Electronic Voting

November 11, 2006

There’s a lot of controversy over touch-screen voting machines. The main problem is that there’s no record of votes whatsoever. Each vote increments a counter. The software (or a person) could modify the counter after all the votes have been registered, and there would be no trace of the modification and no way to do a recount. There would even be no proof that anything had gone wrong, except that exit polls, normally very accurate, would be way off (as was the case in 2004).

The core problem is that we can’t trust what’s in the voting machine. People have suggested opening the source code for wide public review, but this won’t help you unless you can guarantee that this is exactly what will run on the machine on voting day. You could sign the code, but then you’d have to guarantee that no one else could sign malicious code, and so on.

We need a solution that doesn’t require any trust of any kind. Jen had a brilliant idea: when you vote, your votes are recorded and you’re given a universally-unique identifier, printed by the machine. All votes are sent to a central database, and this database is made publicly available for download. Services would immediately pop up to allow people to verify their votes, given their IDs. If enough people from one precinct complained that the database’s record didn’t match how they voted, you’d know that someone had modified the database or the software.

Let’s try to see how this could break. Firstly, maybe this database would be too big. 79 million people voted in the U.S. 2006 elections, according to CNN. If each person votes on 30 items (including local politicians and propositions), that’s 2.3 billion entries in the database. That’s large, but there are plenty of databases in existence that are that big. We could split it up by state, or smaller, if necessary.

Secondly, maybe people would be afraid of checking their votes online for fear of having their IP address linked to their vote identifier. One answer to that is that many people will be able to download this database, so you can use an organization that you trust. Another is that the system could ask you for all but two of the digits in your identifier, and show you the 100 matching results. You could scroll through the list and find your entry. Someone who had your IP address wouldn’t be able to draw any conclusions about you since you could be any of those 100 (randomly-selected) people.

Thirdly, maybe someone could introduce more votes into the database, rather than changing or deleting existing votes. Perhaps the voting machine’s software could be programmed to submit fake votes every few minutes. This is a more serious problem. One solution is to print out two receipts, both with the same unique identifier. The voter would visually verify that the identifiers matched, keep one, and put the other one into a sealed box. When the counts from the machine don’t match the ones reported by the voting location, you could open the box and discard all votes that don’t match any identifier found in it. You could still beat this by having those working at the voting location print out the fake receipts after everyone else has gone home, assuming that they’re the ones who modified the software. They would also report a count that matched the new fake number, so as not to attract attention. This is probably no worse than the current paper ballots, which can also be faked by the voting location. We’re back to requiring the collusion of hundreds of people.
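As an added illustration (not part of the original post), here is a small Python model of the two mechanisms above: the all-but-two-digits lookup from the IP-address discussion and the sealed-box reconciliation from the fake-vote discussion. It assumes identifiers are zero-padded decimal strings and uses constructed votes; it also shows a caveat the post leaves implicit: the 100-entry anonymity set only exists when the identifier space is fully populated, while sparse random identifiers leave the two withheld digits hiding nobody.

```python
import random
from typing import Dict, List, Set, Tuple

CANDIDATES = ("A", "B", "C")   # constructed ballot choices

def issue_identifiers(n_voters: int, digits: int, rng: random.Random) -> List[str]:
    """Hand out n_voters distinct zero-padded identifiers from a 10**digits space.
    Only when the space is full (n_voters == 10**digits) does every
    all-but-two-digit prefix have exactly 100 completions."""
    return [f"{x:0{digits}d}" for x in rng.sample(range(10 ** digits), n_voters)]

def record_votes(ids: List[str], rng: random.Random) -> Dict[str, str]:
    """Constructed public database: identifier -> vote as cast."""
    return {i: rng.choice(CANDIDATES) for i in ids}

def lookup_by_prefix(db: Dict[str, str], identifier: str) -> Dict[str, str]:
    """The post's query: send all but the last two digits, get every matching
    row back, and pick out your own entry locally. The result is the anonymity set."""
    prefix = identifier[:-2]
    return {i: v for i, v in db.items() if i[:-2] == prefix}

def reconcile_with_sealed_box(db: Dict[str, str], box: Set[str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Keep rows whose identifier is on a receipt in the sealed box; any row
    without a receipt is treated as injected and discarded."""
    kept = {i: v for i, v in db.items() if i in box}
    discarded = {i: v for i, v in db.items() if i not in box}
    return kept, discarded

def demo() -> dict:
    rng = random.Random(2006)
    # Dense precinct: 10,000 voters fill a 4-digit identifier space.
    dense_ids = issue_identifiers(10_000, 4, rng)
    dense_db = record_votes(dense_ids, rng)
    dense_set = lookup_by_prefix(dense_db, dense_ids[0])
    # Sparse precinct: same voters with 12-digit identifiers; prefixes are
    # nearly unique, so the two withheld digits no longer hide anyone.
    sparse_ids = issue_identifiers(10_000, 12, rng)
    sparse_db = record_votes(sparse_ids, rng)
    sparse_set = lookup_by_prefix(sparse_db, sparse_ids[0])
    # Injection: the machine submits extra votes for which no receipt exists.
    fakes = {i: "A" for i in (f"{x:012d}" for x in range(8)) if i not in sparse_db}
    kept, discarded = reconcile_with_sealed_box({**sparse_db, **fakes}, set(sparse_ids))
    return {"dense_anonymity_set": len(dense_set), "found_self": dense_ids[0] in dense_set,
            "sparse_anonymity_set": len(sparse_set), "kept": len(kept),
            "discarded": sorted(discarded), "fakes": sorted(fakes)}

if __name__ == "__main__":
    print(demo())
```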

Fourthly, with the current system, if person A wants to threaten or bribe person B into voting a certain way, there’s no way for him to verify that B voted as he was supposed to. But with this system, person B could be required to return the receipt for person A to check online. I don’t know how serious a problem threats and bribes are in practice. Note that absentee ballots, which are becoming increasingly common, have the same problem.