An Introduction to Electronic Voting

Lelia Barlow
November 2003

Introduction
This paper is intended to introduce the subject of electronic voting. Electronic voting will be described in
the context of other voting technologies. The potential benefits and risks of electronic voting systems are
discussed. There will be some brief discussion of the current environment in terms of standards and
testing programs, current and pending legislation, and electronic voting systems manufacturers. Desirable
characteristics of voting systems will also be discussed.
In addition to introducing the subject to the reader, a further objective of this paper is to provide
background for an upcoming paper which will compare and contrast ideas for improving electronic voting
systems utilizing cryptographic protocols.
Motivation
As a citizen of the United States of America and a registered voter, I am interested in ensuring that my
vote, my voice in the democratic process, is counted in a way that agrees with my intentions. Further, I am
concerned that if voters do not have confidence in the mechanisms by which their votes are counted, the
legitimacy of elections (and thus the legitimacy of elected officials and of voted issues) could be called into
question.
As an engineer, I see an important but challenging set of problems to explore. Some of these problems are
technical in nature, others are more closely related to people and the processes they choose to implement.
Both types of problems impact the overall system, therefore both types of problems must be considered.
As a student, I see an opportunity to explore a topic of interest to me personally, and to share what I learn
with others. However, due to the limited amount of time available for research, I must acknowledge an
inability to do justice to a complicated subject. Instead, my goal is to learn as much as possible in the
time allotted, and present that information to the reader in a relatively concise form.
Voting Technologies
To introduce the subject of electronic voting, and also to provide some historical context, we begin with an
overview of voting technologies. These include paper ballots, mechanical lever machines, punch cards,
marksense, and direct recording electronic voting systems. (Sources for this section include references
cited as [FEC2003] and [IEEE2003].)
Paper Ballots
Paper ballot systems use official ballots with the names of all candidates and issues printed on them.
Voters mark boxes next to the candidates or issues of their choice in private, and drop the completed ballot
into a sealed ballot box. This system, also known as the Australian ballot because it was first adopted in
the Australian State of Victoria in 1856, was first used in the United States in a statewide election in New
York in 1889.
Mechanical Lever Machines
In mechanical lever voting systems, the voter makes a selection by pulling a lever assigned to a candidate
or issue choice identified by a printed strip. When the voter opens the privacy curtain and exits the voting
booth, the levers are automatically returned to their original positions. As the levers return to position, each
causes a wheel to turn one-tenth of a full rotation for the counted vote. This wheel serves as the ones
position of the count for the particular lever. After each full rotation of this wheel, this wheel causes a
tens wheel to turn one-tenth of a full rotation. Similarly, the tens wheel updates a hundreds wheel.
If the mechanical connections work properly and the counting wheels are initially set to zero, the number of
votes cast is measured by the position of each counter when the polls close.

Mechanical lever machines were invented by Thomas Edison as a way to deter the vote fraud (such as
ballot stuffing) that was occurring at the time. The first official use of a mechanical lever voting machine
was in New York in 1892. By 1930, they were in almost every large city in the United States. In the
1960s, over half of the countrys votes were counted by mechanical lever machines. These machines are
no longer made, and are being replaced with marksense or direct recording electronic voting systems.

Figure 1. Mechanical lever machines

[Source: http://www.co.oswego.ny.us/election/Directions%20on%20avm%20use.pdf]
Punch Cards
In punch card voting systems, voters punch holes in cards to indicate their candidate or issue choice. The
cards are printed with numbers (with the list of candidates and issue choices printed separately in a book),
or the candidate names and issue choices may be printed directly on the ballot next to the location of the
hole to be punched. The ballot is either dropped in a ballot box or fed into a computerized tabulating
device.
The first punch cards and computerized tally machines were used in Georgia in 1964, soon followed by
jurisdictions in Oregon and California. Many jurisdictions are switching from punch cards to marksense or
direct recording electronic voting systems.

Figure 2. Punch Card Ballot

[Source: http://inventors.about.com/library/weekly/aa111300b.htm]
Marksense
Marksense voting systems allow voters to record their choices by filling in a circle, rectangle or oval, or by
completing an arrow on a ballot card with candidate names and issue choices printed on it. Ballot cards are
then dropped in a ballot box or fed into a computerized tabulating device. This device selects the darkest
mark in a group as the vote using dark mark logic. Marksense technology, often referred to as optical
scan, has also been used for applications such as standardized testing.

