Canadian voting machine technology enters American political scene

A secure electronic voting system conceived at the University of Ottawa is making its way onto the American political stage.

Next-generation Canadian voting technology is making its way on to the American political stage.

The secure electronic voting system based on cryptographic principles was conceived at the University of Ottawa about two years ago.

Scantegrity's electronic voting technology is designed to provide end-to-end verifiable voter results. ((Courtesy Scantegrity))
Dubbed Scantegrity, the system has since evolved dramatically.

"This is a quantum improvement over any other voter system proposed," says team leader David Chaum, an L.A.-based cryptographic scientist and founder of DigiCash Inc.

Scantegrity's team comprises a core group of collaborating members from Canadian and American universities, and is loosely organized along open-source software development principles, says Aleks Essex, a team member and PhD student in cryptography and information security at the University of Ottawa.

"We're making the transition from an academic effort to actual use case scenarios in public elections," he says, noting the system has already been used successfully in university elections.

Essex says the team is in the final stages of discussions with officials at an American city that's interested in using Scantegrity.

The system has been showcased at a number of conferences in the U.S., including the Future of Voting exhibition held this year on Capitol Hill in Washington, D.C.

"A huge selling point is Scantegrity's security," says Daniel Castro, senior analyst at the Information Technology and Innovation Foundation (ITIF), the not-for-profit think-tank that sponsored the event.

Congressional staff and members of the public were particularly intrigued by the special ink and decoder pens used as added security measures in the take-home receipts generated by the system.

"There's never been a system before that allows you to verify that your vote was actually counted," Castro says. "If they can get it to market, this will be a huge change in how we do elections."

How it works

Scantegrity is designed to provide end-to-end verifiable voter results, Essex says.

The key problem in automated voter technology is ensuring voter anonymity — by unlinking ballots from citizens' identities — while still providing them a way to check that their ballots have been cast properly.

"Scantegrity gives voters a privacy-preserving receipt," he says. "It doesn't show other people how you voted, but it does allow you to have a way to check to ensure your vote gets counted."

The concept is similar to hotels that issue confirmation numbers, he says. "You can go online and look up your confirmation number, but it doesn't display your room number."

Another key security feature Scantegrity provides is software independence, Essex says. "This means if an error is made in the software, that mistake can't go through the process undetected. There's a software tool that does a cryptographic self-audit to verify computations."

Scantegrity is designed as an add-on to existing optical scanning voting systems such as Diebold, he says. But the difference is that mathematical formulas are used to generate the randomized confirmation codes issued to voters, and cryptographic principles are used in the software to tabulate and verify the results.

To fortify its processes, Essex says, the Scantegrity team invited the Ottawa Linux users group to review them and make recommendations.

When voters enter the polling booth, they're issued ballots with detachable chits showing their serial codes. The areas they're meant to fill in next to candidates' names are printed with a  special ink. As they fill in the bubbles that correspond with their selected candidates with special "decoder" pens, confirmation codes become visible in lighter text in the areas they've darkened.

This ensures other people can't deduce the selections if they see their confirmation codes, Essex says.

"Each confirmation code is different for a given candidate for each voter. If you and I vote for [U.S. Democratic presidential candidate Barack] Obama, we will have different codes."

Voters who wish to verify their ballots were cast correctly are instructed to write their confirmation codes on their detachable chits. The marked ballots are then read into the optical system as usual, but they're processed using Scantegrity's software. The paper ballots are retained as back-up.

The results are posted in online databases so voters can check to ensure their ballots were cast as intended. To do this, voters compare their serial numbers and confirmation codes found online with the ones they wrote down on their chit. Should a dispute arise, the original paper ballot can be matched to the detached chit via the serial number to confirm the vote was processed correctly.

These measures defend the system against any attempts to discredit election results when they're in fact accurate, says Eric Lazarus, author of The Machinery of Democracy. "So a voter can't say I got a receipt that says I voted for A, B, C but when I check the results, it says X, Y, Z."

Cryptographic principles are also used in processing to prevent hackers from tampering with results.

"The encrypted vote is shuffled, decrypted and counted," Lazarus says. "The cleverness lies in the way the shuffling is done so the system can mathematically prove nothing was added, removed or modified."

The Diebold debacle

Canadians accustomed to an election system featuring paper ballots and matronly scrutineers may wonder why clever machines are needed at all, since Canada's elections have run smoothly with a low-tech approach for years.

"That's the weirdness of America," Lazarus says, noting the U.S. election system is unique among democratic countries.

"There are a lot of contests on a single ballot. There can easily be 25 races in the upcoming presidential election — people will be voting for members of the Senate, House of Representatives, judges, school boards and so on."

