Slashdot Mirror
Building a Better Voting Machine
edmicman writes "Wired News has an interesting article about what would make the perfect voting machine: 'With election season upon us, Wired News spoke with two of the top computer scientists in the field, UC Berkeley's David Wagner and Princeton's Ed Felten, and came up with a wish list of features we would include in a voting machine, if we were asked to create one. These recommendations can't guarantee clean results on their own. Voting machines, no matter how secure, are no remedy for poor election procedures and ill-conceived election laws. So our system would include thorough auditing and verification capabilities and require faithful adherence to good election practices, as wells as topnotch usability and security features.'"
... and when it's pronounced secure etc. - burn it to a ROM and disable any access to it which doesn't require at least a crowbar.
After the vote, have the machine print out the total.
Ignore this signature. By order.
For those who are interested in seeing a proper voting system put together, check out the Open Voting Consortium. They have a free, open-source voting platform that addresses all of the concerns. It has a verifiable paper trail as well as support for blind users and multiple languages.
I personally have donated money to this organization and believe they are doing the right thing in addressing the current mess we have now.
Their paper trail has a really nice feature in that it also prints a bar code for a quick machine recount of the ballots as well as a human readable output.
-Aaron
This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
At the end of the article they mention David Chaum's method of voter verifiable elections. I first saw this several years ago in graduate school (I believe I was reviewing an earlier version of the paper for a conference). It is a gloriously beautiful protocol, far beyond what I ever hope to see implemented in my lifetime. :( I suggest you take a look, I will look at the version referenced in the article again tonight as the exposition is considerably clearer than the version of the work I read (dumbed down a bit for a mass audience).
What you suggest is similar to the proposal via the Open Voting Consortium.
The differences are in that in the OVC approach only the results of a voter's selection are printed onto the generated paper. (We don't use pre-printed papers except that we use marked papers so that it is possible to distinguish between fake ballots that are printed elsewhere and valid ballots printed in response to a real voter's choices.)
The reason why the non-selected choices are not printed is mechanical - to keep the voter's selections on one sheet of paper.
Yes, multiple pages could be printed, each bearing the election idenfication information. This increases the issue of paper handling. One of the biggest problems with these machines are printers (not adequately reliable, need supplies, tend to draw a lot of power, take so long that the voter might walk away, print on papers that are not mechanically strong enough to withstand fast scanning by the vote counting equipment, etc) Remember this stuff has to work in conditions that range from 0% to 100% humidity and with power that is downright awful delivered through building wiring that may date from days of Edison and Tesla.
But overall, I agree with you that the right approach is to consider the voting machines to be ballot marking machines, with variaions to fit the needs of physically disabled voters - and that the paper that is generated is "the" ballot and becomes valid only when physically inserted into a ballot box.
Every time this comes up, I propose the same idea, but each time it gets a little more fleshed out.
0. The voter completes whatever identification/registration/whatever steps required before being allowed into the actual voting room where...
1. The voter receives a numbered (in an OCR friendly font, see below) blank ballot and is directed to the voting booth. The number indicates both the voting location and the sequence that the cards are issued. If ballots run out, voters are asked to wait while more are printed and delivered.
2. The voter inserts the ballot into the electronic voting machine until a green light comes on. Diagrams illustrate the right way to do this, a notch in one corner prevents the voter from continuing until he/she figures this step out. Red light if they fail to do it wrong (labelled "WRONG" for the colorblind, buzzer for the blind though they will probably have someone load the ballot for them) to prevent them from trying to jam it in harder.
3. The machine displays the ballot in the selected font size or reads the ballot to the blind user.
3a. Each race is displayed separately with the candidates below it in a column. (or "For" and "Against" for appropriate referendums, etc.)
3b. The user selects a candidate using up and down buttons, then presses the "Vote" button to select that.
3c. Their choice is now highlighted on the screen (and read to them).
3d. The user presses the "Next" button to move to the next race. Or presses the "Finished Voting" to indicate that they will will not vote in the remaining races. Loop to 3a until there are no more races or the user presses Finished Voting.
4. A list of races and the selected candidates appears, the user can move up or down and see each race (have it read to them) and if they wish to change their mind, they can press the "Vote" button to return to that race and change their vote (See 3). User presses "Finished Voting" again to indicate that they are done (5 second delay required to prevent accidentially bouncing the button).
Easy enough right? Now...
