Sunday, July 29, 2007

E-Voting Worries Emerge Again

Instapudit is beginning to beat the drum on paper trails for voting. I'm all for verifiable voting, and I'm as scared of an all-electronic system as anybody else, but a paper receipt doesn't fix the problem.

It's too easy to have the receipt jibe with the input at the polling station but still be tampered with downstream as the votes are collected and tabulated. The correct system preserves the recorded ballot from the polling station all the way up through to the central compilation of votes.

How 'bout this: You vote on an e-machine and you are presented with a paper record number. Your ballot is only referenced by the record number, not by your name or any other identifier, preserving secrecy. If you want to get really fancy, you can have the voter enter a PIN number, so that display of the ballot requires both the record number and the PIN. This merely prevents somebody from filching your number and finding out how you voted.

Later, the voter can log on to a central web site and enter the record number (and PIN), causing the ballot to be displayed. If the ballot jibes, no problem. If not, the voter complains.

A small number of complaints are to be expected, due to the contrariness and/or poor memory of the electorate. A small amount of background noise would be discounted. However, any statistically significant number of complaints would be investigated for evidence of fraud.

This is a somewhat more expensive system, in that it requires that all ballots be preserved electronically, which takes more memory. It also requires printers, which are widely considered to be the bane of all precinct workers. (Printers need paper, they run out of ink, and they jam, requiring immediate attention and some way to synchronize the voter's ballot back with the printer output.) I suppose you could just display the record number and have the voter write it down on a piece of paper, which would prevent the need for the printer.

The nice thing about this system is that it's end-to-end. You put in an input at one end (your ballot at your polling place) and you retrieve it at the other end (the central tabulation system). Any tampering anywhere in between will be noticed.

Of course, you could still hack the tabulation site so that it displayed the right proper ballot information but still tabulated fraudulently. Presumably, this gets much harder to do, since security and auditing of tabulations is much easier to do than it is at the precincts themselves.

No comments: