Professor Avi Rubin has a column in Forbes this month on e-voting. His suggestion? Let’s not.
You don’t like hanging chads? Get ready for cheating chips and doctored drives.
I am a computer scientist. I own seven Macintosh computers, one Windows machine and a Palm Treo 700p with a GPS unit, and I chose my car (Infiniti M35x) because it had the most gadgets of any vehicle in its class. My 7-year-old daughter uses e-mail. So why am I advocating the use of 17th-century technology for voting in the 21st century–as one of my critics puts it?
He then chats briefly about the weaknesses of the current implementations of DRE (Direct Recording) technologies; I’ll go a step further and suggest that even robust voting devices present some of the systems problems – the problems in the end-to-end chain of voting process – don’t get addressed.
I’m working on something longer – but note that no modern American corporation could run financial systems as risky as the voting systems we propose to use for electing our public officials without the directors of the company facing sanctions under Sarbanes-Oxley.
The only solution is some sort of quantum voting system involving entangled pairs of photons.
Here’s what you need: a triple biometric measurement to uniquely identify the voter with one printed receipt that goes with the voter and a second receipt that goes into a lockbox. Once the vote is completed, you can randomly sample prceinct receipts to check for errors/fraud.
If you can go anywhere in the world and use a credit card or ATM without massive fraud, we can certainly make a machine that accurately and legally records votes.
A thought: If Arizona were to institute e-voting as well as its proposed “$1 million voting lottery”:http://www.opinionjournal.com/cc/?id=110008804, would that run afoul of the bill the House recently passed against online gambling?
Ironically, perhaps, Mexico has some of the best voting procedures I’ve seen yet. Markinmexico has covered the procedures extensively, so I won’t repeat them.
But consider a few ideas to be used along with electronic voting, and I’d be content. First, each machine prints 2 receipts. You check them, and if they are valid, you put one into a sealed box and keep the other (they would have to have unique id numbers, so that you couldn’t put in both for two votes in a recount). The original count is the electronic voting machines. If that’s challenged, the sealed box is used to do a recount. While there wouldn’t be a point in going to the voters’ receipts (how many would have thrown them away), it makes it so that people cannot disclaim their votes on the grounds that they didn’t check their paper ballot. Not even after you got home, eh? What it would do is allow someone to come back and contest their own vote, thus removing it from counting if they decided that the machine tallied their vote wrongly once they had left the polling place.
Why don’t we just vote with our Social Security Number into a machine that prints you a sheet to turn in to hard box, one for your personal record, and then of course a digital one for the computer speed efficiency advantage?
If their is a discrcreption have a recount with the paper copies.
I think the Social Security number voting would halt fraud provide an extra check because you could even use willing voters to confirm votes with their copies.
I understand the idea of anonymous voting in 3rd world nations were the new dictator would use the last vote to solve his next vote issue. But in the US I find such a threat nill at best. Keep in mind I am not putting forward that votes should be published by SS corresponding just that we do so much with our SS today and it works. If it works with our money in the bank it should work with our votes.
The problem with printed receipts given to the voter for their records is that it brings up the specter of coerced voting: “come back tomorrow with a vote receipt for Mr. Foo or you’re fired” shenanigans.
The real problem with electronic voting systems is that it’s way too black-box. Is the system secure? Are you sure? Are you REALLY sure? Has the operating system on the box been compromised? Trojaned? Subverted from the ground up? It’s tough to tell… and this opens up all sorts of claims of fraud, and delegitimizes the entire electoral process.
‘sides, why do we NEED it? There’s nothing wrong with a pencil-marked, optically-scanned paper ballot. It’s good enough for the freakin’ SAT, isn’t it good enough to count the votes?
“…e-voting. […] Let’s not.
This was established back in the mid-Nineties on comp.risks.
Everything since then is redundant.
Paper ballots work.
