Remotegrity

Remotegrity is a proposed remote voting system from the makers of Scantegrity.The system is constructed a lot like that of Scratch, Click, and Vote. Unlike what was mentioned in the Scratch, Click, and Vote paper however, under Remotegrity voters can either cast their ballots via mail or internet. This could help mitigate issues regarding infrastructure and DDoS attacks.

Infrastructure attack protection
Voters can return their ballots through internet or mail. The likelihood of both infrastructures being shut down is quite slim.

Outsider hacking protection
The FAQ explains that "A hacker who breaks into either... server cannot tell how voters voted (because there are only confirmation numbers on the servers).If the hacker tries to change the numbers on the website before they are locked-in, the voter will notice this... If the hacker tries to change these after they are locked-in,... this will be noticed by those watching the Bulletin Board. It will also be noticed during the consistency check performed when new data is posted "

Malware and virus protection
Users have a fair amount of protection against viruses. This is because the computer itself doesn't know which candidate the voter is voting for - that information is on the coding card. However, it would be possible for a virus to just scramble the content of the voter's vote, making it random which candidate the voter's computer chooses. Voters can verify their vote was included in the final tally, yet it may be unclear when the amount of people who claim they had a virus on their computer is high enough to warrant a recount via other means.

Man in the middle attack protection
This would be somewhat difficult because an observer wouldn't know the content of a voter's choice. They could try to intercept and then not send the message but that would be noticeable by the server. In the worst case the voter has a receipt and can re-vote online or at a polling place. Ultimately, there's nothing useful that the man in the middle can do.

Insider attack protection
Because the content of the bulletin board is public information, voters can track it constantly. In the worst case (if everything goes offline) "The system keeps a paper record of all confirmation numbers and lock-ins as they are cast, and/or corresponding paper ballots, except for those entered in the last cycle. The system can recover from these, which are equivalent to paper ballots. An honest offline server and secure chain of custody of the paper print-outs is equivalent to a secure chain of custody of ballots."

Coercion resistance
There are protections against coercion: voters can vote multiple times and can cancel previous votes by obtaining another coding card or by voting in person. Both of these may be a hassle, however.

Ensuring one person, one vote
So long as the cards are passed out correctly, then voters should only be allowed to vote once. How to implement this process is an open question - voters need a username+password to log into an election website (account registration might be tricky to implement)

Counting and tallying accuracy
This would be very accurate - audits are in place and voters could verify their votes. Plus, it doesn't suffer from the inherent problems of recording marks on paper.

Voter anonymity
"Your vote is never revealed to a computer on the internet. The confirmation numbers are generated to print ballots but thereafter all information is wiped off the computer generating the numbers. The numbers are re-generated in order to compute the tally, and again wiped off.Further, your ballot arrives in a sealed envelope so that the election official sending you the package does not see the numbers on your ballot.Similarly, the election official cannot see the authentication codes that are also under scratch-off."

Voter verifiability
Anyone can check the bulletin board to see if their vote was cast correctly. However, this requires at least one computer free of a virus (since a virus could manipulate how a voter sees the bulletin board), or some other protocol (such as SMS or snail mail.) Further, "Independent observers... can use their own software or software written by Remotegrity to verify that the tally is correctly computed from the confirmation numbers."

Immediate results protection
Immediate results are on the election authority server, and the codes that could decrypt these votes have to be trusted not to be published before the election is complete. There are real-world security solutions to this problem (hiring police, installing surveillance cameras, etc.) but those aren't discussed as they don't have to do with the protocol through which Remotegrity operates.

Ease of performing a recount
There is a paper record (printers provide a paper copy of all data received), but it may not (a) have all the data needed to completely tally the election and (b) may not fix the causes a recount seeks to solve.

Usability
Remotegrity over the internet should be fairly simple to use - the voter just has to type a few numbers that are on the cards passed out. However, this isn't a point that's very well addressed.

Infrastructure attack protection
Voters can return their ballots through internet or mail. The likelihood of both infrastructures being shut down is quite slim.

