Building a Better Voting Machine

edmicman writes "Wired News has an interesting article about what would make the perfect voting machine: 'With election season upon us, Wired News spoke with two of the top computer scientists in the field, UC Berkeley's David Wagner and Princeton's Ed Felten, and came up with a wish list of features we would include in a voting machine, if we were asked to create one. These recommendations can't guarantee clean results on their own. Voting machines, no matter how secure, are no remedy for poor election procedures and ill-conceived election laws. So our system would include thorough auditing and verification capabilities and require faithful adherence to good election practices, as wells as topnotch usability and security features.'"

Make it complicated please

I'm serious. The more stupid and computer illiterate people you scare off, the better off we all will be.

Trollish but valid point

I would just like to point out that while the parent post is trollish in nature, it is a sentiment similar to what nearly all (if not all) of the founding fathers believed. That being certain qualifications are needed in order to cast a ballot. Their fear was some rogue could convince less educated people to vote for him so that he could, in turn, pillage the government and/or be a tyrant. I'll grant it's a thorny issue, but the problem of attempting to intentionally limit people who vote is that inevitably some racial groups will be disenfranchised (as well as other categories of population, such as the elderly in this case). Also, some local officials will try to exacerbate the situation to their favor (as happened-- and is still happening--in the South).

Re:

So, you are saying:

1. There should be a certain intelligence standard to be eligible to vote.

Yes, that is a thorny issue; but the idea does have some merit. But, you are also saying:

2. Intelligence follows racial and/or age groups.

I heartily disagree, as w

The Better Mousetrap

Build a better mousetrap and the world will beat a path to your door*

* Subject to verification of safety by Underscribblers Laboratories; application, denial, re-application, re-denial, vetting by 12,256 paper shufflers, 52,469 rubber stampers, 245,19

Random spot checks

From TFA: "Random spot checks...This involves taking a random number of machines out of commission just before polls open on election morning to run a sample election on them to make sure the machines are recording and counting votes accurately.

Before the polls open? How about during the election? At random times during the day?
The poll workers should be required to have an extra one on hand just in case one breaks. It would be used to stand in for the one that was being checked. ( It could also be chosen for a random check. )

Re:

Yeah, voters are going to react really, really well to someone coming into the polling place, playing with the machine for 10 minutes, counting votes before and after and saying "Don't worry, I'll erase all this when I'm done.'

As a general comment on these

Re:

The poll workers should be required to have an extra one on hand just in case one breaks. It would be used to stand in for the one that was being checked.

In my county (Franklin County, Ohio) that would be an extra 1200 machines at a cost of $5000 per machi

Re:Random spot checks

$5000 per machine? Why? A $100 PC in a $50 arcade cabinet with a $20 printer could do everything that a perfect voting machine needs to do, and thats thrown together from consumer parts. If someone isn't building this 'perfect' voting machine for under $200 then something is wrong.

Re:

The $5000 gets you several things. It gets you a gigantic touchscreen about the size of my dell 20 inch monitor for the visually impaired (recall that a significant number of voters are elderly), along with a headset for those who really can't read well a

Open source & peer review

I think Wired is barking up the exact same, wrong, tree, that Diebold and every other manufacturer of voting machines is barking up - namely that they have all the answers.

The solution is very simple: require all electronic voting machines to be open source, and invite all software developers around the world to peer review the code. When that majoriy agrees that a system is secure, then it's ready for use.

Re:Open source & peer review

require all electronic voting machines to be open source, and invite all software developers around the world to peer review the code. When that majoriy agrees that a system is secure, then it's ready for use.

... and when it's pronounced secure etc. - burn it to a ROM and disable any access to it which doesn't require at least a crowbar.

After the vote, have the machine print out the total.

Re:Open source & peer review

burn it to a ROM and disable any access to it which doesn't require at least a crowbar.

Have you seen the skills of the people who tamper with slot machines? They can pop the mahcine open, swap a ROM, and close it up in just a few dozen milliseconds, witho

Re:Open source & peer review

Open source doesn't mean shit when any random bozo can reflash the system.

"For every problem, there is a solution that is simple, elegant, and wrong." -- H.L. Mencken

Re:Open source & peer review

When that majoriy agrees that a system is secure, then it's ready for use.

Exactly! That's where Diebold's machines come in. You can use them to determine when you've hit that majority!

