System Usability and User Mental Models of Three Verifiable, End-to-end Voting Methods: Helios, Prêt à Voter, and Scantegrity II
Acemyan, Claudia Ziegler
Kortum, Philip T
Doctor of Philosophy
There are many ways voting systems can be maliciously attacked so that election outcomes are altered. In response, voting security experts developed end-to-end (e2e), verifiable voting methods. These systems were intended to be secure, accurate, reliable, and transparent, while still preserving voter anonymity. What is not clear is if these complex, novel systems, which allow voters to check on their ballots after voting, will be usable by every voter. If voting methods are unusable, negative ramifications like disenfranchisement and altered election outcomes could occur. For this reason, system usability and voter mental models of e2e systems must be understood. To address this lacuna in voting research, three e2e methods representative of voter verifiable technologies were studied: Helios, Prêt à Voter, and Scantegrity II. Four studies were conducted. In the first study, baseline usability data was collected. By having participants vote with each system in a mock election, it was found that the systems were difficult, if not impossible, to use. Only 58% of voters were able to cast a ballot, and fewer were able to verify their vote. In the second study, the behavioral errors that led to ballot casting and vote verification event failures were identified, and potential contributing system design deficiencies were discussed. This study revealed that a few design details were driving most of the observed failures, of which all can be fixed. In the third study, voters’ mental models for each voting system were explored. The data supported the claim that voters did not have comprehensive mental models accounting for how the systems work; rather their models emphasized how-to-vote procedures, which were not always correct. In the fourth study it was asked if voters even wanted to use the verification systems, and if they did, what form of verification they would expect. Sixty-five percent of voters indicated that they would be interested in checking that their ballot was cast. As for the preferred form of verification, there was not a consensus—indicating that a diverse set of expectations will need to be accounted for when developing the systems. In conclusion, the tested e2e systems were not easily usable by voters, fully understood by them, or in a form that voters might have expected. Yet the system problems observed can be fixed, and voters seem to support the idea of auditable voting systems—meaning future effort should be spent improving upon the next generations of e2e systems so that all voters can use secure, accurate, transparent, and reliable voting systems.