An Electronic Voting Machine proposal
If your facts and logic are convincing, I'll change my mind !
Electronic voting machines are not evil !
It is quite possible to have an
electronic voting machine system that is more open, auditable and reliable
than the current non-electronic voting systems.
What a voting system should accomplish:
- Verify voter's ID.
- Prevent coercion or exposure of the voter's choices (secret ballot).
- Record the vote reliably and accurately.
- Count votes accurately.
- Provide an audit trail, and ways of recounting.
- Good access for impaired voters (visually impaired, elderly, etc).
- More options for all voters (touch-screen, single button to vote straight party line, etc).
- Provisional voting (voter's eligibility to be confirmed later).
- Absentee ballot (voting from distance).
- Early voting.
- Voting from any location (no need to go to a specific precinct). This could require a single machine to support
multiple different ballots simultaneously.
- Ballot sanity-checking before finish (check for choosing wrong number of candidates, forgetting to choose anyone in some race, etc).
- A greener voting system (less paper consumed, less travel to vote).
- Least amount of trust needed to be assured that process is accurate.
- Great amount of redundancy and cross-checking.
Today's voting systems don't accomplish most of these goals.
For example, paper ballot systems have mechanical problems in counting, require trusting the machine (the paper is used only in one step),
give bad access for visually impaired or elderly, don't provide multiple options for voters, don't allow voting from
any location, aren't "green" (require travel to polling place), don't have redundancy and cross-checking.
Absentee ballots don't prevent coercion, don't record votes reliably (can get lost in mail, no confirmation),
and have most of the problems of paper ballots.
Today's electronic machines require trusting or internal-auditing a very complex machine.
Disadvantages of a purely pen-and-paper system:
Paper is hard to transport and store and recount. It doesn't provide multiple UI's, such as for the blind.
It can be manipulated (extra ballots added, valid ballots discarded). It can be damaged or lost accidentally (fire, physical collision, etc).
You have to print and manage unique paper for each precinct. If there's an error or change, you have to throw away paper and print again.
It generates waste.
Voting has two parts to it:
- The "front end": what does the voter see to make choices ? A touch-screen,
a punch-card, an optical-scan card, etc.
- The "back end": what comes out of the machine when the voter is done choosing ?
How is the vote recorded and maybe recounted ?
Voter gets an encrypted paper receipt after voting, and can use it then or later to verify vote
was recorded accurately, and made it into central database. A single polling place can use a mix of machines from different
manufacturers. Vote-recording and vote-verifying machines must be from different manufacturers.
Only the internals of the central vote-counting machine need to be trusted or expert-verified;
no need to look at internals of the individual vote-recording and vote-verifying machines, because
they are used to check each other.
How the "front end" of electronic voting should work:
- At the polling place, there are any number of "voting" machines, perhaps made
by one manufacturer, or made by multiple manufacturers, offering only one user interface,
or offering many different choices of user interface. You could choose which machine you
want to use. Each voting machine could present an electronic touch-screen to the voter, could
present a panel of LED strips and buttons, could present a paper poster with levers next to names,
could accept a punched-hole ballot card, could accept an optical-scannable ballot card.
It could let the user choose any language (English, Spanish, etc).
Could support Braille.
- The machine lets you make your choices, then it prints
out a paper "receipt" that you take with you, and another paper receipt (minus voter ID information) that gets stored
at the polling place in case of a recount. The two receipts can be handed to the voter first,
so the voter can check that the votes on the two are identical. The machine also stores the vote (minus voter ID information) electronically inside
itself, to be counted at the end of the day, as usual.
If a "voting" machine's receipt-printer jams or runs out of paper,
the voter doesn't budge until the printer is fixed or replaced, and two valid receipts are printed.
It's exactly what would happen when buying a lottery ticket. In fact, there could be a
"receipt received" button that the voter pushes to finish the voting process, and the
vote does not get stored in the machine until the voter presses that button.
- The paper receipt is like a lottery ticket, in that it shows
a big encrypted string of numbers or letters, maybe 100 digits long.
Might also have the same info in a big bar-code. And might show
the state, county, precinct and election date in plain text. [The receipt does not
show your ID or votes in plain text.] Something like
(from Vote and Verify).
- The encrypted string on the receipt includes all of the election info
(state, precinct, voting machine number, time-stamp, etc),
the voter's ID info (registration number, ID info, etc), and all of the
- Right after you get your receipt, you could turn to another ("scanning") machine and stick your receipt in
and verify that it recorded all of your choices correctly. If this second machine is
from a different manufacturer than the first machine, this gives you confidence that your
receipt matches your choices.
- Each machine could do both voting and scanning functions, or there could
be voting-only machines and separate scanning-only machines.
- Absentee voting and vote-by-mail could also produce a receipt, which would be mailed to you,
or you could pick up later at the election office.
And later you could go to the election office and have it confirmed, if you wished.
This would be a big improvement over today's situation; right now you get no confirmation
your absentee vote was even received, much less recorded correctly.
