Engineering Practical End-to-End Verifiable Voting Systems

R. Carback

Ph.D. Dissertation, University of Maryland, Baltimore County (2010)

Engineering Trust in Elections: How Scantegrity Makes Your Vote Count (Literally)

Have you ever cast a ballot and wondered if your vote was actually counted? Or worried that someone could tamper with the results between you marking your ballot and the final tally? These “chain of custody” problems plague modern elections, eroding public trust. A 2010 dissertation by Richard Carback III tackles this head-on by designing, building, and testing Scantegrity, a groundbreaking voting system that gives voters verifiable proof their ballot was counted correctly without revealing who they voted for.

The Problem: Invisible Ballots, Invisible Counts

Modern elections rely on complex, distributed processes involving numerous officials, machines, and paper trails. This chain of custody—from your hand to the final tally—is vulnerable to errors, tampering, or malfeasance. Observers can audit parts of the process, but voters themselves have no way to verify their individual vote was accurately recorded and counted. We sacrifice the public visibility of early elections for the privacy of the secret ballot, but this leaves a gap: how do we ensure integrity without compromising secrecy?

The Solution: Scantegrity’s End-to-End Verifiability

Scantegrity is part of a new class of end-to-end (E2E) verifiable voting systems. Its core innovation is a privacy-preserving receipt. Here’s how it works:

  1. Familiar Ballot, Secret Code: You mark your ballot using a special pen, just like a standard optical scan ballot. Unbeknownst to you, the pen uses invisible ink to reveal a unique, pre-printed confirmation code next to your chosen candidate.
  2. Your Secret Receipt: You discreetly write down this confirmation code (and your ballot’s serial number) on a detachable stub.
  3. Public Verification: After the election, a public online record posts all confirmation codes associated with cast ballots. You can check this record using your serial number and confirmation code to confirm your specific ballot was included in the tally.
  4. Cryptographic Proof for Everyone: Election officials use cryptographic techniques to prove that the final published tally mathematically matches all the confirmation codes posted online. Anyone can verify this proof, ensuring the tally wasn’t altered, even if the chain of custody was compromised or software was hacked. Your vote remains secret because the confirmation code doesn’t reveal your candidate choice.

This elegantly solves the core problem: voters get personal, verifiable proof, and the public gets a transparent, mathematically auditable record, all while preserving ballot secrecy.

Why It Matters: Restoring Faith in Democracy

E2E systems like Scantegrity offer “radical improvements to integrity and transparency,” as Carback states. They address the fundamental vulnerability of trust in elections. When voters can verify their vote counted, they gain confidence in the outcome. For democracy to function, people must believe their voice matters and the system is fair. Scantegrity provides a practical mechanism to deliver that assurance without sacrificing the secret ballot—a cornerstone of free elections.

Key Findings: Real-World Testing and Iteration

Carback and his team didn’t just design Scantegrity; they built it, tested it extensively, and learned crucial lessons:

  1. Mock Election (April 2009): A trial run revealed practical challenges. Voters and officials needed better printing technology for the invisible ink and a more robust system for reconciling tallies. Surveys showed most participants felt positively about the concept despite initial usability hurdles.
  2. Municipal Election (November 2009, Takoma Park, MD): The refined system was deployed in a real election. Observations and surveys found voters generally reacted favorably. While some struggled with the new features (like writing down codes), the core experience was positive. This real-world test proved the system’s viability in a live, low-stakes environment.
  3. Usability Improvements: Based on feedback, the team proposed adding an automatic receipt printer integrated with the scanner. Using Trusted Computing platforms, this design would reliably print the confirmation code and a cryptographic attestation on the receipt, reducing human error and enhancing trust in the verification step.
  4. Open Source Foundation: The entire system was developed as free, open-source software, promoting transparency and allowing public scrutiny of the code.

The Impact: A Blueprint for Trustworthy Elections

Scantegrity demonstrates that practical, verifiable voting is achievable. By building on existing optical scan technology and focusing on usability, it offers a realistic path forward. The real-world tests, especially in Takoma Park, provided invaluable data showing voters can adapt to and appreciate verifiable systems. The proposed receipt printer further refines the user experience.

Carback’s work is a significant step towards elections where transparency and privacy aren’t opposing forces, but mutually achievable goals. It provides a concrete solution to the nagging doubt that can undermine democratic processes, offering a blueprint for building voting systems that are not just secure, but verifiably secure – giving voters the confidence that their voice was truly heard.