An Overview of Electronic Voting and Security Matt Bishop Department of Computer Science University of California, Davis One Shields Ave. Davis, CA 95616-8562 bishop@ucdavis.edu Introduction There are two types of “electronic voting” or “e-voting.” The first type is voting over the Internet, using (for example) home computers. The second type is using electronic voting systems in “standalone” mode, unconnected to any network. This note focuses on the second type. Throughout this note, the term “e-voting” means the second type of electronic voting unless explicitly stated otherwise. This paper has two themes. The first is to consider what qualities e-voting systems must provide in order to be used effectively. The second is to present information about the state of the art of voting equipment based on information that is publicly available. The author of this note has been accused of being a computer scientist, never an election official. Thus, this paper provides a discussion of various requirements to illustrate how one would determine desirable qualities. Election officials will have their own perspective, honed by experience, of the importance of these requirements, and can weigh them appropriately. Some seem universal; others may apply only under specific circumstances. The astute reader will note the order of these themes: requirements and qualities first, then analysis. This is deliberate. Development of all systems proceeds in that fashion. First, one states the requirements to be met; then, one designs and implements the system, showing that the requirements are met at each stem. The third section of this note elaborates on this matter to a greater extent. This paper is organized as follows. First, we discuss the goal of e-voting systems to derive requirements. We focus specifically on those requirements relevant to e-voting machines used in the context of current elections, and not on the use of e-voting machines to provide support for all of the voting process. The third section discusses how those suggest properties of e-voting sys- tems. The fourth uses available public materials to examine current voting machines in the light of the questions developed in section 3. The last section summarizes the qualities that e-voting sys- tems must preserve to maintain both the integrity of elections and the appearance of integrity of elections. A word about terminology is appropriate. In an election, there may be many candidates and propositions for a voter to vote on. For example, in the October 7, 2003, California guberna- torial election, there was one recall, 135 candidates for governor, and two propositions. Each voter could cast up to 4 votes (one for or against the recall, one vote for governor, and one “yes” or “no” vote for each of the propositions). In this paper, a “race” is the smallest unit upon which a voter will vote, and a “ballot” is the collection of races to be decided during the election. To con- tinue our example, the California election consisted of four races. Each voter may, or may not,