Computing Community Consortium Blog



“Emerging Election Technologies Enhancing Integrity, Transparency, and Confidence” AAAS Panel Recap

March 23rd, 2023 / in AAAS, CCC / by Haley Griffin

Elections that are safe, secure, and verifiable by the public are an essential part of every democratic government. There have been public outcries for changes in the election process in the US and around the world as citizens have been frustrated with the lack of transparency. Election confidence from the majority of the public is not easy to obtain, but the panelists of a CCC-organized panel at the AAAS Annual Meeting made many suggestions on steps we can take to do just that.

The panelists of the session, “Emerging Election Technologies Enhancing Integrity, Transparency, and Confidence” were Philip B. Stark (University of California, Berkeley), Josh Benaloh (Microsoft Research), and Poorvi L. Vora (George Washington University). Elizabeth (Liz) Howard (Brennan Center for Justice) was the moderator.

Dr. Howard kicked off the session by describing that democracies around the world are under attack, and it is critical to the future of these systems that we have election confidence. She explained that technology can combat these threats through substantive evidence of election integrity, specifically with evidence-based elections, end-to-end-verifiable voting systems, and risk-limiting audits.

Dr. Stark began the panel discussion by positing that “whether or not you believe the 2020 election was accurate, the fact that many people do not shows that we need to run elections in a way that generates convincing evidence that reported election outcomes are correct.” The antidote to a lack of trust, according to Dr. Stark? Evidence. It isn’t enough for election officials to determine who won an election and declare it; the public deserves convincing evidence. Not all evidence about elections is affirmative evidence that outcomes are right. For instance, a forensic examination of voting system software might find no malware, but that is not evidence that the results are correct, only that one kind of problem did not occur. Similarly, an accurate, full hand count of the paper trail provides no evidence that the outcome is correct unless there is also evidence that the paper trail accurately reflects how people voted. There are multiple ways to collect convincing evidence that an election was called correctly while maintaining ballot anonymity. The key is that elections should be evidence-based, not procedure-based, which is the current standard. One way to provide affirmative evidence is a risk-limiting audit (RLA) of securely curated hand-marked paper ballots.

RLAs require a demonstrably trustworthy paper trail. (The trustworthiness depends on how the paper trail is created, accounted for, and cared for. No audit that relies on untrustworthy paper can give affirmative evidence that the reported winners really won.) RLAs have been piloted throughout multiple elections since 2008, and the National Academies officially recommended them in 2018. RLAs are a key ingredient in evidence-based elections because they can generate affirmative evidence that the political outcome is accurate, rather than just fault detection (e.g., noticing a problem with the tabulation). Elections and audits need durable, complete, and trustworthy vote records that are kept physically secure throughout the canvass and audit. Then elections can be publicly verifiable, which is a goal of the next panelist, Dr. Benaloh, as well.
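To make concrete how an RLA turns a random sample of the paper trail into a quantified risk, here is an added example (constructed for this recap, not code from the panelists or from any election office). It follows the BRAVO ballot-polling test of Lindeman, Stark and Yates (2012) for a single two-candidate contest: each sampled paper ballot updates a likelihood ratio of “the reported winner’s share is correct” against “the contest is really a tie”, and the reported outcome is confirmed only once that ratio reaches 1/(risk limit). The paper trail, the reported shares and the 5% risk limit are all constructed inputs; if the sample is exhausted without reaching the threshold, the audit escalates toward a full hand count rather than confirming anything.

```python
"""Ballot-polling risk-limiting audit for a two-candidate contest (BRAVO-style SPRT).

Constructed example; not code from the panel or from any election office.
"""
import math
import random


def bravo_audit(reported_winner_share, sampled_ballots, risk_limit=0.05):
    """Examine sampled paper ballots one at a time and test the reported outcome.

    reported_winner_share: the reported winner's share of the valid (winner + loser)
        votes according to the *reported* results; must exceed 0.5.
    sampled_ballots: hand interpretations, in draw order, of ballots pulled uniformly
        at random from the paper trail: 'W' (winner), 'L' (loser), or anything else
        (no vote for either; carries no information and is skipped).
    risk_limit: the largest chance the audit may confirm a wrong outcome.

    Returns (certified, ballots_examined, statistic). The statistic is the likelihood
    ratio of the reported share against an exact tie; reaching 1/risk_limit confirms
    the outcome. Running out of sample means the audit must escalate instead.
    """
    if not 0.5 < reported_winner_share < 1:
        raise ValueError("winner share must be strictly between 0.5 and 1")
    threshold = 1.0 / risk_limit
    statistic = 1.0
    examined = 0
    for ballot in sampled_ballots:
        examined += 1
        if ballot == "W":
            statistic *= reported_winner_share / 0.5
        elif ballot == "L":
            statistic *= (1.0 - reported_winner_share) / 0.5
        if statistic >= threshold:
            return True, examined, statistic
    return False, examined, statistic


def winner_ballots_needed(reported_winner_share, risk_limit=0.05):
    """Best case: how many consecutive winner ballots confirm the outcome."""
    ratio = reported_winner_share / 0.5
    return math.ceil(math.log(1.0 / risk_limit) / math.log(ratio))


def simulate(trail, reported_winner_share, risk_limit=0.05, seed=0):
    """Draw ballots without replacement from a (constructed) paper trail and audit."""
    rng = random.Random(seed)  # fixed seed only so the demo is repeatable
    order = trail[:]
    rng.shuffle(order)
    return bravo_audit(reported_winner_share, order, risk_limit)


if __name__ == "__main__":
    # Constructed paper trail: 6,000 ballots for W, 3,800 for L, 200 blank.
    trail = ["W"] * 6000 + ["L"] * 3800 + ["blank"] * 200
    share = 6000 / (6000 + 3800)
    certified, n, stat = simulate(trail, share)
    print(f"share {share:.3f}: certified={certified} after {n} ballots (ratio {stat:.1f})")
    # A closer margin: the same procedure needs a far larger sample.
    close = ["W"] * 5100 + ["L"] * 4900
    certified, n, stat = simulate(close, 5100 / 10000)
    print(f"share 0.510: certified={certified} after {n} ballots (ratio {stat:.1f})")
```

The two runs in the demo show why the workload of an RLA cannot be known before the election: the sample size is driven by the margin (and by how many discrepancies the sample turns up), not by the size of the electorate. Real audits extend this to multiple candidates and contests, and comparison audits (which check each sampled ballot against its machine interpretation) reach the risk limit with far fewer ballots than ballot polling does.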

Dr. Benaloh reiterated that there is a crisis of election confidence in the US and around the world, and blamed the dearth of public evidence for these widespread issues. In the majority of elections today, he explained, we are not providing voters with substantive evidence that votes are correctly counted. We are asking voters to trust local election officials, the equipment, the equipment vendors, and others, whether or not these entities are trustworthy. He proposes a solution to this lack of public evidence: end-to-end (E2E) verifiability. When an election is E2E-verifiable, voters receive direct evidence that their votes were accurately counted. It requires a verifiable election record that allows voters to confirm the accurate counting of their ballots without having to trust the people or technology running the election. There are two core principles of E2E-verifiable elections:

  1. Voters can verify that their own selections have been correctly recorded
  2. Anyone can verify that the recorded votes have been correctly tallied

These elections make one crucial modification to a typical election: voters receive a confirmation code while voting that they can use to confirm the correct recording of their selections. Voters can later confirm on a public website that their confirmation codes are present and the listed confirmation codes are consistent with the announced tallies. Voters have the choice to just vote and not check the correct recording and/or counting of their votes, or to check as thoroughly as they desire. (Note here that voters cannot view the contents of their ballots once they have been cast – only that they have not been changed from the time they were cast and optionally verified. This prevents coercion and vote-selling.)

E2E-verifiability generally requires advanced cryptographic tools like Threshold Homomorphic Encryption, Non-Interactive Zero-Knowledge Proofs, and more. Current U.S. Election Assistance Guidelines include requirements for E2E-verifiability. This technique is starting to be used in the US and around the world today, and has been piloted in multiple US elections since 2009 (including the U.S. House Democratic Caucus leadership elections in 2020).
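The following is an added toy implementation of the two principles above (constructed for this recap; it is not the panelists’ code or any deployed voting system). It assumes a single trustee holding an exponential ElGamal key over a deliberately tiny group, so that ciphertexts multiply to an encryption of the vote sum; each voter’s confirmation code is a short hash of their posted encrypted ballot; and the trustee proves the announced tally decrypts the aggregate correctly with a Chaum-Pedersen proof made non-interactive by Fiat-Shamir hashing. Two things a real system adds are left out: threshold decryption across several trustees, and a per-ballot zero-knowledge proof that each ciphertext encrypts 0 or 1 (the toy simply refuses other inputs).

```python
"""Toy end-to-end-verifiable tally: exponential ElGamal plus a Chaum-Pedersen proof.

Constructed example; not code from the panel or from any real voting system.
"""
import hashlib
import secrets

# Toy group: p = 2q + 1 with p and q prime; G = 4 generates the order-q subgroup.
# Far too small for real use; chosen so the example runs instantly.
P, Q, G = 2039, 1019, 4


def keygen():
    """Single trustee key pair (real systems split x across several trustees)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(h, m):
    """Exponential ElGamal: (g^r, g^m * h^r). Multiplying ciphertexts adds the m's."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (pow(G, m, P) * pow(h, r, P)) % P


def confirmation_code(ct):
    """Code the voter takes home: a short hash of their encrypted ballot."""
    return hashlib.sha256(f"{ct[0]}:{ct[1]}".encode()).hexdigest()[:8]


def aggregate(board):
    """Componentwise product of all posted ciphertexts: an encryption of the vote sum."""
    a, b = 1, 1
    for c1, c2 in board:
        a, b = (a * c1) % P, (b * c2) % P
    return a, b


def fiat_shamir(*vals):
    """Non-interactive challenge derived from the proof transcript."""
    data = ":".join(str(v) for v in vals).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def decrypt_with_proof(x, h, ct, max_votes):
    """Trustee recovers the tally and proves the decryption is correct.

    Chaum-Pedersen shows (G, h, c1, s) is a Diffie-Hellman tuple, i.e. s = c1^x for
    the same x as h = G^x, without revealing x. The tally is the small discrete log
    of c2 / s, found by brute force.
    """
    c1, c2 = ct
    s = pow(c1, x, P)
    gm = (c2 * pow(s, -1, P)) % P
    tally = next(m for m in range(max_votes + 1) if pow(G, m, P) == gm)
    w = secrets.randbelow(Q - 1) + 1
    a1, a2 = pow(G, w, P), pow(c1, w, P)
    e = fiat_shamir(G, h, c1, s, a1, a2)
    z = (w + e * x) % Q
    return tally, (s, a1, a2, z)


def verify_tally(h, ct, tally, proof):
    """Universal verification: anyone can run this from public data alone."""
    c1, c2 = ct
    s, a1, a2, z = proof
    e = fiat_shamir(G, h, c1, s, a1, a2)
    proof_ok = (pow(G, z, P) == (a1 * pow(h, e, P)) % P
                and pow(c1, z, P) == (a2 * pow(s, e, P)) % P)
    tally_ok = (pow(G, tally, P) * s) % P == c2
    return proof_ok and tally_ok


def run_election(votes):
    """Cast 0/1 votes, publish the board, decrypt with proof; return the public record."""
    if any(v not in (0, 1) for v in votes):
        # A real system proves each ballot is 0 or 1 with a per-ballot ZK proof;
        # this toy simply refuses malformed input.
        raise ValueError("votes must be 0 or 1")
    x, h = keygen()
    board = [encrypt(h, v) for v in votes]            # public bulletin board
    codes = [confirmation_code(ct) for ct in board]   # one code per voter
    tally, proof = decrypt_with_proof(x, h, aggregate(board), len(votes))
    return {"h": h, "board": board, "codes": codes, "tally": tally, "proof": proof}


def voter_check(record, code):
    """Principle 1: the voter's code must appear among the posted ballots."""
    return code in {confirmation_code(ct) for ct in record["board"]}


def public_check(record):
    """Principle 2: recompute the aggregate from the board and verify the proof."""
    return verify_tally(record["h"], aggregate(record["board"]),
                        record["tally"], record["proof"])


if __name__ == "__main__":
    rec = run_election([1, 0, 1, 1, 0])               # constructed sample ballots
    print("tally:", rec["tally"], "voter check:", voter_check(rec, rec["codes"][0]),
          "public check:", public_check(rec))
```

Note what each party learns: the board contains only ciphertexts and codes, so a voter can confirm their ballot is present and unchanged without being able to show anyone how they voted, and a wrong announced tally fails `public_check` for every observer who recomputes the aggregate, not just for the trustee.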

Dr. Vora expanded on the use of E2E-verifiability in other elections in the US, starting with Takoma Park’s municipal election in 2009. It was the first government election in the United States with privacy-preserving end-to-end verifiable technology where anyone could confirm the tally correctly represented the votes. The voter filled in ovals that corresponded with their selections for the mayor and council member. They used special pens which revealed confirmation numbers printed in invisible ink in the ovals, and had the option of writing them down so they could later check them on the website, or they could just cast their ballots and leave. The election guaranteed voter verifiability because voters could check their confirmation numbers on the election website, and it had universal verifiability because the information was publicly available to check that the tally was correctly computed from the confirmation numbers.

Dr. Vora emphasized that maintaining some aspects of the traditional methods of elections is important: “We don’t know how to make elections fully secure without people and physical processes. Without them, a voter who notices a problem cannot prove it, and observers cannot distinguish a truthful voter from one who is lying.” She also explained that the incorporation of mathematical models which better represent the real audit process on the ground can improve RLAs.

Dr. Vora wrapped up the panel by recounting that legislation requiring or allowing RLAs and other election-verifying requirements is currently in place in many states in the US today, and that has resulted in audits of many binding elections. However, much remains to be done. It takes a massive amount of dedicated individuals to identify and deploy these techniques in environments that can turn hostile very quickly, but it is crucial that we invest in these technologies in order to make every election publicly verifiable.

During the Q&A following the panel, an audience member asked whether we have more information now about a lack of election security, or whether we just hear more about it.

  • Dr. Stark explained that while there isn’t evidence of more problems today than in the past, the reliance on technology has changed which adds more vulnerabilities to the election process, enabling wholesale remote attacks, while historically, changing a substantial number of votes would have required physical access and numerous accomplices. Even when relying on technology it is possible to gather affirmative evidence to evaluate the outcome, but the hard part is convincing government officials to do the work of generating a trustworthy paper trail, ensuring it stays trustworthy, and using it in appropriate audits.
  • Dr. Benaloh noted that there has long been election fraud in the US and internationally, but election officials have concluded that the last few national elections in the US have been far cleaner than most. However, just because there seems to be very little evidence of fraud doesn’t mean that our elections are safe. In fact, because of the thousands of concurrent, individually run elections it is relatively easy to attack some of them. It is not easy to do so without leaving evidence behind, but there is an urgent need for technology to patch holes in the way elections are currently conducted. It is crucial that we design elections so that the general public can validate them.
  • Dr. Howard pointed out that it is important to recognize the environment that election officials find themselves in. Despite the lack of evidence of election fraud, 77% of election officials said that they have felt unsafe, and 1 in 6 was threatened. The average election official is a 50- to 64-year-old white woman who makes an annual salary of 60k, and they are expected to combat domestic and international enemies. Partnering with election officials and getting them to buy into these technologies at the local level is essential. Decentralization of the election system is a strength against an attack. There are many challenges both in implementing this technology and mandating procedures.
  • Dr. Benaloh countered Liz’s point about decentralization, stating that many people think the heterogeneity of our systems is a strength, and it would be if an attacker had to attack all of them. But we are just offering a menu of different systems for a hacker to attack. So they can just choose the weakest link and attack that.

CCC Council Member Katie Siek asked another question: What are you doing for accessibility in election technology?

  • Dr. Stark: Election technologies being promoted as “accessible” oftentimes are not. Moreover, some ballot-marking devices (BMDs) compromise privacy because they print a vote record that doesn’t look like a hand-marked paper ballot. Some say that to combat this issue we should use all BMDs but I disagree: general use of BMDs undermines the trustworthiness of the paper trail, because BMD printout is a record of what the machine did, not a record of what the voter did. Current BMDs do not provide a means for voters with visual disabilities to check whether the printout accurately reflects their selections: they have to trust that what the machine “said” is the same as what it printed. A serious flaw with the security model of BMDs is that only the voter is in a position to tell whether the BMD accurately printed their votes, but if a voter notices that the BMD printed their selections incorrectly, there is no way the voter can prove to anyone else that it did. The voter can request a fresh chance to print their selections, but there’s no way for the election official to tell the difference between voter error, machine malfunction, or a voter crying “wolf.” If an official believes the voter that the machine malfunctioned, the official’s only option is to cancel the election and run a whole new one, because there’s no way to tell which printouts were affected by the machine’s misbehavior. In technical terms, elections conducted with ballot-marking devices aren’t “strongly software independent.” The system cannot recover from detected errors.
  • Dr. Benaloh: There are different approaches, but overall we do a deplorable job in the US for people with visual, motor, etc. disabilities. They usually have to use a separate device in the corner. For example, Noel Runyon is a technically-astute blind voter who is tenacious about using accessible devices for voting and writes articles in his blog about it. It often takes hours for him to vote when it should be simple. A barrier to making voting easier for people with disabilities is that the accessibility community is saying that paper ballots don’t work, and the security community is saying paper is the only way.

Next, Daniel Lopresti, CCC Council Chair, asked: “How do you deal with people who are convinced that these technologies are dangerous or untrustworthy?”

  • Dr. Benaloh: Those people need to be taken seriously. I’ve had a lot of discussions with election officials and they are very careful and conservative. When I explain end-to-end verifiability to them, they generally like it even realizing that it is going to reveal any little mistake they make. However, some people trust math less than people and this remains a challenge.
  • Dr. Stark: I agree that it is a problem, but I think the framing should be that it is a problem for educators; it is my job to explain things in a way that anybody can understand. I spend a lot of time trying to find metaphors, analogies, and examples. For instance, to explain random sampling–how one can learn something useful about a huge population from a small sample–I use the analogy of learning how salty soup is based on tasting just a spoonful (after stirring the soup well), no matter how big the pot.
  • Dr. Howard: It is critical for us to be able to explain how it works to the audience, if we can’t explain it in plain terms then we didn’t achieve our goal.
  • Dr. Stark: Many of us are saying that you shouldn’t trust the vendors currently doing the programming, but you shouldn’t trust us either. Voters should be able to check the process for themselves.
  • Dr. Benaloh: The difference is in principle you could do it all yourself; right now dishonest election officials could likely steal an election. With this technology you can choose who to trust and check yourself.
  • Dr. Vora: Democratizing the information around the election, including the code being used, is the idea. You might not write the code yourself, or be able to process it at all, but the information won’t be restricted to a few. Getting political parties together, and having them check the process would be helpful. Having news channels promote checking your confirmation numbers or observing risk limiting audits would be good too.

The last question of the session was “How long does it take to have a risk limiting audit happen? Are there any studies that have looked at whether they change minds, or are there other confounding variables that limit trust anyway?”

  • Dr. Stark: One problem with RLAs is that before the election, you don’t know how much work there will be because there are so many variables. You don’t know how narrow the margins will be or how many errors you will find in the audit, so it’s hard to say how much work to expect. Ballpark numbers with efficient audits are that the first ballot from a batch takes 3 minutes, then 1 minute per additional ballot from that batch. You have to find a batch of ballots, check/record the seals, count into a pile, transcribe data, return the ballots to their places, and re-seal. An example of the percentage of ballots you would need to sample: in Orange County, for 191 individual races, they could have looked at 1.3% of ballots to be able to validate every race. The methodology is improving and it is getting easier to run these audits.
  • Dr. Benaloh: An RLA is typically done only after all of the votes are counted. E2E verification can match whatever granularity is done by election officials. Every time vote counts are released you can verify it at that time. Usually they just do it at the end anyway.

Many thanks to Drs. Stark, Benaloh, Vora, and Howard for sharing their knowledge with the community about how computing technology can serve as an aid in securing elections. Stay tuned for another CCC-sponsored AAAS annual meeting scientific session recap next week Thursday.
