EVM 2003

EVM Security Design Issues

Question:

What is the difference between a paper receipt and a paper ballot?

Answer:

We speak of OVC creating a paper ballot, not a receipt, nor simply a "paper trail." That is, for OVC machines, the printout from a voting station is the primary and official record of votes cast by a voter. Electronic records may be used for generating preliminary results more rapidly, but the paper is the vote.

Some writers discuss producing a paper receipt, which a voter might carry home with them, as they do an ATM receipt. There are two significant problems with this approach. In the first place, if we suppose that a voting station might have been tampered with, or simply contains a programming error, it is not a great jump to imagine that it may print out a record that differs from what it records electronically. A receipt is a "feel good" approach that fails to correct the flaws of DREs.

But the second problem with receipts is even more fundamental. A voting receipt that can be carried away by a voter enables vote buying and vote coercion. An interested third party--even someone as seemingly innocuous as an overbearing family member--could demand to see a receipt for voting in a manner desired. With OVC systems, ballots must be placed into a sealed ballot-box to count as votes. If a voter leaves with an uncast ballot, even if she went through the motions of printing it at a vote station, that simply does not represent a vote that may be "proven" to a third party.

What some vendors refer to as a paper trail suffers from a weakness similar to the first problem that paper receipts suffer from. Under some such models, a DRE voting station might print out a summary of votes cast at the end of the day (or at some other interval). But such a printout is also just a "feel good" measure. If a machine's software or hardware can be flawed out of malice or error, it can very well print a tally that fails to accurately reflect the votes cast on it. It is not paper that is crucial, but voter-verifiability.

Question:

Some voting systems I have heard about use a system where a paper ballot is displayed under glass, but not handled directly by a voter. It seems like those systems would prevent ballot-stuffing, since voters do not have direct access to ballot-boxes. Why doesn't OVC use that approach?

Answer:

There are several narrowly technical problems with "ballot under glass" systems. For one thing, such a system will almost inevitably be more expensive than one like ours that can use commodity printers and paper stock. But voting is too important to be decided on cost, so that is an incidental issue. Along a similar line, a "ballot under glass" system has some extra mechanical problems with allowing rejection of incorrect ballots; some sort of mechanism for sending a spoiled ballot somewhere other than to the ballot-box is needed. Again, this adds cost and more points of physical failure.

A more significant issue for "ballot under glass" systems is their failure to provide the quality of accessibility to vision- or reading-impaired voters that OVC's design does. Ordinary sighted voters who happen to need reading glasses are likely to find "ballot under glass" systems more difficult to check than OVC printed ballots. Even if these machines add provisions for audio feedback on final ballots, users are dependent on the very same machine to provide such audio feedback. Potentially, a tampered-with machine could bias votes, but only for blind voters (still perhaps enough to change close elections). In contrast, OVC positively encourages third parties to develop software to assure that the barcode encoding of votes matches the visibly printed votes--every voter is treated equally, and all can verify ballots.

From a more sophisticated cryptology perspective, "ballot under glass" systems are likely to compromise voter anonymity in subtle ways. One of the issues the world-class security researchers with OVC have considered is the possibility that sequential or time-stamp information on ballots could be correlated with the activity of individual voters. Even covert videotaping of the order in which voters enter a polling place might be used for such a compromise. Security experts are folks who get paid to think about even the most nefarious attacks on systems, and voting is important enough to merit such paranoia.

While "ballot under glass" does indeed do a pretty good job of preventing ballot-box stuffing with forged physical ballots, this approach is not the only--nor even the best--technique to accomplish this goal. We plan for OVC systems to incorporate cryptographic signatures and precinct-level customization of ballots that can convincingly prove a ballot was produced on authorized machines, at the voting place, rather than forged elsewhere. A simple customization of ballots is a variation of the page position of our ballot watermarks in a manner that a tamperer cannot produce in advance. A surprising amount of information can be subtly coded by moving two background images a few millimeters in various directions. Another option is to encode a cryptographic signature within the barcode on a ballot--in a manner that can be mathematically proven not to disclose anything about the individual voter who cast that vote, but simultaneously that cannot be forged without knowledge of a secret key. There is a lot you can do with fancy mathematics.
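The following is an added illustration, not OVC code, of the two checks discussed above: the third-party check that a barcode's content matches the printed votes, and an authenticator in the barcode that a precinct-level secret key is needed to produce. The barcode payload format is invented for this example, and an HMAC under a per-precinct key stands in for the cryptographic signature so that it runs on the Python standard library alone (a real signature scheme would let anyone verify without the secret).

```python
import hashlib
import hmac
import json
import secrets

# Constructed payload layout (not OVC's real barcode format):
#   <json record>|<hex authenticator>
# The record holds only the precinct code, a random nonce and the choices.
# Deliberately absent: timestamps and sequence counters, which could be
# correlated with the order in which voters used the station.


def make_ballot_payload(choices: dict, precinct: str, key: bytes) -> str:
    """Build the barcode payload for one printed ballot at an authorized station."""
    record = {"p": precinct, "n": secrets.token_hex(8), "v": choices}
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "|" + tag


def verify_ballot_payload(payload: str, precinct: str, key: bytes):
    """Return the decoded choices if the payload is authentic, else None.

    A payload forged without the key, altered after printing, or claiming
    a different precinct fails verification and is not counted.
    """
    body, sep, tag = payload.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    record = json.loads(body)
    # Policy check: nothing beyond precinct, nonce and choices may ride along.
    if record.get("p") != precinct or set(record) != {"p", "n", "v"}:
        return None
    return record["v"]


def matches_printed_text(choices: dict, printed_lines: list) -> bool:
    """Third-party check: barcode choices agree with the human-readable
    printout, given here in a constructed 'Contest: Choice' line form."""
    printed = dict(line.split(": ", 1) for line in printed_lines)
    return printed == choices
```

Anyone can run `matches_printed_text` on a decoded barcode without any key, which is the point of voter-verifiability; `verify_ballot_payload` is the count-time check against ballots forged elsewhere.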

Resources:

Professor Amit Sahai directs a Wiki (discussion site) where OVC developers analyze threat models.

Contact David Mertz <mertz@gnosis.cx> for suggestions on updating these documents, new questions/answers, and so on.