Let’s get an e-voting system that works and let people vote from home via the internet or by automated telephone system. Then we can let people vote directly on legislation instead of through elected representatives. Elected representatives would still draft legislation. This change over could be started with experiments in different states and the systems that work best could be adopted elsewhere.
A.L., a small suggestion – perhaps this woman might make a good podcast interview for Pajamas Media Politics Central… just a thought…
Well, maybe when you register you should receive a voting card that functions like a credit card– except of course, you only can use it to vote. Each card has a social security number (among other things) associated with it. When a swipe is made, or a vote card number is entered into a terminal, the number is looked up in a database and the status of that SSN is checked.
The only issue is, how to prevent someone from voting for you? Obviously dead people voting might become a lot less of a problem, but you would just need to hand the card to someone else? (to do fraud). Its not a problem with credit cards, because you wouldn’t give it to someone else if you didn’t want them spending your money.
Keys are defined as three things: 1. Something you have 2. Something you know 3. Something you are.
Maybe you should have to sign digitally/physically like you do with a credit card?
Dunno. Just thinkin’.
I’m a coder.
The more complications you introduce to the machine: biometrics, entangled photons etc: the more easy it is to hide rogue code.
Then ALL the code on every node the data passes through must be checked for integrety.
Here is as far as I will go.
Standard paper ballots that can be read by several different brands of machine. Which aside from the hanging chad problem, was the beauty of IBM punchcards.
The data encrypted to ensure integrety in transmission.
Two different machines to do the final counting. An IBM and a MAC so the code cannot be ported.
The coders all work on a clean sheet basis.
The code is totally open: i.e. published and also locked. All tools for generating the code are publicly available. Assemblers compilers etc. All input and output (right down to the binary bits) open source.
But stick with paper. Which humans can verify in case of dispute.
Every thing about the voting system should be standard.
The ballot (except for the questions on it).
The read head. The code specification (at all end nodes, plus encryption. Eliptic Curve Encryptiion is the latest and greatest and lower bandwidth than the prime number stuff we use for public key encryption.
However, since there is always a chance of fruad, paper as backup. And since methods of fraud with paper are well known we safeguard tht system as well.
Nothing is fool proof but double entry book keeping and open books helps.
No, no, no: no tying the votes to anything personally identifiable. Suppose you live in a district that is almost all of one party, and you want to vote the other way. Or suppose you are in a union, but want to vote against the union’s preferred candidates or issue positions. Or suppose you are a leader of a political party whose conscience tells you that, though you cannot publicly oppose a certain issue, you will nonetheless vote against it.
Now suppose that someone gets hold of and publishes the personally-identifiable votes? Australian ballots (the secret ballots) were introduced in the US specifically to prevent these kinds of intimidation.
Where you really start running into problems is people who have trouble reading a regular printed ballot — maybe they’ve got vision trouble, or they’re dyslexic, or if they can read, they only read another language besides English. It really helps those folks if there’s an audio presentation of the ballot, and that’s easier with various forms of DRE.
I used to work for a major organization of blind people, and we got pretty heavily involved in this. They insisted on being able to cast their ballots in secret (you would be AMAZED at the horror stories they could tell of their experiences with poll workers who wanted to “help”), and they also insisted on being able to verify how their vote was recorded on whatever was going to be used to audit any vote discrepancies.
We didn’t issue any specific endorsements, but ES&S’s AutoMark was pretty close to the perfect solution. It’s essentially a DRE that marks a paper ballot, and then the ballot can be entered into any machine that has the ballot definition file loaded to be reviewed. The company has some minor bugs they’re working out currently.
The problems we saw with reforming the voting system were the crazy patchwork of laws in each state about what the rules are for ballots, and what hoops you have to jump through to get certified, and getting everything done in time to meet the deadlines set by HAVA. Congress showed no particular interest in extending the deadlines or providing more money (I personally spoke with a Senator who said, “We already allocated the money to fix that problem. We’re not going back to it.”). It also didn’t help to have the “Bushitler” crowd jumping up and down screaming about every technical glitch and screwup, convinced they’d found the key to Bush’s Seekrit Plan to Rule The World.