Figure 3. Sequoia EAGLE Precinct-Based Optical Scan Ballot Tabulator

[Source:http://www.sequoiavote.com/photo.php?photo=eagle.jpg&title=Sequoia%20EAGLE%20Pre
cinct-Based%20Optical%20Scan%20Ballot%20Tabulator]
Direct Recording Electronic (DRE)
Direct Recording Electronic, or DRE, voting systems are an electronic implementation of mechanical lever
voting systems. As in lever voting systems, there is no ballot and the choices are visible to the voter on the
front of the machine. Voters use touch-screens, push-buttons, possibly keyboards (to enable write-in votes)
or other devices to enter their choices into electronic storage (such as smart cards, diskettes, or memory
cartridges). Choices are added to the choices of all other voters.

Figure 4. Diebold AccuVote-TS

[Source: http://www.diebold.com/dieboldes/accuvote_ts.htm]

Figure 5. Trends in usage of each voting technology over time.

[Sources: Caltech/MIT Voting Technology Project (2001), The Election Data Book (1993).]
A few observations can be made based on the previous information. The only technologies that are
currently growing in popularity are Marksense and DRE. Paper ballot, mechanical lever machines, and
punch card technologies are being replaced by these newer technologies.
DRE is not the first voting technology that lacks an audit-able paper trail. Mechanical lever machines,
which have been in widespread use for many decades, also produced no voted paper ballots. In contrast,
punch card and marksense ballots are tabulated using computer systems, but the original voted ballots
remain to provide a paper trail.
Although mechanical lever machines leave no paper trail, there are differences between them and DRE
machines. For example, because lever machines are fully mechanical, you can open them up and examine
the interactions between the levers and wheels. You can verify that moving the lever results in moving the
wheel. With DRE machines, it is not quite as simple. Because votes cast with DRE machines are stored
electronically, it is difficult to tell whether the button you push on the touch screen directly translates to that
vote being recorded. You cant open the machine and see a physical record of the vote.
In addition, to manipulate an election conducted with mechanical lever machines, a person would have to
tamper with a large number of machines. The person would have to change a physical property of each
machine. However, an error in programming, intentional or not, could affect the entire batch of DRE
machines.
Risks Associated with Electronic Voting
Errors in programming can be very simple. Adding a semi-colon in the wrong place can completely
change a program.
For example, a recent midterm election in Dallas, Texas used touch-screen DRE machines. Voters
discovered that no matter where they touched on the Democratic side of the screen, it would vote for the
Republican candidate [PITT2003]. The Democratic Party went to court, with affidavits demonstrating that
the machines were making this error. It was decided that some of the voting machines were misaligned,
and those machines were taken out of service.

It has also been reported [BUZZ2003], that in one Iowa county a single electronic voting machine
miscounted by three million votes due to an error.
There seems to be no shortage of reports describing problems with electronic voting, and I will not attempt
to summarize them here. One source for information is [BBV2003], where you can read about current
events and download a copy of Bev Harris book entitled Black Box Voting. Harris has spent the last
year researching the subject of electronic voting, and has produced an extensive collection of information.
Whether the errors in electronic voting systems are accidental or intentional, it is important to note that the
door is open to misuse in all of the voting systems described above, not just in electronic voting systems.
Marksense systems and punch card systems, for example, are also subject to programming problems.
Although the votes are cast on paper ballots, those ballots are tabulated electronically. The potential exists
for manipulation of results by programming (or reprogramming) the tabulating machine. Even paper
ballots are not immune from election fraud. Ballot stuffing, destroying or stealing ballots, and declaring
eligible ballots ineligible are just a few examples of tampering techniques that have existed for centuries.
However, with electronic voting, the scale has changed. It no longer needs to be a labor-intensive process
of tinkering with physical assets such as ballots or vote-tabulating machines. Now it can be a simple matter
of software to tamper with election results.
The IEEE P1583 Standards group (discussed later in this paper) has developed a Threat Summary, which
they describe in Section 5.1.2.3 of the v4.3 document [IEEE2003]. That Threat Summary is summarized
here, to provide further description of risks that may be associated with electronic voting.
The Threat Summary begins by stating the assumptions that there are people who are motivated to
compromise the election process, and those people are sophisticated and well financed.
Specific threats are described during development, product delivery, maintenance between elections, and
the pre- and post-election intervals. Most threats identified involve a person gaining access to voting
systems and inserting malicious code into the voting system software. The malicious code would allow one
or more of the following to occur:

