Usability of Voter Verifiable, End-to-end Voting Systems: Baseline Data for Helios, Prêt à Voter, and Scantegrity II

In response to voting security concerns, security researchers have developed tamper-resistant, voter verifiable voting methods. These end-to-end voting systems are unique because they give voters the option to both verify the system is working properly and to check that their votes have been recorded after leaving the polling place. While these methods solve many of the security problems surrounding voting with traditional methods, the systems’ added complexity might adversely impact their usability. This paper presents an experiment assessing the usability of Helios, Prêt à Voter, and Scantegrity II. Overall, the tested systems were exceptionally difficult to use. Data revealed that success rates of voters casting ballots on these systems were extraordinarily low. Specifically, only 58% of ballots were successfully cast across all three systems. There were reliable differences in voting completion times across the three methods, and these times were much slower than previously tested voting technologies. Subjective usability ratings differed across the systems, with satisfaction being generally low, but highest for Helios. Vote verification completion rates were even lower than those for vote casting. There were no reliable differences in ballot verification times across the three methods, but there were differences in satisfaction levels, with satisfaction being lowest for Helios. These usability findings— especially the extremely low vote casting completion rates—highlight that it is not enough for a system to be secure; every system must also be usable. INTRODUCTION For centuries there has been a desire for auditability in elections. In mid-19 century America, groups of voters stood in public venues and called out their ballot choices to the election clerks, while a judge tallied the votes (Jones, 2001). The advantage of this voting method was that anyone could listen to the vocal expression of preferences and keep their own vote count, which prevented practices like ballot box stuffing. While this oral voting method may have increased the accuracy of vote counting, voters’ desire for privacy was not addressed, enabling bribery and coercion. In response, during the late 1800s, voting jurisdictions began to introduce the use of the secret, Australian ballots that listed all the candidates for the same office on the same sheet of paper (which was issued to voters at the polling station) and guaranteed voters privacy in preparing ballots inside a booth (Brent, 2006). This voting system ensured that voters prepared their own ballot expressing their intent while preserving anonymity. Yet this voting method was not perfect; there was not a means to audit the election—leaving a long-standing tension between auditability and privacy in elections.