Text about Rush Holt’s Voter Confidence and Increased Accessibility Act via CATO, which serves as a reminder that lawyers and politicians should not be allowed to design algorithms (or do math).

How to Reform E-Voting

It bans the use of computerized voting machines that lack a voter-verified paper trail. It mandates that the paper records be the authoritative source in any recounts, and requires prominent notices reminding voters to double-check the paper record before leaving the polling place. It mandates automatic audits of at least three percent of all votes cast to detect discrepancies between the paper and electronic records. It bans voting machines that contain wireless networking hardware and prohibits connecting voting machines to the Internet. Finally, it requires that the source code for e-voting machines be made publicly available.

This proposal shovels too many irrelevant requirements on the problem. Clearly the author cannot distinguish between essentials and what just sounds good.

Early in my career I ran into an observation from Butler Lampson (in a copy of Hints for Computer System Design) which can be paraphrased as:

Only end-to-end checks matter - everything else is (or should be) an optimization.

The same principle applies in this case. To be sure an election is counted accurately we need to be able to detect votes added, changed, or deleted. On one end we have the voters casting their votes. On the other end we have the recorded tally of all votes cast. Given a check that the two ends match, we don’t need anything extra in the middle.

No system is ever perfectly secure. With enough corrupt people in enough places, any election (as with any other security system) can be subverted. What we can do is make the expense and risk of detection very high. We can make elections more reliable and more secure than was possible in the past, with some clear design principles and relatively simple software and hardware.

To ensure votes are not changed after they are cast by the voter:

  • Give the voter a record of their vote. No personally identifying information, just an ID number (randomly generated and used only once) and a list of votes.
  • Publish a public tally of all votes. Anyone can check that the numbers add up. Any voter can verify that their votes are present and accurate.

To ensure voters are not falsely added or removed:

  • Print a list of all votes recorded at a polling place at close of polls - one copy to post outside the polling place, and a reasonable number of copies for anyone interested.
  • The published public tally of all votes must include the polling place. Anyone can check that these totals match.

To trust the local results, both the hardware and software designs must be published for public review and approval far in advance of the election. Interested parties must have an opportunity to spot-check the hardware and software both before and after the election. Very likely well-designed and well-reviewed software and hardware will see very wide use (in this country and others). Counting votes is not complex. Getting the hard parts of the design right need only be done once.

To trust that the voter’s receipt is genuine, record a cryptographic “fingerprint” for each vote, and print the fingerprint on the voter’s receipt, the polling place tally, and the final public tally. Combined with open, reviewed, and verified hardware and software designs (this is essential), this makes election results almost impossible to subvert without detection. This is a huge improvement over the present.
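The receipt, polling-place list, public tally and fingerprint described above fit together as one end-to-end check. The following Python simulation is an added example written for this page, not code from the original post or from any real voting system; the record layout, the SHA-256 fingerprint over a canonical serialization, and the sample precincts and ballots are all constructed assumptions. It builds a small election, lets a voter and an outside observer run their checks against an honest tally, and then shows that a vote altered after casting or a ballot silently dropped fails those same checks.

```python
import copy
import hashlib
import secrets
from collections import Counter


def new_receipt_id():
    """Random, single-use receipt ID (128 bits); it carries no voter identity."""
    return secrets.token_hex(16)


def fingerprint(receipt_id, votes):
    """SHA-256 over a canonical serialization of (receipt ID, votes).
    Assumed format for this example: 'id|contest=choice|...' with contests sorted."""
    canonical = receipt_id + "|" + "|".join(f"{c}={v}" for c, v in sorted(votes.items()))
    return hashlib.sha256(canonical.encode()).hexdigest()


def cast_vote(ledger, polling_place, votes):
    """Record a ballot at a polling place and hand the voter a receipt."""
    rid = new_receipt_id()
    fp = fingerprint(rid, votes)
    ledger.append({"id": rid, "place": polling_place, "votes": dict(votes), "fingerprint": fp})
    return {"id": rid, "votes": dict(votes), "fingerprint": fp}


def close_of_polls_list(ledger, polling_place):
    """The list of records printed and posted at a polling place when polls close."""
    return copy.deepcopy([r for r in ledger if r["place"] == polling_place])


def publish_tally(ledger):
    """Central publication: every record, per-place totals, and the grand total."""
    per_place = {}
    for r in ledger:
        per_place.setdefault(r["place"], Counter()).update(r["votes"].items())
    total = Counter()
    for counts in per_place.values():
        total.update(counts)
    return {"records": copy.deepcopy(ledger), "per_place": per_place, "total": total}


def voter_check(receipt, tally):
    """The voter's end-to-end check: my receipt appears, unchanged, in the public tally."""
    for r in tally["records"]:
        if r["id"] == receipt["id"]:
            return (r["votes"] == receipt["votes"]
                    and r["fingerprint"] == receipt["fingerprint"]
                    and fingerprint(r["id"], r["votes"]) == r["fingerprint"])
    return False  # the vote never made it into the tally


def observer_check(tally, posted_lists):
    """Anyone's check: fingerprints recompute, posted lists match, and the numbers add up."""
    for r in tally["records"]:
        if fingerprint(r["id"], r["votes"]) != r["fingerprint"]:
            return False
    if set(posted_lists) != {r["place"] for r in tally["records"]}:
        return False  # a polling place missing from, or invented in, the tally
    for place, posted in posted_lists.items():
        published = sorted(r["fingerprint"] for r in tally["records"] if r["place"] == place)
        if published != sorted(r["fingerprint"] for r in posted):
            return False  # records added or removed between close of polls and publication
    per_place = {}
    for r in tally["records"]:
        per_place.setdefault(r["place"], Counter()).update(r["votes"].items())
    if per_place != tally["per_place"]:
        return False
    total = Counter()
    for counts in per_place.values():
        total.update(counts)
    return total == tally["total"]


def demo():
    """Constructed sample election. Returns (honest_ok, altered_detected, dropped_detected)."""
    ledger = []
    receipts = [
        cast_vote(ledger, "Precinct 1", {"Mayor": "A", "Prop 7": "Yes"}),
        cast_vote(ledger, "Precinct 1", {"Mayor": "B", "Prop 7": "No"}),
        cast_vote(ledger, "Precinct 2", {"Mayor": "A", "Prop 7": "No"}),
    ]
    posted = {p: close_of_polls_list(ledger, p) for p in ("Precinct 1", "Precinct 2")}
    honest = publish_tally(ledger)
    honest_ok = all(voter_check(r, honest) for r in receipts) and observer_check(honest, posted)

    # One vote changed after it was cast; the record is made internally consistent
    # again, yet it still disagrees with the receipt in the voter's hand.
    altered = copy.deepcopy(ledger)
    altered[0]["votes"]["Mayor"] = "B"
    altered[0]["fingerprint"] = fingerprint(altered[0]["id"], altered[0]["votes"])
    altered_detected = not voter_check(receipts[0], publish_tally(altered))

    # One ballot dropped before publication: the voter cannot find it, and the
    # posted polling-place list no longer matches the published records.
    dropped_tally = publish_tally(copy.deepcopy(ledger)[1:])
    dropped_detected = (not voter_check(receipts[0], dropped_tally)
                        and not observer_check(dropped_tally, posted))
    return honest_ok, altered_detected, dropped_detected


if __name__ == "__main__":
    print(demo())
```

Nothing in the middle (the machine, the transmission, the counting software) is trusted here: the receipt and the posted list are compared directly against what was published, which is the point of the end-to-end check the post argues for.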

Today, once you cast your vote, you have no idea if it was counted. Today, when the votes leave my polling place, I have no way of verifying that they were recorded. What we lack is an end-to-end check.

By itself, a “paper trail” does not prove anything, and “paper records” used for a recount are not certain to be more reliable. Automatic recounts - without an end-to-end check - do not prove a thing. The end-to-end check is essential, and it is what we lack.

Banning wireless networks and connections to the Internet is silly. Both are sources of possible problems (I would be extra-wary if a design used either), but the problems are avoidable. Even though wireless networks and the Internet are both insecure, software folk figured out quite a while ago how to make secure connections across insecure networks (see Secure Shell for a widely used example). I can sit in my backyard using a laptop connected to my wireless network and from there to the public Internet - and connect securely to computers anywhere on the Internet, using freely available and publicly reviewed software (and have done this for years).

Open review is essential. Banning specific technologies is unnecessary.

We can make fairly simple use of existing technology to make voting more reliable and more secure than was ever possible with paper ballots - if the design is right.