Yes. Tie the votes to biometrics. We have plenty of PKI technology to make the receipts only readable by the voter and the precinct. Yes, give them receipts. Let them throw them away if they want. Let them click a box to encrypt their receipt.It just doesn’t make sense that an ATM should provide more information to the user than a voting machine.
As for M Simon’s comments, these technologies are all very mature. I could construct a voting machine from COTS components inside of a week. It’s about as trivial as process as one can imagine. Keep the source open. Heck, print a current checksum of the source on the receipts.
I have to admit a little bit of expertise here. Aside from being a former Systems Architect, I also designed and wrote the secure voting system that the Federal Reserve Board Of Governors uses to make decisions. I think I know a little something about secure voting systems. Too much of this is political, and too much of this is “many cooks spoil the stew” Making computers count is not rocket science. They’re pretty good at it already.
I liked those old “battleship” voting machines. The levers gave this satisfying click, and then the big red curtain handle that registered all of your candidate and issue selections gave this “ka-chunk” that the job was done.
My precinct has long changed to those paper ballots and black pens where you join the lines. I guess you can’t change your vote back and forth like you can on the voting machine prior to working the big red curtain handle. But I suppose you could ask for a fresh ballot if you mess up. After you mark the ballot, you feed it into the “bleedleebeep” machine that goes bleedleebeep when it registers your vote. The ballot goes into a pile from which they can do a recount if there is a challenge.
For whatever system of ballots and marking ballots, there should be a voting booth for data entry on to a physical ballot, this physical ballot should be both machine readable and human readable, human readable by the voter to verify that they voted the way they want and by recount officials, and then there should be a polling precinct exit station where the voter feeds the ballot into a bleedleebeep machine for counting and archiving.
You know, and actual physical ballot and an actual physical ballot box. You are issued a ballot based on voter registration, you mark the ballot in a voting booth, and then you deposit that ballot in a ballot box. Whatever electronics they use is OK provided that these basic elements remain.
“If you can go anywhere in the world and use a credit card or ATM without massive fraud, we can certainly make a machine that accurately and legally records votes”…I don’t think this is a good analogy. If fraud occurs with a credit card or an ATM, you will know about it which you get your bank statement or your credit card bill. But since voting deals with pooled collective action, rather than individual accounts, there is no corresponding audit trail for electronic voting.
I’m sticking with the analogy, David. When I vote, this is part of a transaction I have with the state. As we have seen in all of these recount troubles, whether I voted, whether I voted legally, whether my vote counted, etc — all of these details about the individual transaction are important.
It used to be people would walk into a polling place and verbally tell how they voted. I know we can’t go back to that, but I like the simplicity of that system. I also like the public nature of voting. This is something I’m doing to change the direction of government, I should take ownership of that act. But because of abuse, those days are gone and are not coming back. Whateever the system, it should be gamed as much as possible for ways to abuse it.
Still, it’s simply uniquely identifying a voter, making a choice and having the choice recorded and tabulated. We act like this has never been done before. This problem has been solved in hundreds of ways in the past. It’s not as hard as we make it out to be. If you want to decrease the noise associated with working with large numbers, you have to increase the quality levels of the identification and tabulation systems. If you want anonymity, you have to add some crypto. If you want audits, you’re going to need a 2 or 3 authentication-factor system. Pick your features. All of this stuff is old hat.
Jeff & Avatar
No offence but I feel your worry if we lived in some 3rd world swamp. But I cannot see any way an employer could use how you vote to discriminate against you. Companies get sued daily for real and or suspected discrimination of every kind from race/religion to fat/or diseased. Spontaneous order would quickly fix those managers dum enough to try such a harebrain scam after the lawsuits started getting settled after the first year.
