Electronic Voting

Sat 13 March 2004 by Kevin van Haaren

As big a tech geek as I am, I’ve always distrusted electronic voting systems, especially the ones currently being sold. And internet voting is right out.

Voting has some particular requirements. It requires both authentication and anonymity: authentication because you don’t want people voting who aren’t entitled to, and anonymity because you don’t want anyone to be able to trace a vote back to the person who cast it.

Openness of the process is another requirement. Voters should feel that the process of voting, moving votes to the counting location, and counting votes is reliable and trustworthy. In any well-designed system (computer or not) the weakest link is almost always the people involved, so the system should have checks in place to help keep the people involved honest.

Accuracy, of course, is a huge requirement.

Speed would be nice, but isn’t a huge necessity.

The problems with current e-voting systems are not limited to devices that don’t print a physical record of the vote, although that is a key factor in the process I’m about to describe.

So here’s how I think e-voting should work:

  1. Authentication must be kept separate from the voting booths and the voting system. The current system (in Missouri, at least) is a table where you identify yourself and are issued a ballot, which you then take to the voting machine to cast your vote. This separation should be maintained in any new system. You should NOT authenticate yourself to the voting machine; authentication MUST be separate from the vote itself.

  2. The electronic voting machine itself can be of several varieties, touch screen probably being the most flexible. The machine MUST include a printer for issuing a human-readable paper ballot. However, I do think multiple methods of encoding the paper ballot should be used. For example, in addition to the human-readable ballot, a 2D barcode can be printed at the bottom to make the ballot machine-countable. So I think recounts would be handled in the following order:

    1. Initially transmitted count: machine count of the barcodes on the printed ballots
    2. Count by people of the human-readable portion of the printed ballots

  3. Printed paper ballots are collected in locked ballot boxes, as is done now for regular ballots.

  4. Voting machines can transmit data back to the central location, but they must not do this over the internet (so the phone system would most likely be used). In addition, a method of preventing bogus machines from reporting data must be instituted (one way that comes to mind is issuing each machine a key that encrypts and authenticates the data in transmission; the keys would be changed for each vote).

  5. The central location would have methods in place to protect the count on the collection system. Some simple steps include: no connection of the system to the internet, or even any kind of remote control (so support would always have to be on-site); don’t keep data in databases that can be manipulated right on the box; robust, unalterable logging (i.e. to a printer and/or a write-once CD-ROM).
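The per-machine key in item 4, worked through as an added example (not code from the original post): each machine gets its own 32-byte key for this vote, seals its tally with AES-GCM so the report is both encrypted and authenticated, and the central office rejects anything from a machine it issued no key to, anything altered in transit, and a genuine report relabelled with another machine’s ID. The machine IDs, the key store and the "A=120;B=85;C=3" tally format are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // 32-byte key issued by the central office for this vote
	if err != nil {
		panic(err) // a wrong key length is a programming error, not a runtime condition
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// SealTally (machine side) seals a tally such as "A=120;B=85;C=3" under the machine's key, binding machineID as associated data; output is nonce || ciphertext || tag.
func SealTally(machineID string, key []byte, tally string) []byte {
	gcm := mustGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // fresh random nonce per report
	return gcm.Seal(nonce, nonce, []byte(tally), []byte(machineID))
}

// OpenTally (central side) rejects an unknown machine, a truncated or altered report, or one relabelled with another machine's ID. keys: hypothetical per-vote key store.
func OpenTally(keys map[string][]byte, machineID string, report []byte) (string, error) {
	key, ok := keys[machineID]
	if !ok {
		return "", fmt.Errorf("machine %q: no key issued for this vote", machineID)
	}
	gcm := mustGCM(key)
	if len(report) < gcm.NonceSize() {
		return "", fmt.Errorf("machine %q: truncated report", machineID)
	}
	nonce, sealed := report[:gcm.NonceSize()], report[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, sealed, []byte(machineID))
	if err != nil {
		return "", fmt.Errorf("machine %q: report failed authentication", machineID)
	}
	return string(plain), nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // constructed: one machine, one key issued for this vote
	report := SealTally("precinct-12-m03", key, "A=120;B=85;C=3")
	fmt.Println(OpenTally(map[string][]byte{"precinct-12-m03": key}, "precinct-12-m03", report))
}
```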

One thing I didn’t mention was the software used in the machine. How do we know we can trust that? Although I prefer the software be open source (preferably GPL), I don’t think that has to be required. What does have to be required is that the source code MUST be available for review by anyone who requests it. It can still be proprietary and protected by copyright, but it must be reviewable by anyone who wishes to.