Features of VoteHub

The VoteHub mobile voting system makes absentee voting more accessible and secure with advanced cryptography that is end-to-end verifiable so voters can verify their ballot is recorded, cast, and counted correctly, and the public can verify the election is secure. Here's an overview of the VoteHub system along with some key features.

System Overview

Key features of VoteHub include:

Mobile voting application available through iOS and Google Play Stores.
Fully accessible and compliant with WCAG 2.2 requirements.
Digital voting engine secured with end-to-end verifiable homomorphic encryption and an immutable hash chain that protects the integrity of every vote.
Multi-factor voter verification, including through the use of one-time access codes as well as traditional signature verification, to ensure only eligible voters can vote.
Election Admin web application that enables election officials to set up, configure, and manage elections.
Signature verification system that enables election officials to perform on-screen signature verification.
Off-line ballot decryption in a fully air-gapped local area network to ensure no tampering with cast ballots once they are decrypted.
Compatible with auto-duplication software to generate machine readable ballots capable of being read by any proprietary election system software.
Easy-to-use ballot verification tools that make it easy for voters to independently verify their ballot is recorded and cast correctly. User testing found an average 46% of voters performing independent verification checks, and as high as 60% of blind users performing checks.
Academically reviewed cryptographic protocol built on 20+ years of research.
Distributed trust to protect the integrity of the election.
Fully auditable and publicly verifiable through a public bulletin board displaying all activity logged in the digital voting system.
Produces a paper ballot for tabulation, recounts, and audits.

More Efficient Election Administration

Learn more about the benefits for Election Officials and how easy it is to set up and manage an election in VoteHub.

Voting with VoteHub

Learn how voting with VoteHub works.

Research and Case Studies

Learn more about how VoteHub compares to other voting options and how VoteHub protects the security of elections.

Detailed Design Artifacts

(coming soon)

View the cryptographic protocol, system architecture, and design documentation.

Frequently Asked Questions

How do you protect against hacking?

As an end-to-end verifiable voting system, VoteHub has been designed and built to not only be resistant to successful attacks, but to also ensure any attack is detectable and does not threaten the integrity of the election. VoteHub undergoes regular and rigorous security testing to ensure it is resistant to successful attacks. Testing includes a public vulnerability disclosure program that enables researchers to find and report vulnerabilities so we can continue to improve VoteHub and prevent attacks. With end-to-end verification, VoteHub also ensures that voters and the public can independently verify the system is working and no attacks compromise the integrity of the election. Voters can verify their ballot is recorded, cast, and counted correctly using independent tools, and the public can verify the system is working through publicly viewable activity logs showing all activity in the digital voting system. This level of transparency does not exist in traditional voting and provides greater transparency that can help ensure confidence in the election.

How do you prevent voter fraud?

VoteHub mitigates the risk of voter fraud following the same process used for by-mail voting. Voters sign affidavits and provide identification as required under local jurisdiction rules. Signatures are then verified by election officials, following the same process used for traditional by-mail voting. VoteHub also provides a multifactor authorization tool to authorize voters to submit a digital ballot. The system delivers a one-time access code to the email address in the voter's registration record, providing an added layer of protection against voter fraud or voter impersonation.

How do you protect voter privacy and ballot secrecy?

The system is designed to protect voter anonymity throughout the voting process in the same way voter privacy is maintained in other forms of absentee voting. The VoteHub app does not store or retain any data whenever a voting session ends, whether through a successful ballot submission or because the voter exits the app. That means no voter identifying data or ballot selections are stored by the application outside an active voting session. When digital votes are submitted to the digital ballot box, the voted ballot and affidavit are encrypted separately. Election officials will be able to decrypt just the affidavit in order to perform signature verification to ensure the eligible voter submitted the ballot. The marked ballot remains encrypted during this process, much like voted paper ballots remain in sealed envelopes during signature verification with physical absentee ballots. Once signatures are verified, the digital ballot box will record which ballots are accepted for counting. This process is also published on the public Digital Ballot Audit Site. When it is time to export, decrypt and print digital ballots for tabulation, the accepted ballots are exported and moved offline before they are mixed to protect voter anonymity and then decrypted for printing. Any identifying information about the voter is removed from the digital ballot before it is decrypted and printed, much like a physical ballot is removed from the return envelope and separated before it is tabulated.

How do you protect against denial of service attacks?

VoteHub is deployed using cloud services and tools to mitigate the risk of a successful denial of service attack. There are excellent tools like CloudFlare that are used in every industry to identify and mitigate the impact of a successful denial of service attack. If an attack occurs, services like CloudFare can isolate the suspicious traffic and ensure any service down time would last minutes, if not seconds. It's also worth noting that other voting methods have well known risks to service availability. For example, in-person voting carries the risk of long lines, closed polling places, power loss, bomb threats, weather and transportation hazards, staffing shortages, ballot shortages, etc. Similarly, by-mail voting risks lost or misdelivered mail, loss of ballot drop boxes, voter intimidation at drop boxes, misprinted ballots, etc. VoteHub would help mitigate the risks in other voting options, helping to ensure every voter can still access and cast a ballot.