Jeff
As far as the worry about being intimidated because the majority of your district votes opposite you nothing would change if you chose to drop your receipt in the shredder. I would have it just like a gas station pump go in pull curtain type in SS number maybe a random question or two code whatever vote take receipt and either pocket or basket shredder to the left. When you walk out know one knows the better unless you deem otherwise.
As far as what ifs about people getting list and releasing to public or using for shady purposes welcome to the real world of human nature. The same fears could be said about our online banking systems yet while violations do occur they are rare and usually limited. Violating a voting record would have no were near the possible gain of violating a banking list of names codes accounts.
Personally in such a district what would worry me more would be a system that would allow a certain few to handle the voting station with anonymous votes no receipts no way to confirm and those same volunteers just simply re stack the deck so to say dropping the ones the don’t like replacing those with ones they agree with. How could that minority ever have a chance of proving such either way unless someone in on the scam came out and ratted? How do we really know that our vote boxes are not opened and restacked now paper or no paper you cant really know if the paper was filled out by me or some snake in a room restacking a voter box.
I just like the idea of confirmation and would be willing to risk the possibility of someone knowing how I voted to cut down on possible fraud. Now the anonymous computer voting with no printed copies to boot would be just begging fraud. But confirmable backed up with paper prints plus the advantage of computer speed that would be awesome. Imagine the guy who shows up to vote for someone else tripping up on the question part then having to go out front and prove who he is (the cost and risk of being caught would be increased exponentially). Imagine someone trying to stack the box with a confirmable record possible.
I do admit biased thou. I support the computer voting because I am a major supporter of the people form of government. I support basically getting rid of both the House & Senate and replacing them with 24/7 shows with pro-con representatives on their explaining why you should vote Y/N in laymen terms on the next bill coming up on the regular weekly Xday vote. I just think we will never clean up government until we drop government. You cannot pay off the majority of the nation but it is well proven you can buy the majority of politicians whether its outright bribes, earmarks, or one for you one for me BS it’s the same dam corruption of the system. The majority rule could have safe guards for certain things requiring a super majority to avoid heat of the moment bad decisions. Each bill could start with a petition then go local vote to state vote to national vote to qualify.
C-Low,
I won’t go into the problems with direct democracy; that’s been covered elsewhere.
I will just limit myself to observing that just because we do not live “in some 3rd world swamp”, we are not pristine. If you’ve never lived in a place where such intimidation is commonplace, it’s hard to know how much subtle and even overt pressure there is, and if you could lose your job or your friends over it, maybe even be killed for it, would you be so willing to vote your mind, or would you bend to the pressure? And if your option is to throw your ballot away, you’ve given up your right to vote and you’re no better off because your SSN will be missing from the information, so they’ll still know you didn’t vote “the right way”.
The fundamental thing that makes our system of voting work is the ability to vote without anyone knowing which way you’ve voted. Otherwise, I could just get some bruisers together and rig any vote any way I want.
I’ll be blunt. The difficulties involved in physically going and casting a ballot =do not concern me=. It should be tougher to vote for elected office than it is to activate your toaster. If that means that people who aren’t very motivated self-select themselves out of the pool of voters, then that is only a bonus. There are plenty of people out there who don’t know enough about -anything- to responsibly cast their vote; some of them realize this, which is good, and others of them don’t realize it but are too apathetic to vote anyway, which is still good. (Think of them as a reserve army of voters. If something goes REALLY wrong, they’ll make it to the polls…)
Frankly, I’m not particularly worried about people who can’t vote normally through some sort of disability. If you can’t use a paper/pencil optically-scanned ballot, you should probably use early voting and get someone you can trust to help you out while you have plenty of time to work on it. If you can’t use a ballot -and- you’re lonely with nobody to trust, you probably have bigger problems than inability to vote, no? ;p Breaking the system to accomodate marginal cases is not a winning proposition.