Re:Open source & peer review

If you actually read the article, you'll see that they propose something just as good - requiring the full source code to be made public, which allows /. type geeks to do a complete audit.

Essentially, though, the key requirements are simple to state: secur

Re:Open source & peer review

I think Wired is barking up the exact same, wrong, tree, that Diebold and every other manufacturer of voting machines is barking up - namely that they have all the answers.

The solution is very simple...

Erm? Pot... meet kettle.

There is no simple solution to voter fraud. There always has been fraud, and there always will be. It's the nature of ingenuity. Hence the "build an idiot-proof machine, and the universe will build a better idiot". If someone wants to hack an electronic voting system, they will, open-sourced and peer-reviewed or not.

In my view, the goal is simply to minimize the impact of such efforts, and to make it as difficult as possible to do so, as cheaply as possible. Open source *might* be a good way to go... certainly better than the closed electronic systems Diebold and their ilk are currently pushing. However, it's still an electronic system, and electronic systems are prone to making small errors very quickly (or being hacked to introduce small biases, very quickly). I'd personally prefer to return to a simple paper and pen ballot... simply check the box of the person/proposition you're voting for. Put paper in box. Let people count ballots (with observers, if desired). It scales fairly well, is difficult to introduce large errors into, and can't be hacked remotely. If it takes a little longer to get election results, so be it... there's almost two months between election day and inauguration day.

Re:Open source & peer review

Every time this comes up, I propose the same idea, but each time it gets a little more fleshed out.
0. The voter completes whatever identification/registration/whatever steps required before being allowed into the actual voting room where...

1. The voter receives a numbered (in an OCR friendly font, see below) blank ballot and is directed to the voting booth. The number indicates both the voting location and the sequence that the cards are issued. If ballots run out, voters are asked to wait while more are printed and delivered.
2. The voter inserts the ballot into the electronic voting machine until a green light comes on. Diagrams illustrate the right way to do this, a notch in one corner prevents the voter from continuing until he/she figures this step out. Red light if they fail to do it wrong (labelled "WRONG" for the colorblind, buzzer for the blind though they will probably have someone load the ballot for them) to prevent them from trying to jam it in harder.
3. The machine displays the ballot in the selected font size or reads the ballot to the blind user.
3a. Each race is displayed separately with the candidates below it in a column. (or "For" and "Against" for appropriate referendums, etc.)
3b. The user selects a candidate using up and down buttons, then presses the "Vote" button to select that.
3c. Their choice is now highlighted on the screen (and read to them).
3d. The user presses the "Next" button to move to the next race. Or presses the "Finished Voting" to indicate that they will will not vote in the remaining races. Loop to 3a until there are no more races or the user presses Finished Voting.
4. A list of races and the selected candidates appears, the user can move up or down and see each race (have it read to them) and if they wish to change their mind, they can press the "Vote" button to return to that race and change their vote (See 3). User presses "Finished Voting" again to indicate that they are done (5 second delay required to prevent accidentially bouncing the button).

Easy enough right? Now...
5. The ballot card is fed through the machine's printer and printed in rows, with each row containing one race. Columns are the name of the race, the selection for that race, and a pattern designed for optical recognition. Each option has a unique code consisting of the code for that race plus a code for the candidate (to prevent misaligned scans) as well as codes for "no vote" and "write-in".
6. Voter fills in any write-in positions.
7. Voter reads the ballot card, and if there is a mistake, the voter presents the ballot to the site overseers who
7a. Record the ballot number as destroyed and then
7b. Destroy the ballot and issue a new one. Go back to 2.
8. Voter places ballot in ballot box and goes home, proud to have done his civic duty.

Lather, rinse, repeat for thousands of voters. The numbered ballots tell us two things: 1) Are there any missing ballot boxes and 2) are there any extra ballot boxes.

8a. At the end of the day, the election observers record the lowest numbered unused ballot and destroy the remainder.
9. Ballot boxes are delivered to a counting station.
10. Ballots are dumped out, stacked up with the notches aligned, and each stack is counted in total
11. The counted stack is then fed through an optical sorter set to sort the possible options for the first race into bins, one bin per candidate, one bin for all write-ins, one bin for no-votes.
11a. Run each candidate's bin individually through the counting machine.
11ai. Election observers spot check stacks by flipping like a flipbook and watching to see if the optical pattern being counted changes.
11b. Count write-ins by hand
11c. Run the no-vote stack through the counting machine....
11d. and make sure the votes add up.
12. Report the total to the next higher up official.

