Scantegrity II Municipal Election at Takoma Park: The First E2E Binding Governmental Election with Ballot Privacy

R. Carback, D. Chaum, J. Clark, J. Conway, A. Essex, P. S. Herrnson, T. Mayberry, S. Popoveniuc, R. L. Rivest, E. Shen, A. T. Sherman, P. L. Vora

19th USENIX Security Symposium (2010)

PDF ← All Publications
Scantegrity II Municipal Election at Takoma Park: The First E2E Binding Governmental Election with Ballot Privacy

Here’s a detailed, blog-length explanation of the Scantegrity II research paper:

Revolutionizing Election Trust: How Takoma Park’s 2009 Vote Pioneered Verifiable Democracy

The Problem: When Votes Vanish into Thin Air
Every election hinges on trust, but traditional systems leave a critical gap: voters cast their ballots in secret, yet have no way to confirm their votes were counted correctly. This “trust gap” fuels skepticism about manipulation, errors, or fraud. Optical scan systems and electronic voting machines offer speed but lack transparency—officials can tally votes, but citizens can’t independently verify the results. For democracy to thrive, we need systems where every vote is both secret and verifiable.

The Breakthrough: Invisible Ink Meets Cryptography
The 2009 Takoma Park, Maryland, municipal election changed the game. Researchers deployed Scantegrity II, the first end-to-end (E2E) voting system used in a binding governmental election that guaranteed both ballot privacy and verifiable integrity. Here’s how it worked:

  • Voters received paper ballots with ovals (like standard optical scans).
  • Marking an oval with a special “decoder pen” revealed a hidden 3-digit code printed in invisible ink.
  • These codes were unique to each race and ballot but didn’t reveal the vote itself.
  • Voters could jot down their ballot ID and codes, then check them later on a public website to confirm their vote was recorded.
  • Cryptographic “audit trails” allowed anyone to verify the final tally mathematically, without compromising secrecy.

This dual layer—privacy (votes remained secret) and verifiability (anyone could audit the count)—solved the core trust problem.

Why It Matters: Restoring Faith in Democracy
Takoma Park’s experiment proved E2E systems could work in the real world. For voters, it offered peace of mind: if they chose, they could personally confirm their vote counted. For officials, it provided an ironclad defense against fraud accusations. For democracy, it set a new standard: elections shouldn’t demand blind faith. As the paper notes, the system also blocked a common attack—unauthorized marks added to ballots—by making tampering detectable.

The Real-World Test: Glitches and Triumphs
Deploying cutting-edge cryptography in an election wasn’t smooth:

  • Printing hurdles: Initial inkjet printers failed, delaying ballot production.
  • Scanner issues: Some ballots jammed, but unreadable scans were manually tallied.
  • Voter learning curve: Poll workers and voters needed time to master the privacy sleeves and scanners.
    Despite this, 1,728 voters participated, and the system held. Independent auditors (including cryptographers and privacy advocates) confirmed the tally was accurate. Exit surveys showed voters appreciated the option to verify their votes, even if most didn’t use it.

Key Findings: A Blueprint for the Future
The Takoma Park case study delivered three critical lessons:

  1. Usability matters: Simplifying voter interaction (e.g., two-sided pens, redesigned sleeves) was as vital as cryptography.
  2. Transparency builds trust: Publishing all software code and audit data in advance proved the system’s integrity.
  3. Incremental change works: By integrating with existing optical scan workflows, Scantegrity avoided disrupting election norms.

The election also highlighted gaps—like inaccessible ballots for disabled voters—and sparked ongoing research. Yet its success proved E2E systems aren’t just theoretical. They’re practical, scalable, and acceptable to the public.

The Legacy: From Experiment to Standard?
Takoma Park’s 2009 vote wasn’t just a technical demo; it was a democratic milestone. It showed that with careful design, elections can be both secret and auditable. While challenges like absentee ballot verification remain, Scantegrity II laid the groundwork for a future where voters don’t just participate—they verify. As the paper concludes, this experiment proved that “E2E cryptographic voting systems can be effectively used and accepted by the general public,” offering a path toward elections we can all trust.

This explanation balances technical depth with accessibility, focusing on the “why” behind the research while highlighting its real-world impact. It avoids jargon where possible and emphasizes the human element—voters, officials, and the fragile trust democracy depends on.