There is another major difference between elections in the Canada and U.S., Essex says: "We have a federal body, Elections Canada, that dictates the rules right down to the pencils. But in the U.S., it's decided at the county level, and there are thousands of variations. Some places still use old lever machines that crank gears, like starting a locomotive."

However, while voting machines have been used in the U.S. for years, many counties are gun-shy about adopting new electronic voting technology due to controversies in recent years. Flawed voting machines developed by Diebold Inc., a North Canton, Ohio manufacturer, created uproars in the 2000 and 2004 elections, raising many questions about the integrity of the results. (To distance itself from the controversies, Diebold changed the name of the division to Premier Election Solutions Inc.  in 2007 after failing to find a buyer for its voting machine business.)

Many security experts have documented the problems.

"I would characterize Diebold's vulnerabilities as obvious, egregious and completely avoidable," says Ed Adams, CEO of Security Innovation, a software evaluation lab in Wilmington, Me., that's reviewed various voting systems.
Edward Adams, CEO of Security Innovation. ((Courtesy Scantegrity))

Gambling machines in Las Vegas have better controls, Lazarus adds: "Every one of those machines is randomly grabbed every year, taken apart and checked for problems. There are no similar rules for voting machines."

As a result of the debacles, California decertified its Diebold machines in 2007, and Ohio mounted a lawsuit in 2006 to recoup the $83 million it invested in its machines. However, the company still has about 25,000 optical scan units and 126,000 touch-screen units in use around the U.S. They're also used in Canada in some cities - Ottawa uses Diebold optical units, Essex says.

These machines weren't designed with the security features developed for Scantegrity, he says.

However, they do have advanced accessibility features that initially made them attractive to election officials, because voting machines in the U.S. must accommodate a wide range of disabilities.

For example, the use of an assistant in voting is forbidden. In Canada, people who have visual or other impairments can sign a release allowing another person to vote on their behalf. Not so in the U.S.

"Diebold's systems have advanced accessibility features like touch-screens and headsets for the visually impaired, but they're not as good at integrity and privacy," Essex says. 

About 150 million Americans will be voting on optical scan voting machines in the upcoming November presidential elections, he says. Although some fixes have been made, these are mostly Band-aid measures that don't address many fundamental problems.

"Will we see another debacle in the next election? That's the wrong question because you won't necessarily know if something goes wrong. In the 2000 election, [Democratic presidential candidate] Al Gore got negative 16,000 votes in Florida, which alerted people because it was an obvious error. But if it's a subtle error, no one may pick up on the problem."

The Scantegrity team is working to improve its system's accessibility features and gain certification for use in the U.S., he says. And the team is also looking into courting Canadian cities to test the system, as municipal elections have multiple contests for various positions much like the U.S.

Next-generation voting

Yet despite the problems with Diebold machines, there's no clamour for next-generation voting technology with robust security in the U.S.

County officials are ultimately the purchasers of voting technology but they aren't generally tech-savvy, Lazarus says.

Ease of use has been the primary selling point, Adams adds, simply because it's hard enough to get people to vote at all without adding security burdens.

Various academic research projects are underway to develop new approaches, Essex says, but technology companies aren't investing in R&D and cash-strapped counties are making do with what they have: "There's no capitalistic motivation for companies or compelling reasons for counties to adopt new technology."

But the impetus for change could come from the U.S. federal government, Adams says.

The Elections Assistance Commission, a U.S. agency that provides voluntary election guidelines, solicited proposals this year for threat-risk analysis of various voting technologies, software evaluator Adams says. "The EAC is trying to take a hard look at all this. But remember the hanging chads in Florida back in 2000? And here we are, with a major election imminent."

While developing technology to automate in-person voting is surprisingly difficult, online voting has even thornier issues, cryptographer Chaum says.

"Many experts believe there's a fundamental inability to prevent online voters from selling their votes or being coerced into voting a certain way. And there are also subtle problems, like the possibility that a computer virus could infect the machines and change the way people vote without their knowledge."

And there are already examples of not-so-subtle problems, says Essex. He notes that Estonia tried to have online elections two years ago, but there are allegations that foreign sources attacked their network connections.

Voting experts aren't saying online issues are impossible to resolve, just that all methods proposed to date have failed to resolve all the issues comprehensively, Chaum says.

"Scantegrity's mechanisms are well-suited for part of the online voting security issue, but not the whole thing," he says "But I believe the problems with online voting will be solved eventually."

As internet connections become universal over the next decade, Essex believes governments will be increasingly pressured by their constituents to make voting and citizen participation more convenient via online voting. "Just like hydrogen cars, there's recognition that online voting is something we need to develop for the future.

The author is a Canadian freelance writer.