(Similarily, I don’t cry over ballots discarded due to user error. If you can’t be bothered to mark the ballot properly, that’s probably an indication as to how seriously we should take your vote anyway…)
The weaknesses in the current system are almost entirely on the voter identification end; practically all vote fraud rests on accurately counting votes that should not have been voted, not miscounts of votes that were cast properly. Electronic voting machines don’t fix that. If anything, they make fraud easier, because it can be done at the programming level where it’s not detectable even by partisan observers. Sure, you can publish the source code, but is that REALLY the code that the machine was running? Sure, you can publish a checksum, but is that really the checksum or just something the program printed on your receipt to make the voter think it was?
(Good analogy – Microsoft Windows activation. One of the largest, most powerful, and wealthiest corporations in the world implements a security feature -specifically designed so that people don’t steal their product-… which is about as big a motivation as a corporation can get!… and it’s not only easy to crack but practically routine. Surely subverting a vote is worth more to interested parties than, say, two hundred bucks for an OS?)
All this doesn’t mean that there’s no room for an electronic voting machine. But have it print out a freakin’ paper ballot, with a machine-readable barcode on it, as well as a summary saying “you voted for this guy, this guy, this guy, this guy.” You can run audits to make sure that the machine count matches the paper ballots (and a few more to make sure the barcodes match the printed summary, heh.) If there’s a dispute, go to the paper.
#14,
I know what to do about the people who have trouble reading english. Let them have ballots written in english.
Consider it an incentive system.
I’m 61 I’m interested in reading Israeli sources in Hebrew. So I’m learning Hebrew.
I’m also thinking od picking up arabic. Spoken Hebrew and Arabic are similar. Written completely different.
My point. If voting is important learn english. You then have access to a broader range of sources. Even OFs can do it.
#15,
I too have been a systems architect. I have also had dealings with real code hackers. What we used to call crackers.
Open source. Open source.
Paper ballots and electronic counting. Electronic transmission of encrypted results. Also written tabulations from each precinct that can be manually added at election central.
Double entry book keeping is the only way to go.
If you make the mechanism standard then it is very easy to get people to write open source code for it. The major cost of the design is then reduced to zero.
IBM punch cards can be recounted physically. How does a human count bits? I know. Ask the computer.
The paper ballot keeps the voter separated from his identification. Very important.
#21 makes some good points. I think electronic counting of paper ballots would be OK.
Make the counters cheap enough and you have two machines from different mfgs. count the ballots.
If they agree each sends on the results. If not. Manual recount from the roving recount team.
The main thing is to have checks on the system.
In a disputed election a manual recount is possible if the party wishes to pay for it.
How do you dispute bits in a Diebold machine?
The system not only has to give the technically adept confidence, it has to give confidence to the ordinary citizen. Paper. Electronically counted twice. Hand counted only when the electronics disagree.
Some Democrats think Republicans are stealing elections with Diebold machines.
Let them pay for a recount of paper ballots.
Daniel (#15),
“Heck, print a current checksum of the source on the receipts.”
Uhh, guess again: how do you know the machine hasn’t been compromised in such a way to print phony-correct checksums? As a proof of concept, I submit the various rootkits floating around…
Avatar (#21),
“Breaking the system to accomodate marginal cases is not a winning proposition.”
I like that, but note it does fly in the face of various Federal laws and, perhaps, the 14th Amendment too.
Avatar (#21),
As Kirk Parker (#25) noted, ignoring “marginal cases” is in violation of Federal laws (in this case, the Americans With Disabilities Act), which means any attempted solution will ultimately have to be redone, with all the attendant lawsuits, expense, headache, and fingerpointing that comes with it. We’re better off if we recognize that the entire voting system needs overhauling, and not just the “security” end of it, although we have to address the security concerns as well.
It would be nice if everyone could use “early voting”, but I’ve worked in places where if they weren’t required by law to let you leave work, then you didn’t get to leave. If that’s the only job you can get (and God knows there have been times when that was indeed the only job I could get), then you can’t do early voting.