Recording a different ballot than the ballot displayed by the voting system which is used by the voter
Modifying previously recorded votes or vote totals
Rendering a voting machine inoperable (denial of service)
Casting ballots that did not originate from eligible voters
Observing recorded votes or vote total before the authorized time
Modifying audit trails
Identifying the ballots cast by specific voters, with or without help from the voters themselves
Causing a voting machine to fail to record votes, in either a general or specified way
Failing to comply with legal requirements of the ballot style
Calculating vote totals in a way that is inconsistent with legal requirements

It occurs to me that there are additional ways to compromise the election process, such as by allowing
eligible voters to vote multiple times or by modifying the ballot contents (for example, a person who
wishes to make a statement and disrupt the election process could change the candidate names to Bugs
Bunny, Daffy Duck, Porky Pig, and Elmer Fudd). The sophisticated and well-financed attackers
may also be creative individuals with plenty of time to invent attacks the standards committee and system
manufacturers never imagined.
Further, it is insufficient to claim that examining the source code for electronic voting system software will
solve these problems. It has been demonstrated, in an ACM classic paper on trusting software
[THOM1984], that it is not possible to trust code that you did not write yourself. In this paper, programmer
Ken Thompson warns,

No amount of source-level verification or scrutiny will protect you from using untrusted code. In
demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have
picked on any program-handling program such as an assembler, a loader, or even hardware
microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A
well installed microcode bug will be almost impossible to detect.
The example described in the paper inserts a type of bug called a Trojan horse into a program. This bug
leaves no trace in the source code.
It is not difficult to conclude that sophisticated and well-financed attackers may possess the technical
knowledge to cover their tracks in this manner, and that malicious code in electronic voting system
software may be impossible to discover.
Potential for Benefits
Although there is significant potential for misuse of electronic voting equipment, there is also the potential
for these systems to improve certain aspects of the election process.
Certainly, it is desirable for new voting systems to produce tallies faster than their predecessors. It should
be possible to reduce human error in generating election results, while also reducing the cost of conducting
an election.
The potential exists, using electronic voting, for voters to be alerted when they make simple mistakes in
casting their vote. Examples include instances when the voter selects more candidates than are allowed,
called overvoting, and instances where the voter accidentally skips selections or selects fewer candidates
than are allowed, called undervoting. [MERC2002]
Electronic voting systems could be designed to improve accessibility, so that all eligible voters can cast
their vote in privacy. For instance, by including software that reads the ballot out loud and adding an
appropriate device for voter input, the blind and visually impaired could use voting machines without
assistance. [NORR2000] Electronic voting machines could accommodate different languages, to facilitate
voting by non-English speakers.
An idea that I personally think is interesting, which could be more easily enabled by electronic voting
technology, is known as instant-runoff voting. Instead of choosing a single candidate, voters rank the
candidates as their first choice, second choice, third choice and so on. In an election where no candidate
receives a majority of first choice votes, the candidate with the least total of first choice votes is eliminated
and the second choice votes from these ballots are added to the totals of the other candidates. Candidates
are eliminated in this manner until one winner has a majority of the total vote. (An example of this process,
which is detailed but also clever, is available from [PIER2003].)
Using instant-runoff voting, a runoff recount can be conducted without the time and expense of a new
election. Independents and candidates from third parties can be involved in the election without being
accused of spoiling the election, and no voters input is wasted. [IRV2003] Henry Norr, in a San
Francisco Chronicle article [NORR2000], suggests, The best argument for such a system, at least to my
mind, is that it would open up our politics to new ideas, new people, and maybe even new parties by
eliminating the spoiler problem.
Voting System Standards and Testing Programs
From a FEC website [FEC1998],
During the 1970s, nearly anyone could cobble together a "voting machine", and sell it to local
election officials. Few States had any guidelines for testing or evaluating these devices. Local

