Workshop Program

Voting technologies have undergone intense scrutiny in recent years. In contrast, the human components of these socio-technical systems, including the policies and procedures that guide and bind behavior have received less attention. To begin to understand pollworker behavior, we conducted a two stage qualitative investigation in a single jurisdiction to explore the challenges pollworkers face on election day, their recollection of relevant policies and procedures, and their high-level ability to perceive and remedy threats to security and privacy whether they relate directly to policies and procedures or not. We first observed 4 polling places in one California county during the general election in November 2010, recording security and privacy related events. Based on our observations we developed 10 "vignettes", each focusing on a privacy or security risk that we witnessed. In August 2011, we used this instrument to interview twenty pollworkers — recruited from the four polling places we observed the previous year and four additional demographically-similar polling places — in order to understand how they would respond to the vignettes. We report 1) qualitative findings from our observations; and, 2) qualitative findings from our vignette-based interviews of pollworkers. We find that awareness of security-related policies and procedures and comprehension of security risks is low compared with privacy policies, procedures and risks. We find divergent polling place management styles, which we tentatively suggest relate to different perspectives on risk management and trust. We propose that training materials be oriented around the risks they are designed to address, to promote pollworkers' general knowledge of risks to election integrity as well as the specific policies their roles support in order to mitigate risks on election day.

It is often argued in the e-voting community that in the presence of write-in candidates, forced abstention attacks are always possible. Therefore, write-in candidates are often excluded in existing definitions of coercion-resistance arguing that those definitions cannot be achieved by write-in supporting schemes. This is only true if the tally is made public directly. Coercion-resistance may well be achieved if only a fuzzy version of the tally is published. This paper provides a formalization of fuzzy tally representations which enables definitions for coercion-resistance to take into account write-in candidates without being weakened. We also show how the cryptographic voting scheme Bingo Voting can be applied to write-in candidates with respect to this formalization, providing what we believe to be the first evoting scheme that prevents forced abstention while allowing for write-in candidates. We then give a general construction of coercion-resistant schemes that provide a verifiable fuzzy tally representation from mix-based and homomorphic election schemes with trusted authority.

In this paper we propose a novel front-end for Prêt à Voter that aims to maintain the privacy and integrity guarantees found in the paper based version, whilst simultaneously improving the accessibility of Prêt à Voter. Namely, we maintain the Prêt à Voter property that no machine learns your vote, whilst providing improved accessibility. We term this new front-end Hybrid Touch and have implemented it on both a Microsoft Surface and a multi-touch screen. Hybrid Touch combines the privacy benefits of paper with the accessibility benefits of a touch screen. It is this combination that provides more accessibility opportunities as well as allowing Prêt à Voter to handle larger and more complicated elections. Our goal is to develop a single unified front-end, which can be easily augmented with additional accessibility technology, to provide the same core interface for both able-bodied and disabled voters.

In this paper we propose improvements on the Helios voting protocol such that the audit data published by the authority provides everlasting privacy, as opposed to the computational privacy provided currently. We achieve this with minor adjustments to the current implementation. For the homomorphic Helios variant we use Pedersen commitments to encode the vote, together with homomorphic encryption over a separate, private channel between the user and Helios server to send the decommitment values. For the mix-net variant we apply a recent result which shows that mixing with everlasting privacy is possible. 

Observe that we do not claim everlasting privacy towards the server, which, if dishonest, could try to break the homomorphic encryption scheme used in the private channel. Thus towards the authority the voter’s level of privacy is identical to what Helios currently offers. However, our protocol is much harder to attack by an outsider: apart from having to break the computational assumption, an adversary must intercept the communication between the voter and the server to violate ballot privacy of that voter. The feasibility of such an attack depends on the way both parties choose to implement this channel. Both contributions are generic in the sense that they can be applied to other voting protocols that use homomorphic tallying or mixnets.

This paper describes a systematic approach for incrementally improving the security of election processes by using a model of the process to develop attack plans and then incorporating each plan into the process model to determine if it can complete successfully. More specifically, our approach first applies fault tree analysis to a detailed election process model to find process vulnerabilities that an adversary might be able to exploit, thus identifying potential attacks. Based on such a vulnerability, we then model an attack plan and formally evaluate the process's robustness against such a plan. If appropriate, we also propose modifications to the process and then reapply the approach to ensure that the attack will not succeed. Although the approach is described in the context of the election domain, it would also seem to be effective in analyzing process vulnerability in other domains.

Risk-limiting post-election audits guarantee a high probability of correcting incorrect electoral outcomes, regardless of why the outcomes are incorrect. Two types of risk-limiting post-election vote tabulation audits are comparison audits and ballot-polling audits. Comparison audits check some of the subtotals reported by the vote tabulation system, by hand-counting votes on the corresponding ballots. Ballot-polling audits select ballots at random and interpret those ballots by hand until there is strong evidence that the outcome is right, or until all the votes have been counted by hand: They directly assess whether the outcome is correct, rather than assessing whether the tabulation was accurate. Comparison audits have advantages, but make large demands on the vote tabulation system. Ballot-polling audits make no such demands. For small margins, they can require large samples, but the total burden may still be modest for large contests, such as county-wide or state-wide races. This paper describes BRAVO, a flexible protocol for risk-limiting ballot-polling audits. Among 255 state presidential contests between 1992 and 2008, the median expected sample size to confirm the plurality winner in each state using BRAVO was 307 ballots (per state). Ballot-polling audits can improve election integrity immediately at nominal incremental cost to election administration.