Sensus Design Goals

While a wide variety of voting systems and protocols exist, the basic procedure for conducting a democratic election is fairly standard. This procedure generally involves four tasks:

Registration.

The registration task involves compiling a list of people eligible to vote.

Validation.

The validation task involves checking the credentials of those attempting to vote and only allowing those who are eligible and who have not already voted to proceed.

Collection.

The collection task involves collecting the voted ballots.

Tallying.

The tallying task involves counting the votes.

To have confidence in the election results, people must believe that these tasks are performed properly. However, there are numerous opportunities for corruption during the performance of each of these tasks. For example:

• Election authorities may cheat by knowingly allowing ineligible voters to register, registered voters to cast more than one vote, or ballots to be systematically miscounted or destroyed.

• Ineligible voters may register (often under the name of someone who is deceased) or eligible voters may register under multiple names.

• Registered voters (eligible and otherwise) may be impersonated at the polls.

• Ballot boxes, ballots, and vote counting machines may be compromised.

Traditionally, election fraud has been prevented through the use of physical security measures, audit trails, and observers representative of all parties involved. But the prevention of election fraud is made more difficult by the frequent requirement that votes remain private. Observers may not observe a ballot until after it has been placed in a ballot box, and audit trails must not provide the ability to link a ballot back to the voter who cast it. Even so, these security measures generally work well enough that the possibility of widespread fraud is small and people have confidence that election results are accurate.

When designing an electronic polling system, it is essential to consider ways in which the four tasks mentioned above can be performed electronically without sacrificing voter privacy or introducing opportunities for fraud. In addition, it is useful to consider all desirable polling system properties, including those not always achievable in traditional systems.

Our design goals are based on our survey of the literature on traditional and proposed electronic polling systems. We reviewed several sets of ``ideal'' election system characteristics found in the literature [1,10,15,18,20] and developed a set of four ``core properties'' that are likely to be desirable in almost any election system:

Accuracy.

A system is accurate if (1) it is not possible for a vote to be altered, (2) it is not possible for a validated vote to be eliminated from the final tally, and (3) it is not possible for an invalid vote to be counted in the final tally.

In the most accurate systems the final vote tally must be perfect, either because no inaccuracies can be introduced or because all inaccuracies introduced can be detected and corrected. Partially accurate systems can detect but not necessarily correct inaccuracies. Accuracy can be measured in terms of the margin of error, the probability of error, or the number of points at which error can be introduced.

Democracy.

A system is democratic if (1) it permits only eligible voters to vote, and (2) it ensures that each eligible voter can vote only once.

Privacy.

A system is private if (1) neither election authorities nor anyone else can link any ballot to the voter who cast it, and (2) no voter can prove that he or she voted in a particular way.

The second privacy factor is important for the prevention of vote buying and extortion. Voters can only sell their votes if they are able to prove to the buyer that they actually voted according to the buyer's wishes. Likewise, those who use extortion to force voters to vote in a particular way cannot succeed unless they can demand that voters prove that they voted as requested.

Verifiability.

A system is verifiable if voters can independently verify that their votes have been counted correctly.

The most verifiable systems allow all voters to verify their votes and correct any mistakes they might find without sacrificing privacy. Less verifiable systems might allow mistakes to be pointed out, but not corrected or might allow verification of the process by party representatives but not by individual voters.

In addition, we developed three extra properties that an electronic polling system should possess. Two of these properties are important for ensuring a high voter turnout, something which is often desired but not always achieved.

Convenience.

A system is convenient if it allows voters to cast their votes quickly, in one session, and with minimal equipment or special skills.

Flexibility.

A system is flexible if it allows a variety of ballot question formats including open ended questions (this is important for write-in candidates and some survey questions).

Mobility.

A system is mobile if there are no restrictions (other than logistical ones) on the location from which a voter can cast a vote.

We designed Sensus to possess all of the above properties, with one exception. Sensus does not address the second part of the privacy property. Unless voters are required to cast their votes from inside a solitary voting booth, voters will be able to prove how they voted by allowing another party to observe them while they are casting their votes. We do not believe this problem can be addressed without sacrificing mobility or convenience.

In addition, like most distributed cryptographic systems, Sensus does not address problems related to ballots being intercepted or delayed while in transit. The design of the Sensus system assumes that voters have a reliable mechanism for delivering messages to the election authorities in a timely manner.