Lather, rinse, repeat for all of the stacks.

Why is this superior? First off, let's look at the actual counting: The counting machine doesn't k

Don't build anything

Paper and pencil. Mark your choices, put it in a cardboard box. It's the perfect solution and scales wonderfully.

Many countries already use this advanced technique.

Re:Don't build anything

Other famous democratic countries do use pencil and paper. Canada, one of Americas greatest neighbours to the north uses the birchbark and pinecone voting system... just pulling your leg. They, like Australians, use pencil and paper. We have about 70% voter turnout in Canada, with a voting population in the range of at least 10 million people. It takes us less than 2 hours after a poll closes to give nearly complete and meaningful results to the public.

Telephoning the result to a central station is the extent of electrified voting in Canada. Everything else is on paper, for easy double checking if there's a court challenge. To have a system without paper that the voter marked, is an invitation for fraud.

Re:

paper ballots can still be spoilt.

Reading this [bbc.co.uk] from the bbc:

Londoners had to register four votes altogether, a first and second choice for mayor, a vote for a London Assembly candidate and one for an Assembly party. While 2.9% of papers for the mayoral bal

Re:

Other famous democratic countries do use pencil and paper.

To be fair, a Canadian Federal election basically has one choice for voters to make--their MP. So do other Parliamentary systems.

In 2004, here in Ohio, I had 54 different race and issue choices. I

Re:

That's an interesting point. The obvious answer seems to be you choose between convenience of electronic voting - and get shafted out of your democracy that you're supposed to be getting. Or you simplify elections so that dog catchers aren't on the same pa

just like encryption

the best algorithm in the world is worthless in a poor implementation. enacting legislation that governed the process of counting the votes and verifying them is just as important as the machines themselves.

Lines of Code = Tax Code

"If you've got 50,000 lines of code, that's approaching the complexity of the U.S. tax code," Wagner says.

Could you please express that number in Libraries of Congress? If you laid out all those lines of code without newlines, how many times would it wrap around the Earth?

Re:

Could you please express that number in Libraries of Congress? If you laid out all those lines of code without newlines, how many times would it wrap around the Earth?

What size font?

Ive been saying it all along

Have one machine with fancy GUI's that are easy for people to use, which PRINTS a clear paper ballot on which the marks are both human and computer-readable (think of the little ovals you used to fill in with #2 pencil, only bigger ovals) and then a *seperate machine* which does nothing but scan and count the ovals.

The marking machines could be of any complexity, wouldnt require auditing (the names on the ballots would be pre-printed, the machine would only mark in the ovals). Voters could choose to use the machine, or to mark the paper ballots themselves, and in all cases would be able to *look* at the paper ballot and verify their selections before submitting it to be counted. The specs for filling in the ballots could be released (and in fact the ballot specs would be part of the specs for the counting machine), and anyone under the sun could make marking machines, of any design that they wanted. The key is that these machines would record votes only on the paper ballot.

The scanning/counting machine would have to be absolutely auditable, as simple and as transparent as possible. Every aspect of its operation would be required to be public domain, and available to any citizen upon request.

Re:

Even better, the wonderful thing is that it doesn't have to be transparent. Its auditable. Every single stage can be confirmed "outside the box," by testing against the specification rather than against any specific implementation. Any element can be te

Re:

What you suggest is similar to the proposal via the Open Voting Consortium.

The differences are in that in the OVC approach only the results of a voter's selection are printed onto the generated paper. (We don't use pre-printed papers except that we use ma

Two components

A simple, inexpesnive, secure, effective voting machine which is auditable could have two components. 1) A pen. 2) A paper ballot. Another similar machine would also have two components and be equally effective. 1) A stylus. 2) A cardboard ballot. This

Re:

Right. Like those effective and accurate butterfly ballots and ballots with hanging/dimpled/torn chads that made the 2000 election in Florida beyond question of who won?

Exactly.

MY Perfect Voting Machine

The true perfect voting machine consists of the following four components:

- Paper
- Pencil
- Locked box with slot
- Election official who can count

Anything else is a solution in search of a problem, and a way for partisan election officials to send some contract money to their buddies in the tech industry.