With trust in election results low, wouldn't VoteHub make it even easier for people to call the election results into question?

VoteHub gives the public more evidence, not less, that the election is correct. In every voting method, there is a risk that voters will question whether or not the system is recording or counting their vote correctly. In traditional voting systems, voters and election officials have limited evidence to verify everything is correct. Voters can raise questions about whether the system is working, and election officials have limited means of verifying whether or not voters' claims are correct. This risk also exists with digital absentee voting, but in this system, voters and election officials will have additional evidence available to verify if everything is correct. Voters can verify if their ballot is recorded correctly by performing a ballot check. If they detect any problem, they will be directed to use a different return method, including requesting a paper ballot by mail or printing and returning a ballot marked in the voting app, which they could then verify is printed correctly. If a problem is detected, voters are also directed to report it to their election official, who can use the evidence to determine if there is a wider problem with the voting app or digital ballot box. Similarly, after a ballot is submitted to the digital ballot box, voters receive a ballot tracking code that they can use to verify the ballot was received correctly. If there is any problem, their ballot tracking code will return an error that can also be reported to election officials. Election officials will be able to detect if the problem is valid by using the voter's tracking code and accompanying digital signatures, and can use the codes to isolate the affected ballots and notify any other potentially affected voters. And with a public activity log displaying all activity in the election, from the moment the election is created to the moment the last ballot is extracted for counting, the public has more evidence that everything is working correctly than is available in other voting options.

Won't VoteHub make it easier for foreign governments to interfere in elections?

The 2016 Presidential Election proved that foreign interference does not require foreign governments to breach election systems used to record or count ballots. Rather, they were able to sow doubt and discord in our democracy simply by spreading mis- and dis-information on social media. In 2020, election disinformation created a crisis of faith in our democracy, resulting in the events of January 6th and ongoing threats to election officials and distrust in the results of elections. But 2020 proved that foreign governments pose less of a threat than people in our own country. VoteHub does not introduce new risks not already present in election systems. No voting system is immune from disingenuous cries of fraud without evidence. It is true that the internet provides an opportunity for bad actors to try to attack elections and ballots and at a broader scale than reasonably feasible in existing voting options. But VoteHub was designed to ensure that any cyber threat is detectable, regardless where they originate. And as an end-to-end verifiable voting system, VoteHub enhances the evidence available to voters and the public that the results of the election are correct, potentially mitigating the risk that the results of the election can be so easily called into question. VoteHub may even assist election officials fighting misinformation as it provides a direct communication tool to voters through which they can provide accurate and trusted election information.

How do you ensure malware doesn't change votes?

As an end-to-end verifiable voting system, VoteHub provides tools for voters to verify at every step that their ballot is recorded, cast, and counted correctly and nothing is secretly changing their vote. To protect against malware on the mobile device used to vote, voters are encouraged to perform the ballot check using a separate device to verify their ballot is recorded and encrypted correctly before casting. Once a ballot is cast, voters can verify it is received correctly, giving them evidence that their ballot has not been tampered with while in the digital ballot box. And with a public activity log displaying all activity in the digital ballot box, the public has evidence that there is no tampering or threat to the encrypted cast votes. Ballots are decrypted offline, in an air gapped local network protected in the same way as other election equipment, mitigating the risk that malicious software could change ballots undetectably.

The ballot check seems too complicated. Will voters even use it?

Surprisingly, we only need a small number of voters to perform the ballot check to be confident that if there was a problem, we'd find it. In fact, some experts have said that as few as 5% of voters need to perform the check to be confident a problem would be found. In user testing of VoteHub, an average 46% of voters have been performing the ballot check, far exceeding the goal of 5%. And user testing found that over 60% of blind voters were able to successfully perform the check.

Wouldn't coercion and vote selling be more common with VoteHub?

Voter coercion, intimidation, and vote selling are all prohibited by federal law. And most states have also enacted laws making voter coercion and intimidation a crime. There is no evidence to suggest that coercion is more pervasive with mobile voting tools like VoteHub. In fact, VoteHub may help to prevent existing forms of voter intimidation and coercion. Most examples of intimidation are related to in person and by mail voting: For example, in 2020, a robocall scheme targeted predominantly Black neighborhoods in Illinois, Ohio, Michigan, New York, and Pennsylvania that attempted to frighten voters that their personal information would be given to the police if they voted. And in 2022 in Arizona, vigilantes, sometimes armed, staked out ballot drop boxes in an attempt to intimidate voters when dropping off their ballots in the midterm election. VoteHub would mitigate the risk of these types of voter coercion and intimidation since the voting process can be completed entirely in private.

Wouldn't VoteHub make it possible for a hacker to just delete all the ballots?

VoteHub was built and tested to be resistant to any type of attack. But if an attack occurred, the impact would be reduced for several reasons. Election officials are able to export ballots regularly for off-line decryption and printing, mitigating the risk that such an event would successfully delete all ballots in an election. If any ballots were subject to an attack, election officials would be able to contact voters impacted to give them alternative methods to vote. Voters could also detect the problem through the ballot tracking process and public activity logs. It's also worth noting that disruption events occur in other voting methods that require contingency planning. The same can be offered with VoteHub.