Outsider hacking protection
An adversary with enough resources could in theory send out fake mail carriers to collect mail. Also, the post office needs to be trusted - In November 2010, a poll worker stole 75 completed ballots from a polling location in San Francisco and threw them in a river. Still, since Remotegrity is end to end verifiable, such an attack would be noticeable.

Malware and virus protection
The optical scan machines counting the ballots sent in via mail would still vulnerable to malware, if someone could break into the physical machines themselves. However, Remotegrity counters this both because there is an auditable paper vote record (even if these votes are intercepted and replaced while in the postal system, they can still be used to audit optical scan machines) and because there is end to end voter verification. Though either system isn't perfect by itself, this two pronged solution is probably the best around in the status quo.

Man in the middle attack protection
Like with other VBM systems, An adversary could create a lot of mischief if they have sufficient resources. Fake mail carriers could be sent out to collect ballots, fake ballots could be distributed, and ballots held for counting could be physically destroyed (to name a few options.) Allowing voters to audit their ballots serves as a partial solution. If votes are counted quickly enough, then voters could go to the polling station and change their vote if their vote was counted incorrectly.

Insider attack protection
Ideally election officials from both parties are there to verify that votes are not intentionally miscounted. Yet there could be fraud at other levels of the voting process.

Coercion resistance
There are protections against coercion: voters can vote multiple times and can cancel previous votes by obtaining another coding card or by voting in person. Both of these may be a hassle, however.

Ensuring one person, one vote
One issue with VBM is that anyone who can obtain a ballot and a sample signature can vote. People could complete multiple applications under different names and use this to obtain ballots. People can vote on behalf of their friends and families, which allows some voters to vote multiple times - see This is a problem inherent in all VBM systems.

Counting and tallying accuracy
Vote by mail may throw out some votes due to procedural errors. For instance, in the presidential election in 2008, 4.2% of all VBM ballots that made it through the post office were rejected in Minnesota due to procedural errors by voters. And, in Minnesota, 13% or more rejected absentee ballots were done so in error. Yet the optical scan technology is pretty accurate - during the Minnesota Senate race in 2009 gross accuracy was 99.91%

Voter anonymity
If you return your ballot by the mail, "election officials follow a time-honored procedure for separating the ballot from any information that identifies you before the ballots are counted." Perhaps there could be codes that don't associate the voter with the information on ballots. Also, as with VBM, it seems like the worst case scenario (assuming that the majority of election officials aren't corrupt) is having a poll worker learn about the contents of someone's vote. This doesn't seem like a terrible situation, because the voter and the election official likely do not know each other and the contents of one person's vote aren't very useful for an individual election official to have.

Voter verifiability
Anyone can check the bulletin board to see if their vote was cast correctly. However, this requires at least one computer free of a virus (since a virus could manipulate how a voter sees the bulletin board), or some other protocol (such as SMS or snail mail.) Further, "Independent observers... can use their own software or software written by Remotegrity to verify that the tally is correctly computed from the confirmation numbers."

Immediate results protection
Immediate results are on the election authority server, and the codes that could decrypt these votes have to be trusted not to be published before the election is complete. There are real-world security solutions to this problem (hiring police, installing surveillance cameras, etc.) but those aren't discussed as they don't have to do with the protocol through which Remotegrity operates.

Ease of performing a recount
There is a paper record, but it may not (a) have all the data needed to completely tally the election and (b) may not fix the causes a recount seeks to solve. This is especially problematic when voting by mail - the problem of votes getting lost in transit isn't solved by counting the other votes again.

Usability
This could be an improvement over VBM in the status quo - signature recognition is rather imprecise so handling voter verification at another level would seem to solve that problem. But voters still might not follow the directions which is always a problem with a VBM system. Also, the deadlines problem of voters overseas not having enough time to cast their ballots isn't solved here - it's made even worse by the fact that voters need time to be able to verify their ballots. What if a military voter only realizes that his/her vote doesn't count when it's too late? What seems to solve this issue is the fact that voters can vote via mail or internet.