the first step—that the ballot was cast as intended. That’s good, but not good enough. It does not matter to voters if the voting system correctly cast their ballots, if they cannot verify that election officials correctly counted them.

In fact, narrowly focusing on paper trails ignores the importance of securing all steps in the voting process. Improving election security will involve improving multiple security controls including software testing, physical security, parallel testing, and pre- and post-election auditing. Moreover, paper audit trails are not the only option to verify that ballots are cast as intended. Many types of audit trails will suffice, including those that use audio and video. For example, a research team at Auburn University has developed the Prime III voting system, which produces a private, independent, voter-verified video audit trail of the on-screen interactions between the voter and the voting system.

Additionally, an entirely new class of voting systems has been designed by cryptographers that offer end-to-end (E2E) verifiability of all three steps of the voting process. These E2E systems give voters a paradoxical combination of proof and privacy—proof their ballot is included in the final vote tally and privacy to prevent vote selling and voter coercion. Examples of E2E voting systems include PunchScan (see www.punchscan. org), VoteHere ( www.votehere.com/vhti. php), and Scratch & Vote. ¹ (In addition, see the news story “Clean Elections” on page 16. —Ed.)

PHO TOGRAPH BY JOE RAEDLE

Unfortunately, many of these considerations have been absent from the debate, which has narrowly focused on whether or not to require paper audit trails rather than the larger question of how to improve voting systems. In order to provide a convincing answer to this question security experts and election officials must develop a quantifiable risk analysis framework for evaluating and comparing risk in voting systems. In addition, they must conduct a cost-benefit analysis of the proposed policies for improving voting systems. These two initiatives will provide the evidence and knowledge base on which to base any decisions on proposed design changes to voting systems. Most debate on voting system improvements is premature given that security experts and elections officials have not yet developed a com-

prehensive risk analysis to compare voting systems. To skip these steps is not only bad science, but bad policy.

The crucial first step to improving voting systems is for the Election Assistance Commission—the federal commission charged with improving elections— to conduct a rigorous and methodical risk assessment of each class of voting system (such as DRE, optical scan, and lever). To date, there has been no comprehensive risk assessment of this type that would allow a meaningful comparison of the relative risks of different voting systems. No voting system is perfect, but as with any system, the key is to find an acceptable level of risk. In addition, a risk assessment would give policymakers a realistic picture of the differences in security between different voting systems. A number of projects have laid the foundation for such a framework, including the NIST’s Developing an Analysis of Threats to Voting Systems³ and the Brennan Center report The Machinery of Democracy: Voting System Security, Accessibility, Usability, and Cost. ²

The second step for improving voting systems is to conduct a cost-benefit analysis of proposed voting system improvements. A cost-benefit analysis would reveal the hidden impact of these

mandating paper
audit trails could
preclude any chance
of implementing
these systems in
the near future.
Rather than turn
back the clock on
voting technology,
we should
develop policies
that encourage
innovation in our
voting systems.

proposals on security, usability, accessibility, and cost. For example, paper audit trails reduce some risks from software threats but introduce new risks from the chain-of-custody of the paper trails. In addition, paper audit trails decrease accessibility, as blind voters are unable to independently verify the paper audit trail. Paper audit trails are also expensive—in addition to the cost of printers, counties must pay to securely collect, transfer, track, store, and count the paper trails.

While voting system security receives a lot of attention, it is only one of many requirements that voting systems must satisfy. For example, a completely secure voting system is worthless if it is so complex that nobody can use it. Similarly, voters will reject an extremely user-friendly voting system if it is not secure. In voting systems, as with any other type of system, competing values should be balanced against each other. Only with both a risk assessment and a cost-benefit analysis in hand can policymakers implement those design changes that offer the best overall improvements in security, usability, accessibility, and cost.

Finally, security experts and election