About the Author

Chris Shiflett

Hi, I’m Chris, a web craftsman making things like Mapalong & Brooklyn Beta with my friends at Analog.

Foo Camp and Electronic Voting

I'm at Foo Camp this weekend, an ad hoc gathering hosted by Tim O'Reilly. Tim describes Foo Camp as follows:

Foo Camp is a creation of the people who attend. We're inviting people who're doing interesting works in fields such as web services, data visualization and search, open source programming, computer security, hardware hacking, GPS, and all manner of emerging technologies to share their works-in-progress, show off the latest tech toys and hardware hacks, and tackle challenging problems together.

One of the challenging problems we have tackled is electronic voting. While Foo Camp attendees span all corners of the technology industry, we all agree on the basic approach that needs to be taken in order to offer a reasonably secure, feasible, and simplistic solution.

The most interesting aspect of the proposed solution is that it actually involves less technology and sophistication than other solutions that have been proposed in recent years - and this from a group of technology enthusiasts. The basic idea is that a two step process is needed:

  1. In the first step, the voter uses a machine to select the desired candidate, and this machine prints a ballot that displays the selection in a standardized font that is easy to read using an OCR technology. This ballot does not include any personal information about the voter; only the voter's selection is indicated.
  2. The second step involves the voter presenting this ballot to the election officials, and this is where voter eligibility and such are verified. An eligible voter then inserts the ballot produced by the first step into a counting machine (the one that performs the OCR), and here it is recorded. The consumed ballot is kept for confirmation.

There are quite a few benefits to this solution, the biggest of which is that it does not attempt to be a perfect solution. It also manages to closely resemble the existing process while making several notable improvements. Other benefits include:

  • No reliance upon the security of the first step (because the ballots are not counted until the second step) in addition to the opportunity for third parties to make financial gains (proprietary implementations are fine, since security only matters in the second step).
  • The first step allows for multiple methods of error reduction as well as evidence of each vote due to the fact that a physical ballot is generated.
  • Potential for future improvements, including the ability to generate ballots (first step) from locations outside of the secure voting area (because another ballot can always be created in the secure voting area, eliminating concerns of coercion).
  • The voters themselves have an opportunity to verify the first step, because the output is human readable, and this output is exactly what is read and recorded.
  • The second step relies upon an open standard, and implementations are required to be open source and thoroughly reviewed by software professionals.
  • Multiple implementations of the second step are possible, strengthening the reliability and security.
  • There is little cost in increasing the verification efforts for situations where the vote is closer than the tolerance level of this system.

There are other details, but this should give you a general idea. More formal specifications and such are in the works. Feel free to suggest weaknesses and improvements to this system; this is still a work in progress.

About this post

Foo Camp and Electronic Voting was posted on Sun, 12 Sep 2004 at 05:42:43 GMT. Follow me on Twitter.

6 comments

1.cmoneti said:

Even simpler: forget the machines for the first step; just mark machine readable paper ballots (like old school standardized test with no. 2 pencil --accept use ink). Voter then proceeds as in step 2, passing ballot through a tallying machine. Multi-lingual ballots are no problem (just printed paper); a copier can make more on the spot as needed. Result is cheap, no computers to program, a paper trail, and a reassuring voting experience.

Mon, 13 Sep 2004 at 02:24:57 GMT Link

2.Randy Tremaine said:

It allows for alterations to made to the "ballot" by the individual voter. It is plausible that a alteration could be made that would cause an inaccuracy in the ballot counting process that may cause multiple votes to be cast or votes to be removed.

Does little to make voting more convenient and rapid for voting officials which is the primary aim of "electronic" voting methods.

Provides additional opportunity for fraud by voting officials. Voting officials generate or forge extra ballots and stuff them in the OCR machine.

Does not improve speed and accuracy of recounts and audits. One is still counting pieces of paper by hand and we saw how well that works last time in Florida.

Does not address challenges of properly identifying voters electronically.

Wed, 15 Sep 2004 at 16:03:28 GMT Link

3.David Sklar said:

Randy writes:

> It allows for alterations to made to the "ballot" by the individual voter.

I suppose this is true (unless the machines print MICR-style ink or something, which would probably be expensive overkill), but verification of proper reception of the ballot by the tabulating machine could catch a lot of this.

