We’ve forgotten that things like stuffing ballot boxes, buying votes with alcohol, missing and broken voting machines, and all other manner of manipulation occurred in the past (some more recent than others). I’d argue that on balance, our elections today are the most fraud-free that they’ve ever been, but with the advent of more and more electronic voting equipment (and, heaven forbid, internet voting), the risk may be again growing.
Many of the current systems use a single machine where votes are registered and counted. Most have a paper audit trail, though at least one model uses thermal paper, which is not remotely archival. Those audit trails are rarely machine readable, often consolidate a large number of issues into tiny font, or worse, scroll part of the ballot off because it’s too long.
Combining the voting selection and counting into a single system makes those machines a key risk for failure, whether through fraud, hacking, or simple failure. I had a friend who worked for an IV&V company certifying voting equipment. She’d worked in aerospace and the procedures were as good as any I’ve ever seen, but even with all that, issues still got through – new vulnerabilities, failure to patch machines, or simply insecure design are all problems that still plague us today. There’s simply no way to ‘prove’ that the machines are secure – even through formal validation methods. There are too many machines, too many locations, too many opportunities for tampering, and too much code to test.
So what to do? I believe that looking to the past provides the answer – paper ballots. But let me explain the nuance here. Build one machine on which the voter makes their choice, and then have it print out a paper ballot using good old-fashioned pigment ink/toner so it’s archival. By having the machine print the ballot, rather than a human marking the form, it eliminates the ‘hanging chad’ or ‘improperly marked’ ballot, because the machine prints them.
Once printed, the voter can validate that the printed votes match their intent, and deposit the ballot into a separate machine that tabulates the votes. The paper ballot remains the legal record, and can be preserved for hand counts as long as needed. Splitting the system into two separate machines puts the most complex code – the user interface to cast votes – at a lower risk level, because the voter can verify the output.
The counting machine does need integrity checks and a higher level of validation, but we can mitigate that by using two different machines from different vendors and comparing the results. Of course, that only works if there’s a durable, voter self-validated paper ballot as the legal record, and manual transit between machines.
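The comparison step described above, sketched as an added example (not code from any real voting system): two hypothetical tabulators read the same stack of printed ballots, and any disagreement sends that contest to a hand count of the paper. The record format, the names, and the rule that every mismatch triggers a hand count are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample data: what each (hypothetical) vendor's tabulator read
# from the same three printed ballots. Each record maps contest -> selection.
VENDOR_A = [
    {"mayor": "Alice", "measure_1": "yes"},
    {"mayor": "Bob", "measure_1": "no"},
    {"mayor": "Alice", "measure_1": "yes"},
]
VENDOR_B = [
    {"mayor": "Alice", "measure_1": "yes"},
    {"mayor": "Bob", "measure_1": "no"},
    {"mayor": "Alice", "measure_1": "no"},  # third ballot misread
]


def tally(records):
    """Count selections per contest from one tabulator's records."""
    totals = {}
    for record in records:
        for contest, choice in record.items():
            totals.setdefault(contest, Counter())[choice] += 1
    return totals


def reconcile(records_a, records_b, ballots_deposited):
    """Return (contest, reason) pairs that need a hand count of the paper."""
    issues = []
    # Assumption: poll workers know how many sheets were deposited, and both
    # machines must account for every one of them.
    for name, records in (("A", records_a), ("B", records_b)):
        if len(records) != ballots_deposited:
            issues.append(("*", f"tabulator {name} read {len(records)} "
                                f"of {ballots_deposited} ballots"))
    totals_a, totals_b = tally(records_a), tally(records_b)
    # A contest seen by only one machine compares against an empty tally.
    for contest in sorted(set(totals_a) | set(totals_b)):
        a = totals_a.get(contest, Counter())
        b = totals_b.get(contest, Counter())
        if a != b:
            diff = {c: (a[c], b[c]) for c in sorted(set(a) | set(b)) if a[c] != b[c]}
            issues.append((contest, f"tallies differ (A, B): {diff}"))
    return issues


if __name__ == "__main__":
    for contest, reason in reconcile(VENDOR_A, VENDOR_B, ballots_deposited=3):
        print(f"hand count {contest}: {reason}")
```

Agreement between the two machines is evidence, not proof; the paper ballots remain the record that settles any flagged contest.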
It won’t help with mail ballots (which have a whole separate set of risks), and isn’t exactly cool and modern. But it’ll work. One last thing: let’s keep voting off the internet. That’s, as we say in the business, a bad idea.