How the "back end" of electronic voting should work:
- As people vote, the resulting encrypted strings (same as on the receipt, minus voter ID)
are retained on the machines and/or sent to the central computer database.
- After the polls close, the votes in the central computer database are tallied
and results announced. Since this tallying software is fairly simple (no user interface stuff),
it should be easy to verify and non-proprietary.
- At any time after the election, you can take the paper receipt to the election office for a "full verification".
You show ID, and have them stick that receipt into a "scanning" machine.
The official will verify that your ID matches the ID recorded in the receipt.
Then the machine will check to confirm that the central election database already
had your vote recorded, and everything on the receipt matches everything in the database.
And it will let you see all of your voting choices, on a screen that you
can see but the official can't see. So you can see that your votes were recorded correctly.
The "voting" machine at the precinct could be supplied by a different vendor than the "scanning"
machine at the election office, if you're worried about letting one company supply both.
This "back end" "receipt-based" solution should eliminate most of the controversy about
trusting voting-machine manufacturers, and verifying the software and software updates.
Voters no longer have to trust the "voting" machine; they only have to trust the "scanning" machine.
And the "scanning" machine is a much simpler machine, since it doesn't have all of the user
interface (displays, switches, levers, etc) of the "voting" machine. It just scans the receipt,
decrypts it, displays the info to official and voter, and compares it to info from the central
database. And you could have two different "scanning" machines from two different manufacturers
in the election office, if you wished. And now there is a paper trail, for recounts.
It would be nice if you could get on the Internet and go to the election web site and
do the receipt-confirmation yourself, by typing in the encrypted string. But this
is bad because someone (your boss, for example), could force you to do this to
prove that you voted the "right" way. Or some voter could sell their vote and use
this to prove to the buyer that they voted as directed. Or someone could
steal your receipt and find out how you voted. So the official in-person checking of ID is necessary.
It would be possible to allow Internet-based "partial verification". That is, confirmation
that the vote on your receipt was recorded, but not that the receipt correctly
captured your voting choices. You browse to the election web site,
type in the 100-digit encrypted string from your receipt, and the site tells you whether that
vote has a match in the central election database. (Or maybe you type in the first 80 digits,
and it tells you what the remaining 20 are, so you have more confidence.)
So now you know that your vote got into the
database. You still don't know if your receipt matches the choices you made; to confirm
that, you'd have to go to the election office to use the "scanning" machine.
This kind of system seems to be known as an
end-to-end auditable voting system.
Looks like someone else has had this idea: Vote and Verify.
Now work on a similar system: Kim Zetter's "DARPA Is Building a $10 Million, Open Source, Secure Voting System".
Which is related to: Microsoft's "Protecting democratic elections through secure, verifiable voting".
Wikipedia's "Electronic Voting"
Cyrus Farivar's "How e-voting works around the globe"
Internet voting / online voting:
How it would work, as part of the receipt-based system described above:
- When you register (in person or via signed paper mail, as you do today), you
get a couple of encrypted strings from the registrar. One (R) identifies them to you; the
other (U) identifies you to them.
[Maybe some parts could be paper-mailed to you and others emailed to you, to verify
that your postal address and email address are valid.]
- To vote, you go to the registrar's web site, put in your identifying encrypted string (U), and see and
verify the encrypted string (R) that assures you that you're connected to the registrar.
You do your voting, and get back a big encrypted string representing your vote "receipt" (as described earlier in this page).
And your vote has been recorded.
[One issue: how do we prevent a situation where the vote is coerced or paid: someone is watching the voter
as they vote, to make sure they vote the "right" way ? Of course, absentee ballots today are vulnerable to this too.
For online voting, perhaps we might require online voting in a controlled location,
such as in a booth in a bank or government building.
But that defeats some of the advantages of online voting (less travel, for example).]
- At any time later, and as many times as you like,
you can go to the registar's web site and do a "partial verification" (as described earlier in this page).
That is, confirmation
that the vote on your receipt was recorded in the central database, but not that the receipt correctly
captured your voting choices.
[Maybe only one person in 100 would do this, but
that's enough to keep the system honest.]
- At any time later, you can take the receipt to the election office,
show ID, and do a "full verification" (as described earlier in this page).
[Maybe only one person in 500 would do this, but
that's enough to keep the system honest.]
About the "sanctity" of a vote:
I and a billion others have been doing financial transactions (banking, credit cards, retail purchases)
over the internet for a decade or more. The money in my bank account is worth far more to me than
my vote in an election. Yes, if thousands or millions of votes were stolen in an election, that would
subvert democracy. But if my individual vote was lost, it wouldn't hurt me very much.
And I suspect my vote goes uncounted fairly often. A machine malfunctions and there's no paper trail, or it's a landslide so
absentee ballots get discarded instead of counted, or the Post Office loses my absentee ballot.
I and a billion others have been buying lottery tickets and using ATMs for decades,
relying on paper receipts, and legal recourse if something goes wrong.
