Securing Voting Machines

Problem: Record the voter's intent to the voter's satisfaction, do it securely, and do it privately.

Context: The problems with manual counting, paper ballots, punch cards, bowls of marbles, and other labor-intensive voting systems have been well documented.

Solution: Make a machine that can record a voter's ballot and then send that result to a central collection authority.

The overwhelming advantages of using secure, automated vote collection should be obvious to anyone who has followed voting scandals all over the world in recent years. Those who would steal elections are getting more sophisticated; those who would protect the electoral process need to do the same.

---

No discussion of electronic voting and voting machines is complete without reference to the work of Dr. RebeccaMercuri?: http://www.notablesoftware.com/evote.html. It would be wise for contributors to this page to do a little research first so as to make informed observations and contribute worthwhile suggestions to this discussion.

The other site to visit for a broad range of election machine issues is Black Box Voting, http://www.blackboxvoting.org. Please note that there is another site, blackboxvoting.COM, which is not the same and has a different intent altogether.

We need to talk about a limited range of technical matters concerning voting machines and automated vote counting systems, since these boxes are here to stay and we have to make the best of them. There is a deafening silence in the Internet community about the technical solutions to the problems of voting machines.

As these discussions get worked out into finer detail we'll move the resulting consensus over to the spec page.

---

"The citizen has a legitimate right to know, for example, how his vote is computed"

-- Peruvian Congressman Dr. Edgar David Villanueva Nuñez, in his letter "Respuesta a Microsoft", http://ece.clemson.edu/crb/students/vilas/professional/openSource/peruToMicrosoft.htm

---

Operational matters:

• must be easy to figure out how to cast a vote, even for voters with far below "average" IQ.
• A voter should be able to get in, vote, and out in less than ___ minutes.
• Enough machines to handle a peak rate of 1 person every 20 seconds should cost less than ___ dollars.
• The cost of ballots should be less than __ dollars per ballot.

Selectivity (election operations) matters:

• Voting options
  • Yes/No/Abstain (for issues and referenda)
  • Select (n) of (m) candidates
  • Support for up to (n) write-in candidates
• Overvote suppression (voter cannot select more than (n) candidates)
• Undervote confirmation: force selection of "abstain" when < (n) candidates are chosen.
• Configurable victory threshold (for single-machine election. N/A to machines in an array?):
  • Plurality: winning candidate receives more votes than any other candidate.
  • Simple Majority: winning candidate receives more than half of the votes cast.
  • "Super" Majority: Issue passes if more than 2/3 (generalize to any threshold) vote in favor of it.
• Configurable "flag for recount" threshold (default to 1%)

Technical matters:

• anonymity -- it should be impossible for anyone to discover what/who any particular voter voted for. (exception: if 100% of the people in a particular precinct voted a certain way, it doesn't hurt for people to realize that Fred must have voted that way.)
• Once the polling place has closed, [Who ?] should get the final tally within __ hours.
• ... requirements for when power goes out? ...

Issues without borders:

• impossible for any single ("corrupt") person to change the vote "significantly".
• difficult for any small ("corrupt") group to change the vote "significantly". (OK to allow the majority of the voters to change the vote?)
• Easy for any number of people to *read* the final vote totals (after the polling place has closed - is there any way of letting people see the vote totals "so far" without violating the anonymity requirement? Negative - this violates election law all over the place.)

---

Don't have time to read the whole page, sorry. But wanted to toss in a couple of ideas (I hope they weren't mentioned already): You keep the idea of going to a polling station, so we can be sure somebody is keeping an eye on the machines for tampering. Instead of using paper as an entry mechanism, which just seems silly to me in this day and age, you use paper as a receipt mechanism. The person punches in their vote on a machine very similar to the automated movie-ticket machines in theatres. You can even have the person required to enter the vote twice to confirm it, similar to the password changing scheme that's almost everywhere. Then, before the person leaves, the machine displays in big huge letters the name of the candidate, just so there's no confusion, and to give the voter one last time to confirm or restart. "You voted for Bob Dole! Is that REALLY what you meant? Hit this huge obvious button to CANCEL, or press this tiny little button to confirm." Then, the machine prints out your vote on a paper ballot, giving the voter one last chance to confirm that they voted what they really wanted. Then the voter puts this paper ballot in a ballot box so that there is a paper backup to satisfy the luddites. Of course, the vote has already been counted electronically, so the paper really is just a backup system.

---

The solution is not as simple as presented. Real world problem: In the November 2003 election in Virginia, several machines failed. They were taken to a repair site, which was of course out of site of election officials, and then returned to the polling place. A lawsuit was filed contesting the election claiming the voting machines could no longer be considered secure.

The people filing the lawsuit are, of course, totally correct. If the machines were taken off-site and then returned without going through a rigorous validation process then they should have been sidelined for that election. The idea of having an open source, formula specification voting machine is that anydamnbody can run tests on it and know that it is validated for use. All this Diebold and ES&S crap with the tightly closed embedded systems stuff inside is not going to be easy to validate.

---

Things that go wrong in elections are listed at ElectoralEngineering. Are there technical solutions to any of these social problems?

---

This seems to be largely an exercise in circular reasoning. The page starts with statements such as, "The problems with manual counting, paper ballots, punch cards, bowls of marbles, and other labor-intensive voting systems have been well documented." and "The overwhelming advantages of using secure, automated vote collection should be obvious to anyone who has followed voting scandals all over the world in recent years."

If an automated system is to be made secure, one needs to know what the system is being secured against, i.e., what is the list of problems with manual counting, etc.? What are the "overwhelming advantages" that are to be provided? Technology does not solve social problems and I doubt an automated system would reduce fraud, but in fact may increase the potential for fraud. The more the process is hidden from observers, the easier it is to commit fraud.

Yes, that is the reason almost the entire body of suggestions to election commissioners, congressmen, etc., has been for Open Source software on spec voting machines. If a system is testable and verifiable from the outside then anybody and everybody can do the testing and verifying. This makes a system more secure, not less.

---

See: TechnicalSpecificationForVotingMachines, VotingMachineDiscussion

CategoryVoting