officials either had to take the salesmans word that the system worked or else depend on the
opinion of colleagues who had already bought it. Voting equipment horror stories -- some of them
funny, some of them downright chilling -- soon began circulating through the election community.
They triggered concerns about the integrity of the voting process.
The problems in the 1970s led to the creation of voluntary technical and procedural performance standards
for computer-based voting systems. In January 1990, the first national standards for punch card,
marksense, and direct recording electronic voting systems were approved. The standards focused primarily
on how the inner workings of the computer devices performed. Today, the Federal Voting System
Standards (FVSS) contain requirements for punch card, mechanical lever, marksense, and DRE systems.
After publication of these standards, a process was established by the National Association of State
Election Directors (NASED) for vendors to submit equipment to Independent Test Authorities (ITA) for
evaluation against the standards. Currently, Wyle Laboratories is approved by NASED to test vendors
proprietary hardware and firmware. Ciber and SysTest Labs are approved by NASED to examine any
software that tabulates or reports votes and vote totals, such as source code for vote tabulation software and
election management software. It is also noted [NASED2003] that,
The ITAs DO NOT and WILL NOT respond to outside inquiries about the testing process for
voting systems, nor will they answer questions related to a specific manufacturer or a specific
voting system. They have neither the staff nor the time to explain the process to the public, the
news media or jurisdictions. All such inquiries are to be directed to The Election Center on behalf
of NASED.
The NASED website describes the Election Center as the focal point for coordination among the FEC,
NASED, ITAs, and state and local jurisdictions. Although it has no authority to pass or fail a product, the
Election Center answers questions about products that are qualified or not qualified under the Federal
Voting System Standards.
In addition, because specific states may have other requirements (such as the ability to do candidate
rotation on a ballot), testing of these requirements is performed by each individual state. Thus, although
qualification is done at a national level, certification of voting systems occurs at the state level.
A criticism of the qualification testing process comes from David Dill, a professor of computer science at
Stanford University, in [PITT2003]:
My friend David Jefferson has been involved in internet voting and some other election-related
issues for a while now. A couple of years ago, he got the right passwords to call up WYLE and
ask them what they do, and he got a description. The basic description, according to David, is that
they bake the machines to see if they die. The drop them to see if they break. And then what they
do is run scripts over the computer program to check for bugs. A script is just another computer
program to check for superficial things. There is no human involved. They don't want functions
that are too long, and they don't want functions with multiple exit points. They say 'Modules,' but
they are basically talking about chunks of code. It is basically nothing more than a style-checker,
like running a spell-check. ... The concept of running one of these style-checkers on a program is,
at the end of the day, you know the functions are short and they don't have multiple exit points.
You don't have any clue if they are doing the right thing at security holes or anywhere else. After
this process, there are several other steps. There is something called an 'Acceptance Test.' When
the machines get delivered to either the state or county government, they power them up and put
them through the paces to make sure they work. Basically, they sign a form that says they got the
thing and it's not busted. Before each election, and sometimes after each election, they have
something called a Logic and Accuracy Test where, to one degree or another, they will try casting
some votes on the machine to make sure they come out right. That's basically all there is to it.
In short, Davids analysis is that the current testing performed on electronic voting system software is
insufficient to address the variety of potential threats to the system.

