Remotegrity: Design and Use of an End-to-End Verifiable Remote Voting System

F. Zagórski, R. Carback, D. Chaum, J. Clark, A. Essex, P. L. Vora

(2013)

PDF ← All Publications
Remotegrity: Design and Use of an End-to-End Verifiable Remote Voting System

Securing Remote Voting: How Remotegrity Combats Malware and Corruption

Imagine casting your vote from home—whether you’re sick, traveling, or simply prefer the convenience—only to worry that your computer’s malware could secretly change your choice, or that election officials might tamper with your ballot. For millions of absentee voters, this isn’t a hypothetical: remote voting (via mail or the internet) introduces unique risks that in-person systems don’t face. A 2008 U.S. election study found 19% of mail-in ballots arrived too late to be counted, and online systems are vulnerable to phishing, server hacks, or malicious software on voters’ devices. Existing solutions often address one threat (like malware) but not another (like corrupt election authorities), or fail to let voters prove who’s at fault if something goes wrong.

Enter Remotegrity, a hybrid mail-internet voting system designed to solve these gaps. Developed by researchers from institutions including Carleton University and The George Washington University, Remotegrity was deployed in a 2011 municipal election in Takoma Park, Maryland—the first real-world test of a system that protects against both voter-side malware and corrupt election officials, while giving voters a way to prove fraud if it occurs. Below, we break down how it works, why it matters, and what we learned from its deployment.

The Problem: Two Threats, One Solution Needed

Remote voting is here to stay. In the U.S., 27 states offer mail voting to any voter, and 21 allow it to those with “need”—a trend accelerated by the COVID-19 pandemic. But mail ballots are vulnerable to loss or tampering, and online voting introduces new risks: malware on a voter’s computer could undetectably alter their choices, while a hacked election server could modify thousands of votes. Even worse, if a vote is disputed, how do we know if the problem was the voter’s device, the server, or a corrupt official?

Most existing systems fall short. For example, “code voting” (using random codes to prevent malware from altering votes) protects against voter-side threats but not corrupt officials (who know all the codes). Other systems focus on coercion resistance (preventing voters from being forced to vote a certain way) but assume the voter’s device is trusted. Remotegrity was built to handle both malware and corruption, while enabling “dispute resolution”—letting voters prove who’s responsible if their vote is tampered with.

How Remotegrity Works: Code, Seals, and Cryptography

Remotegrity isn’t a standalone voting system—it’s an extension of Scantegrity, an in-person system that uses invisible ink and random codes to let voters verify their votes. For remote voters, Remotegrity adds two key innovations: code voting (to block malware) and a lock-in code (to catch corrupt officials).

Step 1: The Ballot Package

Voters receive a mail package with two parts:

  • A paper ballot (like Scantegrity’s) with a unique serial number and random “vote codes” (one per candidate, printed in invisible ink).
  • An authorization card with scratch-off codes: multiple “authentication codes” (to verify the vote) and a “lock-in code” (to prove the election authority didn’t tamper with the ballot).

Step 2: Voting Online

When a voter uses the online system, they:

  1. Enter the serial numbers from their ballot and authorization card.
  2. Select the vote code for their chosen candidate (from the ballot) and a random authentication code (from the card).
  3. Submit these to a public “bulletin board” (a tamper-proof online log).

Step 3: Verifying and Locking In

Election trustees (trusted observers) check the submitted codes. If valid, they add an “acknowledgment code” and sign the entry. The voter then:

  • Verifies the acknowledgment code and signature (to ensure the system didn’t alter their vote).
  • Scratches off the lock-in code and posts it to the bulletin board.

Here’s the magic: If the election authority tries to change the vote after the voter locks it in, the lock-in code remains sealed. The voter can use the unscratched card as physical proof the authority cheated. For malware, the random codes make it nearly impossible for malicious software to guess the right vote code—so the system rejects the vote, and the voter knows their device is compromised.

Why This Matters: Trust in Remote Elections

Remotegrity addresses two critical gaps in remote voting:

  1. Malware Protection: Code voting ensures even if a voter’s computer is infected, the system can detect (and reject) altered votes.
  2. Corruption Accountability: The lock-in code lets voters prove if election officials tampered with their ballot—without revealing who they voted for (ballot secrecy is preserved).

This is a game-changer for trust. In 2016, a U.S. government report found 42 states had experienced election cyberattacks, and voters increasingly worry about digital fraud. Remotegrity shows that remote voting can be secure and verifiable—giving voters the same confidence they have at the polling place.

Real-World Deployment: Takoma Park, 2011

To test Remotegrity, researchers partnered with Takoma Park, Maryland (a city of 17,000 with 11,000 registered voters). The city had already used Scantegrity for in-person voting, so extending it to remote voters made sense. Here’s what happened:

  • Preparation: The team worked with the city’s Board of Elections to adapt the system for usability (e.g., simplifying code entry). They tested it with 20 volunteers, who provided feedback on the interface.
  • Deployment: Voters received mail packages with Scantegrity ballots and Remotegrity authorization cards. They could vote by mail or use the online system to “audit” their vote (though only mail ballots were counted).
  • Results: Only 5 voters used the online system (2 weren’t counted because they didn’t mail their paper ballot), but the deployment proved the system worked. Post-election audits confirmed no fraud, and the city’s officials gained confidence in cryptographic voting.

Lessons Learned: Real-World vs. Theory

The Takoma Park test revealed two key takeaways:

  1. Usability Trumps Perfection: The team had to simplify the system (e.g., not requiring voters to “lock in” their vote) to encourage participation. This slightly reduced security but made the system more accessible—showing that real-world constraints (like voter convenience) matter as much as technical rigor.
  2. Collaboration Is Key: Working closely with election officials helped the team address practical concerns (e.g., printing costs, voter confusion) and built trust. The officials, in turn, learned about the system’s security benefits, fostering buy-in.

The Future of Remote Voting

Remotegrity isn’t perfect—future work will focus on scalability (for larger elections) and coercion resistance (preventing voters from being forced to vote a certain way). But its deployment in Takoma Park proves that secure, verifiable remote voting is possible. As more people vote remotely, systems like Remotegrity could restore faith in elections by giving voters:

  • Proof Their Vote Counted: The bulletin board lets voters check their vote code was recorded correctly.
  • Accountability: The lock-in code lets them hold officials responsible if fraud occurs.

In a world where trust in institutions is eroding, Remotegrity offers a path forward: secure, transparent, and inclusive voting for everyone—whether they’re at the polling place or their kitchen table.

The Takoma Park experiment was a small step, but it’s a big leap toward making remote voting as trustworthy as in-person voting. And in a democracy, that’s something worth celebrating.