

Ask YC: How to Build the Perfect Voting Machine? - bprater

Some hacker mental masturbation on this great day:

How do you build a voting machine that is unhackable and reliable? Just software? Software and hardware? OS? Do you put the hardware in a sealed box?

Where are the weak points in a system like this and how do you ensure they aren't exploited? Do you have to leave a paper trail or is there a better solution?
======
jws
I propose:

1) Paper, optical scan ballots (bubble filling)

2) A machine in the booth to do the reading and counting with a step that
shows the voter how it read their ballot and a big "confirm" button they press
to count the vote and drop the ballot into the secured bin.

3) Pick X percent of the machines and manually verify their results. Any
machine that votes significantly outside the bell curve should also be
manually verified.

This gives "instant" counting to support the unwritten requirement that our
elections return results on the night of voting so we can treat them like big
sporting events, but also leaves the canonical vote outside of the machines
where it can be used to verify the machine vote.
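
An added illustration of step 3, written for this thread and not part of jws's post or of any real election system: a small Python audit over constructed per-machine results. It draws a random X-percent sample of machines, adds any machine whose reported vote share sits far from the rest (a median/MAD rule stands in for "outside the bell curve", chosen because a single tampered machine would inflate a plain standard deviation), and hand-counts the paper ballots of every selected machine against what the machine reported. Machine ids, vote counts, the 3.5 cutoff and the 20 percent sample rate are all constructed for the demo.

```python
import random
import statistics

# Constructed data: for each machine, the totals it reported for candidates
# A and B, and the paper ballots that dropped into its bin. Every machine is
# honest except m10, whose reported totals do not match its own paper.
MACHINES = {
    "m01": {"reported": (110, 90), "paper": ["A"] * 110 + ["B"] * 90},
    "m02": {"reported": (104, 96), "paper": ["A"] * 104 + ["B"] * 96},
    "m03": {"reported": (116, 84), "paper": ["A"] * 116 + ["B"] * 84},
    "m04": {"reported": (108, 92), "paper": ["A"] * 108 + ["B"] * 92},
    "m05": {"reported": (112, 88), "paper": ["A"] * 112 + ["B"] * 88},
    "m06": {"reported": (100, 100), "paper": ["A"] * 100 + ["B"] * 100},
    "m07": {"reported": (118, 82), "paper": ["A"] * 118 + ["B"] * 82},
    "m08": {"reported": (106, 94), "paper": ["A"] * 106 + ["B"] * 94},
    "m09": {"reported": (114, 86), "paper": ["A"] * 114 + ["B"] * 86},
    "m10": {"reported": (190, 10), "paper": ["A"] * 110 + ["B"] * 90},  # tampered
}


def share_for_a(reported):
    a, b = reported
    return a / (a + b)


def random_sample(machines, percent, rng):
    """First half of step 3: pick X percent of machines at random (at least one)."""
    k = max(1, round(len(machines) * percent / 100))
    return set(rng.sample(sorted(machines), k))


def flag_outliers(machines, threshold=3.5):
    """Second half of step 3: machines whose reported share for A is far from
    the others. Uses the median and median absolute deviation, which a single
    rogue machine cannot drag around the way it drags a mean and stdev."""
    shares = {mid: share_for_a(m["reported"]) for mid, m in machines.items()}
    med = statistics.median(shares.values())
    mad = statistics.median(abs(s - med) for s in shares.values())
    if mad == 0:  # every machine reported the same share; nothing stands out
        return set()
    # 0.6745 scales MAD to a standard deviation for normal data (modified z-score)
    return {mid for mid, s in shares.items() if 0.6745 * abs(s - med) / mad > threshold}


def hand_count(paper):
    """Manual recount of one machine's paper ballots."""
    return (paper.count("A"), paper.count("B"))


def audit(machines, percent, seed):
    """Run the step-3 audit; return which machines were checked and any mismatch
    between a machine's report and the hand count of its paper."""
    rng = random.Random(seed)
    to_check = random_sample(machines, percent, rng) | flag_outliers(machines)
    mismatches = {}
    for mid in sorted(to_check):
        reported = machines[mid]["reported"]
        counted = hand_count(machines[mid]["paper"])
        if reported != counted:
            mismatches[mid] = {"reported": reported, "hand_count": counted}
    return {"checked": sorted(to_check), "mismatches": mismatches}


if __name__ == "__main__":
    print(audit(MACHINES, percent=20, seed=7))
```

Because the paper stays canonical, the hand count wins whenever the two disagree; the machine total is only a fast provisional number. The fixed percentage is jws's proposal as stated; the size of the random sample is the parameter a practitioner would tune against the reported margin.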

~~~
robg
The optical scanner is the biggest cost. Here in New Hampshire we fill out our
form in a booth then put it in the one scanner ourselves (one for the town -
population of 1600). Then it drops into a secure bin. Fast, easy, reliable,
and a paper trail. I don't

FYI: Of the 1600 residents, 720 had voted by 10am.

------
m_eiman
There is no unhackable system. So the idea should be to make the system as
simple as possible, and make it obvious if things are tampered with.

Using a computer system is not very compatible with the basic principles of
voting:

* Each person gets one vote, and only one vote
* It must be impossible to figure out what some specific person voted for

Computers are good for the first part, given infrastructure to support it
(provide each person with a way to identify themselves to the computer - smart
card and biometrics maybe). They suck at the second part, though.

In Sweden we have a simple system: paper slips with party names printed (or
written) on them. You select someone to vote for, put your paper slip in an
envelope and drop that in a box after someone checks your identity and ticks
you off in a list of voters.

After everyone has voted, the box is emptied, the envelopes are opened
(checking that each one contains a single vote) and the slips are counted
manually. Results are reported to the voting commission (or whatever they're
called) who sum the votes and then it's all done. We have the results a few
hours after voting is finished.

In the US the same system should work well, I don't really understand what the
whole voting machine thing is good for. It's not like there's an election
every two weeks, computerized voting machines will probably be used maybe two
times in their lifetime. A waste of resources!

~~~
Timothee
In France, it works the same way as in Sweden evidently.

I believe one of the aspects that makes it different in the US is that on
election day, there isn't only one thing to vote for. There's the President, a
Senator, a Congressman, a Judge, local public transports directors, etc. and a
bunch of propositions. And that's different from one county to the next, from
one state to the other.

I suppose that's part of what made it interesting to look into computerized
voting machines.

~~~
m_eiman
We have three elections at the same time (national, regional, communal), and
the solution is simple: make the slips for each election have different
colors. The national election slips are white, communal slips are blue etc.

To make sure nobody puts e.g. national slips in all three envelopes
there's a small cutout at the edge of the envelope that shows the color of the
slip inside without revealing the vote.

------
gills
About a year ago we had Josh Benaloh of Microsoft Research as a guest lecturer
in a UW course on computing security. He talked about the cryptographic side
of voting systems, some of the papers on his page are a good place to begin:
<http://research.microsoft.com/users/benaloh/>

Edit: there are systems that can provably work, tally votes in encrypted form,
and provide a reasonable audit trail all while maintaining privacy.
Unfortunately the contracts for voting machines don't seem to be awarded based
on technical merit -- which, ironically, is entirely a function of who we
voted for in the past.
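
As an added example of the "tally votes in encrypted form" idea (toy code written for this thread, not Benaloh's scheme or any deployed system): Paillier encryption is additively homomorphic, so multiplying the encrypted ballots yields an encryption of their sum, and only that sum is ever decrypted; the individual ballots sit on a public board where anyone can recompute the product. The primes, candidate names and the base-1000 vote encoding are constructed for the demo and far too small to be secure, and the code omits the zero-knowledge proofs a real system needs to show that each ciphertext encodes exactly one valid vote, which is where much of the "provably" work lives.

```python
from math import gcd
import secrets

# Constructed demo key: two small fixed primes so the example runs instantly.
# Real Paillier keys use primes of roughly 1024 bits each; these offer no security.
P, Q = 104723, 104729
N = P * Q
N_SQ = N * N
LAMBDA = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)  # lcm(p-1, q-1), the private key
MU = pow(LAMBDA, -1, N)                           # valid because we use g = N + 1

CANDIDATES = ["Alice", "Bob", "Carol"]
BASE = 1000  # must exceed the number of voters so per-candidate counts never carry


def encrypt(m):
    """Paillier encryption of 0 <= m < N under the public key (N, g = N + 1).
    Fresh randomness r means two identical votes produce different ciphertexts."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            break
    return (pow(N + 1, m, N_SQ) * pow(r, N, N_SQ)) % N_SQ


def decrypt(c):
    """Paillier decryption with the private key (LAMBDA, MU)."""
    u = pow(c, LAMBDA, N_SQ)          # u = 1 + m*LAMBDA*N (mod N^2)
    return ((u - 1) // N * MU) % N    # L(u) * LAMBDA^-1 = m (mod N)


def encode_ballot(candidate):
    """A vote for candidate i is the integer BASE**i, so each candidate's count
    occupies its own base-BASE digit of the summed plaintext."""
    return BASE ** CANDIDATES.index(candidate)


def cast(candidate):
    return encrypt(encode_ballot(candidate))


def homomorphic_tally(ciphertexts):
    """Multiplying Paillier ciphertexts adds their plaintexts. No ballot is
    decrypted on its own; the tally authority only ever sees the product."""
    acc = 1
    for c in ciphertexts:
        acc = (acc * c) % N_SQ
    return acc


def decode_tally(total):
    counts = {}
    for name in CANDIDATES:
        counts[name] = total % BASE
        total //= BASE
    return counts


def run_election(votes):
    board = [cast(v) for v in votes]  # the public bulletin board of encrypted ballots
    return decode_tally(decrypt(homomorphic_tally(board)))


if __name__ == "__main__":
    print(run_election(["Alice"] * 5 + ["Bob"] * 3 + ["Carol"] * 2))
```

The privacy property rests on the decryption key staying out of the hands of anyone who sees the board; production designs split that key among several trustees so that no single party can decrypt a lone ballot.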

------
cmos
Anything can be broken into. The problem with computers is that if you break
into one, you have a much better chance at another one.

There is no perfect 'voting machine'. Quite often bins of votes mailed in are
found after the election.

We should stick with the old school machines. (except in florida) At least
there is a paper trail and it would have to involve more 'old fashioned'
corruption, which is something we are at least a little more capable of
protecting against. Every election we have had this same old problem, not
touch screen calibration issues (seriously!?!).

We might need more if the country is actually going to start voting again!
(super good problem to have!)

But if we must go hi-tech, let's just send everyone a magic ATM card and use
those machines. At least it's moderately old technology and infrastructure.

------
tom_rath
A piece of paper with boxes printed beside the names of those running for
office -- we’ll call this paper a ‘ballot’.

The voter receives a ballot from those managing their place of voting (after
showing identification or a registration card of some sort), has their name
physically crossed off a printed list and then, after moving behind a screen
or other mechanism to allow for privacy, places an 'x' in the box beside the
name of the individual they are voting for. The voter then folds the ballot
and places it anonymously into a box used to collect the votes for their
district. A ‘ballot box’, if you will.

Once the polls close, volunteers for the place of voting manually count the
paper ballots for the individuals running for office and report the count to a
central election office. This manual count rarely takes more than an hour or
so to complete.

Simple enough? Votes remain anonymous, the paper ballots create a permanent
audit trail and, as long as the ballot boxes are supervised by reliable third-
parties minimally affiliated with those running for office, the voter will be
assured their vote is counted towards their intended result.

This is how most of the developed world handles elections. It saves us a ton
of trouble in close races.

 _"Premature optimization is the root of all evil -- Donald Knuth"_

There are some things which should not be optimized. An extremely important,
easily manipulated event prone to corruption which occurs once every few years
(and only takes two hours to complete manually) might be considered one of
them.

------
patrickg-zill
Purple finger (indelible dye that cannot be removed without removing skin
cells). Internet-based video at all polling booths showing number of people
entering the door; can be matched with number of votes coming from that
location.

~~~
deathbyzen
Video at the polling booths might be illegal with our current laws.

~~~
Timothee
It would invade people's privacy. You don't want people to know if you have
voted or not and when.

------
bprater
Here's my suggestions:

1. Everyone votes online. (Computers could be set up in voting centers for
folks without computer.) Codes are sent via snail mail. That one-time code
allows a person to log in and vote. (An issue would be protecting the voter
from anyone knowing his choices.)

2. Because everyone votes online, the focus will be the fleet of back-end
servers processing the requests. The hardware and software will be open
sourced. On hand at the data center will be neutral parties monitoring the
software and equipment and could include representatives from both parties and
some independent verification teams.

3. As data enters the system, it will be available for everyone to observe.
APIs will be available for programmers to create real-time information on the
election. It might be used to detect fraud.

------
gstar
Completely open hardware and completely open software, and an immutable audit
trail of operation would go a long way to solving the problem.

~~~
iigs
The position in .wa.us that has authority over this role is "Secretary of
State". I assume that it's the same in other states. Here in WA, one SoS's
core platform is basically this. <http://www.jasonosgood.com/platform.html> .

I'm not attempting to influence your vote nor encouraging discussion on this
specific candidate's merits -- just wanted to throw out there that in many
cases today is also your day to vote your position on issues of this type as
well.

------
mikhael
<http://scantegrity.org/>

Scantegrity is an open source election verification technology for optical
scan voting systems. It uses privacy preserving confirmation numbers to allow
each voter to verify her vote is counted. The confirmation numbers also allow
anyone to verify that all the votes were counted correctly.

~~~
eru
But it would allow you to prove whom you voted for?

------
djm
I don't believe any voting system will ever be unhackable or completely
reliable.

I have been paying attention to the 'off the hook' radio show (download the
mp3's from 2600.com) where voting machines are something frequently discussed
along with their various failings. In one of the very recent shows (last week
or the week before, I'm not sure) they had a discussion where everyone present
was asked which system they thought was best - the general consensus was that
eyeball scanning (or whatever the proper name for it is) was the best
technical means of authenticating a voter and their vote. Sticking to paper
ballots on the basis that technology can't be trusted was also popular.

------
abecedarius
If it has to be a touchscreen, then start with <http://pvote.org/>. It's
orders of magnitude simpler than the commercial voting machines.

------
bdr
Delegate! I don't have to know anything myself. To take care of the physical
security and hardware requirements, I'd hire the makers of slot machines. For
usability and reliability, I'd team them up with coders and UI people to write
the software, and open source it for public review.

------
known
Estonia is doing well with e-voting
<http://news.bbc.co.uk/2/hi/europe/4343374.stm>

------
gojomo
It would help to vote on fewer things. Here in SF, my ballot included:

    President/VP: vote for 1 of 6 listed choices
    US Rep: 1 of 4
    State Senator: 1 of 2
    State Assembly: 1 of 2
    County Superior Court Judge: 1 of 2
    City Board of Education: 4 of 15
    Local Community College Board: 4 of 9
    BART (commuter trains) Director: 1 of 2
    12 yes/no State Propositions
    22 yes/no City Propositions
    City Supervisor (Councilman): preference rank 3 of 3

That's insane; there's no chance of the average busy person making reasonable
informed choices on all of these, and we should be able to delegate most of
this to elected representatives.

(If my math is correct, and not even counting the option to abstain/undervote,
that's asking me to express almost 63 bits of preferences -- and more bits are
allocated to the less-important issues.)

I would propose a 'complexity budget' on any election's ballot, limiting it to
one page or no more than some small number N of decisions.

What to do with all the overflow items? Kick them to an 'electoral jury': a
few hundred people randomly selected from all voters, who would know weeks in
advance of their status, and get to meet and discuss all issues in detail.
(Perhaps, as another way to improve the attentiveness/quality of this pool,
compensate service or let those selected without the time/interest to
participate nominate their own proxy on the jury.)

Then, instead of a system that almost seems designed to confuse and discourage
attentive voters, you'd have broad voting on the few major issues, and
statistically representative but highly focused voting on the minutiae.
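
The "almost 63 bits" figure can be checked, as an added example in Python written for this thread (not gojomo's code): the information content of a ballot is log2 of the number of distinct ways to fill it in, and the per-item breakdown shows where those bits go. Assumptions: "vote for k of n" is an unordered choice (n choose k), each proposition is one yes/no bit, "preference rank 3 of 3" is a full ordering of three candidates (3! = 6 outcomes), and abstentions and undervotes are excluded as in the comment.

```python
from math import comb, factorial, log2

# The San Francisco ballot as listed in the comment, as (item, kind, k, n):
#   "choose": pick k of n candidates, unordered   -> comb(n, k) outcomes
#   "rank":   rank k of n candidates, ordered     -> n! / (n-k)! outcomes
#   "yes_no": n independent yes/no propositions   -> 2**n outcomes
BALLOT = [
    ("President/VP", "choose", 1, 6),
    ("US Rep", "choose", 1, 4),
    ("State Senator", "choose", 1, 2),
    ("State Assembly", "choose", 1, 2),
    ("County Superior Court Judge", "choose", 1, 2),
    ("City Board of Education", "choose", 4, 15),
    ("Local Community College Board", "choose", 4, 9),
    ("BART Director", "choose", 1, 2),
    ("State Propositions", "yes_no", 12, 12),
    ("City Propositions", "yes_no", 22, 22),
    ("City Supervisor (ranked)", "rank", 3, 3),
]


def outcomes(kind, k, n):
    """Number of distinct ways to answer one ballot item."""
    if kind == "choose":
        return comb(n, k)
    if kind == "rank":
        return factorial(n) // factorial(n - k)
    if kind == "yes_no":
        return 2 ** n
    raise ValueError(f"unknown item kind: {kind}")


def bits_per_item(ballot):
    """Bits of preference each item asks the voter to express."""
    return {name: log2(outcomes(kind, k, n)) for name, kind, k, n in ballot}


def ballot_bits(ballot):
    """Total bits needed to record one fully completed ballot."""
    return sum(bits_per_item(ballot).values())


def proposition_share(ballot):
    """Fraction of the ballot's bits spent on yes/no propositions."""
    prop_bits = sum(log2(outcomes(kind, k, n)) for _, kind, k, n in ballot if kind == "yes_no")
    return prop_bits / ballot_bits(ballot)


if __name__ == "__main__":
    for name, bits in bits_per_item(BALLOT).items():
        print(f"{name:32s} {bits:6.2f} bits")
    print(f"total: {ballot_bits(BALLOT):.2f} bits; "
          f"{proposition_share(BALLOT):.0%} of them on propositions")
```

Under these assumptions the ballot carries about 62.6 bits, of which the 34 proposition bits are more than half, which is the allocation gojomo objects to.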

------
ram1024
nothing is unhackable, even paper ballots are flesh-hacked by the people who
count them.

i think by far the best thing you can do is pay smart people lots of money as
a bounty on finding exploits. or publicly recognize their achievement (because
sometimes it's not about the money)

you will eventually have a product that is hard enough to hack that it's not
worth the effort (but never completely unhackable)

