A workable electronic voting system

This was originally posted on the old modestproposal.org in 2003. You can find a link to the original story via the Internet Archive.

Following the 2000 Presidential election it was shown that existing voting technology was antiquated, confusing to use, and in many cases a direct cause of voter disenfranchisement. A call was put forth by the state of Florida, which had borne the brunt of the backlash to this old technology, to modernize their voting system to achieve the following goals.

  • A simplified ballot that allows most everyone to understand and vote for their chosen candidate.
  • A system where votes could be clearly tallied with no hanging or dimpled chads.
  • A system that would allow ease of tallying and eliminate tallying errors.

The Problem:

The problem here is simple: privacy. We have developed a system of anonymous voting in this country that lets people vote for unpopular candidates or referendums without fear of reprisals or scorn. In short, my vote is my business and no one else need know how I voted.

Any electronic voting system implemented must maintain this privacy or else it will do more harm than good by effectively disenfranchising those who do not wish their voting habits known.

The Modest Proposal:

A computerized voting system that maintains anonymity, allows for simple (hopefully error-proof) selection of candidates, and allows for easy tallying and recounting (should it be necessary).

The system will work as follows:

  1. An election judge/worker will verify the eligibility of the voter and issue them a voter ID card.
  2. The voter will take the card to a voting machine which will read the card, present the candidates/voting items and after the voter makes their selections print their ballot.
  3. The voter will take their ID card and their ballot and they will both be read and kept by a tallying machine.
  4. At the end of the day the tallying machine will report the results for that precinct.
  5. Should a recount be necessary the ballots are available.

Now let me break that down…

1. An election judge/worker will verify the eligibility of the voter and issue them a voter ID card.

I am a firm believer that people should be involved in the voting process, and while I don’t want them in the booth with me, I would rather a human being verify each voter’s eligibility than use a machine. First off, this allows for unusual situations such as day-of registrations (which many states allow) as well as situations where voter record information is either inaccurate or out-of-date.

Once the judge has verified that the voter is qualified to vote at this precinct they shall issue them a signed (or initialed) voter ID card.

2. The voter will take the card to a voting machine which will read the card, present the candidates/voting items and after the voter makes their selections print their ballot.

When the voter enters the booth the machine will display a simple message such as “Insert Card”; no other input will be accepted and the keyboard will be disabled. Once the voter inserts the card issued to them by the election judge, the machine will read the barcode and confirm that it is a valid card. The machine will then display the ballot one election at a time. Each election will consist of one office or referendum (e.g. President, Senator, Governor, Mayor, School board levy, etc.). The voter will select their candidate by pressing directly on the candidate’s name on the screen. After each choice the voter will be asked to confirm their selection before continuing to the next election. Once the voter has chosen and confirmed their selections for all elections in the precinct, they will be shown a ballot consisting of all of their elections with their choices listed. They will be asked one final time to confirm all of their selections, and once they do they will be told to remove their Voter ID card from the card reader. Once the card is removed their ballot will be printed.

The printed ballot will consist of plain text listing each election and the chosen candidate/decision and a 2D barcode at the bottom. The 2D barcode will consist of the choices made plus the unique ID number from their voter card.

3. The voter will take their ID card and their ballot and they will both be read and kept by a tallying machine.

The voter will insert their voter ID card into the labeled slot on the Tally machine. The Tally machine will read the barcode on the ID card and then signal the voter. After the signal the voter will then insert their ballot into the Tally machine. The machine will read the barcode on the ballot and after verifying the ID matches the card, record the proper votes for the proper candidates. The machine will then mark both the ID card and the ballot with a sequential number. Finally the machine will keep and store the ID card and ballot in separate storage areas for archival purposes.

4. At the end of the day the tallying machine will report the results for that precinct.

Once the final ballots have been recorded the election judge will flip a switch on the Tally machine. The machine will then transmit an encrypted message back to the state host system containing the exact tally for the ballots in the machine.

5. Should a recount be necessary the ballots are available.

Also at the end of the day the collected ballots should be returned to a secure central location for storage. Should a recount be necessary, the ID cards can be checked to verify the judge’s signature/initials, and should any fail the check, the corresponding ballot with the same sequential number can be removed as well. At that point it is simply a matter of going through each ballot and verifying what is written on each; they should all be easy to read.

Parts of the system

The Voter ID Card:

  • This shall be a card of either heavy bond or light cardboard.
  • It shall be white or off-white (for ease of digital reading).
  • On the front of the card:
    • The identity of the Precinct
    • The space for the signature or initials of the issuing election judge
    • A 2D barcode containing a unique id number.
  • The back of the card shall contain the same barcode as the front

The election judge will sign or initial each of these cards. Each card contains a unique non-sequential number in the barcode; the number is not written anywhere on the card other than in the barcode. This prevents the judge or anyone else from noting the ID number given to a particular voter, and as these cards contain nothing to identify the voter they are issued to, this ensures that there is no direct correlation between a voter’s name and his or her choices.

The Voting Machine:

Each voting machine shall consist of a computer with the following parts/specifications:

  • A touch screen monitor/display
  • A CD-ROM drive
  • A Keyboard (for entry of write-in candidates’ names)
  • A Card Reader to read the Voter ID Card
  • A Laser or Ink Jet Printer
  • A UPS (uninterruptible power supply)
  • The PC itself shall be diskless (i.e. no Hard Drive or Floppy Drive)

At the beginning of the election day a specially prepared CD-ROM will be inserted into each voting machine and the machine will be booted from the CD. In addition to a secure operating system, this CD shall contain the voting software and a list of the elections/voting items for that precinct. This serves a dual purpose: in addition to ensuring that each voting machine has the same accurate list of elections, it will prevent tampering, in that if a voter attempts to reboot the machine to gain access to the underlying software it will simply stop at boot and wait for the CD.

The printer used to print the ballots is recommended to be a laser printer (for volume of pages) with a straight paper path (to minimize jams), although an ink jet printer could be used as long as steps were taken to ensure that it does not run out of ink.

The Voting Software:

A simple clear interface that even my grandmother could use (think ATM machine here). Simple clear choices, each election (President, Governor, Senator, Mayor, School tax levy, etc) shall be presented independently and the choice of each verified before continuing to the next.

An option shall be given on each election to abstain (i.e. not vote) should a voter not wish to endorse any of the candidates. Also, where applicable an option shall exist for Write-In candidates. If this write-in option is chosen, the keyboard will be activated and the user will be allowed to enter the name of his choice. After entering the name the keyboard will be again disabled.

Note: this is the only time any input other than the touch screen will be accepted; as such, great care should be taken to ensure malicious individuals do not cause harm to the system.

The voting software will be loaded off of a specially prepared CD, in addition to the voting software, this CD shall contain a secure operating system, printer and scanner drivers, and anything else necessary to operate the voting machine.

For security purposes the software will not run until the CD is removed from the CD-ROM drive.

The Tally Machine:

The voter interface for this machine will consist of: one ID card sized slot, one ballot sized slot, and a display. The display will first request the ID card. After it verifies it is a valid ID card and verifies the ID number, it will request the ballot. It will verify the ID number on the ballot matches the ID card. It will then print a sequence number on both the ballot and ID card and file them appropriately. Finally it will record the votes cast for each election on the ballot appropriately.
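The Tally machine flow above, together with the recount rule from step 5, as an added Python sketch (not code from the original post). The JSON barcode payload, the 128-bit card ID, the one-ballot-per-card check and all function names are assumptions made for illustration.

```python
import json
import secrets
from collections import Counter


def new_card_id():
    # Unique and non-sequential; 128 random bits is an assumed size.
    return secrets.token_hex(16)


def ballot_barcode(card_id, choices):
    # Assumed payload layout: the card ID plus {election: choice}, as JSON.
    return json.dumps({"id": card_id, "choices": choices})


class TallyMachine:
    def __init__(self):
        self.tally = Counter()  # (election, choice) -> votes
        self.cards = {}         # sequence number -> card ID (card storage)
        self.ballots = {}       # sequence number -> choices (ballot storage)

    def accept(self, card_id, barcode):
        """Verify the ballot matches the card, count it, stamp both."""
        ballot = json.loads(barcode)
        if ballot["id"] != card_id:
            raise ValueError("ballot ID does not match card")
        if card_id in self.cards.values():
            # Defensive addition, not stated in the post: one ballot per card.
            raise ValueError("card already tallied")
        seq = len(self.cards) + 1
        self.cards[seq] = card_id
        self.ballots[seq] = ballot["choices"]
        self.tally.update(ballot["choices"].items())
        return seq

    def recount(self, rejected_seqs):
        """Recount stored ballots, skipping those whose card failed the check."""
        result = Counter()
        for seq, choices in self.ballots.items():
            if seq not in rejected_seqs:
                result.update(choices.items())
        return result


if __name__ == "__main__":
    m = TallyMachine()
    card = new_card_id()  # constructed sample voter
    m.accept(card, ballot_barcode(card, {"Mayor": "Smith"}))
    print(m.tally, m.recount(set()))
```

Because the ballot barcode carries the card ID and both pieces receive the same sequence number, card and ballot remain linkable in storage; the anonymity argument therefore rests on no record tying a card ID, or a position in the tally order, to a named voter.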

At the end of the day an election judge will activate an end-of-day cycle. This will consist of the Tally machine contacting the state host system and transmitting the results of its tallies in an encrypted form to that host system. The simplest way to do this is with a phone line and modem, although wireless, cellular, or even satellite may be utilized in remote areas.

The Tally machine will consist of a PC programmed again by a custom CD. This will allow the accurate listing of each candidate and each election to ensure that there are no reporting anomalies. The Tally machine operates without user intervention throughout the day until it is time to process and send the final tally.

The Central Host:

The central host serves two functions. It can be either a single powerful computer or several smaller computers that share the same data. The term Central Host is a bit of a misnomer as it is not the final, or central, repository of the voting data. The Central Host is more of a go-between, serving as a host for the local precincts and allowing us to minimize the number of systems connecting to the state central system. Also, by creating the central system on a regional rather than statewide system, information on local candidates can be maintained by those with more direct knowledge of the local situation.

Prior to election day, the central host maintains the candidate lists for each precinct it controls and when the time comes builds the CDs used for the voting machines.

At the end of election day each Tally machine connects to the Central Host and uploads its election data. This data is then compiled and sent on to the state level for final tally and reporting.