How Would You Design the Voting Technology?
Bob Glickstein asks: "Punch-card ballot machines are now universally reviled, and we techies all know the perils of electronic ones. But I haven't seen anyone talk about a better solution. It's gotta be inexpensive, rugged, reliable, accurate, verifiable, tamper-resistant, simple to use, and secret. Verifying a vote tally should not result in TV news images of rooms full of election officials, squinting at ambiguous marks on a piece of paper. What contraption can possibly meet all these criteria?"
Use Scantrons, where you bubble in the answer with a black pen or a #2 pencil. Have the people bubble in their votes, and run them through. This makes reading them very easy, especially since the machines are already in use across the country, and verification is as simple as looking at which one is bubbled.
--That's the point of being root, you can do anything you want, even if it's stupid.
That said, I absolutely insist on machine-readable and hand-countable pen-marked paper ballots. This is the only way to insure both fast and accurate election night returns *and* verifiable beyond-a-shadow-of-a-doubt recount ability. These machines have been manufactured for many years and they *were not* responsible for the Florida cluster-fsk.
"Eve of Destruction", it's not just for old hippies anymore...
Let the results of the election be open for everyone to tally the counts. Assign a voter registration number to each voter, and allow anyone to query the system with that number to find out who they voted for. This would allow for a couple important things:
1. individuals can later make sure their vote was registered correctly.
2. organizations could step through the enumerated voter numbers and publish their own results of the election. They would back up the database in the process.
3. individuals can submit their vote to as many organizations as they want. The groups would then cross verify the votes with their databases.
What to do if someone finds out their vote isn't correct is debatable. I wouldn't allow them to change it, but if there are enough errors then the election needs to be done over again.
There could be a simple web site that takes your vote and submits it to as many organizations as it can.
I don't know what to do about people that don't vote, nor the people that don't verify their vote.
I'm sure there will be millions, and every one of them could be voted without their approval. Yikes. Damn lazy people.
None of this is really important anyway. What the fuck good does voting do when there are campaign finance laws that are only bipartisan.
-metric
Next time you catch a flight, take a look at that boarding pass in your hand, and consider the possibilities it presents for a voting system:
:-)
1) On a touchscreen, choose your candidates, then confirm your vote by pressing the "Vote & Print" button.
2) In the background, your vote is electronically counted.
3) The voting machine prints out your boarding pass / ballot, while also encoding the magnetic strip on the back with the details.
4) The voter can read the printed ballot to confirm it is correct, before dropping it into the ballot box.
5) When the polls close, the ballots are fed through a magnetic reader, and the tally compared to the electronic tally to confirm its validity.
6) If someone challenges the count, then the ballots are manually tallied using the print-out on the front.
The strong points for this system are transparency (you can still see the ballot), redundancy (for printer, magnetic encoder and electronic count to all fail is highly unlikely), clarity (no hanging or dimpled chads), security (you can hack the electronic count, but not the printed one) and cheap ubiquity (every airline clerk has a printer and a stack of cards).
I believe this combines the best features of electronic and paper voting, using each one's strengths to overcome the other's limitations.
If any boarding pass manufacturers choose to implement this, I expect royalties and a cushy seat on the board
I have no doubt that experts will solve the challenges of security and usability that will be presented by electronic voting. Though it's highly doubtful that every state, county and municipality will purchase the same machine, so we're going to face a huge problem with interoperability. There will need to be a method of exchanging these data from disparate sources. How about an XML vocabulary? In honor of the 2000 election, we could call it "dub-yahML". Not to be confused with the wireless markup language.
The most transparent technology there is at the moment for recording votes is for voters to tick boxes (or write numbers) on printed ballot papers and put them into ballot boxes.
In Sweden, we use a simplified version of this. Don't trust the voters with a pen! Each party has their own ballot with their name printed on it. You get them in the mail before the election, you get them when you vote and you have more ballots in your voting booth.
Thus, 99% of all voters don't even need a pen.
The counting is done manually, and is 95% ready just a few hours after the voting is closed.
I would never trust any kind of "voting machine". There is no transparency. Being an engineer, I can see too many ways to cheat with them.
(The exception (1%) is that you still CAN take a blank ballot and vote for whatever party you want, say the Donald Duck party. Those votes get counted too.)
- Each machine is totally independent of all others, and -this is important- not connected to any network. Each machine has a unique serial number, and is equipped with a touch screen, speakers, and a microphone, a button, and a printer.
- The first thing the user encounters is a choice of languages. This is pretty self-explanatory.
- The user is then presented with the list of candidates. Each candidate is presented in sequence, with the presentation consisting of the following:
  - A picture of the candidate.
  - The candidate's name onscreen, rendered however best fits the language the user chose.
  - An audio clip of the candidate saying his or her name.
  The idea behind this whole spiel is to present as many ways as possible for a voter to recognize the desired candidate. In this case, the user has text, visual, and aural cues.
- A voter can select the candidate by touching the screen, pressing the button, or giving a voice command while the candidate is onscreen. Each candidate will be onscreen for six seconds, or the time it takes for the candidate with the longest name to say it plus a second of padding on each side, whichever is greater. This should give ample time to recognize a candidate.
- The user is given a chance to confirm the vote. All their votes are read sequentially, and the user may confirm that this is in fact what they want to do.
- The ballot is printed. It carries a barcode stating what machine it came from, but no information which can be used to identify the voter. This way, if a machine is found to be malfunctioning or compromised, the votes which came from it can be tracked and examined further, but the vote itself remains anonymous.
- A receipt is also printed. This does not carry the vote information, but does carry the barcode for the machine it came from, in case there is need for proof that a voter used a specific machine.
- The voter takes the ballot to the ballot box and casts it.
The idea behind this system is to both maximize security and minimize damage potential. Not networking the machines, for example, does not do terribly much for the security, but does ensure that a hacker could only exploit one machine at a time; to manipulate many machines would take a huge effort. Likewise, the fact that ballots are both machine- and human-readable ensures that the more secure machine counting can be used as a primary system, but hand counts can be used as a fallback mechanism.
That a voter cannot prove how they voted. People seem to forget that during the depression, votes were routinely bought. You marked your ballot, showed it to the large man outside the schoolhouse window, then deposited it. Then you left and got your money. (Or your thumping if you'd promised and didn't.)
People devising electronic voting schemes seem to forget this. It is not nearly enough that a person *can* keep their vote secret; a voting system must ensure that they cannot disclose it.
Anything less opens the door for widespread abuse.
In my state we use optical scan ballots and it seems to be an ideal balance between verifiable paper trail and machine counting. Once the ballot is marked the optical scanning does indeed work well and is very quick.
The ballot is placed inside an opaque folder to hide the actual votes, but an end sticks out. A poll assistant aids the voter in feeding the machine, which sucks the ballot in and counts it. If there's a problem the ballot doesn't get sucked in and corrective action can be taken.
What could be done to improve the process is a screen-based marking station. Do away with the pen and use a touch screen in its place. This would eliminate the "stray mark" problem.
After a voter touches up a ballot, print it out in the booth. Voter then verifies it and submits it to the counting machine. If the ballot is incorrectly marked the voter would take it to the poll taker as a spoiled ballot and have it destroyed and try again.
This two-phase process has the added benefit of increasing the difficulty of hacking the system, since there are now two separate components instead of a single box to compromise.
I think I have this nailed.
First and foremost, I believe everything has its place. I think that zealots that think that EVERYTHING should be run in Linux or EVERYTHING should be open sourced are nuts.
Everything has its place.
And the electronic voting booth just screams for open source.
That is where I would start. I am closed minded to any company or individual that won't go open sourced on these things.
If I was in charge I would offer the electronic voting booth contract in the same fashion that the Navy has 'fly offs' for new jet contracts.
I would find a company, or three and give them my requirements for the voting booth. I would ask them to design something to my specifications and it must be open source.
Then I would put up a challenge to the Linux community. I would post the same requirements that I gave those companies on the net and look for some people to put together a free software open source voting booth.
In a year I would do the 'fly off' (or vote off, sans actual election) and either pick the free software project or one of the companies.
That is part one of my plan.
The second part is my security requirements.
At some part in either the registration process or possibly at the polling place (or even both) the voter is issued a blank smart card. The card contains no personal information either digitally or printed on the surface.
The voter goes to vote.
When they cast a vote the computer tallies it up in memory (naturally) and then they are issued a paper receipt.
The paper receipt does not need to contain any personal information either. It does need to list who the person voted for in clear bold English. A senior citizen should be able (and encouraged) to read the receipt to see that no mistakes were made. Also on the receipt is a bar code to aid in computer tabulation.
At this point the smart card comes into play.
Here is where the smart card gets, well smart.
It is totally optional. If someone leaves the card at home, or is opposed for any reason they don't need to use it.
The user inserts the smart card and some information is stored on the card.
**note** Feel free to add suggestions to this, I am not a comp sci person at all. I came up with this on my own***
The information is something like this:
1. The exact time that the card is written to.
2. The number of voters to have used the machine that day.
3. A hash file representing the exact size of the program data on the machine (like you would use to double check a file you would get off of usenet)
4. A running total of all the results of the voting on that booth so far.
Finally all this data is secured with a key that is kept private in the voting booth itself. I would make it a law that once the elections ended the key had to be made public.
Here is what I am accomplishing:
1. You can always do a normal tally and not worry about my back ups. If everything appears normal and people are happy then there you go.
2. If recounts are asked for they can be easily accomplished by using the paper receipts from the voting machines. If someone cries foul at the bar code they can read the type on the receipts.
3. If people are still crying foul - the voters keep the smart cards. Since every machine has a different key and all keys are public as soon as the voting is done then it is a simple enough matter for independent programmers to verify the votes on their own.
But what most people will do is go back to the polling place and swipe the smart cards into a reader. The reader will record the information and produce a graph showing the real time voting that happened at each booth. Sans personal information (thank you very much).
In the event that someone tries to cheat the system it will be obvious. Even if someone reencrypts the card they will show up like a sore thumb next to the next card that is read (see... we did a running tally of the votes.
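Added example, not part of the comment above and not code from any real voting system: a sketch of the post-election card audit the comment describes, showing why a card re-sealed with the published key still stands out against the next card read. The record layout, the use of HMAC-SHA256 as the "key", the function names and all sample values are assumptions made for illustration.

```python
import hashlib, hmac, json

def seal(key, record):
    """Booth side: attach an HMAC-SHA256 tag to one card record."""
    body = json.dumps(record, sort_keys=True).encode()
    return {"record": record, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def audit(cards, published_key, expected_program_hash):
    """Check one booth's cards after the key is public; return (voters, problem) findings."""
    findings, valid = [], []
    for card in cards:
        rec = card["record"]
        if not hmac.compare_digest(seal(published_key, rec)["tag"], card["tag"]):
            findings.append((rec.get("voters"), "bad tag"))
            continue
        if rec["program_hash"] != expected_program_hash:
            findings.append((rec["voters"], "program hash mismatch"))
        # Assumption: one contest, one vote per voter, so totals sum to the count.
        if sum(rec["totals"].values()) != rec["voters"]:
            findings.append((rec["voters"], "totals do not match voter count"))
        valid.append(rec)
    # Cards are optional, so the sequence has gaps; compare each card to the next one held.
    valid.sort(key=lambda r: r["voters"])
    for prev, cur in zip(valid, valid[1:]):
        if cur["time"] < prev["time"]:
            findings.append((cur["voters"], "time goes backwards"))
        if any(cur["totals"].get(name, 0) < n for name, n in prev["totals"].items()):
            findings.append((cur["voters"], "running total decreased"))
    return findings

def demo():
    """Constructed sample: three honest cards, then one re-sealed with the public key."""
    key = b"constructed-booth-key"  # placeholder, published after the election
    prog = hashlib.sha256(b"constructed booth program image").hexdigest()
    def card(t, voters, a, b):
        return seal(key, {"time": t, "voters": voters, "program_hash": prog,
                          "totals": {"A": a, "B": b}})
    honest = [card(100, 2, 1, 1), card(200, 5, 3, 2), card(300, 8, 5, 3)]
    forged = [honest[0], card(200, 5, 1, 4), honest[2]]  # valid tag, altered totals
    return audit(honest, key, prog), audit(forged, key, prog)

if __name__ == "__main__":
    print(demo())
```

The finding names the later card of the inconsistent pair, so an auditor would examine both it and the card read just before it.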