Voting Systems


Norway
This system is to be used in the 2011 local elections, and was developed in part by Scytl.

Infrastructure attack protection
All internet voting systems are vulnerable to denial-of-service attacks. There are defenses against these kinds of attacks, but they can't stand up to an adversary with sufficient computing power. In the event of such a situation voters would have to vote in person (or by mail).

Outsider hacking protection
There is a fair amount of protection against outside hacking attempts. If the ballot box was corrupted, the auditor would notice something going awry unless it was corrupt as well. It would be very hard for both of these systems to fall prey to outside hacking attempts assuming that they are programmed well. Given Norway's transparency about the matter (the code is open source so anyone can try to find vulnerabilities) this constraint is likely met.

Malware and virus protection
There is moderate protection against viruses. While viruses can change the vote of a user, the receipt generator offers voters another channel to ensure that the vote has been recorded correctly. If it looks like they have a virus, voters can vote on another machine or vote in person.

Man in the middle attack protection
The system should be difficult for a man in the middle to tamper with, so long as there is a certificate authority for the voter to trust. Votes are encrypted, and the computer waits for a signed response from the receipt generator, so it looks suspicious if there's a major delay (or if the message doesn't arrive). If the wrong message comes from the receipt generator, then the voter knows that something is wrong. But could this message itself be spoofed? (Jefferson et al. mention that "attackers could engage in election fraud by spoofing the voting server and observing how the voter votes," and could then redirect the voter if the vote is to their liking, at least in the SERVE protocol.) The receipt generator serves as a defense against this: it sends the user a message over another channel verifying his or her vote. This message would be difficult to spoof because it uses a set of codes to communicate with the voter.
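A simplified model of the receipt-code check described in the malware and man-in-the-middle sections above, added here as an example; it is not code from the Norwegian system or from Gjosteen's paper. The HMAC ballot tag (a stand-in for the encrypted ballot), the four-digit codes and every name in it are assumptions.

```python
import hashlib
import hmac
import secrets

OPTIONS = ["Party A", "Party B", "Party C"]  # constructed sample ballot


def ballot_tag(voter_key: bytes, option: str) -> str:
    """Opaque per-voter tag for an option; stands in for the encrypted ballot."""
    return hmac.new(voter_key, option.encode(), hashlib.sha256).hexdigest()


def setup_voter(voter_key: bytes):
    """Election setup (assumed): a code card for the voter, delivered out of band,
    and a tag -> code table for the receipt generator, which never sees option names."""
    rng = secrets.SystemRandom()
    codes = rng.sample(range(10000), len(OPTIONS))  # distinct codes per option
    card = {opt: f"{code:04d}" for opt, code in zip(OPTIONS, codes)}
    table = {ballot_tag(voter_key, opt): card[opt] for opt in OPTIONS}
    return card, table


def clean_client(option: str) -> str:
    """A voting computer that submits what the voter chose."""
    return option


def vote_flipping_client(option: str) -> str:
    """Models malware on the voter's computer that submits a different option."""
    return "Party B" if option != "Party B" else "Party C"


def cast(voter_key, intended, table, client=clean_client):
    """Submit through `client`; return the code the receipt generator sends over
    the second channel (e.g. SMS), or None if no valid ballot was recorded."""
    submitted = client(intended)
    return table.get(ballot_tag(voter_key, submitted))


def voter_accepts(card, intended, receipt) -> bool:
    """The voter compares the received code with the card entry for their choice."""
    return receipt is not None and hmac.compare_digest(card[intended], receipt)


def first_trustworthy_machine(voter_key, intended, card, table, machines):
    """Re-vote on each machine in turn until the receipt matches.
    Returns the index of the machine that worked, or -1 (vote in person)."""
    for index, client in enumerate(machines):
        receipt = cast(voter_key, intended, table, client)
        if voter_accepts(card, intended, receipt):
            return index
    return -1


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    card, table = setup_voter(key)
    for name, client in [("clean", clean_client), ("infected", vote_flipping_client)]:
        receipt = cast(key, "Party A", table, client)
        print(name, "machine: receipt", receipt, "accepted:",
              voter_accepts(card, "Party A", receipt))
```

The check only helps a voter who actually compares the code, and only if the malware cannot also read or rewrite the second channel.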

Insider attack protection
Protection against insider attacks is an issue in any voting system, especially one that involves voting online. However, there are defenses against this. First, the Norwegian government has decided on "nearly complete transparency" (Gjosteen) - making the voting system open source, etc. Further, there are multiple modules that would need to be compromised in order to pull off a successful insider hacking attempt: both the decryption service and the auditor would have to be corrupt. Yet the threat still exists.

Coercion resistance
There is a moderate level of protection against coercion. Depending on how the receipt is set up, it may not serve as an exact receipt to the election (i.e. it may depend on a card the voter has that can easily be falsified). Further, voters can still vote more than once (canceling previous votes) or in person.

Ensuring one person, one vote
Assuming the security of the system holds, voters should be only allowed to vote once. Gjosteen writes that "With signed ballots, it is also easy for the ballot box and the auditor to ensure that at most one ballot is counted per voter."

Counting and tallying accuracy
The vote has a very high chance of being accurately counted and recorded thanks to the auditor. Also the voter is messaged a receipt by the receipt generator.

Voter anonymity
Gjosteen writes that "confidentiality is preserved, even if the auditor is corrupt." This is because ciphertexts seen by the auditor contain no information about the ballots. Also, even if the decryption service is compromised, the ballots still remain confidential. Further, the "corrupt receipt generator learns nothing about the submitted ballots, except what the receipt codes tell him." Therefore, multiple parts of the election infrastructure need to be corrupt in order to breach anonymity.

Voter verifiability
A receipt generator is in place to send a message to the voter verifying their vote. This could be transmitted through snail mail, SMS, or online. This verification indicates a high probability that someone's vote will be counted.

Immediate results protection
In order to decrypt the votes a set of key shares given to notable government figures would need to be assembled. Only then would the election officials be able to obtain election results.

Ease of performing a recount
With backups of the ballot box it should be possible to perform a recount. However this may not be very useful because it assumes the ballot box isn't corrupted. The auditor checks for that, but it's not 100% perfect.

Usability
A significant number of people voted in the local elections in part because of how easy the Norwegian internet voting system is to use.

Transparency
The Norwegian government decided on "nearly complete transparency" for their elections (Gjosteen). For more information, take a look at slide 7 of this PowerPoint by election officials: http://www.coe.int/t/dgap/democracy/Source/EVoting/Evoting2010/Norway%20CoE16112011.ppt

Infrastructure attack protection
All internet voting systems are vulnerable to denial-of-service attacks. There are defenses against these kinds of attacks, but they can't stand up to an adversary with sufficient computing power. In the event of such a situation voters would have to vote in person (or by mail). In the case of Estonia (in 2007), Guido Schryen remarks "there did not appear to be a formal plan to monitor network traffic and deal with the risk of DoS attacks against the Internet Server." In theory, however, a plan could be implemented without changing the other components of the system.

Outsider hacking protection
I can't find much info on this. Based on a lack of an auditor and verifiability it would be hard to know if an adversary has broken into the system. There are adequate protections (i.e. storing encrypted ballots) but this may not be enough. Could the ballots be deleted and replaced with fake ballots (like in the DC voting trials)?

Malware and virus protection
There is almost no protection against malware and viruses. Guido Schryen writes that "malware, which makes the card reader sign other data than displayed on the screen, [was] not seriously addressed or even not considered." http://www.icsi.berkeley.edu/pubs/networking/practicalsecurity08.pdf Voters can vote in the elections, but given that there is no way for them to know whether their vote has counted, they likely won't know even if there is malware on their machine.

Man in the middle attack protection
In theory, votes are encrypted and thus should be difficult for a man in the middle to tamper with. While SSL isn't perfect, it effectively negates eavesdropping by use of Diffie-Hellman key exchange (which is secured from MITM attacks by the usage of certificate identities - the user just needs to trust the certificate authority). For more info on this, see Dierks and Rescorla 2008: http://www.ietf.org/rfc/rfc5246.txt This, however, may not solve the issue that Jefferson et al. mention, namely that "attackers could engage in election fraud by spoofing the voting server and observing how the voter votes," and could then redirect the voter if the vote is to their liking. Would this issue cross over? It's likely that there's a possibility of this happening.

Insider attack protection
Protection against insider attacks is an issue in any voting system, especially one that involves voting online. Yet this problem is worsened by Estonia's lack of transparency. Guido Schryen writes that "The Internet Server and the Vote Storage Server were located in a locked room which was guarded by a policeman and continuously filmed," but is this an adequate solution, especially if the public can't see the film? The results of the audit of Estonia's voting system are not public (see the section on transparency).

Coercion resistance
Voters won't want to trade their Estonian ID cards away because they can be used to create legally binding digital signatures. Coercion is mitigated by the fact that voters can re-vote in person or online. This system is likely the best internet voting system around in terms of protection against coercion/vote selling (at a cost of anonymity and verifiability)

Ensuring one person, one vote
The infrastructure around the ID card seems to fulfill the constraint of only letting people vote once, because there is only one Estonian ID card per person.

Counting and tallying accuracy
Votes may not be counted correctly. There's no auditor to help verify that votes received are counted correctly. There are security precautions to check "the installed voting software... to ensure that it was identical to the software reviewed," but the lack of transparency is problematic here. So long as the rest of the system holds up votes will be tallied pretty accurately (but there's no guarantee of that).

Voter anonymity
Guido Schryen: "the separation of voter's decision and identity is realized at organizational level, not providing the voters any option to monitor this separation." http://www.icsi.berkeley.edu/pubs/networking/practicalsecurity08.pdf In theory, it's anonymous - but we really have no idea if this is the case due to a lack of transparency. This is especially problematic in Estonia because digital id cards can generate legally binding digital signatures under Estonian law. Since voters sign in using these cards that infrastructure makes it easier for individual votes to be traced back to individual users.

Voter verifiability
The Estonian system is not voter verifiable. Guido Schryen writes that "the voters got no proof of the separation of their decision and their identity. As no voter verified paper audit trail was implemented, voters did not know whether their vote had been correctly counted." Even if there are other means to verifiability besides the VVPAT, it's clear the Estonian system has not implemented them.

Immediate results protection
In order to decrypt the votes using the Hardware Security Module at least half of the NEC members must be present to count and decrypt the votes. Thus, no results should be obtainable before the voting period ends, assuming the rest of the system holds up. If the rest of the system doesn't, however, releasing vote counts will be the least of the election officials' problems.

Ease of performing a recount
Performing a recount is not possible because there is no auditing trail. Sure, the votes can be counted again (they are transferred around on CD-ROMs from the Vote Storage server to the Counting Server) but this doesn't solve for the insecurity issues present throughout the system.

Usability
The voting system is only available in the Estonian language which is problematic for Russian voters. Voters use an ID card which is legally accepted to digitally sign documents. The voter must have a smart card reader (but maybe this is more common in Estonia) and installation software. Windows users vote using a web browser, on OSX and Linux the interface is a standalone program. It's convenient if your situation satisfies this criteria and inconvenient if it doesn't.

Transparency
It was audited, but by an external auditing company, and "the final result is not public, and the external auditing company was not requested to conduct any post-election audits."

Infrastructure attack protection
All internet voting systems are vulnerable to denial-of-service attacks. There are defenses against these kinds of attacks, but they can't stand up to an adversary with sufficient computing power. In the event of such a situation voters would have to vote in person (or by mail). But SERVE makes this problem worse: most other internet voting systems close a few days before the election (Norway's closes before Election Day: see Christian Bull/Hendrik Nore: http://www.coe.int/t/dgap/democracy/Source/EVoting/Evoting2010/Norway%20CoE16112011.ppt ) but SERVE stays open during Election Day. As Jefferson et al. conclude in the SERVE security analysis, "This introduces the threat of last-day denial-of-service attacks in which the attacker mounts a denial-of-service attack starting on the morning of Election Day and lasting until polls close." Therefore, voters may not have time to choose another option to vote if this occurs. Exacerbating the problem is the fact that many of them are overseas voters - if they were to switch to VBM at the last minute their ballots may not be counted.

Outsider hacking protection
As Jefferson et al. write in the SERVE security analysis, "Since the servers are a central single point of failure, it is absolutely vital that they resist attack. The risk of intrusion into SERVE's centralized computers is, unfortunately, significant. SERVE has deployed a careful and well-designed firewalling architecture designed to prevent many kinds of direct attacks; however, there remain possible vulnerabilities in the software exposed to the outside world that could enable attackers anywhere on the Internet to penetrate SERVE's defenses and gain control of the servers.... Designers of safety-critical systems typically avoid the use of commercial software, because it is widely accepted that standard commercial programming practices pose an unacceptable risk for such applications. Designers of safety-critical software employ known techniques for building highly reliable software. These elaborate and costly techniques have not been used in the development of SERVE." What's problematic here is that there is a central point of failure, and once the servers are offline the whole system is taken down. There's no auditor to tell if the results have been skewed, changed, or partially deleted. Even if the SERVE security analysis overstates the risk, it's still a major one.

Malware and virus protection
SERVE does not seem to have any protection against attacks from viruses. Users can't verify their vote using another channel (like in the Norwegian system with the receipt generator, or like in bulletin board systems), and can't re-vote.

Man in the middle attack protection
In theory, votes are encrypted and thus should be difficult for a man in the middle to tamper with. While SSL isn't perfect, it effectively negates eavesdropping by use of Diffie-Hellman key exchange (which is secured from MITM attacks by the usage of certificate identities - the user just needs to trust the certificate authority). For more info on this, see Dierks and Rescorla 2008: http://www.ietf.org/rfc/rfc5246.txt This, however, may not solve the issue that Jefferson et al. mention, namely that "attackers could engage in election fraud by spoofing the voting server and observing how the voter votes," and could then redirect the voter if the vote is to their liking.

Insider attack protection
There is not adequate protection against insider hacking attempts. Triinu Magi's game theory analysis noted that not only is it possible for insiders to control the Votes Storing Server, they could be incentivized to do so. Jefferson et al. note in the SERVE security analysis that "insider attacks are the most common, dangerous, and difficult to detect of all security violations" and that there are no countermeasures within the SERVE architecture. Though this is a problem for any voting system, it's especially problematic for SERVE because there is a centralized point of attack that can get compromised: the votes storing server. Because votes aren't stored encrypted they could be easily changed.

Coercion resistance
There is little protection against vote selling and coercion. Not only is this possible (through selling credentials or through selling modified ActiveX software) but it's also rational for attackers to buy people's votes (see Triinu Magi's paper: http://www.ligadelconsorcista.org/files/practical_e_voting_final.pdf )

Ensuring one person, one vote
The system should not allow multiple votes, assuming that keys are passed out successfully. (However, people can still break into the system and change votes via other means.)

Counting and tallying accuracy
Assuming everything runs perfectly, it should accurately count and record votes. But this is a big assumption. Votes in the vote storing system are not encrypted, and there's little to no voter verifiability. There's no auditor to help ensure that votes received are counted correctly as well.

Voter anonymity
Local election officials can deduce who voted for which candidate, votes exist unencrypted on the vote storing system, and there are giant databases with encrypted ballots + names (which poses a risk because they can be downloaded and then later cracked). Also, man in the middle attacks could be easily performed when the goal is to compromise privacy - "any man in the middle could act as an SSL gateway, forwarding data between the voter and the vote server unaltered." See the SERVE security analysis by Jefferson et al.

Voter verifiability
There is verifiability, but it only comes into play after the voting period ends. As Jefferson et al. note, it "is not clear what the procedure would be if after the election, a large percentage of absentee voters said that they had voted but did not see their names."

Immediate results protection
Because votes are stored unencrypted, results could be obtained before the voting period ends so long as the adversary in question has access to the votes storing server.

Ease of performing a recount
Performing a recount is not possible because there is no auditing trail. Votes can be counted again, but this doesn't solve for the insecurity issues present throughout the system.

Usability
It's unknown how usable SERVE was because it was never implemented, and there don't seem to be any articles that mention its ease of use.

Transparency
The Department of Defense allowed an independent set of security researchers (Jefferson et al.) to publish the SERVE security report, which is good in terms of transparency. The source code isn't open, however (it's based on commercial software). Overall, it's a great step forward in terms of transparency but it doesn't match what Norway is currently doing (for example).

Infrastructure attack protection
All internet voting systems are vulnerable to denial-of-service attacks. There are defenses against these kinds of attacks, but they can't stand up to an adversary with sufficient computing power. In the event of such a situation voters would have to vote in person (or by mail).

Outsider hacking protection
All internet voting systems are, at least potentially, vulnerable to outside attack on the servers running the software. Yet there is a high degree of protection against such attempts because of the public bulletin board. Auditors and individuals will notice if information gets deleted from the board for no apparent reason, or if anything is edited. The server doing the tallying must remain secure, but the tallying can be re-done if the bulletin board stays online.

Malware and virus protection
This is a problem. If the voters' computers run viruses, they might display corrupt information at verification and mislead voters. Still, users can verify their votes online by checking the public bulletin board. It's also possible that there could be a utility to allow them to verify their vote using another channel (like SMS), or they could just use another machine. If they have any doubt about the integrity of their vote, they can re-vote in person or online.

Man in the middle attack protection
This is mitigated by the fact that the man in the middle doesn't know the content of the vote that is being transmitted. The voter could check to ensure that his or her vote went through the system as well before the election ends.

Insider attack protection
This hasn't been addressed because this system is theoretical. This is a big issue, however. It can be partially addressed by 1) open source software and 2) security of the systems themselves - at least there are fewer machines to deal with compared with DREs.

Coercion resistance
This is a problem. Because voters can verify their votes, they can prove to vote buyers how they voted. This is partially solved because they can change their vote at a polling station, or online (though this may not help when an adversary demands the voter's username and password.)

Ensuring one person, one vote
As Dubuis et al. write, "To prove eligibility, voters must use the [given] credential to digitally sign the encrypted vote." Thus, only registered voters can vote. The bulletin board ensures that only the last vote counts.
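The bulletin-board checks described in the outsider hacking and one person, one vote sections above, as an added example that is not taken from Dubuis et al. or any implementation: an auditor detects deleted or edited entries between two visits, then keeps only the last ballot per eligible credential. The entry layout and all names are assumptions, and signature verification is left out.

```python
import hashlib
from typing import NamedTuple


class Entry(NamedTuple):
    credential: str  # voter's public credential (placeholder string here)
    ciphertext: str  # encrypted vote, opaque to the auditor


def entry_digest(entry: Entry) -> str:
    """Fixed-size fingerprint of one posted entry."""
    data = f"{entry.credential}\x00{entry.ciphertext}".encode()
    return hashlib.sha256(data).hexdigest()


def snapshot(board):
    """What an auditor stores after each visit: one digest per entry, in order."""
    return [entry_digest(entry) for entry in board]


def first_divergence(previous_digests, board):
    """An append-only board must still start with everything seen earlier.
    Returns the index of the first entry that was edited, removed or shifted,
    or None if the board has only grown."""
    current = snapshot(board)
    for index, old in enumerate(previous_digests):
        if index >= len(current) or current[index] != old:
            return index
    return None


def ballots_to_count(board, eligible):
    """Keep the last ballot posted under each eligible credential.
    Returns (credential -> ciphertext, entries rejected as ineligible)."""
    counted, rejected = {}, []
    for entry in board:
        if entry.credential in eligible:
            counted[entry.credential] = entry.ciphertext  # later vote replaces earlier
        else:
            rejected.append(entry)
    return counted, rejected


if __name__ == "__main__":
    # Constructed sample data: credentials and ciphertexts are placeholders.
    visit_1 = [Entry("cred-alice", "ct-01"), Entry("cred-bob", "ct-02")]
    seen = snapshot(visit_1)
    visit_2 = visit_1 + [Entry("cred-alice", "ct-03"), Entry("cred-unknown", "ct-04")]
    tampered = [visit_2[0]] + visit_2[2:]  # bob's ballot silently removed

    print("honest board diverges at:", first_divergence(seen, visit_2))
    print("tampered board diverges at:", first_divergence(seen, tampered))
    print("ballots to count:", ballots_to_count(visit_2, {"cred-alice", "cred-bob"}))
```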

Counting and tallying accuracy
The system should accurately count and record votes. Dubuis et al. write that "the integrity can... be ensured by letting voters digitally sign their votes cast." Verifiability helps ensure this - anyone can ensure that their vote has been included in the final tally. Auditors monitoring the system can identify suspicious activity (e.g. if ballots are being deleted).

Voter anonymity
When the election is tallied, "no link between the input and output of the mix-net can be established, which ... guarantees the anonymity of the vote." This depends on regulatory authorities being honest, but there are significantly fewer things to regulate when compared to other means of voting. Yet there's a caveat that may or may not be significant: given enough time it's likely that you'll know how people (say, 100 years ago) voted, because all the data on the bulletin board is public information. Whether that's important or not is something that must be resolved before implementing this approach.

Voter verifiability
"Verifiability is... achieved by publishing all votes cast (together with... cryptographic proofs) on a public bulletin board." This could be checked automatically. Voters can't delete/change anything and can verify that their vote was counted.

Immediate results protection
So long as there are multiple "key shares split among several independent tally authorities" then no election results should be obtainable before the voting period ends.

Ease of performing a recount
Theoretically, anyone with the data should be able to tally it themselves, provided that they have all the necessary decryption keys. Some may object to this type of recount, however. In particular, if the bulletin board is running the wrong software (assuming this goes undetected, which isn't likely), then this kind of recount seems to beg the question. Ultimately, whether recounting the data on the bulletin board would remedy all of the potential harms that could appear during the voting process does not seem to have been explored.

Usability
The exact usability of the system isn't fully known: while there have been uses of a modified Selectio Helvetica protocol, there isn't much information on how easy it was to register and vote this way. However, it likely wasn't too difficult.

Infrastructure attack protection
All internet voting systems are vulnerable to denial-of-service attacks. There are defenses against these kinds of attacks, but they can't stand up to an adversary with sufficient computing power. In the event of such a situation voters would have to vote in person (or by mail).

Outsider hacking protection
All internet voting systems are, at least potentially, vulnerable to outside attack on the servers running the software. Yet there is a high degree of protection against such attempts because of the public bulletin board. Auditors and individuals will notice if information gets deleted from the board for no apparent reason, or if anything is edited. The server doing the tallying must remain secure, but the tallying can be re-done if the bulletin board stays online.

Malware and virus protection
This is a problem. If the voters' computers run viruses, they might display corrupt information at verification and mislead voters. Still, users can verify their votes online by checking the public bulletin board. It's also possible that there could be a utility to allow them to verify their vote using another channel (like SMS), or they could just use another machine. If they have any doubt about the integrity of their vote, they can re-vote in person or online.

Man in the middle attack protection
This is mitigated by the fact that the man in the middle doesn't know the content of the vote that is being transmitted. The voter could check to ensure that his or her vote went through the system as well before the election ends.

Insider attack protection
This hasn't been addressed because this system is theoretical. This is a big issue, however. It can be partially addressed by 1) open source software and 2) security of the systems themselves - at least there are fewer machines to deal with compared with DREs.

Coercion resistance
Haenni and Spycher admit that their protocol isn't receipt-free, thus it provides minimal defense against vote selling and coercion. After voting, the voter possesses his private key, which can be combined with his encrypted ballot on the bulletin board to prove to any adversary how he voted. This is partially solved because voters can change their vote at a polling station, or online (though this may not help when an adversary demands the voter's username and password).

Ensuring one person, one vote
Like in Selectio Helvetica, voters must sign their votes. As the authors write, "multiple ballots from the same eligible voter contain the same anonymous key and are therefore detected during the tallying phase."

Counting and tallying accuracy
The system should accurately count and record votes. For Selectio Helvetica (but applicable here) Dubuis et al. write that "the integrity can... be ensured by letting voters digitally sign their votes cast." Verifiability helps ensure this - anyone can ensure that their vote has been included in the final tally. Auditors monitoring the system can identify suspicious activity (e.g. if ballots are being deleted).

Voter anonymity
The protocol provides a high degree of privacy. As Haenni and Spycher write, "Every plaintext vote is unambiguously linked to an anonymous key, but linking the anonymous key back to its owner is prohibited by the anonymous channel and the unlinkability property of the public key shuffling procedure." This also prevents an adversary from finding out whether a particular voter has voted. The anonymous channel discussed "may be hard to implement," but use of mix nets before vote encryption could solve this.

Voter verifiability
As the authors wrote for Selectio Helvetica (though applicable here) "Verifiability is... achieved by publishing all votes cast (together with... cryptographic proofs) on a public bulletin board." This could be checked automatically. Voters can't delete/change anything and can verify that their vote was counted.

Immediate results protection
So long as there are multiple "key shares split among several independent tally authorities" then no election results should be obtainable before the voting period ends.

Ease of performing a recount
Theoretically, anyone with the data should be able to tally it themselves, provided that they have all the necessary decryption keys. Some may object to this type of recount, however. In particular, if the bulletin board is running the wrong software (assuming this goes undetected, which isn't likely), then this kind of recount seems to beg the question. Ultimately, whether recounting the data on the bulletin board would remedy all of the potential harms that could appear during the voting process does not seem to have been explored.

Usability
The exact usability of the system isn't fully known because this system is more of a general protocol at this stage rather than something that has been implemented and tested.

Infrastructure attack protection
All internet voting systems are vulnerable to denial-of-service attacks. There are defenses against these kinds of attacks, but they can't stand up to an adversary with sufficient computing power. In the event of such a situation voters would have to vote in person (or by mail).

Outsider hacking protection
All internet voting systems are, at least potentially, vulnerable to outside attack on the servers running the software. Yet so long as there exists one honest tabulation teller and assuming that the voter submits his vote to at least one correct ballot box it should not be possible for an outsider to compromise the voting system.

Malware and virus protection
Civitas assumes a trusted voting client. There might be a way to modify the protocol to provide more defenses against viruses at a cost, but these mechanisms have not been implemented yet. One defense is the fact that each voter can check that their vote is included (correctly) in the final tally. Would there be some way for such a voter to change their vote ex post facto if a virus interferes?

Man in the middle attack protection
This is mitigated by the fact that the man in the middle doesn't know the content of the vote that is being transmitted. The voter could check to ensure that his or her vote went through the system as well before the election ends.

Insider attack protection
This hasn't been addressed because this system is theoretical. This is a big issue, however. It can be partially addressed by 1) open source software and 2) security of the systems themselves - at least there are fewer machines to deal with compared with DREs.

Coercion resistance
In theory, voters can construct fake credentials by running an algorithm and can give those to the adversary. This, however, seems difficult for voters to utilize in practice. Still, voters can vote more than once online (or possibly at a polling place as well), which seems to partially solve this problem.

Ensuring one person, one vote
If voters can register securely (this could be done in person) then only those registered should be permitted to vote. Those with the proper keys would not be able to have their vote counted more than once.

Counting and tallying accuracy
The system should accurately count and record votes. The tabulation tellers verify the proof of well formedness for each vote, and votes with invalid credentials are discarded. Also, anyone can verify that their vote was recorded correctly.

Voter anonymity
"The list of submitted votes and the list of authorized credentials are anonymized by... mix net[s]." Currently each teller performs 2 permutations - the revealed information can be made statistically small by requiring 5 permutations each (this would increase tabulation time by 3%) or by using mix nets based on zero-knowledge proofs. Anonymity holds even if a number of the tellers are corrupt.

Voter verifiability
"Tabulation is made publicly verifiable by requiring each tabulation teller to post proofs that it is honestly following the protocols. All tabulation tellers verify these proofs as tabulation proceeds. ... Anyone can verify these proofs during and after tabulation, yielding universal verifiability. A voter can also verify that his vote is present in the set retrieved by the tabulation tellers, yielding voter verifiability."

Immediate results protection
So long as there are multiple "key shares split among several independent tally authorities" then no election results should be obtainable before the voting period ends.

Ease of performing a recount
Anyone can verify that their vote was included in the proper tally. This data may be unusable for the purpose of conducting a recount, however.

Usability
The exact usability of the system isn't fully known because this system is more of a general protocol at this stage rather than something that has been implemented and tested.

Infrastructure attack protection
It would be hard but possible for a party with enough resources to sufficiently cripple the postal system. It costs about 44 cents to ship a letter, and having an influx of tens of thousands of letters might slow down post offices tremendously. This could also be easily targeted to certain districts to skew the vote.

Outsider hacking protection
It would be very hard for an adversary to infiltrate and corrupt the proceedings wherein ballots are counted. Adversaries would likely instead use man in the middle attacks - see that section for more information. Yet that doesn't mean it's impossible. These types of high-output optical scan machines are quite conspicuous and someone might be able to break in and compromise the tallying software. Despite the chances of this being rather slim, there is a paper record to serve as a backup and as an auditing tool of the optical scanners.

Malware and virus protection
In an ideal VBM system, there are no "viruses" that can modify people's votes. Votes would be counted accurately by machine with officials from both sides carefully watching. Yet this isn't what happens in most states simply because there aren't the necessary resources available. Votes are tallied using optical scanners, but these optical scanners can suffer from viruses too; see http://vote.nist.gov/threats/papers/opscanconfig.pdf. Election staffers may notice this even if the paper record is in front of them. Adding to the problem is the fact that 1) paper is bad as a recording medium and 2) it can be unclear when threats are sufficiently bad to completely scrap the optical scan system; see Ted Selker's paper here: http://urban.csuohio.edu/cei/reports/Ted%20Selker%20Old%20Voting.pdf. Having a paper record is a good thing, but it's useless unless sufficient attention is paid to the optical scan machines in the first place.

Man in the middle attack protection
An adversary could create a lot of mischief if they have sufficient resources. Fake mail carriers could be sent out to collect ballots, fake ballots could be distributed (in Oregon, polls looking exactly like ballots were distributed in 2010 before a tax measure - http://blog.oregonlive.com/mapesonpolitics/2010/01/secy_of_state_vows_crackdown_o.html ), and ballots held for counting could be physically destroyed (to name a few options). To some degree, these fears have already been realized. In November 2010, a poll worker stole 75 completed ballots from a polling location in San Francisco and threw them in a river: http://www.baycitizen.org/elections-2010/story/missing-san-francisco-ballots-recovered. And, in Chicago during the 2002 primary, "man reportedly helped 35 seniors apply for absentee ballots at a senior housing center during the 2002 primary, then returned several weeks later to illegally punch their signed ballots." http://news.illinois.edu/NEWS/06/0413ballot.html There's plenty more info on these types of problems with VBM and they're only the tip of the iceberg. Many of these attacks (such as the fake ballots being distributed in Oregon) are legal, further adding to the problem.

Insider attack protection
Ideally election officials from both parties are there to verify that votes are not intentionally miscounted. But given the number of votes, the process isn't necessarily perfect. If the voter does something like cross out a mark with an X on his ballot, it gets sent to a bipartisan board to determine what the voter intended to vote for, and to change the vote accordingly. In addition to the still finite possibility of changing votes here, badly formed ballots could just not get filtered out by the officials scanning for "irregularities", perhaps leading to biases. Yet in many election districts "mail ballots are counted by staff and temporary workers in a backroom rather than publicly by citizen election judges as is done in precincts. This violates the "many eyes" principle and makes election fraud easy." See Charles Corry, http://www.ejfi.org/Voting/Voting-78.htm#facilitates

Coercion resistance
There really isn't any protection against vote attribution. For example, in the 2008 election groups tried to encourage young voters to request absentee ballots and then bring them to "debate and vote parties" where issues were discussed and ballots marked without access to privacy booths. http://www.nytimes.com/2008/10/17/us/politics/17colorado.html

Ensuring one person, one vote
Many jurisdictions require elections officials to duplicate damaged or difficult to read VBM ballots. These may be counted in addition to the originals: more than 25 precincts in Minnesota had more ballots than voters signed in to vote. Another issue with VBM is that anyone who can obtain a ballot and a sample signature can vote. People could complete multiple applications under different names and use this to obtain ballots. People can vote on behalf of their friends and families, which allows some voters to vote multiple times. http://oregoncatalyst.com/3003-Voter-Fraud-Made-Easy-in-Oregon.html

Counting and tallying accuracy
Charles Stewart from the MIT/Caltech VTP notes that the average return rate of vote by mail ballots is about 90.8%. See http://www.law.nyu.edu/ecm_dlv4/groups/public/@nyu_law_website__journals__journal_of_legislation_and_public_policy/documents/documents/ecm_pro_068045.pdf

Also, there are a multitude of problems regarding voter intent on VBM ballots: what if the voter accidentally marks both candidates down? Since votes aren't opened until a few days prior to election day, this issue may be unresolved. Not to mention the proprietary nature of the voting machines, the signature verification process which may disenfranchise some voters, the ease of modifying votes in the mail, and so on. Items are often lost in the mail - the Clearwater post office lost 1100 absentee ballots in a 2008 election. In the presidential election in 2008, 4.2% of all VBM ballots that made it through the post office were rejected in Minnesota due to procedural errors by voters. And, in Minnesota, 13% or more of rejected absentee ballots were rejected in error.

Voter anonymity
Each VBM ballot must be directly bound to the identity of the voter to ensure one person, one vote. There are procedures to protect voter privacy but the inherent vulnerability still exists. Because votes have to be directly counted it's likely these procedures aren't applied 100% of the time. Yet, it seems like the worst case scenario (assuming that the majority of election officials aren't corrupt) is having a poll worker learn about the contents of someone's vote. This doesn't seem like a terrible situation, because the voter and the election official likely do not know each other and it's not very useful information for an individual election official.

Voter verifiability
In most VBM systems it is impossible to verify that your ballot was both a) received and b) counted correctly. This presents a problem because ballots may not always go through.

Immediate results protection
I see no reason why this couldn't occur, except for perhaps human error. I'm unsure of the significance of this issue however.

Ease of performing a recount
It's possible but it might not be very useful - these elections aren't fully auditable because there could be problems with the post office, etc. However, performing a recount could check for problems arising from optical scan machines.

Usability
Voters may forget to sign the envelopes containing their ballots - in this case, they are required to go to their election office and sign their ballot, or else it's not counted. The election office will try to contact the voter in that case via phone. These signatures must pass verification, which is performed manually by an election official - this process isn't 100% accurate because voters will often sign things differently on different days. If the signatures don't seem to match then the voter must come in and re-sign their envelope.

Many votes are discounted because voters don't follow the instructions. Many military ballots aren't counted because they can't get them in by the proper deadline or are "lost" (1/4 in 2008 - http://www.digitaljournal.com/article/272565 ). For the general population, "of 103,000 ballots mailed, 30,000 were lost, 4,000 were rejected, and 3,000 were undeliverable".

Transparency
Many VBM systems don't have transparency. In many places "ballots are counted in the 'back room' at the county or city clerk's office, a concerted effort is often made to cover up problems and only the most obvious and egregious errors become public." See http://www.ejfi.org/Voting/Voting-78.htm#facilitates

Infrastructure attack protection
It would be hard but possible for a party with enough resources to sufficiently cripple the postal system. It costs about 44 cents to ship a letter, and having an influx of tens of thousands of letters might slow down post offices tremendously. This could also be easily targeted to certain districts to skew the vote. Making it worse is the fact that in Oregon VBM is the only system used to vote, so this could potentially be a lot more effective. However, in Oregon ballots can be dropped off at collection booths which partially solves this problem.

Outsider hacking protection
It would be very hard for an adversary to infiltrate and corrupt the proceedings wherein ballots are counted. Adversaries would likely instead use man in the middle attacks - see that section for more information. Yet that doesn't mean it's impossible. These types of high-output optical scan machines are quite conspicuous and someone might be able to break in and compromise the tallying software. Despite the chances of this being rather slim, there is a paper record to serve as a backup and as an auditing tool of the optical scanners.

Malware and virus protection
In an ideal VBM system, there are no "viruses" that can modify people's votes. Votes would be counted accurately by machine with officials from both sides carefully watching. Yet this isn't what happens in Oregon (and most other states), simply because there aren't the necessary resources available. Votes are tallied using optical scanners, but these optical scanners can suffer from viruses too; see http://vote.nist.gov/threats/papers/opscanconfig.pdf. Election staffers may notice this even if the paper record is in front of them. Adding to the problem is the fact that 1) paper is bad as a recording medium and 2) it can be unclear when threats are sufficiently bad to completely scrap the optical scan system; see Ted Selker's paper here: http://urban.csuohio.edu/cei/reports/Ted%20Selker%20Old%20Voting.pdf. Having a paper record is a good thing, but it's useless unless sufficient attention is paid to the optical scan machines in the first place.

Man in the middle attack protection
An adversary could create a lot of mischief if they have sufficient resources. Fake mail carriers could be sent out to collect ballots, fake ballots could be distributed (in Oregon, polls looking exactly like ballots were distributed in 2010 before a tax measure - http://blog.oregonlive.com/mapesonpolitics/2010/01/secy_of_state_vows_crackdown_o.html ), and ballots held for counting could be physically destroyed (to name a few options). To some degree, these fears have already been realized. In November 2010, a poll worker stole 75 completed ballots from a polling location in San Francisco and threw them in a river: http://www.baycitizen.org/elections-2010/story/missing-san-francisco-ballots-recovered. And, in Chicago during the 2002 primary, "man reportedly helped 35 seniors apply for absentee ballots at a senior housing center during the 2002 primary, then returned several weeks later to illegally punch their signed ballots." http://news.illinois.edu/NEWS/06/0413ballot.html There's plenty more info on these types of problems with VBM and they're only the tip of the iceberg. Many of these attacks (such as the fake ballots being distributed in Oregon) are legal, further adding to the problem. In Oregon, however, there is one solution: campaigns are given the contact info of people whose votes aren't sent in, which could get voters to realize that their votes haven't been counted yet. But it's not a perfect one because 1) voters may not know what's going on and 2) it doesn't defend against the changing of votes in transit.

Insider attack protection
Ideally election officials from both parties are there to verify that votes are not intentionally miscounted. But given the number of votes, the process isn't necessarily perfect. If the voter does something like cross out a mark with an X on his ballot, it gets sent to a bipartisan board to determine what the voter intended to vote for, and to change the vote accordingly. In addition to the still finite possibility of changing votes here, badly formed ballots could just not get filtered out by the officials scanning for "irregularities", perhaps leading to biases. Because there are sufficient people surrounding vote counters, though, this condition should be satisfied. To some degree insiders will be able to change or manipulate votes, but the defenses are likely good enough.

Coercion resistance
Vote by mail lacks solutions to the issues of coercion and vote selling. For example, in the 2008 election groups tried to encourage young voters to request absentee ballots and then bring them to "debate and vote parties" where issues were discussed and ballots marked without access to privacy booths. http://www.nytimes.com/2008/10/17/us/politics/17colorado.html To take an example from Oregon, in the 2008 primary elections Oregon Democrats were asked to attend a "bring our own ballot" party with former President Bill Clinton. http://www.npr.org/templates/story/story.php?storyId=90354956

Ensuring one person, one vote
One issue with VBM is that anyone who can obtain a ballot and a sample signature can vote. People could complete multiple applications under different names and use this to obtain ballots. People can vote on behalf of their friends and families, which allows some voters to vote multiple times. http://oregoncatalyst.com/3003-Voter-Fraud-Made-Easy-in-Oregon.html

Counting and tallying accuracy
Though Oregon didn't report the number of ballots returned for counting, based on other data from states that did report this statistic, Charles Stewart from the MIT/Caltech VTP estimates the return rate was 90.8%. See http://www.law.nyu.edu/ecm_dlv4/groups/public/@nyu_law_website__journals__journal_of_legislation_and_public_policy/documents/documents/ecm_pro_068045.pdf . This may be higher in Oregon as voters don't have the option to vote in person, but it is still significant. Also, there are a multitude of problems regarding voter intent on VBM ballots: what if the voter accidentally marks both candidates down? Since votes aren't opened until a few days prior to election day, this issue may be unresolved. Not to mention the proprietary nature of the voting machines, the signature verification process which may disenfranchise some voters, the ease of modifying votes in the mail, the fact that some things can get lost in the mail, and so on.

Voter anonymity
Each VBM ballot must be directly bound to the identity of the voter to ensure one person, one vote. There are procedures to protect voter privacy but the inherent vulnerability still exists. Because votes have to be directly counted it's likely these procedures aren't applied 100% of the time. Yet, it seems like the worst case scenario (assuming that the majority of election officials aren't corrupt) is having a poll worker learn about the contents of someone's vote. This doesn't seem like a terrible situation, because the voter and the election official likely do not know each other and it's not very useful information for an individual election official.

Voter verifiability
There is partial verifiability in that campaigns get the contact info of voters if they don't vote or if their vote has not been received - this may let some know that their votes were lost in transit. However, there's no way for voters to A) know that the vote that they submitted is exactly the same as the vote that the election officials count (i.e. whether it was lost in transit) and B) know that it was counted correctly.

Immediate results protection
In Oregon, votes are opened and counted on election day. The problem of having no immediate results doesn't seem to matter that much in Oregon since a) many voters will likely fill out their ballots in advance and b) immediate results may not reflect the full election because they would likely be concentrated to the results of certain districts rather than the whole state. Given that Oregon only uses VBM it's likely precautions have been taken to ensure that no immediate results can be obtained before the voting period is over.

Ease of performing a recount
Performing a recount wouldn't be very useful using a vote-by-mail system because elections aren't auditable.

Usability
Voters may forget to sign the envelopes containing their ballots - in this case, they are required to go to their election office and sign their ballot, or else it's not counted. The election office will try to contact the voter in that case via phone. These signatures must pass verification, which is performed manually by an election official - this process isn't 100% accurate because voters will often sign things differently on different days. If the signatures don't seem to match then the voter must come in and re-sign their envelope.

Many votes are discounted because voters don't follow the instructions. Many military ballots aren't counted because they can't get them in by the proper deadline or are "lost" (1/4 in 2008 - http://www.digitaljournal.com/article/272565 ). For the general population, "of 103,000 ballots mailed, 30,000 were lost, 4,000 were rejected, and 3,000 were undeliverable".

Transparency
Oregon's mail-voting system is pretty transparent. "Optically scanned machine counts are verified by random hand-counts." See http://richardcharnin.com/OregonVotingSystem.htm And it seems from the video on YouTube that there are sufficient bodies in the room to ensure that votes aren't changed or modified.

Infrastructure attack protection
Little infrastructure is needed for people to vote using an optical scan system. Even if the power's out or if equipment fails, voters can vote on paper and have the optical scanner record it later.

Outsider hacking protection
It would be very hard for an adversary to infiltrate an elections building so as to modify its optical scan machine(s). Yet that doesn't mean it's impossible. In addition to these chances being very slim, there is a paper record to serve as a backup and as an auditing tool of the optical scanners.

Malware and virus protection
It would seem to be the case that VBM would be invulnerable to viruses. Yet this isn't the case - just as DREs can be compromised, so can optical scan systems: see http://vote.nist.gov/threats/papers/opscanconfig.pdf. Election staffers may notice this even if the paper record is in front of them. Adding to the problem is the fact that 1) paper is bad as a recording medium and 2) it can be unclear when threats are sufficiently bad to completely scrap the optical scan system, see: Ted Selker's paper here: http://urban.csuohio.edu/cei/reports/Ted%20Selker%20Old%20Voting.pdf. Having a paper record is a good thing, but it's useless unless sufficient attention is paid to the optical scan machines in the first place.

Man in the middle attack protection
This would be hard - the optical scan machines would be difficult to fiddle with. But even then there is the issue of doing so without getting caught, which is a problem as the adversary could be found out via either audits or security guards.

Insider attack protection
Optical scan machines are vulnerable to insider attacks. See http://vote.nist.gov/threats/papers/opscanconfig.pdf - the firmware can easily be tampered with. This is mitigated by 1) the paper ballot record and 2) checks on individual election staffers. But even with such an audit trail it can be unclear when threats are sufficiently bad to completely scrap the optical scan system, see Ted Selker's paper here: http://urban.csuohio.edu/cei/reports/Ted%20Selker%20Old%20Voting.pdf. Having a paper record is a good thing, but it's useless unless sufficient attention is paid to the optical scan machines in the first place.

Coercion resistance
Optical scan voting has a high level of protection against vote selling because it is essentially receipt free. It's impossible to create a verifiable record that someone has voted in a certain way given that voters fill out their ballots behind a curtain. Even if voters could sneak a camera in and take pictures or a video of their ballot, they could always just cross out that vote (while still behind the curtain) and bubble in another candidate. A technology that solves this problem (i.e. a hidden shirt camera that is always recording) would still make it hard to sell votes, because the "receipts" generated this way would be hard to verify.

Ensuring one person, one vote
Paper ballots solve this "because each voter is given only a single paper ballot when they sign in." (VerifiedVoting) Existing optical scan systems have many security measures like serial numbers and watermarks to prevent ballot stuffing.

Counting and tallying accuracy
A report from the Caltech/MIT VTP (see http://www.vote.caltech.edu/Reports/2001report.html ) shows that optical scan ballots delivered the lowest rate of invalid votes of any technology from 1988-2001. Voters are asked for confirmation if they undervote. And this technology is improving: during the Minnesota Senate race in 2009 gross accuracy was 99.91% - see https://freedom-to-tinker.com/blog/appel/optical-scan-voting-extremely-accurate-minnesota

Voter anonymity
In-person optical scan voting systems are anonymous because the ballot contains no information about the identity of the voter. The voter signs in at a polling place, but there is no way for those signatures to be mapped to the content of individual votes.

Voter verifiability
Paper ballots are voter verified in a sense because they are marked directly by the voter. But there's no way for a voter to verify that their vote was counted correctly.

Immediate results protection
Having no intermediate results before the voting period ends is not very significant for a non-absentee voting system. Even if there aren't any practical restrictions to prevent obtaining intermediate results, straw polls in the status quo achieve the same end of producing intermediate results on election day. These are usually accurate, though not so in the 2004 election.

Ease of performing a recount
It should be possible to perform a recount; however, it is still very cumbersome to do so. There's human error involved and it may be unclear when a recount is necessary. These aren't major problems, however.

Usability
While there are costs associated with voting this way, in-person paper voting with an optical scanner is easy enough that almost anyone can use it.

Infrastructure attack protection
Basic infrastructure is needed for voters to vote using an electronic touch-screen system. The power must be on, and the equipment must work flawlessly.

Outsider hacking protection
It looks very suspicious if a regular civilian is tampering with the voting machine. However it's theoretically possible for someone to break into their polling place and change the firmware - with disastrous effects.

Malware and virus protection
Technically there aren't any viruses, but DREs are often compromised. It is very easy to design malware that changes votes on a DRE, see http://www.cs.princeton.edu/~appel/papers/appel-audits.pdf. Having a voter verified paper trail helps, but there's no guarantee that it will be used. It's also somewhat unclear when votes should be tallied using the paper trail as opposed to the electronic record.

Man in the middle attack protection
Tampering with the voting machines is possible after votes have been counted, and would not be very difficult - see http://www.cs.princeton.edu/~appel/papers/appel-audits.pdf. Having a voter verified paper trail helps, but there's no guarantee that it will be used. It's somewhat unclear when votes should be tallied using the paper trail as opposed to the electronic record.

Insider attack protection
It would be very easy for an insider to change the firmware of the DRE - see http://www.cs.princeton.edu/~appel/papers/appel-audits.pdf. Having a voter verified paper trail helps, but there's no guarantee that it will be used.

Coercion resistance
"Voters...have complained that DRE voting systems do not provide adequate ballot secrecy due to the lack of voting booth curtains coupled with the fact that the DRE voting displays are ... vertical." See New Yorkers for Verified Voting here: http://www.nyvv.org/doc/AdvantagesPaperBallots.pdf. Engineering a system that fixes this problem isn't hard, but it costs money to replace or modify old DRE machines.

Ensuring one person, one vote
"Many DRE machines'... smart cards might be compromised" ( http://www.nyvv.org/doc/AdvantagesPaperBallots.pdf ) so a voter could vote multiple times. A solution may exist, and it looks suspicious if someone spends an hour at a voting machine, but it's still problematic.

Counting and tallying accuracy
In "single-contest elections, DRE voting systems registered roughly 8 times as many under-votes as" optical scan systems - see http://www.nyvv.org/doc/AdvantagesPaperBallots.pdf. These might be fixable but there are still a number of counting/recording issues in the status quo that need to be solved.

Voter anonymity
DREs are anonymous because the voting protocol does not ask for any information about the identity of the voter. The voter signs in at a polling place, but there is no way for those signatures to be mapped to the content of individual votes. However, there are concerns about the privacy of many DREs - see the section on coercion for more info.

Voter verifiability
Many voters don't verify their voter verified paper ballot for usability reasons. It's difficult to compare two columns of numbers to verify that no number was missed. Also there might be ink shortages, paper jams, etc. that get in the way of voter verification.

Immediate results protection
Having no intermediate results before the voting period ends is not very significant for a non-absentee voting system. Even if there aren't any practical restrictions to prevent obtaining intermediate results, straw polls in the status quo achieve the same end of producing intermediate results on election day. These are usually accurate, though not so in the 2004 election.

Ease of performing a recount
With the paper trail it's possible to perform a recount in states that recognize the VVPAT as a real ballot. Still, it's cumbersome and may not be done. Also if voters don't verify their ballot then there's no guarantee this will be correct.

Usability
Elderly individuals might find it hard to read and use these touchscreen systems.

Transparency
There is little transparency for DREs besides the fact that many of them have been bought, as the source code was released online.

Email Voting
No one is advocating this method; we're just using it as a baseline.

Infrastructure attack protection
All internet voting systems are vulnerable to denial-of-service attacks. There are defenses against these kinds of attacks, but they can't stand up to an adversary given sufficient computing power. In the event of such a situation voters would have to vote in person (or by mail). The problem is made even worse by VBM because millions of emails can be sent to the voting email address. The problem is exacerbated if vote by email is only allowed on election day - there's no chance to revote.

Outsider hacking protection
Anyone can attack the server collecting emailed votes - "if the attackers are competent... there is essentially no chance that they will fail". Even if this isn't the case, email might allow malware into the election network.

Malware and virus protection
This is a problem, and such malware would be easy to program - just create a virus that sends mail intended for the voting email address to the attacker's address where it can be tampered with. There's no verifiability either, so there's no solution.

Man in the middle attack protection
It would be very easy for someone to perform a man in the middle attack. Email is sent in the clear - it would be easy for someone who owns one of these routers to make a program that changes/deletes votes. Also, Yahoo, Google, or any other email provider could easily tamper with votes themselves - making election results depend on the niceness of corporations is a bad idea.

Insider attack protection
It's an issue that might be resolvable in part with enough resources (it's unlikely this will be so however.) Further, based on the scale of the other problems with email voting this isn't going to be a major issue.

Coercion resistance
Vote selling would be simple with an email voting system. Voters can just forward their ballot to the vote seller who will fill it out for them. Maybe the system could allow for re-voting, however? This point is kind of moot because it would be a lot more economical to just break into the system rather than bribe everyone.

Ensuring one person, one vote
I haven't seen much regarding passing keys out so I assume that you can only vote once in theory - again, it's kind of a moot point though based on the insecurity of email voting in the other categories.

Counting and tallying accuracy
Based on the other categories email voting doesn't accurately count and record votes - even if votes do go through correctly there's a possibility for malware to be injected into the vote collection system.

Voter anonymity
It's not anonymous at all - email is sent in the clear. David Jefferson: "It is common for national intelligence agencies (including our own) to collect and store all email that crosses national boundaries, and that would include emailed ballots along with the names of the voters"

Voter verifiability
There is no voter verifiability in email based systems. They're unauditable, and there's no way to send (through email) securely a confirmation note verifying that the vote was a) cast and b) done so correctly.

Immediate results protection
Because votes are stored unencrypted or at least sent unencrypted it would be easy for someone to obtain results before the voting period is over.

Ease of performing a recount
A recount would be useless because it would merely exacerbate the same problems that email voting suffers from.

Usability
Even though most people have email, usability is still a concern - what if voters botch up the template that they are supposed to send? The usability of email voting is harder than it looks. Maybe there are ways of fixing it, but I doubt it.

Transparency
The transparency of this system is unknown because it outlines a general framework for a voting system rather than the details of a specific implementation. Though there are remote voting trials in about 32 states, little data has been published about them.

Infrastructure attack protection
All internet voting systems are vulnerable to denial-of-service attacks. There are defenses against these kinds of attacks, but they can't stand up to an adversary given sufficient computing power. In the event of such a situation voters would have to vote in person (or by mail).

Outsider hacking protection
The DC voting trials have been empirically proven to be insecure with regard to outside hacking attempts. The system was vulnerable to shell injection - users could upload files with any extension/name, which the server would execute as code. It's a simple problem to fix, but as J. Alex Halderman (Professor at UMich. and head of the team that broke into the system) wrote, "it will be vastly more difficult to make the system secure."
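
The class of bug described above, shown next to a hardened upload handler. This is an added illustration in Python, not the DC pilot's code; the function names, the stand-in PROCESSOR command and the file names are constructed for the example.

```python
import os
import shlex
import subprocess
import sys
import uuid

ALLOWED_EXTENSIONS = {".pdf"}

# Hypothetical stand-in for the server's processing step: a child process
# that reports the single file argument it received.
PROCESSOR = [sys.executable, "-c", "import sys; print('processed', sys.argv[1])"]


class RejectedUpload(ValueError):
    """Raised when an upload fails validation."""


def process_unsafe(upload_name):
    """Flawed pattern: the client-supplied name is pasted into a shell string,
    so shell metacharacters in the name are parsed as syntax, not data."""
    cmd = shlex.join(PROCESSOR) + " " + upload_name
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()


def storage_name(upload_name):
    """Check the extension against an allow-list, then discard the client's
    name: the file is stored under a server-generated identifier."""
    ext = os.path.splitext(upload_name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise RejectedUpload(f"extension {ext!r} is not allowed")
    return uuid.uuid4().hex + ext


def process_safe(upload_name):
    """Hardened pattern: validated, server-chosen name passed as one argv
    element with no shell involved."""
    name = storage_name(upload_name)
    done = subprocess.run(PROCESSOR + [name], capture_output=True,
                          text=True, check=True)
    return done.stdout.splitlines()


if __name__ == "__main__":
    # Constructed sample input with a harmless marker command.
    hostile = "ballot.pdf; echo INJECTED"
    print("unsafe:", process_unsafe(hostile))
    try:
        process_safe(hostile)
    except RejectedUpload as err:
        print("safe handler rejected upload:", err)
    print("safe:", process_safe("my ballot.PDF"))
```

The allow-list alone is not the fix: a name that ends in `.pdf` but contains metacharacters earlier still passes it, which is why the hardened handler also drops the client's name and avoids the shell.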

Malware and virus protection
It may be tricky to devise a virus that is able to change the results on hand-filled out PDF files. That said, some ballots are filled out with PDF tools and those are quite vulnerable to viruses. A virus could also facilitate man in the middle attacks.

Man in the middle attack protection
In theory, network attackers can intercept ballots and modify them, though this may be hard to do with scanned ballots. There could, however, be just one ballot file that other ballot files get replaced by - this may or may not work. I am unable to find whether there was end-to-end encryption in place for the DC trials - see http://www.educatedguesswork.org/2010/07/dcs_internet_voting_pilot.html

Insider attack protection
Suffers from the same problem as optical scan systems in terms of installing the right software, and then some (because the website has to be dealt with). Having the right software on the optical scan machine is one thing - what about on the DC BOEE website? Doubly insecure here. Also votes can be easily deleted.

Coercion resistance
Since the DC voting trials are very similar to vote by mail (you print out a PDF of a blank ballot and then upload that to the DC website) they suffer from the same problems regarding coercion and vote selling. There was no effective solution in place to deter either.

Ensuring one person, one vote
I can't find a good resource answering the question of how authentication takes place, and whether it is sufficient to prevent voters from voting multiple times. But assuming the rest of the system holds then I would assume that in theory only registered voters could vote, and that voters could vote only once.

Counting and tallying accuracy
Even assuming the security of the system, it's unlikely that it will record votes accurately. Voters may not have access to a scanner of high quality - in this regard it suffers from the same problems as VBM but with the added issue of scanning/printing of ballots.

Voter anonymity
Theoretically the printed ballots wouldn't need to have the name of the voter on them (as that's handled by the BOEE site), so no single part of the system can know what individuals vote for. However, it might be possible to mass-download ballots off the BOEE website (if you had the necessary access), which would give the adversary the voters' names, contact information, and vote content.

Voter verifiability
Ultimately, for the DC voting trials, no method was in place that allowed voters to ensure that their vote was a) actually received and b) recorded correctly. See http://www.educatedguesswork.org/2010/07/dcs_internet_voting_pilot.html

Immediate results protection
Votes are stored encrypted on the server (but they can be easily deleted), so it's likely that this condition is met (provided that key shares are distributed correctly).

Ease of performing a recount
It's impossible to perform a recount with this system. Once the adversaries from the University of Michigan broke into the system and changed the real votes to fictitious ones, there was no backup in place that could be used to restore the old votes. Even then, having backup copies would not fully solve the problem.

Usability
The DC voting trials, in terms of ease of use, suffer from the same problems as vote by mail with the added factor of having voters deal with a scanner.

Transparency
The DC voting trials never got to the stage where they allowed voters to cast their ballots. However, officials who ran the election openly invited the community to see if they could find any security vulnerabilities. This was a great step as otherwise the vulnerabilities might have gone unnoticed, possibly allowing an adversary to exploit the same security holes during the actual election.

Infrastructure attack protection
All internet voting systems are vulnerable to denial-of-service attacks. There are defenses against these kinds of attacks, but they can't stand up to an adversary given sufficient computing power. In the event of such a situation voters would have to vote in person (or by mail).

Outsider hacking protection
The election authority can be caught if a voter's receipt differs from the data in the table. Also, the Proxy (which communicates with the EA) commits to the voter's choice before it knows the serial number. Both systems would have to be compromised, which would be difficult.

Malware and virus protection
Users have a fair amount of protection against viruses. This is because the computer itself doesn't know which candidate the voter is voting for - that information is on the coding card. However, it would be possible for a virus to just scramble the content of the voter's vote, making it random which candidate the voter's computer chooses. Voters can verify their vote was included in the final tally, yet it may be unclear when the number of people who claim they had a virus on their computer is high enough to warrant a recount via other means.

Man in the middle attack protection
This would be somewhat difficult because an observer wouldn't know the content of a voter's choice. They could try to intercept and then not send the message but that would be noticeable by Proxy. In the worst case the voter has a receipt. Ultimately, there's nothing useful that the man in the middle can do.

Insider attack protection
This hasn't been addressed because this system is theoretical. This is a big issue, however. It can be partially addressed by 1) open source software and 2) security of the systems themselves - at least there are fewer machines to deal with compared with DREs.

Coercion resistance
There are protections against coercion - a voter could use a coding card separate from the one shown to the observer, or could connect to a "decoy service" - but these may not be practical. Such a system might also allow voters to vote at a polling station, which may help mitigate this issue.

Ensuring one person, one vote
So long as the cards are passed out correctly, voters should only be allowed to vote once. How to implement this process is an open question - voters need a username+password to log into an election website run by a Proxy (account registration might be tricky to implement).

Counting and tallying accuracy
Pre-election and post-election audits are put in place to help ensure accuracy of vote tallying. Theoretically anyone can verify that their vote was counted using their receipt.

Voter anonymity
So long as the Proxy and the Election Authority aren't both corrupt the condition of anonymity should be met. Proxy doesn't know the permutation used on the ballot, and EA doesn't know the voter's identity.

Voter verifiability
The system is voter verifiable after the election in theory - the voter gets a receipt which can be used to check if it appears in the table containing election results. But it may be unclear as to what should happen in the event that a voter discovers that their receipt differs from the value published in the election results. Unless receipts can't be falsified (which would harm anonymity) there is always a chance someone will 'cry wolf' and say that the system recorded their vote incorrectly. This possibility needs to be addressed.

Immediate results protection
Immediate results are on the election authority server - the election authority has to be trusted not to publish them. This assumes that the election authorities aren't curious. Of course, it's a theoretical system and so there might be a possible solution to this that's not mentioned in the paper introducing Scratch, Click, and Vote.

Ease of performing a recount
The election can be audited but provides no service for a recount to be done. Voters would have to vote at a polling place if the election is deemed corrupt. However, it may be hard to determine if the election was corrupt or not without disclosing its results (which would violate the principle of Fairness.) So long as voting is done sufficiently in advance (and assuming the election can be certified in this way) recountability will not be a major problem.

Usability
It's a theoretical system, but even the authors conclude that it might not be simple to use - a voter would need to click next to every candidate and find the right candidate on the scratch-sheet. Scratching the film off the sheet may be hard for voters with disabilities. But there are likely solutions to these problems.

Infrastructure attack protection
Voters can return their ballots through internet or mail. The likelihood of both infrastructures being shut down is quite slim.

Outsider hacking protection
The FAQ explains that "A hacker who breaks into either... server cannot tell how voters voted (because there are only confirmation numbers on the servers). If the hacker tries to change the numbers on the website before they are locked-in, the voter will notice this... If the hacker tries to change these after they are locked-in,... this will be noticed by those watching the Bulletin Board. It will also be noticed during the consistency check performed when new data is posted."

Malware and virus protection
Users have a fair amount of protection against viruses. This is because the computer itself doesn't know which candidate the voter is voting for - that information is on the coding card. However, it would be possible for a virus to just scramble the content of the voter's vote, making it random which candidate the voter's computer chooses. Voters can verify their vote was included in the final tally, yet it may be unclear when the number of people who claim they had a virus on their computer is high enough to warrant a recount via other means.

Man in the middle attack protection
This would be somewhat difficult because an observer wouldn't know the content of a voter's choice. They could try to intercept and then not send the message but that would be noticeable by the server. In the worst case the voter has a receipt and can re-vote online or at a polling place. Ultimately, there's nothing useful that the man in the middle can do.

Insider attack protection
Because the content of the bulletin board is public information, voters can track it constantly. In the worst case (if everything goes offline) "The system keeps a paper record of all confirmation numbers and lock-ins as they are cast, and/or corresponding paper ballots, except for those entered in the last cycle. The system can recover from these, which are equivalent to paper ballots. An honest offline server and secure chain of custody of the paper print-outs is equivalent to a secure chain of custody of ballots." https://scantegrity.org/wiki/index.php/Remotegrity_Frequently_Asked_Questions

Coercion resistance
There are protections against coercion: voters can vote multiple times and can cancel previous votes by obtaining another coding card or by voting in person. Both of these may be a hassle, however.

Ensuring one person, one vote
So long as the cards are passed out correctly, voters should only be allowed to vote once. How to implement this process is an open question - voters need a username+password to log into an election website (account registration might be tricky to implement).

Counting and tallying accuracy
This would be very accurate - audits are in place and voters could verify their votes. Plus, it doesn't suffer from the inherent problems of recording marks on paper.

Voter anonymity
"Your vote is never revealed to a computer on the internet. The confirmation numbers are generated to print ballots but thereafter all information is wiped off the computer generating the numbers. The numbers are re-generated in order to compute the tally, and again wiped off. Further, your ballot arrives in a sealed envelope so that the election official sending you the package does not see the numbers on your ballot. Similarly, the election official cannot see the authentication codes that are also under scratch-off."

Voter verifiability
Anyone can check the bulletin board to see if their vote was cast correctly. However, this requires at least one computer free of a virus (since a virus could manipulate how a voter sees the bulletin board), or some other protocol (such as SMS or snail mail.) Further, "Independent observers... can use their own software or software written by Remotegrity to verify that the tally is correctly computed from the confirmation numbers." https://scantegrity.org/wiki/index.php/Remotegrity_Frequently_Asked_Questions

Immediate results protection
Immediate results are on the election authority server, and whoever holds the codes that could decrypt these votes has to be trusted not to publish them before the election is complete. There are real-world security solutions to this problem (hiring police, installing surveillance cameras, etc.) but those aren't discussed as they don't have to do with the protocol through which Remotegrity operates.

Ease of performing a recount
There is a paper record (printers provide a paper copy of all data received), but it (a) may not have all the data needed to completely tally the election and (b) may not fix the problems a recount seeks to solve.

Usability
Remotegrity over the internet should be fairly simple to use - the voter just has to type a few numbers that are on the cards passed out. However, this isn't a point that's very well addressed.

Infrastructure attack protection
Voters can return their ballots through internet or mail. The likelihood of both infrastructures being shut down is quite slim.

Outsider hacking protection
An adversary with enough resources could in theory send out fake mail carriers to collect mail. Also, the post office needs to be trusted - In November 2010, a poll worker stole 75 completed ballots from a polling location in San Francisco and threw them in a river: http://www.baycitizen.org/elections-2010/story/missing-san-francisco-ballots-recovered

Malware and virus protection
The optical scan machines counting the ballots sent in via mail would still be vulnerable to malware, if someone could break into the physical machines themselves. However, Remotegrity counters this both because there is an auditable paper vote record (even if these votes are intercepted and replaced while in the postal system, they can still be used to audit optical scan machines) and because there is end-to-end voter verification. Though neither system is perfect by itself, this two-pronged solution is probably the best around in the status quo.

Man in the middle attack protection
As with other VBM systems, an adversary could create a lot of mischief if they have sufficient resources. Fake mail carriers could be sent out to collect ballots, fake ballots could be distributed, and ballots held for counting could be physically destroyed (to name a few options). Allowing voters to audit their ballots serves as a partial solution. If votes are counted quickly enough, then voters could go to the polling station and change their vote if their vote was counted incorrectly.

Insider attack protection
Ideally election officials from both parties are there to verify that votes are not intentionally miscounted. Yet there could be fraud at other levels of the voting process.

Coercion resistance
There are protections against coercion: voters can vote multiple times and can cancel previous votes by obtaining another coding card or by voting in person. Both of these may be a hassle, however.

Ensuring one person, one vote
One issue with VBM is that anyone who can obtain a ballot and a sample signature can vote. People could complete multiple applications under different names and use this to obtain ballots. People can vote on behalf of their friends and families, which allows some voters to vote multiple times - see http://oregoncatalyst.com/3003-Voter-Fraud-Made-Easy-in-Oregon.html This is a problem inherent in all VBM systems.

Counting and tallying accuracy
Vote by mail may throw out some votes due to procedural errors. For instance, in the presidential election in 2008, 4.2% of all VBM ballots that made it through the post office were rejected in Minnesota due to procedural errors by voters. And, in Minnesota, 13% or more of rejected absentee ballots were rejected in error. Yet the optical scan technology is pretty accurate - during the Minnesota Senate race in 2009 gross accuracy was 99.91% - see https://freedom-to-tinker.com/blog/appel/optical-scan-voting-extremely-accurate-minnesota

Voter anonymity
If you return your ballot by the mail, "election officials follow a time-honored procedure for separating the ballot from any information that identifies you before the ballots are counted." (according to the Remotegrity FAQ) Perhaps there could be codes that don't associate the voter with the information on ballots. Also, as with VBM, it seems like the worst case scenario (assuming that the majority of election officials aren't corrupt) is having a poll worker learn about the contents of someone's vote. This doesn't seem like a terrible situation, because the voter and the election official likely do not know each other and the contents of one person's vote aren't very useful for an individual election official to have.

Voter verifiability
Anyone can check the bulletin board to see if their vote was cast correctly. However, this requires at least one computer free of a virus (since a virus could manipulate how a voter sees the bulletin board), or some other protocol (such as SMS or snail mail.) Further, "Independent observers... can use their own software or software written by Remotegrity to verify that the tally is correctly computed from the confirmation numbers." https://scantegrity.org/wiki/index.php/Remotegrity_Frequently_Asked_Questions

Immediate results protection
Immediate results are on the election authority server, and whoever holds the codes that could decrypt these votes has to be trusted not to publish them before the election is complete. There are real-world security solutions to this problem (hiring police, installing surveillance cameras, etc.) but those aren't discussed as they don't have to do with the protocol through which Remotegrity operates.

Ease of performing a recount
There is a paper record, but it (a) may not have all the data needed to completely tally the election and (b) may not fix the problems a recount seeks to solve. This is especially problematic when voting by mail - the problem of votes getting lost in transit isn't solved by counting the other votes again.

Usability
This could be an improvement over VBM in the status quo - signature recognition is rather imprecise so handling voter verification at another level would seem to solve that problem. But voters still might not follow the directions which is always a problem with a VBM system. Also, the deadlines problem of voters overseas not having enough time to cast their ballots isn't solved here - it's made even worse by the fact that voters need time to be able to verify their ballots. What if a military voter only realizes that his/her vote doesn't count when it's too late? What seems to solve this issue is the fact that voters can vote via mail or internet.

Infrastructure attack protection
Little infrastructure is needed for people to vote using an optical scan system. Even if the power is out or if equipment fails, voters can vote on paper and have the optical scanner record it later.

Outsider hacking protection
Outside hacking shouldn't be effective against paper/optical scan ballots because voters don't have access to the scanning machines which tally votes. The cryptography itself would be very hard to break into because changing the posted encryptions would be quite noticeable.

Malware and virus protection
Scantegrity's optical scan machines would still be vulnerable to malware, if someone could break into the physical machines themselves. However, it counters this both because there is an auditable paper vote record and because there is end-to-end voter verification. Though neither system is perfect by itself, this two-pronged solution is probably the best around in the status quo.

Man in the middle attack protection
There's not really an equivalent except for tampering with the data from the optical scan machine after the voting period is over (or during the voting period). This is possible but somewhat mitigated by the paper records and the auditing system.

Insider attack protection
http://vote.nist.gov/threats/papers/opscanconfig.pdf - the firmware can easily be tampered with. However this is mitigated by the public audit and public posting of data. Also, it's mitigated by the paper ballot record.

Coercion resistance
Scantegrity is receipt free - voters get a receipt but these receipts can be easily falsified - so the only way someone could sell their votes this way is to illegally take pictures of their ballot while in the voting booth.

Ensuring one person, one vote
Paper ballots solve this because each voter is given only a single paper ballot when they sign in. Existing optical scan systems have many security measures like serial numbers and watermarks.

Counting and tallying accuracy
http://www.vote.caltech.edu/Reports/2001report.html - optical scan ballots delivered the lowest rate of invalid votes of any technology from 1988-2001. Voters are asked for confirmation if they undervote. Technology is improving: in the Minnesota Senate race in 2009, gross accuracy was 99.91% - https://freedom-to-tinker.com/blog/appel/optical-scan-voting-extremely-accurate-minnesota And there's verification to ensure votes have been recorded.

Voter anonymity
It's anonymous because there's no name on the ballot. Since the link between a confirmation code and the candidate voted for must remain secret, the tally is generated using an anonymity-preserving backend.

Voter verifiability
Paper ballots are marked by the voter. The voter can verify that their vote was actually counted by using the confirmation code / their ballot's serial number. But because the system is receipt free (there's no way for voters to prove without a doubt that they voted a certain way) it might be hard to verify if someone is really telling the truth when they call for an audit or for a recount. The solution to that issue is using invisible ink decoder pens so that the voter will be aware of one code when taking his or her receipt. Depending on how the system is implemented there may be a practical way to efficiently handle this kind of dispute resolution (when one voter thinks the system has been compromised).

Immediate results protection
Having no intermediate results before the voting period ends is not very significant for a non-absentee voting system. Even if there aren't any practical restrictions to prevent obtaining intermediate results, straw polls in the status quo achieve the same end of producing intermediate results on election day. These are usually accurate, though not so in the 2004 election.

Ease of performing a recount
It should be possible to perform a recount, however it is still very cumbersome to do so. There's human error involved and it may be unclear when it's necessary for a recount. But these problems don't deny that it's possible for a recount to be performed in theory.

Usability
While there are costs associated with voting this way, it's not that much more complicated than normal optical scan voting (plus, it may motivate more people to vote if they can be assured that their votes will count). The authors concede that many people won't use the verification system, but universal adoption may not be necessary: even if only a small number of voters verify their ballots, it would be beneficial.

Infrastructure attack protection
Not addressed - Helios isn't intended for high-stakes elections and it's not worth it for them to spend a lot of money to protect against giant DoS attacks.

Outsider hacking protection
Someone would have to compromise Helios itself which is unlikely given the small scale of elections. Even then, it would be easy to catch if this was going on - voters/auditors can verify that votes are counted correctly.

Malware and virus protection
Few people would go to the trouble of programming a virus specifically to vote in elections over Helios. Auditing serves as a defense against viruses, as does the server (which emails the voter with a confirmation of his or her encrypted vote).

Man in the middle attack protection
This would be somewhat difficult because, due to encryption, an observer wouldn't know the content of a voter's choice. They could try to intercept and then not send the message but that would be noticeable - the voter wouldn't get confirmation of their vote being recorded. Further, there exists a means to audit election results. Of course, this system isn't perfect but it's good enough for low-stakes elections.

Insider attack protection
This is Helios's job. On small elections it's likely that Helios can be trusted to not be corrupt - in the worst case it's noticeable by auditors/voters.

Coercion resistance
Helios is designed for "low-coercion elections" so the coercion problem isn't addressed. In fact, Helios contains a "coerce me" button which sends all the relevant info to an adversary (but this is designed to promote knowledge of how "coercible" voters are under a system like VBM).

Ensuring one person, one vote
The administrative user is in charge of adding and removing users at will. Only these users are allowed to vote, and auditing ensures this.

Counting and tallying accuracy
Auditability ensures that votes are tallied accurately. A verification program re-performs the tally to ensure that it was correctly performed. This suffices for local elections.

Voter anonymity
As Ben Adida writes, "Once the voting period ends, Helios enables the anonymization, decryption, and proof features for the admin" (http://www.usenix.org/event/sec08/tech/full_papers/adida/adida.pdf). The admin isn't in control of the servers running the election, which makes it harder for them to learn such information about the content of people's votes.

Voter verifiability
Anyone can audit the results of an election on Helios - votes are placed next to a voter ID, and voters have a receipt with which they can verify the results.

Immediate results protection
The administrator can't access results until the voting period ends.

Ease of performing a recount
Voters can audit their ballots to ensure that their vote was cast correctly. This is sufficient for small elections where voters can directly go and talk to those in charge of running the election. Also, an auditing system re-performs the tally so voters can be assured that their votes were counted.

Usability
Registration is as easy as registering on a typical website. But this is in part because the system's security is relaxed.

Transparency
Voters have to trust Helios in order for the system to work. It would be impractical for the organizers of a local election to have to visit Helios' data servers to check that the correct software is running.

Infrastructure attack protection
Basic infrastructure is needed for voters to vote using an electronic touch-screen system. The power must be on, and the equipment must work flawlessly.

Outsider hacking protection
From the FAQ: "the integrity of the system is always preserved... consider the unlikely, worst-case scenario where a hacker gets full control of both the software and all the secret keys of the system. Even in this case, the system guarantees that if the hacker tries to change the posted votes or the tallied result, then auditors would detect the attempt and reveal the forgery. Thus, if the elections pass audit and are successfully verified by voters, then.... the election results are correct."

Malware and virus protection
Wombat's machines would still be vulnerable to malware, if someone could break into the physical machines themselves. However, it counters this both because there is an auditable paper vote record and because there is end-to-end voter verification. Though neither system is perfect by itself, this two-pronged solution is probably the best around in the status quo.

Man in the middle attack protection
There's not really an equivalent except for tampering with the data from the machines after the voting period is over (or during the voting period). This is mitigated by the paper records and the auditing system.

Insider attack protection
If the wrong software is installed then when the "audit button" is pressed the machine might not be able to reveal the randomness used to encrypt the vote. The only way the election could be "stolen" is if an adversary controlled both the voting machines and the ballot box server. That would be problematic under any system.
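The audit-button check described above, as an added example (not Wombat's code): the machine prints the encrypted ballot first, and on audit must reveal randomness that reproduces exactly that ciphertext for the vote it showed the voter. Exponential ElGamal over a toy group stands in for the real encryption scheme as an assumption, and all class and function names are hypothetical.

```python
import secrets

# Toy group, constructed for this example and far too small for real use:
# P = 2*Q + 1 with P and Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4


def keygen(secret: int) -> int:
    """Election public key for a given secret exponent."""
    return pow(G, secret, P)


def encrypt(pub: int, vote: int, r: int) -> tuple:
    """Exponential ElGamal: (G^r, G^vote * pub^r) mod P."""
    return pow(G, r, P), (pow(G, vote, P) * pow(pub, r, P)) % P


class Machine:
    """Voting machine that commits to a ciphertext before cast-or-audit.

    flip_to models wrong software: the machine encrypts that candidate
    instead of the one the voter selected and saw on screen.
    """

    def __init__(self, pub: int, flip_to=None):
        self.pub = pub
        self.flip_to = flip_to

    def prepare(self, vote: int) -> tuple:
        """Encrypt and print the receipt; the voter has not yet chosen cast or audit."""
        self._shown = vote
        self._r = secrets.randbelow(Q - 1) + 1
        encrypted = vote if self.flip_to is None else self.flip_to
        self.receipt = encrypt(self.pub, encrypted, self._r)
        return self.receipt

    def reveal(self) -> tuple:
        """Audit button pressed: disclose the displayed vote and the randomness."""
        return self._shown, self._r


def audit_passes(pub: int, receipt: tuple, claimed_vote: int, r: int) -> bool:
    """Auditor recomputes the ciphertext and compares it with the printed receipt."""
    return encrypt(pub, claimed_vote, r) == receipt


def opening_exists(pub: int, receipt: tuple, claimed_vote: int) -> bool:
    """Exhaustive search (feasible only in the toy group) for any randomness
    that would make the receipt an encryption of claimed_vote."""
    return any(encrypt(pub, claimed_vote, r) == receipt for r in range(Q))


if __name__ == "__main__":
    pub = keygen(123)  # constructed secret exponent
    for label, machine in (("honest", Machine(pub)), ("wrong software", Machine(pub, flip_to=0))):
        receipt = machine.prepare(1)  # voter selects candidate 1
        shown, r = machine.reveal()
        print(label, "| audit passes:", audit_passes(pub, receipt, shown, r),
              "| any valid opening:", opening_exists(pub, receipt, shown))
```

An audited ballot is spoiled rather than cast, and the machine cannot tell in advance which receipts will be audited.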

Coercion resistance
Voters have no knowledge of the information that their code contains, except that it records the same value as the traditional paper ballot.

Ensuring one person, one vote
Polling place officials are entrusted with making sure voters only vote once.

Counting and tallying accuracy
It should record votes accurately both because the voter is given confirmation of who he or she is voting for and because there is a paper ballot record.

Voter anonymity
In the worst case scenario privacy can be breached. But this is unlikely to occur - no one can reveal someone's vote without knowing the secret private key which would be very hard for even an adversary to obtain.

Voter verifiability
Voters can verify that their vote was transmitted correctly from the voting machine to the ballot box server. Auditing is used to ensure that votes are cast correctly.

Immediate results protection
Having no intermediate results before the voting period ends is not very significant for a non-absentee voting system. Even if there aren't any practical restrictions to prevent obtaining intermediate results, straw polls in the status quo achieve the same end of producing intermediate results on election day. These are usually accurate, though not so in the 2004 election.

Ease of performing a recount
Wombat voting provides the tools necessary to perform a recount without getting voters to vote again. This is because there is an auditable paper record of votes. Depending on how the paper ballots are set up this could be very efficient - i.e. as efficient as optical scan voting.

Usability
The system seems to be easy to use. There are a few issues that would have to be addressed in its implementation, however (for example, elderly individuals might find it hard to read and use these touchscreen systems.) Regardless, the general public shouldn't have too much of a problem voting and verifying their votes with this system.