Elections that are safe, secure, and verifiable by the public are an essential part of every democratic government. There have been public outcries for changes in the election process in the US and around the world as citizens have been frustrated with the lack of transparency. Election confidence from the majority of the public is not easy to obtain, but the panelists of a CCC-organized panel at the AAAS Annual Meeting made many suggestions on steps we can take to do just that.
The panelists of the session, “Emerging Election Technologies Enhancing Integrity, Transparency, and Confidence” were Philip B. Stark (University of California, Berkeley), Josh Benaloh (Microsoft Research), and Poorvi L. Vora (George Washington University). Elizabeth (Liz) Howard (Brennan Center for Justice) was the moderator.
Dr. Howard kicked off the session by describing that democracies around the world are under attack, and it is critical to the future of these systems that we have election confidence. She explained that technology can combat these threats through substantive evidence of election integrity, specifically with evidence-based elections, end-to-end-verifiable voting systems, and risk-limiting audits.
Dr. Stark began the panel discussion by positing that “whether or not you believe the 2020 election was accurate, the fact that many people do not shows that we need to run elections in a way that generates convincing evidence that reported election outcomes are correct.” The antidote to a lack of trust according to Dr. Stark? Evidence. It isn’t enough for election officials to determine who won an election and declare it, the public deserves convincing evidence. Not all evidence about elections is affirmative evidence that outcomes are right. For instance, a forensic examination of voting system software might find no malware–but that is not evidence that the results are correct, only that one kind of problem did not occur. Similarly, an accurate, full hand count of the paper trail provides no evidence that the outcome is correct unless there is also evidence that the paper trail accurately reflects how people voted. There are multiple ways to collect convincing evidence that an election was called correctly while maintaining ballot anonymity. The key is that elections should be evidence-based, not procedure-based which is the current standard. One way to provide affirmative evidence is a risk-limiting audit (RLA) of securely curated hand-marked paper ballots.
RLAs require a demonstrably trustworthy paper trail. (The trustworthiness depends on how the paper trail is created, accounted for, and cared for. No audit that relies on untrustworthy paper can give affirmative evidence that the reported winners really won.) RLAs have been piloted throughout multiple elections since 2008, and the National Academies officially recommended them in 2018. RLAs are a key ingredient in evidence-based elections because they can generate affirmative evidence that the political outcome is accurate, rather than just fault detection (e.g., noticing a problem with the tabulation). Elections and audits need durable, complete, and trustworthy vote records that are kept physically secure throughout the canvass and audit. Then elections can be publicly verifiable, which is a goal of the next panelist, Dr. Benaloh, as well.
Dr. Benaloh reiterates that there is a crisis of election confidence in the US and around the world, and blames the death of public evidence for these widespread issues. In the majority of elections today, he explains, we are not providing voters with substantive evidence that votes are correctly counted. We are asking voters to trust local election officials, the equipment, the equipment vendors, and others – whether or not these entities are trustworthy. He proposes a solution to this lack of public evidence: end-to-end (E2E) verifiability. When an election is E2E-verifiable, voters receive direct evidence that their votes were accurately counted. It requires a verifiable election record that allows voters to confirm the accurate counting of their ballots without having to trust the people or technology running the election. There are two core principles of E2E-verifiable elections:
- Voters can verify that their own selections have been correctly recorded
- Anyone can verify that the recorded votes have been correctly tallied
These elections make one crucial modification to a typical election: voters receive a confirmation code while voting that they can use to confirm the correct recording of their selections. Voters can later confirm on a public website that their confirmation codes are present and the listed confirmation codes are consistent with the announced tallies. Voters have the choice to just vote and not check the correct recording and/or counting of their votes, or to check as thoroughly as they desire. (Note here that voters cannot view the contents of their ballots once they have been cast – only that they have not been changed from the time they were cast and optionally verified. This prevents coercion and vote-selling.)
E2E-verifiability generally requires advanced cryptographic tools like Threshold Homomorphic Encryption, Non-Interactive Zero-Knowledge Proofs, and more. Current U.S. Election Assistance Guidelines include requirements for E2E-verifiability. This technique is starting to be used in the US and around the world today, and has been piloted in multiple US elections since 2009 (including the U.S. House Democratic Caucus leadership elections in 2020).
Dr. Vora expanded on the use of E2E-verifiability in other elections in the US, starting with Takoma Park’s municipal election in 2009. It was the first government election in the United States with privacy preserving end-to-end verifiable technology where anyone could confirm the tally correctly represented the votes. The voter filled in ovals that corresponded with their selections for the mayor and council member. They used special pens which revealed confirmation numbers printed in invisible ink in the ovals, and had the option of writing them down so they could later check them on the website, or they could just cast their ballots and leave. The election guaranteed voter verifiability because voters could check their confirmation numbers on the election website, and it had universal verifiability because the information was publicly available to check the tally was correctly computed from the confirmation numbers.
Dr. Vora emphasized that maintaining some aspects of the traditional methods of elections is important: “We don’t know how to make elections fully secure without people and physical processes. Without them, a voter who notices a problem cannot prove it, and observers cannot distinguish a truthful voter from one who is lying.” She also explained that the incorporation of mathematical models which better represent the real audit process on the ground can improve RLAs.
Dr. Vora wrapped up the panel by recounting that legislation requiring or allowing RLAs and other election-verifying requirements is currently in place in many states in the US today, and that has resulted in audits of many binding elections. However, much remains to be done. It takes a massive amount of dedicated individuals to identify and deploy these techniques in environments that can turn hostile very quickly, but it is crucial that we invest in these technologies in order to make every election publicly verifiable.
Many thanks to the panelists for sharing their knowledge with the community about how computing technology can serve as an aid in securing elections.
Click here to read the full blog post including the complete Q&A with the panelists.