The IEEE project group P1583 is actively developing a standard for the evaluation of voting equipment. Its
purpose is to identify tests and criteria to ensure equipment confidentiality, security, reliability, accuracy,
usability, and accessibility.[IEEE2003] Project authorization for P1583 was granted in June 2001, and the
group is now working on revisions to Draft 5 of their standard.
After an admittedly brief review of the nearly 200-page document, this IEEE standard-in-progress appears
to be simply an update of the Federal Voting System Standards. In fact, it is informative to review the
appendix which cross-references the VSS 2002 requirements with the IEEE P1583 requirements. There are
many instances of no change between the documents, or of requirement dropped because it was out of
the scope of the standard. I counted very few substantial new changes or new requirements. Of course,
this standard is a work in progress, and therefore it should be reviewed again once the final version is
published.
While I believe it is impossible to guarantee perfect security in these complicated systems against all
possible attacks, I believe it is possible to raise the bar against attackers. Ideally, by making it
increasingly difficult for all but the most time- and resource-intensive attacks to occur, we should be able to
gain confidence in the resilience of the system against attacks. My hope is that standards groups make
continued efforts to increase the difficulty of attacking electronic voting systems.
History of Legislation
The 2000 presidential election spotlighted issues with election systems. This prompted Congress to pass
the Help America Vote Act (HAVA) [HAVA2002], to mandate voting process reform.
This Act is described by Rebecca Mercuri, who earned her Ph.D. for work on electronic voting systems, on
her very detailed website [MERC2003]. The Act authorizes $3.8 billion in federal funds, with a substantial
portion of this spending allocated to US states and territories to replace their punch card and mechanical
lever voting machines, and make their voting systems accessible to the disabled. Although there is no
requirement for states to buy electronic voting systems, states must submit plans by January 1, 2004 for
replacing all of their punch card and mechanical lever systems by the first election held after January 1,
2006 for Federal office.
The Act also calls for a Presidentially-appointed HAVA Election Assistance Commission. This
Commission will be responsible for approving each of the state plans, overseeing a Technical Guidelines
Development Committee and a Standards Board, and making provisions for testing and certification of
voting systems by accredited labs.
The HAVA Commission was supposed to have been created by February 2003. To date, it has yet to be
appointed by the President. Therefore, it is unlikely that Technical Guidelines will be available by the time
the states are required to submit their plans. The result is that states are contracting to purchase voting
systems that are not HAVA-compliant because the HAVA standards do not yet exist. Thus, some of the
potential benefit of this legislation may not be realized because the Act appears to be stalled in its
implementation.
Congressman Rush Holt of New Jersey has recently introduced a bill in the House of Representatives
called the Voter Confidence and Increased Accessibility Act of 2003, H.R. 2239. [VCIAA2003] This bill
would prohibit the use of undisclosed software source code and wireless communication devices, require
mandatory surprise recounts in 0.5% of jurisdictions, and require that electronic voting systems are
available for persons with disabilities one year earlier than currently required by HAVA. It would also
require all voting machines to produce an actual paper record by 2004 that voters can view to check the
accuracy of their votes and that election officials can use to verify votes in the event of a computer
malfunction, hacking, or other irregularity. Experts often refer to this paper record as a voter-verified
paper trail. [HOLT2003]

Although this bill has been endorsed by security experts and activists alike, and currently has over 40
cosponsors in the House of Representatives, it is unclear at this time whether the bill will make it out of the
Committee on House Administration. Support for the bill is decidedly partisan, with virtually no current
supporters among Republicans. It seems unlikely that the bill will pass unless it is able to gain bipartisan
support.
Electronic Voting Products
There are several companies manufacturing and selling electronic voting equipment. The top three
manufacturers are Election Systems & Software, Diebold, and Sequoia. For more information on these
companies, visit the web pages listed in Table 1.
Election Systems & Software (ES&S)
http://www.election.com/us/
It is difficult to find technical details of these
electronic voting systems. Company web pages
Diebold Election Systems
have plenty of information about features and
http://www.diebold.com/
benefits of their systems, press releases, news
articles, case studies, and pictures of the machines
Sequoia Voting Systems
and the graphical user interfaces. However,
http://www.sequoiavote.com/
technical specifications and information about the
testing process of these proprietary systems is hard
Hart Intercivic
to come by. David Dill states, What kind of testing
http://www.hartintercivic.com/
that goes on in these companies is something we
don't know. They won't tell us a thing about their
VoteHere
code or what they do to test it. [PITT2003]
http://www.votehere.com/products.htm
On their website, ES&S describes their offering as,
Avante
complete election management solutionsvoter
http://www.aitechnology.com/avantetech/about.asp
registration and database management, poll site and
remote electronic voting, advance security solutions,
AccuPoll
accurate tabulation, and custom demographic
http://www.accupoll.com/
reporting for political jurisdictions and private
sector clients.
--------------------------------------------------------------Table 1. Electronic Voting System Manufacturers
ES&S is owned by Michael McCarthy, who is
Senator Chuck Hagels campaign finance director.
Hagel was the CEO of the voting machine company while the company built the machines that would later
count his votes. [BUZZ2003]
Diebold is headed by CEO Wally ODell. ODell is part of an elite group of supporters of George W. Bush
called the Rangers and Pioneers, and has been quoted [SMYT2003] that he is committed to helping
Ohio deliver its electoral votes to the president next year.
Diebold has been in the news quite a bit recently. A recent Wired article [ZETT2003] describes an act of
electronic civil disobedience as students at Swarthmore College refused to remove a collection of
Diebolds internal company memos from their website. The memos, leaked by a hacker who broke into an
insecure Diebold server, indicate Diebold was aware of security flaws in its software but sold the systems
anyway. Diebold tried to force Internet Service Providers to remove the memos by invoking the Digital
Millennium Copyright Act (DMCA), but has not yet been completely successful in removing the memos
from the Internet.
Unencrypted source code, likely used in Diebolds AccuVote-TS machine, was discovered on a publicly
available FTP site in January 2003. Students at Johns Hopkins University uncovered what they call
significant and wide-reaching security vulnerabilities, which they describe in detail in a paper published
in July of 2003. [KSRW2003]

