An Electronic Voting Machine proposal

Contact me. If your facts and logic are convincing, I'll change my mind!

Electronic voting is not evil! It is quite possible to have an electronic voting system that is more open, auditable and reliable than the current non-electronic voting systems. The key things to have are encrypted paper receipts, and lots of small, cross-checking machines instead of a few huge machines.

What a voting system should accomplish:

Today's voting systems don't accomplish most of these goals. For example, paper ballot systems have mechanical problems in counting, require trusting the machine (the paper is used in only one step), give poor access to visually impaired or elderly voters, don't provide multiple options for voters, don't allow voting from any location, aren't "green" (they require travel to a polling place), and don't have redundancy and cross-checking. Absentee ballots don't prevent coercion, don't record votes reliably (they can get lost in the mail, with no confirmation), and have most of the problems of paper ballots. Today's electronic machines require trusting, or internally auditing, a very complex machine.

Disadvantages of a purely pen-and-paper system:
Paper is hard to transport, store and recount. It doesn't provide multiple UIs, such as one for the blind. It can be manipulated (extra ballots added, valid ballots discarded). It can be damaged or lost accidentally (fire, physical collision, etc.). You have to print and manage unique paper for each precinct. If there's an error or a change, you have to throw away the paper and print again. It generates waste.

An election has several parts to it:

Voting has several parts to it:

What to expect when you're electing: Talos' 2020 election security primer

My proposal:
Voter gets an encrypted paper receipt after voting, and can use it then or later to verify vote was recorded accurately, and made it into central database. A single polling place can use a mix of machines from different manufacturers. Vote-recording and vote-verifying machines must be from different manufacturers. Only the internals of the central vote-counting machine need to be trusted or expert-verified; no need to look at internals of the individual vote-recording and vote-verifying machines, because they are used to check each other.

How the "front end" of electronic voting should work:

How the "back end" of electronic voting should work:

This kind of system seems to be known as an end-to-end auditable voting system.
Looks like someone else has had this idea: Vote and Verify.
Now there is work on a similar system: Kim Zetter's "DARPA Is Building a $10 Million, Open Source, Secure Voting System".
Which is related to: Microsoft's "Protecting democratic elections through secure, verifiable voting".

See also:
Wikipedia's "Electronic Voting"
Cyrus Farivar's "How e-voting works around the globe"

Internet voting / online voting:
How it would work, as part of the receipt-based system described above:

About the "sanctity" of a vote:
I and a billion others have been doing financial transactions (banking, credit cards, retail purchases) over the internet for a decade or more. The money in my bank account is worth far more to me than my vote in an election. Yes, if thousands or millions of votes were stolen in an election, that would subvert democracy. But if my individual vote was lost, it wouldn't hurt me very much.

And I suspect my vote goes uncounted fairly often. A machine malfunctions and there's no paper trail, or it's a landslide so absentee ballots get discarded instead of counted, or the Post Office loses my absentee ballot.

I and a billion others have been buying lottery tickets and using ATMs for decades, relying on paper receipts, and legal recourse if something goes wrong.

This is not to say that we should do voting in a slipshod way, or that voting errors don't matter. I think it does show that voting with receipts, electronic voting machines, and internet voting can be done accurately and securely.

Things I don't understand about absentee ballots (AKA voting by mail):

From Lawrence Norden on NPR "Science Friday" 11/16/2012:
"[in USA] ... it's not just one election, it's not even 50 elections. ... We really have 4,600 separate jurisdictions running elections because elections are really run at the county and town level. ... we need to think more about at least having some minimal federal standards ..."

In response to a comment on reddit:
> ... i can't immediately see any advantages
> [this page's proposal] would have over simply
> voting online by logging into a government website.
> and, as far as protecting ballot secrecy goes, i
> think [this page's proposal] would actually be less
> secure than one centralized govt website because
> you'd have to be concerned with the administration of,
> and security of each polling place, rather than one
> ultra-secure server behind a massive federal firewall.
> since we are quite content to electronically submit
> our financial and tax information to the IRS each year,
> and that information is much more sensitive than our votes ...

I've been assuming that the STRUCTURE of the voting system would continue unchanged, that it would be very hard to change. In the USA, voting is generally controlled at the county level. Every precinct has a different slate of candidates. That makes it hard to do on a central national site. I doubt the anti-federal-govt crowd would accept that centralization. Consider the resistance to a national driver's license; why would they accept the national ID needed for centralized voting?

My system relies on receipts for security. A central system could do the same. I guess I don't care whether voting is done by precinct or in one national server, as long as the receipt-and-verification structure I outline is used.

Voting online, as opposed to voting at a polling station (electronically or otherwise), poses a challenge of vote-selling or coercion. You really need a controlled place to vote. We could allow online voting from booths in banks, libraries, govt offices. Anywhere that some trusted person could assure that the voter goes into the booth alone. Each booth would be just an internet-connected computer with a privacy screen around it, plus a printer.

/u/Bry6n on reddit suggested using the Bitcoin crypto-currency blockchain model. My thinking on that:
[I may be using some terms a bit wrongly; I don't know a lot about crypto-currency.]

I guess the crypto-currency model adds two things:
  1. Identification/authentication of user/voter via an encryption key.
  2. Distributed servers and ledger (blockchain) recording the votes and doing the counting.

The identification/authentication part does provide some end-to-end verification, which is good.

The "distributed ledger" part mainly solves the simplest part of the voting system, the central counting server.

But the bigger issues are separating things across multiple vendors, separating complex UI functionality from simpler functionalities, receipts, and avoiding coercion. None of which are addressed by the crypto-currency model.

You could use the blockchain in such a system, but the blockchain would be only a minor part of it, not the important part.

A much simpler proposal, for those obsessed with paper ballots:
  1. Voter shows ID, gets a paper ballot.

  2. Voter marks the paper ballot (filling in circles, punching out holes, whatever).

  3. Voter sticks the ballot into a machine, which reads the vote choices and prints two copies of the same long one-way hash near the bottom edge of the ballot. The hash value is based on the vote choices plus some long random number. The long random number is also printed next to each hash value.

  4. The voter can look to see that the two sets of printed values (hash and random number) are identical.

  5. The voter tears off the bottom edge of the ballot, keeping one copy of the printed values (the receipt) for themselves, and putting the ballot with the other copy of the printed values into the ballot box.

  6. When votes are counted by reading the paper ballots, the random number is read, the hash is calculated again, and the result is compared to the hash value printed on the paper. If they don't match, the ballot has been altered or misread.

  7. When ballots are counted, all hash values are published on a public web site.

  8. Any voter later can go on the internet and verify that the hash value from their paper receipt appears in the published list of hash values (their vote got counted).

  9. If their vote's hash does not appear in the published list, the voter can take the receipt to an election office and request an investigation.

Since the hashing is one-way, and the receipt contains no voter ID, precinct ID, machine ID, timestamp, etc., vote-coercion or vote-buying is not possible, and even the election officials cannot correlate a vote back to a specific voter.
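The receipt-and-verification structure from "My proposal" and steps 3 through 9 of the paper-ballot variant, worked through as an added example (this is not code from the page; the race names, candidate names, the use of SHA-256 as the one-way hash, and a 256-bit random number are all my assumptions). It stamps ballots, recounts them by recomputing the hash, rejects an altered ballot, publishes the surviving hashes, and lets a voter check a receipt against the published list:

```python
import hashlib
import secrets

# Constructed sample slate; the races and names are made up for this example.
RACES = {"Mayor": ["A. Adams", "B. Baker"], "Measure 1": ["Yes", "No"]}

def canonical_choices(choices):
    """Serialize the marked choices in a fixed order so the same vote always hashes the same."""
    return "\n".join(f"{race}={choices[race]}" for race in sorted(choices))

def receipt_hash(choices, nonce_hex):
    """Step 3: one-way hash over the vote choices plus the long random number."""
    data = canonical_choices(choices).encode() + b"\x00" + bytes.fromhex(nonce_hex)
    return hashlib.sha256(data).hexdigest()

def stamp_ballot(choices):
    """Machine step: draw a long random number and return the (hash, random number) pair
    that is printed twice on the ballot's bottom edge (one copy becomes the receipt)."""
    nonce_hex = secrets.token_hex(32)  # 256-bit random number, printed next to the hash
    return receipt_hash(choices, nonce_hex), nonce_hex

def count_ballots(ballots):
    """Steps 6 and 7: for each paper ballot (choices as read, printed hash, printed random
    number), recompute the hash; tally ballots that match and set aside those that do not.
    Returns (tallies, published hash list, rejected hash list)."""
    tallies = {race: {c: 0 for c in cands} for race, cands in RACES.items()}
    published, rejected = [], []
    for choices, printed_hash, nonce_hex in ballots:
        if receipt_hash(choices, nonce_hex) != printed_hash:
            rejected.append(printed_hash)  # altered or misread: do not count, investigate
            continue
        for race, pick in choices.items():
            tallies[race][pick] += 1
        published.append(printed_hash)
    return tallies, sorted(published), rejected

def voter_verifies(receipt_hash_value, published_hashes):
    """Step 8: the voter checks that the hash on their receipt is in the published list."""
    return receipt_hash_value in set(published_hashes)
```

The random number is what keeps the hash from being a lookup table over the small set of possible choice combinations, so it has to be long and unpredictable; because the receipt carries that number alongside the hash, whoever holds the receipt can recompute the hash for each candidate set, and the receipt is private only as long as its holder keeps it so.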

Intelligence Matters podcast "100 years of Russian electoral interference - David Shimer"

"The best argument against democracy is a five-minute conversation with the average voter."
-- Winston Churchill