Also, if you think it’s OK to require some people to let someone else cast their ballot for them, just where are you planning to draw that line? Maybe those folks do have big problems (and perhaps it’s just that they recently moved to the area, and don’t yet know anyone they trust enough to cast a ballot for them), but why should they be disenfranchised on top of all their other problems?
For that matter, why shouldn’t YOU be required to let someone else fill in your ballot — after all, a trained operator would solve all the problems of “user error”. If there’s truly no way to include everyone in the system, then let’s say so; however, if it’s just that we don’t want to put any effort into it, that says something harsh about us as a nation. It’s not “breaking” a system to provide reasonable accommodation; go look at the AutoMark that I referred to above, and see if it meets your ideas for a voting system.
Jeez,
What a paranoid buch of techies. Fear of the great employer/VRWC/Bush-Cheney-Diebold consortium stealing your vote.
I can’t remember a single suggestion in the preceding comments that came close to the real world.
If you fear it, just vote an absentee ballot, and convince all your friends to do the same. If you, or they, are too stupid or lazy to keep your address current for whatever passes as a registar in your area, tough, you shouldn’t be voting anyway. And anybody to addicted or addled enough to not have a home address should definitely not be voting, even tho’ in the last election they voted Donk for a pack of cigarettes.
Mike
Michael, I don’t have a problem with an Auto-Mark style system, though I prefer the added layer of security of a paper ballot which is both machine-readable AND human-readable. The problem with machine-readable-only ballots is that you have no idea if the votes on the ballot match the votes you cast. The problem with human-readable-only ballots is that it makes counting the suckers rather time-consuming. With both on there, you have the ability to check your vote before you turn it in, plus the ease of machine-reading, AND the ballot has both versions of the record on the paper, so if foul play is later suspected, there’s a paper trail. (And one that doesn’t require a big-ass database of who voted for what, at that.)
Nor is the technology hard. Wal-Mart uses it at the freakin’ fabric table, fer chrissake.
I’m sympathetic to the plight of people who have actual disabilities that make things difficult, though I have trouble thinking of a way that a blind man could verify his ballot – they’re NOT going to be printed in braille, and even if his choices are read back to him, does he really know that’s who he’s voting for? Come to think of it, that’s a good analogy for this whole thing… non-verified electronic voting puts EVERYBODY in the position of a blind guy who just had a poll worker cast his ballot, no?
As far as paranoia goes, maybe I should shut up and hack the system myself? Be nice to decide who gets elected, it surely would… I don’t actually want to do this, but I’m smart enough and good enough with computers to pull it off, and there are people out there a lot better with computers than I am. (My ego prevents me from claiming there are people who are a lot smarter, heh.) But not only am I unwilling to do it, I don’t want to have to worry about all those other bright guys out there doing it -either-. Thus, making it harder to do is a big positive.
(Nor would it do any good to just file an absentee ballot myself. I’m not worried that MY vote will be miscounted, duh, but that somebody will systematically misrepresent the votes, something which a few mailed ballots probably can’t counteract… and instead of convincing half the nation to vote early, why not just fix the voting machines?)
Finally, I’m -part- of the vast right wing conspiracy, not fearful of it. But the sword cuts both ways, man…
#27,
I voted for Bush. I’m part of the libertarian Right.
Honest open systems give confidence that the voting was fairly done.
Confidence is as important as accuracy.
It should be part of the specification although not exactly quatifiable.
It is critical that losers be as confident as winners in the system. It reduces the odds of extremely sore losers taking matters into their own hands.
Where you technical guys are blowing it is that you think that accuracy and speed are the only criteria.
Two important others:
Confidence
Anonymity of the Ballot
to add to
Speed
Accuracy
Voter Verification
At track back.
Electronic Voting.
A recap of my thoughts plus a link here.
