MAY 2009
COMPUTING PRACTICES
Published by the IEEE Computer Society 0018-9162/09/$25.00 © 2009 IEEE
The authors describe an electronic voting approach that takes a system
view, incorporating a trustworthy process based on open source
software, simplified procedures, and built-in redundant safeguards
that prevent tampering.
After the voting debacle in the Florida presidential election of 2000, many jurisdictions turned to electronic voting machines that were little more than PCs with touch screens. These machines were as problematic as punch-card systems, and they also made recounts impossible, a complication that drove many jurisdictions back to paper ballots.
But a return to marking choices on paper is also a return to the problems that prompted the use of electronic machines in the first place [1]; it is essentially a step backward. Electronic voting has real advantages over paper ballots as long as the focus is on a voting system, not a voting machine. Rather than concentrating solely on more advanced cryptographic algorithms, designers should view the problem from a system perspective, considering all the pieces and striving for defense in depth. At each design step, they should anticipate attacks at a level that borders on paranoia.
With these aims in mind, Vrije Universiteit has devised
an electronic voting system that is both practical and
resistant to tampering. We are currently implementing
the electronic voting machine software and intend to make
the source code freely available this year.
SYSTEM GOALS
Electronic voting offers myriad benefits, from multilingual operation to the prevention of overvoting, but to be trustworthy, a voting system must satisfy three main goals:

• ensure the election's integrity,
• allow results to be audited, and
• be sufficiently understandable that voters and politicians will have confidence in using it.
The election process involves diverse groups, each with
sufficient motive and opportunity to influence results.
The Secretary of State, who runs the election, is a partisan
elected official who (secretly, but fervently) hopes that his
party’s candidate will win. A partisan county registrar can
alter registration data to cause problems on election day;
the voting machine's manufacturer might include software to cast, say, every 30th vote for its favorite candidate. The compromise would be large enough to throw a close election but small enough to put the results within the exit polls' margin of error.
The system must allow audits because, if there is a dispute [2], a recount is mandatory. Asking a machine to reread its own result is pointless because it will merely read out the initial result again; a meaningful recount needs an independent record to check the machine's tally against.
Finally, the voters and the politicians must have confidence in the system. A prerequisite to that confidence is the ability to understand how the system works. Many papers on voting systems describe cryptographic techniques, but cryptography alone does not build confidence in voters. Cryptography is only one method for achieving trustworthiness, and designers should view it as but one aspect of a larger system.
A NINE-STEP PROCESS
Our voting system adds transparent operational procedures and open-source code to standard, well-tested,
Trustworthy Voting: From Machine to System
Nathanael Paul and Andrew S. Tanenbaum
Vrije Universiteit, Amsterdam