A proposal for a Trustable Electronic Voting System
1. The voting process starts with a voter walking into a polling station and presenting his/her ID. This is verified by the officials, and possibly representatives of the candidates, and once verified, the Voter is issued a Physical Token. This Token is NOT generated on demand, and can be something like the tokens used at game arcades. Each token needs to have a globally unique serial ID, which would need be changeable. Each polling booth is issued a fixed number of voter tokens, enough for the total number of voters expected to show up at a booth. Any unused tokens need to be returned to the Election Authority.
2. The voter takes the token (remmeber that this token is not associated with his identity in any way) and walks up to the voting machine. This machine consists of a touch screen with the poll options on it. The machine activates when the voter drops the token into its slot. The user makes his/her selection, confirms it, and is issued a printed reciept of his/her choice. The machine keeps a running tally of the votes polled, but does NOT communicate the vote to any central server. This information is kept secure inside the machine itself, and the machine needs to be made physcially temper proof and temper-evident. At the end of the polling process, all the voting mashines can be collected together and an authorized elction officer can instruct the machine to reveal the poll results. All results from all machines can be tallied to get the final election result.
4. The receipt format would be a standardized one, established by the febderal election officals, including the fonts, sizes and the information content. It will have on it, printed, the day/date and identifier of the particular election and the id of the machine which issued the reciept, and in large fonts, the selection made by the voter.
5. The voter checks on the reciept to make sure the information on the reciept matches what he had punched in. If not, the vote is invalid, and he/she gets to vote again.
6. If the reciept information is valid, the voter proceeds to another machine, where he/she inserts the reciept into a slot. This second machine reads the receipt using Optical Character Recognition, and maintains its own independent tally of votes polled. It also securely holds all the receipts in a safe vault inside it. The first machine and this second machine are not linked in any way.
7. The first machine and the second machine must not be made by the same manufacturer, or by companies with substantial holding by common entities.
8. Ideally, the token and the receipt would be federal standards, and the machines themselves can be made by any number of companies. They would need to get certified by a testing body. The certification test would focus on standards compliance (including such standards as physical size, accessibility, etc).
9. A single company may make both the machines, but in any specific poll booth, machines from two indepepdent manufacturers need to be used.
At the end of the election, the polling officials return to a central location with all the unused tokens, and the sealed machines. The total number of votes polled by both the machines, and the number of tokens issued is first matched. Then both the machines are activated and the total tallies of votes taken and matched against each other. In case of mismatch, the paper reciepts are retrieved from the second machine, and counted by hand.
The crucial points are:
1. Two independent tallies of the same votes, with a trail between corresponding votes (the receipt carries the token ID, so from the machines databases, one can match if Machine 1 registered a vote for Party A while Machine 2 registered that same vote for Party B).
2. The receipt is human readable, and the same information as read by the human is also read by the second machine, using OCR. Bar-codes, RFIDs, silicon memory, etc are not used, as there is no way for the voter to verify that the bar-code information (or RFID or smart card memory) information is the same as the one printed on the receipt.
3. The machines themselves need not be secure or made by trusted parties (so even Diebold can make them, they seem really eager anyways ;-). They of course need to have physical security. As there is no network connnectivity, there is no chance of remote hacking. Local hacking can be prevented by access controls and physical security, and limiting the amount of time a voter spends at the machine.
4. There is a paper trail in case of conflicting results. Also any conflicting results can be analyzed in detail and the fault located to either of the machines using automatic analysis.
Post your thoughts below.