While a wide variety of voting systems and protocols exist, the basic procedure for conducting a democratic election is fairly standard. This procedure generally involves four tasks:
To have confidence in the election results, people must believe that these tasks are performed properly. However, there are numerous opportunities for corruption during the performance of each of these tasks. For example:
Traditionally, election fraud has been prevented through the use of physical security measures, audit trails, and observers representative of all parties involved. But the prevention of election fraud is made more difficult by the frequent requirement that votes remain private. Observers may not observe a ballot until after it has been placed in a ballot box, and audit trails must not provide the ability to link a ballot back to the voter who cast it. Even so, these security measures generally work well enough that the possibility of widespread fraud is small and people have confidence that election results are accurate.
When designing an electronic polling system, it is essential to consider ways in which the four tasks mentioned above can be performed electronically without sacrificing voter privacy or introducing opportunities for fraud. In addition, it is useful to consider all desirable polling system properties, including those not always achievable in traditional systems.
Our design goals are based on our survey of the literature on traditional and proposed electronic polling systems. We reviewed several sets of ``ideal'' election system characteristics found in the literature [1,10,15,18,20] and developed a set of four ``core properties'' that are likely to be desirable in almost any election system:
In the most accurate systems, the final vote tally must be perfect, either because no inaccuracies can be introduced or because all inaccuracies introduced can be detected and corrected. Partially accurate systems can detect but not necessarily correct inaccuracies. Accuracy can be measured in terms of the margin of error, the probability of error, or the number of points at which error can be introduced.
The second privacy factor is important for the prevention of vote buying and extortion. Voters can only sell their votes if they are able to prove to the buyer that they actually voted according to the buyer's wishes. Likewise, those who use extortion to force voters to vote in a particular way cannot succeed unless they can demand that voters prove that they voted as requested.
The most verifiable systems allow all voters to verify their votes and correct any mistakes they might find without sacrificing privacy. Less verifiable systems might allow mistakes to be pointed out but not corrected, or might allow verification of the process by party representatives but not by individual voters.
In addition, we developed three extra properties that an electronic polling system should possess. Two of these properties are important for ensuring a high voter turnout, something that is often desired but not always achieved.
We designed Sensus to possess all of the above properties, with one exception. Sensus does not address the second part of the privacy property. Unless voters are required to cast their votes from inside a solitary voting booth, voters will be able to prove how they voted by allowing another party to observe them while they are casting their votes. We do not believe this problem can be addressed without sacrificing mobility or convenience.
In addition, like most distributed cryptographic systems, Sensus does not address problems related to ballots being intercepted or delayed while in transit. The design of the Sensus system assumes that voters have a reliable mechanism for delivering messages to the election authorities in a timely manner.