Seriously, who the hell cares about digital records or fast counts? I don't care how fast the results come in, I want them to be RIGHT. A voting system needs to enforce two basic principles: private votes and public counts. The voters need to know that their votes are private and anonymous, and the counting process needs to be simple and transparent enough that it can be understood, audited, and repeated. Computers, for the majority of people, are magical black boxes. They don't trust them as far as they can throw them, and that means there will always be suspicion of fraud, no matter how open the source and how impenetrable the outer casing. When we go to paper ballots, we guarantee that the process is easily understood, auditible, difficult to rig, and that counting is repeatable. There is no electronic system that satisfies all those conditions, and therefore electronic systems should not be used.

However, if we wanted to use touch screen systems to print out ballots instead of marking them, that's fine with me (it would make voting more accessible, with a well-designed UI). The voter can verify their votes before dropping them in the box. But the printed paper ballots need to be counted by hand.

Re:

Can I at least use a pen? It would make me feel a little better, anyway.

Open Voting Consortium

For those who are interested in seeing a proper voting system put together, check out the Open Voting Consortium [www.openvotingcon]. They have a free, open-source voting platform that addresses all of the concerns. It has a verifiable paper trail as well as support for blind users and multiple languages.

I personally have donated money to this organization and believe they are doing the right thing in addressing the current mess we have now.

Their paper trail has a really nice feature in that it also prints a bar code for a quick machine recount of the ballots as well as a human readable output.

-Aaron

Re:

"Their paper trail has a really nice feature in that it also prints a bar code for a quick machine recount of the ballots as well as a human readable output."

If it's as you describe and the votes are recorded for the machine in a separate bar code from

David Chaum's Method

At the end of the article they mention David Chaum's method of voter verifiable elections. I first saw this several years ago in graduate school (I believe I was reviewing an earlier version of the paper for a conference). It is a gloriously beautiful protocol, far beyond what I ever hope to see implemented in my lifetime. :( I suggest you take a look, I will look at the version referenced in the article again tonight as the exposition is considerably clearer than the version of the work I read (dumbed down a bit for a mass audience).

First

First of all, make them not terrible. If we could get them to at least on par with the quality of ATM's we'd be somewhere. I am all for electronic voting machines. However, the job application kiosk at wal mart had more effort put into its engineering and

no to technophilia in voting

the best voting technology ever?

paper

pencil

optical scanning of little filled in ovals

the blind can get by with a guide, just like they always have

end of story

what we need is simplicity when it comes to voting, not complexity. i believe we should never go t

Re:

Right, because no one EVER goes outside the lines, or makes a stray mark, or doesn't erase something they should have.

Electronic machines can prevent "overvotes" and warn the voter against "undervotes." Yes, they have issues, but they have benefits too. I

He forgot one thing

The machine should not be made by Diebold or ES&S. Here's the Wiki link http://en.wikipedia.org/wiki/Diebold_Election_Syst ems [wikipedia.org]

In other news...

In a bizarre turn of events Wired magazine editor-in-chief Chris Anderson is elected president in electronic elections held in Bolivia, Ghana, Uganda and prime ministor in the UK.

Re:

That really would be bizarre, because we use pencil and paper for voting here in the UK.

Why is this needed?

Why the hell is this needed? You can already track how well a game does by tracking sales. Surely you can track those -- how many boxes did you create? You made the damn things, you better damned well be able to count them.

On the other hand, you can now bu

Slightly offtopic, but...

So what DO you solve anyway by building a "better voting machine" ?
You still have the problems of a "democratic republic" election system in place, so basically you get to pick between the lesser of two evils, if you're lucky.

For what it's worth, you could

I know what would make a GREAT voting machine

First, it should add numbers accurately. Nothing fancy, just count what each persons votes for and make sure it adds up to the totals.

Second, don't allow poll workers to "adjust" votes with administration screens. If the machine can count 'em right in the

Bullet-Proof Elections - the Geek Way

Ok, voting machines cannot be guaranteed to be bullet-proof. Anyone who knows a decent amount about computer software & hardware gets that.

But why is it so hard to envision a simple audit trail to absolutely guarantee the authenticity of any election?

1) Make sure every voting machine spits out a paper receipt with a unique transaction number and the vote(s) recorded.