This is not to say that we should do voting in a slipshod way, or that voting errors don't matter.
I think it does show that voting with receipts, electronic voting machines, and internet voting can be done accurately and securely.
Things I don't understand about absentee ballots (AKA voting by mail):
- What percent of absentee ballots result in no vote counted ? Voter never gets the ballot,
fails to mail the ballot back, fails to sign the ballot, signs it wrong, postal system loses ballot, or it arrives late and isn't counted.
And the voter doesn't go to vote in person instead. I can find some data about some parts of this, but
little on the overall rate.
NYTimes: "Error and Fraud at Issue as Absentee Voting Rises"
- If an absentee ballot arrives after the deadline, is it counted or not ?
As far as I can tell, the answer is "maybe". If a ballot is mailed on time but arrives
late, is it counted ? Is there any law about this ?
- If the outcome of an election wouldn't be affected by counting absentee ballots and provisional ballots, are they counted anyway ?
I'd guess the answer is yes.
New Bern Sun Journal: "Provisional votes counted; outcomes unchanged"
From Lawrence Norden on NPR "Science Friday" 11/16/2012:
"[in USA] ... it's not just one election, it's not even 50 elections. ... We really have 4,600 separate jurisdictions running
elections because elections are really run at the county and town level. ...
we need to think more about at least having some minimal federal standards ..."
In response to a comment on reddit:
> ... i can't immediately see any advantages
> [this page's proposal] would have over simply
> voting online by logging into a government website.
> and, as far as protecting ballot secrecy goes, i
> think [this page's proposal] would actually be less
> secure than one centralized govt website because
> you'd have to be concerned with the administration of,
> and security of each polling place, rather than one
> ultra-secure server behind a massive federal firewall.
> since we are quite content to electronically submit
> our financial and tax information to the IRS each year,
> and that information is much more sensitive than our votes ...
I've been assuming that the STRUCTURE of the voting system would continue unchanged, that it would be very hard to change.
In USA, voting is controlled at county level, generally. Every precinct has a different slate of candidates.
That makes it hard to do in a central national site. I doubt the anti-federal-govt crowd would accept
that centralization. Consider the resistance to a national driver's license; why would they accept
the national ID needed for centralized voting ?
My system relies on receipts for security. A central system could do the same. I guess I don't care whether
voting is done by precinct or in one national server, as long as the receipt-and-verification structure I outline is used.
Voting online, as opposed to voting at a polling station (electronically or otherwise), poses a challenge
of vote-selling or coercion. You really need a controlled place to vote. We could allow online voting from
booths in banks, libraries, govt offices. Anywhere that some trusted person could assure that the voter
goes into the booth alone. Each booth would be just an internet-connected computer with a privacy screen around it, plus a printer.
/u/Bry6n on reddit suggested using the Bitcoin crypto-currency blockchain model.
My thinking on that:
[I'm may be using some terms a bit wrongly; I don't know a lot about crypto-currency.]
I guess the crypto-currency model adds two things:
- Identification/authentication of user/voter via an encryption key.
- Distributed servers and ledger (blockchain) recording the votes and doing the counting.
The identification/authentication part does provide some end-to-end verification, which is good.
The "distributed ledger" part mainly solves the simplest part of the voting system,
the central counting server.
But the bigger issues are separating things across multiple vendors, separating complex UI functionality
from simpler functionalities, receipts, and avoiding coercion. None of which are addressed by the crypto-currency model.
You could use the blockchain in such a system, but the blockchain would be only a minor part of it, not the important part.
A much simpler proposal, for those obsessed with paper ballots:
- Voter shows ID, gets a paper ballot.
- Voter marks the paper ballot (filling in circles, punching out holes, whatever).
- Voter sticks ballot into a machine, which reads the vote choices, and prints two copies of
the same long one-way hash near the bottom edge of the ballot. The hash value
is based on the vote choices plus some long random number. The long random number also
is printed next to each hash value.
- The voter can look to see that the two sets of printed values (hash and random number) are identical.
- The voter tears off the bottom edge of the ballot, keeping one copy of the printed values (the receipt)
for themselves, and putting the ballot with the other copy of the printed values into the ballot box.
- When votes are counted, by reading the paper votes, the random number is read and the hash
is calculated again, and compared to the hash value on the paper. If they don't match, the ballot
has been altered or misread.
- When ballots are counted, all hash values are published on a public web site.
- Any voter later can go on the internet and verify that the hash value from their
paper receipt appears in the published list of hash values (their vote got counted).
- If their vote's hash does not appear in the published list, the voter can take the receipt
to an election office and request an investigation.
Since the hashing is one-way, and the receipt contains no voter ID or precinct ID or machine ID or timestamp etc,
vote-coercion or vote-buying is not possible, and even the election officials can not correlate
a vote back to a specific voter.
"The best argument against democracy is a five-minute conversation with the average voter."
-- Winston Churchill
Search my site: