Frequently Asked Questions
From Scantegrity Wiki
Don’t serial numbers, confirmation codes, and online checking facilitate vote selling or coercion of voters?
No. What voters leave with does not reveal the votes: the serial number and confirmation codes are not related to the actual vote the voter cast, unless the election officials work together to trace it. Thus, short of illegally making a photograph in the booth or collusion of election officials, there is no way for voters to convince others of who they voted for. (See the “Voter Protection” section for related issues.)
Couldn’t a clever hacker or a corrupt software insider, perhaps by gaining control of the election computers, change the election outcome undetectably?
No. The combination of public posting of data and the public audit make it impossible for the Scantegrity system software to cheat without a high probability of getting caught by public audits. It’s like cheating by, say, publishing false sports statistics. If everyone interested can verify the published statistics from raw data, such cheating should be detected. It is actually enough to randomly choose and obtain raw data for spot checking, while data not chosen might never become public. Scantegrity is similar in allowing checking a random sample of raw data, where the amount of raw data revealed and checked is enough to ensure with overwhelming probability that the outcome is correct but not quite enough to reveal anything about who voted which way.
Does each voter have to make an extra effort in order to protect his or her vote or to check the election outcome?
Most voters probably won't check their vote, but all voters are allowed to. Voters can check online from home or elsewhere, simply by entering the serial number and verifying that the confirmaton codes displayed match the notes they kept. If only a few percent of voters actually do check, they ensure integrity of the election for everyone (because the system does not know in advance who will check). When a race is close, more people need to check but would naturally be incentivized to do so. Similarly, only a few people need to run independent audit software, such as the candidates themselves, but anyone is free to run or even write their own audit software. Scantegrity determines which raw data to check by using the unpredictability of published stock market prices and can even allow additional independent checks requested by candidates.
Isn’t the cryptography too hard for most people to understand?
Just like the little padlock in the corner of browser windows, users benefit without having to understand the inner workings of the crypto, especially where the software is public as with Scantegrity. The encryption in Scantegrity is actually simpler than the kind used by browsers, and of the same type found in current voting machines, though used in a different way. It works like the “secret codes” kids play with: a key is used to encode and the same key is needed to decode. Each piece of raw data in Scantegrity is encoded with a different key and posted online; afterwards, audit determines some of the keys that are then required to be posted to reveal the corresponding raw data. The principles can be illustrated by running a small election just by privately writing secrets on a white board and covering them with tape symbolizing the encryption, and removing some tape later as determined by coin flips. The actual system could, we expect, with such a mock election as introduction, be taught in advanced high school science or college classes. This is many times simpler than convincing anyone of how the software in current voting systems works—even if people were allowed to see it!
If someone, maybe a code breaking agency or clever hacker, were to break the cryptography, couldn’t they then choose the winner?
No. Breaking the crypto would allow linking votes to serial numbers, but not changing the posted votes. Even unlimited computing power can’t keep someone from getting caught changing the votes, since the posted encryptions effectively determine the raw data. It is very unlikely (or in some variants, proven impossible) that any encrypted raw data item can be decrypted in more than one way. Thus, in order to change the outcome significantly, much false data would have to be posted and most would almost certainly be discovered in audit.
Isn’t the larger issue in elections, rather than integrity of the outcome, really confidence in the overall election process including registration and participation?
Well, yes. But an election system that helps create a lack of confidence in integrity of the outcome tends to reduce registration and turnout among those who believe their votes won’t be counted properly. Such disenfranchisement works particularly well against members of parties not controlling the election machinery. So the ultra-high integrity of Scantegrity against even those operating the election system is in effect needed to enfranchise voters, improve participation, and guarantee fair elections!
Wouldn’t all this high security cost too much?
Actually, Scantegrity can be far less costly in both capital expenditure and total cost of ownership. Generally, systems like Scantegrity that share a single computer among many booths at a polling place have significant price advantages over computer-per-booth systems. Scantegrity uses commodity hardware instead of proprietary hardware, in today’s voting industry an additional 70%-80% savings! The operational cost of security is lowered, since much less has to be securely stored and transported. Optical scan ballots today are printed by a limited number of companies to exacting standards at high prices with long delays, whereas Scantegrity ballots can be printed locally using ordinary office printers. The cost per voter for Scantegrity, even renting the needed computers and scanners, can probably be about the same as what is paid just for the printing of scan ballots today.
Could this type of system work for general elections in large US counties?
Yes. The Scantegrity software on this site is intended for student elections; nevertheless, the approach scales and appears able to support all features needed. The amount of cryptographic computation would be modest for elections even in the largest counties. Multiple “ballot styles” required for multiple languages and the different combinations of contests for each precinct are straightforward software developments. Similarly readily achieved are provisional and absentee ballots as well as early voting and electoral rules such as instant runoff and straight party voting. Promising research underway is aimed at the remaining aspects: accommodation of write-ins and voters with disabilities.