Voter-verified paper audit trail: Difference between revisions

Voter Verified Paper Audit Trail (VVPAT) or Verified Paper Record (VPR) is an independent verification system for voting machines designed to assure voters that their vote was cast correctly, detect possible election fraud or malfunction, and to provide a means to audit the original machine.

The added security of the VVPAT derives from two fundamental differences between paper and computer memory as a recording medium when storing votes. Paper is readable by the human eye, reading computer memory needs a device and software which has to be trusted. This property allows voters to verify their votes on VVPAT records before casting their vote. Also a printed vote on paper would be very hard to change by the voting machine opposed to a stored vote in computer memory which can be changed in an instant without a trace. Corrupt or malfunctioning electronic voting machines that do not have VVPAT capabilities might store votes other than as intended by the voter unnoticed. A VVPAT enables voters to verify that their votes are cast as intended and serves as an additional barrier to changing or destroying votes.

Overview

Voter Verified Paper Audit Trail (VVPAT) or Verified Paper Record (VPR) is a method of providing feedback to voters using any ballotless voting systems, including electronic direct record voting system (DRE) to assure them that their votes have been recorded as intended. It is intended, and some argue necessary, as a means by which to detect fraud and equipment malfunction. Depending on election laws the paper audit trail may constitute a legal ballot and therefore provide a means by which a manual vote count can be conducted if a recount is necessary.

In Non-document ballot voting systems (both the mechanical voting machines and DRE voting machines), the voter does not have an option to review a physical ballot to confirm the voting system accurately recorded his or her intent. In addition, an election official is unable to manually recount a ballot in the event of a dispute. Because of this, critics claim there is an increased chance for electoral fraud or malfunction and security experts, such as Bruce Schneier, have demanded voter-verifiable paper audit trails.^[1]. Non-document ballot voting systems allow only a recount of the "stored votes." These "stored votes" might not represent the correct voter intent in case of a manipulated voting machine.

A fundamental hurdle in the implementation of paper audit trails is the performance and authority of the audit. Paper audit systems increase the cost of electronic voting systems, can be difficult to implement, often require specialized external hardware, and can be difficult to use. Many districts require a paper audit trail by statute for all electronic direct record voting machines used in public elections.

VVPAT Application

Various technologies can be used to implement a paper audit trail.

• Attachment of a printer to electronic direct record voting machines that print paper records stored within the machine. Such designs usually present the record to the voter behind a screen (known as the "Mercuri method") to enable a voter to confirm a printed record matches the electronic ballot. The records can be manually counted and compared to the electronic vote totals in the event of a dispute.
• Attachment of a printer to electronic direct record voting machines that print an encrypted receipt that is either retained by the voter or stored within the machine. If the receipt is retained, the receipts can be manually counted and compared to the electronic vote totals in the event of a dispute.
• Creation of an encrypted audit trail at the same time the electronic ballot is created in an electronic direct record voting machine. The audit trail can be accessed and compared to the electronic vote totals in the event of a dispute.

Dr. Rebecca Mercuri, the creator of the VVPAT (Voter Verified Paper Audit Trail) concept (as described in her Ph.D. dissertation in October 2000 on the basic voter verifiable ballot system), proposes to answer the auditability question by having the voting machine print a paper ballot or other paper facsimile that can be visually verified by the voter before being entered into a secure location. Subsequently, this is sometimes referred to as the "Mercuri method".

An audit system can be used in measured random recounts to detect possible malfunction or fraud. With the VVPAT method, the paper ballot is often treated as the official ballot of record. In this scenario, the ballot is primary and the electronic records are used only for an initial count. In any subsequent recounts or challenges the paper not electronic ballot would be used for tabulation. Whenever a paper record serves as the legal ballot, that system will be subject the same benefits and concerns of any paper ballot system.

Matt Quinn, the developer of the original Australian DRE system, believes that in the future there should be a Voter Verified Paper Audit Trail, "There's no reason voters should trust a system that doesn't have it, and they shouldn't be asked to. Why on earth should [voters] have to trust me -- someone with a vested interest in the project's success? A voter-verified audit trail is the only way to 'prove' the system's integrity to the vast majority of electors, who after all, own the democracy." ^[2]

There are cryptographic solutions that can assure voters their votes are correctly tabulated. In 2004, David Chaum proposed a solution to the verifiability issues that allows a voter to verify that the vote is cast appropriately and that the vote is accurately counted.^[3] After the voter selects their candidates, the DRE machine prints out a specially formatted version of the ballot on two transparencies. When the layers are stacked, they show the human-readable vote. However, each transparency is encrypted with a form of visual cryptography so that it alone does not reveal any information unless it is decrypted. The voter selects one layer to destroy at the poll. The DRE retains an electronic copy of the other layer and gives the physical copy as a receipt to ensure the ballot is not later changed. The system guards against changes to the voter's ballot and uses a mix-net decryption procedure to ensure that each vote is accurately counted.

Private company VoteHere suggests a cryptographic solution that involves the voter choosing a number with which the system does some verifiable shuffling.^[4] Sastry, Karloff and Wagner have pointed out that there are issues with both of the Chaum and VoteHere cryptographic solutions.^[5]

Implementation Challenges of VVPAT

In the implementation of the VVPAT the manufacturer should use a printer which is technically unable to reverse the paper feed. This avoids that manipulated software can overwrite the VVPAT after the voter checked it. Another security measure should be to make it physically impossible to print while no voter is observing the paper trail to avoid ballot stuffing by tampered software. This can be accomplished by a switch which deactivates the printer, as long as there is voter card inserted.