2) Make public a web site that displays *every* receipt number and its vote(s). Ok, it might be 300 million database records, but a simple menu across the top will let anyone drill down to their receipt number and confirm their vote was recorded correctly. We'll file this exercise as each Citizen's Responsibility. (It's important to note that having a citizen enter a receipt number to see those particular ballot results will not be secure since it would take a different path through the web site software, and also reduce anonimity).

3) Democracity loving geeks everywhere will write code to scan that (huge) web site and confirm the final totals.

It seems so simple. What am I missing?

Re:

If you take away a verifiable record (be it an ID you can look up or an actual copy) of your vote, you open yourself to the following type scenarios:

1) Boss: You know, I really need to see your vote receipt so we can make sure you're protecting our inte

Voting machines must meet slot machine standards

Voting machines should be at least as secure as slot machines. The state of Nevada has standards for those, as I wrote in a previous Slashdot article. [slashdot.org] Nevada is concerned with collecting taxes and not cheating customers when the machines are owned by very shady people. So they have technical standards with teeth. Stuff like this:

• ... must resist forced illegal entry and must retain evidence of any entry until properly cleared or until a new play is initiated. A gaming device must have a protective cover over the circuit boards that contain programs and circuitry used in the random selection process and control of the gaming device, including any electrically alterable program storage media. The cover must be designed to permit installation of a security locking mechanism by the manufacturer or end user of the gaming device.
• ... must exhibit total immunity to human body electrostatic discharges on all player-exposed areas. ... must exhibit a capacity to recover and complete an interrupted play without loss or corruption of any stored or displayed information and without component failure. ... Gaming device power supply filtering must be sufficient to prevent disruption of the device by repeated switching on and off of the AC power. ... must be impervious to influences from outside the device, including, but not limited to, electro-magnetic interference, electro-static interference, and radio frequency interference.
• All gaming devices which have control programs residing in one or more Conventional ROM Devices must employ a mechanism approved by the chairman to verify control programs and data. ... All gaming devices having control programs or data stored on memory devices other than Conventional ROM Devices must:
  (a) Employ a mechanism approved by the chairman which verifies that all control program components, including data and graphic information, are authentic copies of the approved components. The chairman may require tests to verify that components used by Nevada licensees are approved components. The verification mechanism must have an error rate of less than 1 in 10 to the 38th power and must prevent the execution of any control program component if any component is determined to be invalid. Any program component of the verification or initialization mechanism must be stored on a Conventional ROM Device that must be capable of being authenticated using a method approved by the chairman.
  (b) Employ a mechanism approved by the chairman which tests unused or unallocated areas of any alterable media for unintended programs or data and tests the structure of the storage media for integrity. The mechanism must prevent further play of the gaming device if unexpected data or structural inconsistencies are found.
  (c) Provide a mechanism for keeping a record, in a form approved by the chairman, anytime a control program component is added, removed, or altered on any alterable media. The record must contain a minimum of the last 10 modifications to the media and each record must contain the date and time of the action, identification of the component affected, the reason for the modification and any pertinent validation information.
  (d) Provide, as a minimum, a two-stage mechanism for validating all program components on demand via a communication port and protocol approved by the chairman. The first stage of this mechanism must verify all control components. The second stage must be capable of completely authenticating all program components, including graphics and data components in a maximum of 20 minutes. The mechanism for extracting the authentication information must be stored on a Conventional ROM Device that must be capable of being authenticated by a method approved by the chairman.

That's part of what's needed. Those standards cover the possibility of

Re:Don't get too upset over this, it isn't importa

"And I'll even give a pass on FL in 2000 even though the recount conducted by the press gave the state to the Republicans."

There WAS NO COMPLETE RECOUNT!
Shit I am tired of this fucking false rumor. There were thousands og votes not even counted, as well as

Re:Don't get too upset over this, it isn't importa

And yes I said DEMOCRATS steal elections. Think about it, who runs the elections in every major city? Who runs the elections in most smaller cities? How many precincts are entirely run by Democrats vs how many can you find without a single Democrat in the

Re:Don't get too upset over this, it isn't importa

Either we trust the people running our elections or we don't.

There should inherently be distrust of our election officials, always every time, forever.
If they cant stand an audit, they should not be there.

Ever sell a house? Escrow companies exist because