Today I attended a session led by Ka-Ping Yee at our Foresight Nanotech unconference on some of his new thinking in voting machines. While Ping was presenting a system to secure the type of voting machines we’ve been saddled with of late, he, I and many others like the idea of an open source system which divides the ballot generator from the ballot counter. In such a system you have two machines. One helps the voter prepare a standard ballot that is human readable. In addition, the human readable output is also readable by a machine that scans and counts ballots for quick counting, though the ballots can also be counted by hand.
The idea is that you don’t need to work nearly so hard at securing the ballot preparation machine, as what matters is the paper ballot, which a human is able to scrutinize. So you can have it be open source code, on old donated standardized hardware, which means free voting machines.
However, recent studies suggest that voters can be easily fooled and don’t inspect their ballots very well. Tests show that when fake voting machines deliberately generated errors in the output ballot, or on a “review your choices” screen, 2/3 of voters didn’t notice the errors, and didn’t notice even multiple major errors. Yikes. (Figures corrected.)
Now 1/3 of voters do notice the problems, but it is possible to design problems that the voter will conclude were their own mistake. For example, if their ballot doesn’t show a vote for senator, their natural assumption may be that they just didn’t press the buttons hard enough or otherwise made a mistake, and they should just do it over. However, an attacker can then have 1000 ballots for the wrong senator simply be missing the senator race, and ~320 will go back to fix it, but ~680 will leave it be, depriving said wrong candidate of a large number of votes.
To prevent this, I propose that election officials would regularly, and at random times, run audits of the machines. They would go to a ballot generator and cast a ballot, making a videotape of their session to assure there are no errors. (The voting machine must not be able to tell such a tester from a real voter, so they can’t take extra time on the test, for example.) However, after receiving their prepared ballot, they will indeed make a full check for any sorts of errors, and confirm any errors found on the videotape. Any error found will be extremely serious, and result in immediate cessation of operation of that model of machine and software.
Of course, the system which picks the random times and the ballots to try must not be made by the same parties making the ballot generator. And two officials should examine the ballot after the fact to avoid fraud by officials, and of course to assure the ballot is sealed away in a lockbox and not put in the ballot box or scanning machine. Testing scanning machines is more difficult, as one must have a mechanism to void out a ballot after scanning it and examining the scan. Such actions should be watched by several voting officials and partisan scrutineers.
A modest number of such trials should be enough to assure the ballot generators are acting properly almost all the time, as any error introduced enough times to affect an election would be very likely to intersect with a test run.
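
The sizing argument above, worked through as an added example (not code from the talk or from any voting system). It assumes the machine alters a fixed number of sessions and, as required above, cannot tell an audit from a real voter; the function names and the 100,000-voter precinct are illustrative assumptions.

```python
from fractions import Fraction
from math import ceil, comb

# Share of voters who miss a ballot error, per the studies cited in the post.
UNNOTICED_RATE = Fraction(2, 3)


def sessions_to_tamper(votes_to_shift: int, unnoticed: Fraction = UNNOTICED_RATE) -> int:
    """Sessions that must be altered so `votes_to_shift` errors survive voter review."""
    return ceil(votes_to_shift / unnoticed)


def detection_probability(voters: int, audits: int, tampered: int) -> float:
    """Chance that at least one audit session is one of the altered sessions.

    Assumption: the machine alters `tampered` of the voters + audits sessions
    without knowing which are audits, so clean audits are hypergeometric.
    """
    total = voters + audits
    tampered = min(tampered, total)
    # comb() returns 0 when there are fewer clean sessions than audits.
    return 1.0 - comb(total - tampered, audits) / comb(total, audits)


def audits_needed(voters: int, tampered: int, target: float = 0.99) -> int:
    """Smallest number of audit sessions that reaches the target detection chance."""
    if tampered <= 0 or not 0 < target < 1:
        raise ValueError("need tampered > 0 and 0 < target < 1")
    audits = 0
    while detection_probability(voters, audits, tampered) < target:
        audits += 1
    return audits


if __name__ == "__main__":
    voters = 100_000  # constructed precinct size, not from the post
    for shift in (500, 1_000, 5_000):
        k = sessions_to_tamper(shift)
        print(f"shift {shift:>5} votes -> {k:>5} altered sessions -> "
              f"{audits_needed(voters, k)} audits for 99% detection")
```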