It can be significantly more difficult to implement a VVPAT as an after-the-fact feature. For jurisdictions currently using direct record voting machines that lack a VVPAT, implementation can be expensive to add and difficult to implement due to the specialized external hardware required. To add a VVPAT component to a DRE machine, a jurisdiction would be required to purchase the system designed by the vendor of the DRE machine with a no bid, sole source purchase contract. That assumes the vendor has designed a component that is compatible with the DRE machine in use. The vendor may not have developed a VVPAT component that is compatible with the DRE machine in use, thus requiring the jurisdiction to purchase an entirely new voting system.

For jurisdictions not currently using direct record voting machines, the introduction of a new voting system that includes a VVPAT component would have less implementation challenges.

In addition, a VVPAT component may not be easily usable by poll-workers, many of whom are already struggling with DRE maintenance and use and new elections law requirements. In the 2006 primary election in Cuyahoga County, Ohio, a study found that about ten percent of the VVPAT ballots were unreadable, in one case because the thermal paper was loaded into the printer backwards. [1]

The idea that a receipt could be given to the voter to verify the DRE may violate the notion of a secret ballot and increase the chance for voter intimidation and vote selling. While current systems do not allow a take-home receipt, they do print the audit ballots out in the order in which they were cast. Critics argue a corrupt poll worker could keep track of the sequence in which people voted in order to match an individual directly to his or her ballot.

Also problematic is that voters are not required to actually check the paper audit before casting a ballot, which is critical to "verifying" the vote. While the option to look at the paper may provide comfort to an individual voter, the system cannot "verify" the results of an election unless every voter participates.

The idea of creating and storing an encrypted audit trail at the same time the electronic ballot is created a stored by the DRE machine may enable an audit by election officials after the election but may not reassure voters that their intentions were recorded correctly. With the same machine creating and storing the ballot and the audit trail, even though a different computational sub-routine is be used, may still leave doubt in the minds of voters in the event of a dispute.

Legal Questions Around VVPAT

One important question of VVPAT systems is when should an audit be performed? Some have suggested that random audits of direct record voting machines be performed on Election Day to protect against machine malfunction. However, the partial tallying of votes before the polls have closed could create a problem similar to the occurrence in American national elections where a winner is declared based on East Coast results long before polls have closed on the West Coast. In addition, the partial tallying of votes before the polls have closed may be illegal in some jurisdictions. Others have suggested that random audits of direct record voting machines be performed after the election or only in the event of a dispute.

In the event an audit is performed after the election and a discrepancy is discovered between the ballot count and the audit count it is unclear which count is the authoritative count. Some jurisdictions have statutorily defined the ballot as the authoritative count leaving the role of an audit in question. Because VVPAT is a recent addition to direct record voting systems the authority question remains unclear.

ThreeBallot Voting System

A sample ThreeBallot multi-ballot, with a first race for President with candidates Jones, Smith, and Wu and a second race for Senator with candidates Yip and Zinn.

A new theoretical system called "ThreeBallot" was introduced in September 2006 by MIT's Turing-award-winning cryptographer Ron Rivest. It accomplishes the seemingly incompatible goals of:

1. Each voter's vote is secret, preventing vote-selling and coercion.
2. Each voter can verify that his vote was not discarded, and was correctly used and not altered, in the computation of the election result. (And if not, the voter is in a position to prove the vote counters cheated.)
3. Everybody can verify the election result was computed correctly.
4. Everybody can verify that extra fake "voters" were not added, and the full list of voters is publically known.
5. The method is designed for use paper ballots and requires a primarily low-tech devices, but is compatible with more advanced technologies.

In the ThreeBallot Voting System voters mark three identical blank ballots casting each of them. To vote for a candidate the voter must select that candidate of two of the three ballots. To vote against a candidate (the equivalent of leaving a ballot blank in other systems) the voter must select that candidate on exactly one ballot.

No candidate can be left blank if the ThreeBallot Voting System, and no candidate can be selected on all three ballots.

The complete paper is available via Rivest's website.

Conclusion

A VVPAT component of a DRE is not a prophylactic against equipment malfunction or every form of election fraud but it may assure voters that their votes have been recorded as intended. It is a usable way to enable a recount of the intended votes, without VVPAT only the stored votes might be recounted. In case of a manipulation that might not be the same.

Notes and References

1. The Problem with Electronic Voting Machines
2. Kim Zetter, "Aussies Do It Right: E-Voting" Wired.com, November 3, 2003. http://www.wired.com/news/ebiz/0,1272,61045-2,00.html
3. David Chaum, "Secret-Ballot Receipts: True Voter-Verifiable Elections," IEEE Security and Privacy, vol. 02, no. 1, pp. 38-47, 2004. DOI= http://doi.ieeecomputersociety.org/10.1109/MSECP.2004.1264852
4. Jim Adler, Andy Neff and others: http://www.votehere.net/documents.php
5. Chris Karlof, Naveen Sastry, and David Wagner. Cryptographic Voting Protocols: A Systems perspective. Proceedings of the Fourteenth USENIX Security Symposium (USENIX Security 2005), August 2005. URL= http://www.cs.berkeley.edu/~nks/papers/cryptovoting-usenix05.pdf

See also

• 2004 U.S. presidential election controversy and irregularities
• Help America Vote Act
• Electoral reform
• Vote counting system
• Voting machine
• Electronic Voting
• DRE voting machine
• Black Box Voting

External links

• Independent Verification: Essential Action to Assure Integrity in the Voting Process, Roy G. Saltman, August 22, 2006
• Brennan Center Voting Technology Initiative
• ProCon.org's Review of paper audit trails
• Verified Voting
• National Committee on Voting Integrity
• Secret-Ballot Receipts: True Voter-Verifiable Elections (mirror) by David Chaum^[1], http://punchscan.org/

1. http://www.wired.com/wired/archive/2.12/emoney_pr.html