Diebold is not the only electronic voting system manufacturer to find their software code leaked on the
Internet. In October 2003, software used in the Sequoia AVC Edge touch-screen system was exposed on a
publicly available server owned by Jaguar Computer Systems, a company providing election support to a
county in California. Peter Neumann, of the Stanford Research Institute, said the exposed code could allow
a Trojan horse to be implanted in the systems compiler that would not be detectable to a person looking at
the code. [ZETTER2003]
It is interesting to note some price tags for these products. The Akron Beacon Journal [SMIT2003] reports
that the cost of each touch-screen DRE machine (with technical support, a warranty, and training included)
is $2,964 for Diebold machines, $2,896 for ES&S, $2,966 for Sequoia, and $2,997 for Hart InterCivic.
Desirable characteristics of an ideal voting system
To begin a discussion of ideal voting system characteristics, it is interesting to look at a few different
perspectives.
Bruce Schneier, a well-known security expert, describes five attributes of an ideal voting technology:
anonymity, scalability, speed, audit, and accuracy. [SCHN2000]
IEEEs P1583 group, in their Draft Standard for Evaluation of Voting Equipment [IEEE2003], identifies
tests and criteria to ensure equipment confidentiality, security, reliability, accuracy, usability, and
accessibility.
An article in ACM Crossroads Student Magazine by Lorrie Faith Cranor [CRAN1996] discusses the
following characteristics of a good electronic voting system: accuracy, democracy, privacy, verifiability,
convenience, flexibility, and mobility.
Each account includes the characteristic of accuracy, but the authors define accuracy in different ways.
For example, Schneier defines accuracy as direct mapping from intent to counted vote. The IEEE
Standard defines accuracy as the extent to which a given measurement agrees with an accepted standard
for that measurement and includes significant discussion of acceptable error rates in the body of the
document. For Cranor, A system is accurate if (1) it is not possible for a vote to be altered, (2) it is not
possible for a validated vote to be eliminated from the final tally, and (3) it is not possible for an invalid
vote to be counted in the final tally. Combining these definitions produces: An accurate voting system
counts all valid votes with minimal processing error such that the intent of eligible voters is reflected in the
final tally.
Each account also discusses the requirement that voters be able to cast their vote in secret, without a link
between the voter and the cast ballot. This characteristic is referred to as anonymity, confidentiality, or
privacy.
Both characteristics, accuracy and privacy, are essential in an ideal voting system. Yet, it is a non-trivial
matter to achieve both simultaneously. For example, how do we insure that the intent of eligible voters is
reflected in the final tally, without a back-channel to the voter after the vote has been counted? But
wouldnt a back-channel to the voter compromise privacy?
Conclusions
DRE systems are emerging as a new technology at a time when the controversial 2000 election is still fresh
in voters minds. Electronic voting using DRE systems has been a subject of much debate in recent years,
and I expect the debate to continue as we approach the 2004 presidential election.