> Does little to make voting more convenient and rapid for voting

> officials which is the primary aim of "electronic" voting methods.

I disagree that that should be the primary aim of any voting method (Instead, I think the primary aim should be reliable and usable tabulation of the electorate's votes), but this system does make things more convenient and rapid for voting officials -- it has the speed benefits of an electronic system and the auditability benefits of a paper system.

> Provides additional opportunity for fraud by voting officials.

> Voting officials generate or forge extra ballots and stuff them in the OCR machine.

This is going to be a risk in any election system. At the primary election yesterday in New York, I could have generated a few hundred fake votes easily -- I just would have needed the cooperation of the five other people working the same voting machine as me. The guard against that attack (and the one mentioned above) is the redundancy of having many poll workers of varying political affiliations all watching each other. It works pretty well. The most efficient way to mount this sort of fake-vote attack is much further up the food chain than the single precinct or election district level, anyway.

> Does not improve speed and accuracy of recounts and audits.

> One is still counting pieces of paper by hand and we saw how well

> that works last time in Florida.

Recounts can be done speedily and accurately by re-feeding all of the ballots into the the same or different OCR machines. Multiple times if so desired.

If by audits you mean checking that the calculated vote total equals the votes on the actual ballots, then you need the actual ballots for that. That is difficult with an all-digital ballot.

Many problems in Florida in 2000 had do to not with the fact that the recount was *manual* but that the activities that the recounters had to do were time consuming and ambiguous. Sorting pieces of paper based on what name is printed on them in 18 pt type is much easier than shining a light through a sheet of paper to determine how much a little chad is hanging off the paper.

> Does not address challenges of properly identifying voters electronically.

Absolutely true. Also does not address challenges of making sure elected officials actually meet their campaign promises, the challenges of preventing mayonnaise from separating in hot weather, or the challenges of eliminating blog comment spam.

This system lets someone vote once the local authorities have admitted someone to the ballot/tabulation area. The authorities do this however they want, modulo federal and state election law and local tradition. This could be digital or it could be analog. The maintenance and security of voter rolls is an interesting problem, but can be dealt with separately from the problem of making it easy for citizens to cast their votes and for voting officials to tabulate those votes.

Wed, 15 Sep 2004 at 16:58:03 GMT Link

4.Chris Shiflett said:

cmoneti writes:

> Even simpler: forget the machines for the first step; just mark machine

> readable paper ballots (like old school standardized test with no. 2

> pencil --accept use ink).

This was discussed, and Dave reminded me of the problems that were brought up:

> Using the bubble sheets introduces error possibilities along the lines of

> "Is this bubble all the way filled in?", "What if N+1 bubbles are filled

> in but only N bubbles are allowed to be filled in for a race? Etc."

He has also put up a nice PDF that illustrates the flow as well as identifies which steps take place within the secure voting area:

http://www.sklar.com/files/foo-vote.pdf

Wed, 15 Sep 2004 at 20:20:43 GMT Link

5.cmoneti said:

Chris Shiflett writes:

> Using the bubble sheets introduces error possibilities along the lines of

> "Is this bubble all the way filled in?", "What if N+1 bubbles are filled

> in but only N bubbles are allowed to be filled in for a race? Etc."

I should have elaborated that the tally/OCR machine should be designed to invalidate erroneous ballots, allowing the voter to try again with a new ballot.

Other thoughts:

* The tally/OCR machine must be "configurable", but should not be a fully programmable computer. (safer and cheaper)

* Counting votes by machine is important for ballot validation, not counting accuracy or speed.

* Counting is distributed accross ~100k+ voting stations (for national elections); most voting stations receive

only a few hundred ballots each. Hand counting is not difficult or slow.

*Not having state and national running totals makes it hard for operatives to know where and how much they have to cheat.

Thu, 23 Sep 2004 at 16:16:02 GMT Link

6.Chris Shiflett said:

There are now voting standards for review:

http://eac.gov/vvsg

Thu, 01 Nov 2007 at 05:21:03 GMT Link

Hello! What’s your name?

Want to comment? Please connect with Twitter to join the discussion.

Work and Books

Analog Essential PHP Security HTTP Developer's Handbook