Archive for the ‘Voting Goals’ Category

Exploring Voting System Goals: Verifiability

Saturday, August 11th, 2007

Verifiability is not really a goal or property of voting systems on its own. It is an added constraint on the properties we have discussed so far which many systems fail to achieve. When we say a system meets the criteria that it has verifiable coercion resistance, or that the recorded as cast property is verifiable, we mean that someone can check or audit to make sure that the property is working as the system is being used.

The question of who, how, and when is important when discussing the verifiability of any property. Recall that cast as intended means a voter is able to properly record her vote. If this property were always verifiable, the system could not be coercion resistant. However, we can reasonably conclude that it should be verifiable in the voting booth.

The proper recording and transmission of that vote to the counting authority is something that would be nice to be verifiable by the voter, but this is where many systems fall short. Likewise, we would want everyone to be able to verify the counting process, but that is not typically available with current technology.

Observe that there is a careful relationship between verifiability in voting systems and coercion resistance. If too many things are verifiable, then we may lose coercion resistance. The goal should be to make things as verifiable as possible without losing basic coercion resistance.

Exploring Voting System Goals: Coercion Resistance

Friday, August 10th, 2007

Coercion resistance, otherwise known as voter privacy or receipt-freeness, is the inability of someone other than the voter to know how she voted. It is meant to protect each voter from the sometimes powerful outside influence of a spouse, boss, political leader, or other individual who seeks to gain legitimate political power by threat of force or other undesirable consequences for the voter. It is the key concept behind the secret ballot when it was (re)introduced in the 1800s.

Unfortunately, given an entity with enough power to control all aspects of the process, no voting system in existence fully meets this property, and it might be impossible, particularly if we expect to maintain our goals for integrity. Thus, it is debatable how strong we should make our privacy property so that it is a useful, attainable goal. At a minimum, we should expect to be reasonably protected from third-party thugs that are not involved with the voting process. After that, the degree to which an insider must be involved to reliably violate a voter’s privacy and where we should draw the line is unclear because so much of a voting system’s privacy depends on the environment in which it is used.

That said, it is also important to take into account the capabilities of a voter or attacker. If we assume that a voter could have some sort of undetectable futuristic ocular implant that allows an outsider to see what she saw, how could we reasonably protect against such a thing without, of course, assuming a similarly futuristic device is available to combat this threat?

Exploring Voting System Goals: Integrity

Thursday, August 9th, 2007

Integrity in a voting system means that votes are counted as cast and can be split into three different properties: cast as intended, recorded as cast, and counted as recorded. This split represents three (3) different phases of the transfer of intention from the voter to the counting authority: the voter’s expression of their intention, the recording device’s acceptance of that intention, and the actual counting of that intention.

Notice that the counting step and intention step are always necessary in a voting system, or we could not produce election results. We need to count, and in order to do that we must know the intention of each voter. Also, observe that dropping the intermediate step can cause problems. Suppose we count as we receive intention without recording. If we make mistakes there is no way to go back to a record to correct our count. Therefore, these three properties are necessary, but not sufficient, goals for any voting system. As we will see, most voting systems can be said to meet all three of these properties, but the degree to which they do is suspect. We attempt to formally define and discuss each property below.

Cast as Intended

This property represents the ability of the voter to properly convey her intentions, and cast her vote as she intended it to be cast. Some voting systems can achieve this property better than others, as it is in some respects an issue of usability. However, we limit this property to mean that a voter can properly transfer her intention, and not necessarily that she succeeds in doing so in real world conditions.

An example of a system in which this is not possible would be one that does not always list all of the candidates in each race, or one in which there is only one spot to record a vote for two separate candidates. Using this definition there are no known systems in existence that do not meet this property (we’ll talk more about this later).

By contrast, many systems do not support this property very well. This can be seen with the butterfly ballot. It was used in the 2000 presidential election in Florida, and is said to have cost Al Gore the U.S. presidency.

Recorded as Cast

When a vote is recorded as cast, the device used by the voter has properly recorded her intention and this record has made it to the counting authority. This can encompass a conversion from analog to digital representation, if that conversion is not an aggregation (i.e. there is no counting).

A system that weakly supports this property will faithfully record a vote as cast by the voter and will provide a mechanism for delivering it to the counting authority. Most systems are capable of this property, but the caveat of this and all of the integrity properties is that they are rarely verifiable, which we’ll discuss later.

Again, if judged on a sliding scale metric, there are many systems that would not satisfy this property very well. There are also numerous problems with automated counting of paper records where votes are not counted, and this would be a recorded as cast problem. Most notable is the “hanging chad”. In this situation, properly maintained equipment would have prevented the problems, but built up wastepaper in the machines caused them not to properly record each voter’s intentions.

Counted as Recorded

This means that from the record of votes cast, the counting authority is able to provide an accurate aggregation of the data. The counting authority can be a group of volunteers or machines, or a mix of both. The key property is that the results at this point in the process are reliably accurate, and to do so may require redundant counting by several imperfect entities to verify a proper total.

As is the case with the other two properties, some systems may achieve this property better than others. The biggest concern in this property is how easily the record can be violated. This is a problem in most systems. Paper can be altered to invalidate votes, replaced, or destroyed, and digital storage is, in general, easily manipulated.

Digital Recording Electronic (DRE) devices and their memory cards have consistently been shown not to properly support even basic protection mechanisms on their records. This is particularly problematic as they typically only store aggregate counts, and not full ballots for each voter. So, some counting is done on the machine, and totals from the machine are added with those from the other machines. The cards themselves have also been shown to be easily misplaced.

Many DREs try to combat these problems with redundant storage, but there is no reason why redundant storage that can be manipulated by the same processor would solve these issues. One solution to this problem is to have independent redundant storage devices, but outside of an investigation, it is not clear how voting officials should or would deal with total mismatches on these independent storage devices. The cost of such a setup would be significant.
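To make the redundant-storage argument concrete, here is a small model added as an illustration (it is not code from Punchscan or from any real DRE). The names `run_machine`, `audit` and `make_faulty_processor` and the sample ballots are all constructed; the faulty processor stands in for any fault or manipulation in the shared processor.

```python
from collections import Counter

# Constructed sample: what eight voters actually cast on one machine.
CAST = ["A", "B", "A", "A", "B", "A", "B", "A"]

def make_faulty_processor():
    """Hypothetical shared processor that misrecords every third 'A' as 'B'."""
    seen = {"A": 0}
    def processor(ballot):
        if ballot == "A":
            seen["A"] += 1
            if seen["A"] % 3 == 0:
                return "B"
        return ballot
    return processor

def run_machine(cast, processor, independent_log):
    """Return (primary, backup, independent) stores after all ballots are cast.

    primary and backup hold aggregate counts only and are both written by
    `processor`. If independent_log is True, a separate device records each
    ballot without going through `processor`.
    """
    primary, backup, independent = Counter(), Counter(), []
    for ballot in cast:
        recorded = processor(ballot)
        primary[recorded] += 1
        backup[recorded] += 1          # redundant copy, same source
        if independent_log:
            independent.append(ballot)
    return primary, backup, independent

def audit(primary, backup, independent):
    """Compare the stores the way an election official could after the fact."""
    findings = []
    if primary != backup:
        findings.append("primary/backup mismatch")
    if independent and Counter(independent) != primary:
        findings.append("independent record mismatch")
    return findings

if __name__ == "__main__":
    for log in (False, True):
        stores = run_machine(CAST, make_faulty_processor(), log)
        print("independent log:", log, "->", dict(stores[0]), audit(*stores))
```

With only same-processor redundancy the two copies agree on the wrong total and the audit finds nothing. The independent record exposes the mismatch, but the audit alone does not say which store is correct, which is the open question raised above.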

Exploring Voting System Goals: Introduction

Wednesday, August 8th, 2007

For a multipart discussion, I’d like to talk about the goals of a voting system. Intuitively, the goal behind any good voting system is to accurately produce a result, but while this is common sense, it is vastly oversimplified — what exactly does “accurately” mean, and how is that accomplished? Others have tried to put this into context with witty anecdotes like this:

“The purpose of voting is not to convince the winner that he or she has won, but to convince the losers that they have lost.” (reference)

In other words, a successful voting system will prevent legal challenges or armed takeover of the state in which it was used by the losers. However, this too seems oversimplified. Just because the losers know they lost does not exempt their supporters from being convinced otherwise, or not caring, and causing problems anyway. There are many examples of democratically elected governments being overthrown, and election fraud is a common accusation of the overthrowers, even if it is completely unfounded. The best thing a voting system could do is convince everyone of the results, whether they are voters, candidates, or people wholly unaffiliated with the election. This may not prevent a coup, but it will deny the coup the legitimacy it would otherwise enjoy.

We adopt a similar philosophy. The goal of our ideal voting system is that, if it works properly, it should deny any legitimacy to claims of foul play. However, we also add that it should provide significant proof if such foul play exists. From this, we conclude that a good voting system will strive for accuracy and transparency, and we create more specific properties that voting systems should have, keeping these two high-level ideas in mind.

There is not yet a standard set of properties or goals that voting systems must meet, so we instead list the 3 key properties and goals that were the focus while building the Punchscan system, with an eye for keeping things transparent and accurate. Those properties are integrity, coercion resistance and verifiability, and I will discuss these and other goals in a future post.