Are Votes Cast on Electronic Voting Machines Stored in a Manner That Preserves Voter Anonymity?
Alfie Charles, former Vice President of Sequoia Voting Systems, described the security features of their electronic voting machine AVC Edge in his May 5, 2004 testimony before the U.S. Election Assistance Commission:
"Since the AVC Edge retains a ballot image record for each voter, it is important that these ballot images not be saved in the order in which they were cast as that would provide the ability to learn how an individual cast their vote. When the AVC Edge allocates storage space for ballot images and write-in data, it takes the following steps to assure storage of this data is sufficiently random to avoid identification of voter data with individual voters:
1. Storage space is allocated in large blocks rather than on a per-voter basis. When an allocation is required, a random number of storage blocks between 50 and 100 are allocated.
2. Access to the storage blocks is via an indirect table of block numbers. This table is shuffled randomly when the blocks are allocated, so that the sequence of storing ballot images with the storage blocks is random.
The randomizing function in the AVC Edge uses a mathematical pseudo-random number generator that is further randomized by the value of the AVC Edge's internal real time clock at a the time of the random number request. The pseudo-random number generator has been reviewed by independent computer experts and been deemed sufficiently random that it would not reasonably be reversible based on the amount of data that would serve as the bases for the reversal."
Compuware Corporation's Columbus, Ohio office prepared the "Direct Recording Electronic (DRE) Technical Security Assessment Report," Nov. 21, 2003, at the request of the State of Ohio. This report assessed features of four different electronic voting systems, including the Diebold AccuVote TS:
"In the Diebold AccuVote TS, the votes are stored in a random order into separate vote buckets. The vote records are hashed in a random order to prevent determination of the vote order."
Diebold Election Systems website included a "Frequently Asked Questions" section (accessed June 2, 2006), which explained:
"When a voter casts their ballot using the Diebold touch screen system, the ballot selections are immediately encrypted and stored in multiple locations within the voting station. When stored, the order of cast ballots is scrambled to further insure ballot anonymity. The image of each and every ballot cast on the voting stations is captured, and can be anonymously reproduced on standard paper."
Sequoia Voting Systems' website (accessed June 2, 2006) included a description of their electronic voting machine AVC Edge, which stated:
"Built-in side panels shield the ballot from other voters, assuring total voter privacy. Internally, the Edge electronically randomizes voter records so that it is impossible to trace a specific voter's selections."
Aviel Rubin, PhD, Technical Director at Johns Hopkins University Information Security Institute, and Dan Wallach, PhD, Associate Professor of Computer Science at Rice University explained in their 2003 technical report "Analysis of an Electronic Voting System," Johns Hopkins University Information Security Institute Technical Paper TR-2003-19, July 23, 2003:
"Each vote is written sequentially to the file recording the votes. This fact provides an easy mechanism for an attacker, such as a poll worker with access to the voting records, to link voters with their votes. A poll worker could surreptitiously track the order in which voters use the voting terminals. Later, in collaboration with other attackers who might intercept the 'encrypted' voting records, the exact voting record of each voter could be reconstructed...
Randomizing the order of votes after they are uploaded to the tabulating authority does not prevent the possibility of linking voters to their votes. Nevertheless, it appears that the designers wanted to use a cryptographically secure pseudorandom number generator to generate serial numbers for some post-processing purposes. Unfortunately, the pseudorandom number generator they chose to use is not cyrptographically secure."
Arthur Keller, PhD, Co-founder and Secretary of Open Voting Consortium, and David Mertz, PhD, Vice President and Chief Technical Officer, Open Voting Consortium, stated in their 2006 chapter "Privacy Issues in an Electronic Voting Machine" in Privacy and Technologies of Identity: A Cross-Disciplinary Conversation:
"It is not sufficient for electronic voting systems to merely anonymize the voting process from the perspective of the voting machine. Every time a ballot is cast, the voting system adds an entry to one or more software or firmware logs that consists of a timestamp and indication that a ballot was cast. If the timestamp log is combined with the contents of the ballot, this information becomes much more sensitive. For example, it can be combined with information about the order of votes cast collected at the polling place with overt or covert surveillance equipment - from cell phone cameras to security cameras common at public schools - to compromise the confidentiality of the ballot."
Ellen Theisen, CEO of the Vote-PAD Company, stated in her 2005 report "Myth Breakers: Facts About Electronic Elections":
"Voters in many states have complained that DRE voting systems do not provide adequate ballot secrecy. There are no voting booth curtains, DRE voting displays are nearly vertical, and in many cases, voters voting on adjacent DREs or other voters waiting in line could view their selections.
In other cases, when voters encounter a problem in mid-ballot and called for the assistance of a poll worker, they often have to give up the secrecy of their ballot in order to page back and forth through their electronic ballot to demonstrate the problem to the poll worker."