5. The ballot card is fed through the machine's printer and printed in rows, with each row containing one race. Columns are the name of the race, the selection for that race, and a pattern designed for optical recognition. Each option has a unique code consisting of the code for that race plus a code for the candidate (to prevent misaligned scans) as well as codes for "no vote" and "write-in".
6. Voter fills in any write-in positions.
7. Voter reads the ballot card, and if there is a mistake, the voter presents the ballot to the site overseers who
7a. Record the ballot number as destroyed and then
7b. Destroy the ballot and issue a new one. Go back to 2.
8. Voter places ballot in ballot box and goes home, proud to have done his civic duty.
Lather, rinse, repeat for thousands of voters. The numbered ballots tell us two things: 1) Are there any missing ballot boxes and 2) are there any extra ballot boxes.
8a. At the end of the day, the election observers record the lowest numbered unused ballot and destroy the remainder.
9. Ballot boxes are delivered to a counting station.
10. Ballots are dumped out, stacked up with the notches aligned, and each stack is counted in total
11. The counted stack is then fed through an optical sorter set to sort the possible options for the first race into bins, one bin per candidate, one bin for all write-ins, one bin for no-votes.
11a. Run each candidate's bin individually through the counting machine.
11ai. Election observers spot check stacks by flipping like a flipbook and watching to see if the optical pattern being counted changes.
11b. Count write-ins by hand
11c. Run the no-vote stack through the counting machine....
11d. and make sure the votes add up.
12. Report the total to the next higher up official.
Lather, rinse, repeat for all of the stacks.
Why is this superior? First off, let's look at the actual counting: The counting machine doesn't k
If I have been able to see further than others, it is because I bought a pair of binoculars.
VoteHere is open source. I believe that it is a secure system even though I haven't analyzed the code personally. Further, its design and implementation adhere very well to the 'trust no one' concept that is one advantage of open source (the crucial one in this context).
With this software, which I think will run on most or all of the machines that have already been purchased by all states, each vote is encoded, encrypted, and published (online) with each step of the process mirrored in an auditable backup channel. Voters don't need to trust local authorities' honesty and capability because they can check for themselves whether their vote was counted via their encrypted receipt. But no one can determine the content of specific votes unless they gather all the decryption keys to themselves. VoteHere
Ok, voting machines cannot be guaranteed to be bullet-proof. Anyone who knows a decent amount about computer software & hardware gets that.
But why is it so hard to envision a simple audit trail to absolutely guarantee the authenticity of any election?
1) Make sure every voting machine spits out a paper receipt with a unique transaction number and the vote(s) recorded.
2) Make public a web site that displays *every* receipt number and its vote(s). Ok, it might be 300 million database records, but a simple menu across the top will let anyone drill down to their receipt number and confirm their vote was recorded correctly. We'll file this exercise as each Citizen's Responsibility. (It's important to note that having a citizen enter a receipt number to see those particular ballot results will not be secure since it would take a different path through the web site software, and also reduce anonimity).
3) Democracity loving geeks everywhere will write code to scan that (huge) web site and confirm the final totals.
It seems so simple. What am I missing?
- The Kessel run is for nerf herders. I can circumnavigate the entire Central Finite Curve in a lot less than 12 parse
There should inherently be distrust of our election officials, always every time, forever.
If they cant stand an audit, they should not be there.
Ever sell a house? Escrow companies exist because there is something of value
and in the transfer you cannnot trust always the other side. Which is exactly
as it should be. Sell a car? Notice of transfer of liability. Why? Because
you cant always trust the other party involved. Which is the way it should be.
If you buy something you are issued a receipt. Why? Lack of trust. Which is
the way it should be. Your bank sends you statements each month. Repeat as
above. I wont go on, because I have made my point, I hope.
for each $party in America.PoliticalParties
Not OK when $party steals or commits fraud in an election.
next
emt 377 emt 4
So, you are saying:
1. There should be a certain intelligence standard to be eligible to vote.
Yes, that is a thorny issue; but the idea does have some merit. But, you are also saying:
2. Intelligence follows racial and/or age groups.
I heartily disagree, as will many eligible voters.
Oh, and those Southern officials were NOT trying to enforce any form of intelligence standard - they were banning smart blacks, but allowing idiot whites to vote.
Have you seen the skills of the people who tamper with slot machines? They can pop the mahcine open, swap a ROM, and close it up in just a few dozen milliseconds, without triggering the many alarms.
Of course, nothing's perfect, but it's a sad commentary that voting machines aren't at least as tamper-resistant as slot machines.
Socialism: a lie told by totalitarians and believed by fools.