspond to the ballots printed are posted online before the election, it is almost impossible to fake the ballots or manipulate the count—and each vote remains secret.
Power to the people.