#25 — “Uhh, guess again: how do you know the machine hasn’t been compromised in such a way to print phony-correct checksums? As a proof of concept, I submit the various rootkits floating around…”
This seems to be an advanced game of “I’m thinking of a number” — one person offers a solution, and then several others imagine flaws. Repeat and rinse.
Hey — we all have powerful imaginations. And there are some really smart people on the board. I can keep thinking up solutions and other folks can keep thinking up ways around them. The goal, however, is not to have a risk-free solution. Such a solution does not exist. The goal is to make the cost of faking one vote more than the value of the vote itself. This is the way security works. The ATM at the bank isn’t foolproof — there are all kinds of ways around it. But in general, there are easier ways to steal money. So the crooks go elsewhere. The ATM system works.
Unless you understand this critical nature of secure systems there will never ever be a voting secure enough for everyone. As for the checksum, I dunno, have a separate EPROM print the checksum through a separate system. Include in the checksum the current tally of votes. Therefore each receipt would be unique based on the person, unique based on their votes, and unique based on the code of the system and memory of the system up to the time that the receipt printed.
If you don’t like that, I have another one involving quantuum computers. But it’s a pretty pointless exercise. In my opinion, outline what you want and bolt some COTS pieces together. Any thing more than that is silly.
M Simon — yes. Open source with backup printed systems kept in a lockbox. I think there is general consensus that even if such a system were hacked, the printed results would provide sufficient audit capabilities to make hacking futile.
What was wrong with the old mechanical voting systems, anyway? They were probably pretty maintenance-intensive, but so what? People seemed to have confidence in them, they were hard to hack, they gave the results instantly, and they did not create ambiguities like “hanging chads.”
The fact that a technology is old doesn’t automatically mean that it lacks value.
I’m with you, David. I don’t think there was anything wrong with the old battleship systems. We have them where I vote, and I don’t see any need to replace them.
I think the _real_ problem is that “how we vote” has become a political issue. That means that we’re never going to be happy with it, and that partisans will argue about it forever. I absolutely think we should eliminate vote fraud — maybe instead of picking a national voting system, we set out standards. Seems to me any kind of reasonable standards would include the system you describe. This does not seem like a practical debate in my opinion. We can spin off into all kinds of high-technology solutions, but when you can pick up bums off the street, give them twenty bucks and a bottle of wine for a vote, voting is going to always be irregular to some degree.
I don’t think print outs from a computer will inspire the required confidence.
Ballots marked by an individual do.
It is a form of double entry book keeping that can be human checked in case of lack of confidence in the machines.
Lack of confidence in the system is why Rs cry about voter verification and Ds cry about bits on chips.
Both need to be satisfied.
Confidence is a very important system attribute.
Daniel,
You (among others) keep bringing up things like the ATM network. As an example of a system that works well enough even though it’s not perfect, I guess it’s OK. But it’s a pretty poor analogy, because of voting’s additional requirement of anonymity. So forget the ATM network, and think about the lack of progress in a workable, widespread e-cash system. I have no idea whether the anonymity requirement doomed e-cash or was merely a small part in its going nowhere, but it’s certainly suggestive.
David Foster,
The old mechanical systems were huge, heavy, expensive to move around at election time, expensive to store between elections, expensive to service–and possibly hackable, too, if you believe various accounts of schemes for faking the zero-reset indicators. The county where I live used them, and breathed a huge sigh of relief when they went away. (FWIW, we replaced them with optical scanners.)
Kirk.
Voting has an anonymity _tabulation_ requirement, not an anonymity transaction requirement. Look at it this way: everybody knows you went to the precinct, stood in line, and did _something_. The tabulation of what that something was is anonymous. But the fact the act occurred is not.
Ergo, it should be possible to give folks non-readable receipts for their votes that would correspond to receipts at the polls. In case of confusion, you could come back, have your receipt read, and check to make sure your vote “really” counted. This provides a fail-safe on the system. Without tracking the fact that your vote took place, the integrity of the system is pretty much bupkis.