Although there is potential for misuse in all voting systems used to date, electronic voting systems possess
characteristics that expose them to significant risks above and beyond these other voting systems. While
there is also potential for substantial new benefit to be derived from electronic voting systems, it remains to
be seen whether the benefits outweigh the risks. Meanwhile, companies are manufacturing and selling
DRE systems to counties, and these counties are using the DRE systems in elections. Legislation designed
to mitigate the risks of electronic voting has been proposed, and standards development is in progress.
I wish to give the reader some background and resources for further investigation of electronic voting
systems, and provoke thought on ways to improve these systems. In particular, unlike other currently used
electronic systems for high-value transactions (i.e. electronic banking via Internet applications and ATM
terminals), electronic voting systems must ensure not only accuracy but the privacy of the voter. A
literature search indicates that engineers and scientists have been considering this topic for some time.
Ideas for electronic voting systems that attempt to balance accuracy of results with the privacy of the voter
will be discussed in an upcoming paper.
References:
[BBV2003] Black Box Voting website. http://www.blackboxvoting.org. (Caution, the web site seems to be
somewhat unstable. The reader is encouraged to search for Black Box Voting if the provided web site is
unavailable.)
[BUZZ2003] BuzzFlash interview with Bev Harris, September 30, 2003.
http://www.workingforchange.com/article.cfm?ItemID=15722
[CRAN1996] Cranor, Lorrie Faith. Electronic Voting: Computerized polls may save money, protect
privacy, ACM Crossroads Student Magazine, 1996. http://www.acm.org/crossroads/xrds2-4/voting.html
[FEC1998] History of the Voting System Standards Program, November 1998.
http://www.fec.gov/pages/vsshst.htm
[FEC2003] Federal Election Commission web pages on voting systems available from
http://www.fec.gov/elections.html
[HAVA2002] Help America Vote Act of 2002. Public Law 107-252, October 29, 2002.
http://www.electionline.org/site/docs/pdf/hr3295.pl107252.final.pdf
[HOLT2003] Congressman Rush Holt website describing The Voter Confidence and Increased
Accessibility Act of 2003, http://holt.house.gov/issues2.cfm?id=5996
[IEEE2003] IEEE P1583/D4.3, Draft Standard for the Evaluation of Voting Equipment, July 2003.
[IRV2003] Instant Runoff Voting website, http://www.instantrunoff.com/
[KSRW2003] Kohno, Stubblefield, Rubin, Wallach. Analysis of an Electronic Voting System, July 23,
2003.
[MERC2002] Mercuri, Rebecca. A Better Ballot Box. IEEE Spectrum, October 2002.
http://www.notablesoftware.com/Papers/1002evot.pdf
[MERC2003] Mercuri, Rebecca. Website on Electronic Voting last updated September 1, 2003.
http://www.notablesoftware.com/evote.html
[NASED2003] National Association of State Election Directors General Overview for Getting a Voting
System Qualified. http://www.nased.org/ITA_process.htm

[NORR2000] Norr, Henry. The Risks of Touch-Screen Balloting, SFGate.com, December 4, 2000.
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2000/12/04/BU91811.DTL
[PIER2003] Pierce, Matthew. Website created for the Center for Voting and Democracy.
http://www.fairvote.org/irv/muppets/muppets.htm.
[PITT2003] Pitt, William Rivers. Electronic Voting: What You Need to Know, Interview with Rebecca
Mercuri, Barbara Simons, and David Dill, October 20, 2003. http://truthout.org/docs_03/102003A.shtml
[SCHN2000] Schneier, Bruce. Crypto-Gram Newsletter, December 15, 2000.
http://www.schneier.com/crypto-gram-0012.html#1
[SMIT2003] Smith, Erika D. Field grows for voting machines. Akron Beacon Journal, September 11,
2003. http://www.ohio.com/mld/beaconjournal/6743592.htm
[SMYT2003] Smyth, Julie Carr. Voting Machine Controversy, Plain Dealer Bureau, August 28, 2003.
http://www.cleveland.com/election/index.ssf?/base/news/106207171078040.xml
[THOM1984] Thompson, Ken. Reflections on Trusting Trust, Communication of the ACM, Vol. 27, No.
8, August 1984, pp. 761-763. Copyright 1984, Association for Computing Machinery, Inc. Also appears
in ACM Turing Award Lectures: The First Twenty Years 1965-1985 Copyright 1987 by the ACM press
and Computers Under Attack: Intruders, Worms, and Viruses Copyright 1990 by the ACM press.
Available from http://www.acm.org/classics/sep95/
[VCIAA2003] Voter Confidence and Increased Accessibility Act of 2003. H.R. 2239, May 22, 2003.
http://www.theorator.com/bills108/hr2239.html
[ZETT2003] Zetter, Kim. Students Fight E-Vote Firm, Wired News, October 21, 2003.
http://www.wired.com/news/business/0,1367,60927,00.html
[ZETTER2003] Zetter, Kim. E-Vote Software Leaked Online, Wired News, October 29, 2003.
http://www.wired.com/news/privacy/0,1848,61014,00.html

Copyright 2003 by Lelia Barlow