The Scantegrity Voting System and its Use in the Takoma Park Elections

D. Chaum, R. Carback, J. Clark, A. Essex, T. Mayberry, S. Popoveniuc, R. L. Rivest, E. Shen, A. T. Sherman, P. L. Vora, J. Wittrock, F. Zagórski

(2016)

PDF ← All Publications
The Scantegrity Voting System and its Use in the Takoma Park Elections

Securing Democracy: How Scantegrity Revolutionized Voting with Invisible Ink and Cryptography

Imagine casting your vote confident that it’s counted exactly as you intended, with the ability to verify this without revealing who you voted for. This isn’t a fantasy—it’s the promise of end-to-end (E2E) verifiable voting systems, and the Scantegrity project brought this vision to life in real-world elections. The research paper The Scantegrity Voting System and its Use in the Takoma Park Elections chronicles a decade-long journey to design a voting system that marries the security of cryptography with the familiarity of paper ballots, culminating in groundbreaking deployments in Takoma Park, Maryland.

The Problem: Trust in the Digital Age

Traditional voting systems face a fundamental dilemma: ensuring security often comes at the cost of usability or transparency. Optical-scan systems, while common, lack robust mechanisms for voters to confirm their votes were recorded correctly. E2E systems, which use cryptography to allow anyone to audit the tally, were often seen as too complex or alien for real elections. The core question driving Scantegrity was: Can we build a system that is both cryptographically secure and intuitive for voters? This matters deeply because public trust in elections is eroded by fears of tampering, errors, or lack of transparency—issues that E2E systems are designed to address.

The Solution: Invisible Ink and Cryptographic Receipts

Scantegrity II, the system’s centerpiece, cleverly integrates cryptography into a standard optical-scan ballot. Here’s how it works:

  • Invisible Confirmation Codes: Next to each candidate’s name, a unique alphanumeric code is printed in invisible ink.
  • Voting as Usual: Voters mark their choice with a special pen. As they do, the ink reacts, darkening the bubble and revealing the code (e.g., “ML” for Candidate 2).
  • Privacy-Preserving Receipt: Voters can jot down these codes on a detachable receipt. Crucially, the receipt alone doesn’t reveal the vote—only the combination of the code and the ballot’s serial number (hidden in a barcode) allows verification.
  • Post-Election Audit: After polls close, election officials publish encrypted tallies and revealed codes online. Voters check if their codes appear correctly, ensuring their vote was counted. Cryptography ensures no one can link codes to specific candidates, preserving secrecy.

This design solved Punchscan’s usability flaws (e.g., two-sheet ballots, confusing marking) by using a single sheet and familiar marking. It also added “dispute resolution”: if a voter claims their vote was misrecorded, they can prove it without revealing their choice, while officials can refute false claims.

Real-World Deployment: Takoma Park 2009

Scantegrity’s first binding governmental use was Takoma Park’s 2009 election. Key adaptations included:

  • IRV Compatibility: The system was modified for Instant Runoff Voting (ranked-choice), a local requirement.
  • Bilingual Ballots: English and Spanish instructions were integrated without extra ballots.
  • Mock Election Refinements: A test run revealed bottlenecks (e.g., 8-minute voting times). Solutions included streamlining the scanning process and using separate verification cards, cutting voting time to under 3 minutes.
  • Open-Source Transparency: All software was publicly available, a first for a governmental E2E election.

On election day, 1,728 voters used the system. The process felt familiar—marking bubbles with a pen—but with a cryptographic safety net. Officials conducted print audits (randomly checking ballots against published codes) and tallied results, which matched the optical scanner’s count closely.

Key Findings: Trust Without Understanding Cryptography

The Takoma Park deployment yielded critical insights:

  1. High Voter Confidence: Surveys showed strong support for verification, even among voters who didn’t grasp the cryptography. The receipt’s simplicity (copying codes) made participation easy.
  2. Dispute Resolution in Action: One voter disputed a code digit (“0” vs. “8”). Cryptographic verification confirmed the official result, demonstrating the system’s ability to resolve conflicts fairly.
  3. Practicality: The system handled real-world complexities (absentee ballots, provisional votes) and integrated with existing workflows.
  4. Usability Wins: Modifications from the mock election (e.g., faster scanning) proved essential for smooth operation.

Notably, the hand count and scanner count differed slightly (48 votes in the mayoral race), highlighting that optical scans can miss valid marks—an issue Scantegrity’s cryptography doesn’t solve but underscores the need for human oversight.

Legacy and Future

Scantegrity’s success in Takoma Park (redeployed in 2011) inspired global interest. Victoria, Australia, and Travis County, Texas, later tested similar systems. The project also spawned variants like Remotegrity (remote voting) and Audiotegrity (accessible voting), showing adaptability.

For democracy, Scantegrity proved that E2E verifiability isn’t just a theoretical ideal—it’s deployable. By making verification opt-in and using familiar interfaces, it balanced security with accessibility, offering a blueprint for restoring trust in elections. As the paper concludes, the journey from Punchscan to Scantegrity shows that innovation, iteration, and real-world testing can transform how we safeguard one of democracy’s most sacred acts: voting.