No vote tally produced by multiple programmable voting machines can be proven correct without giving up ballot secrecy.

The most striking thing about the whole evoting controversy is that everybody's focused on the visible part of the iceberg while the action, as usual, goes on below, i.e. people focus on the voting and tabulation processes rather than on the voter registration, poll management, and control processes, where most of the work is and where most of the problems are.

(Caution: this controversy is obviously politically loaded - see blackboxvoting.com for links to many voting machine analyses (basically all negative), and an article in yesterday's (Sun Oct 15/06) Washington Post for a typical set-up for widespread claims of electoral fraud if the wrong party wins in November.)

I believe that the focus on the voting machine instead of the voting process reflects an echo chamber effect in which public experience with Wintel security functions as an amplifier for media players using the noise as a screen for their own objectives and their own activities.

What's much harder to explain is that the technical people who spend time worrying about whether or not evoting enables vote cheating pretty much unanimously assume that each voting machine should be a locally controlled, fully programmable, stand-alone computer used to replace a traditional paper-based voting machine in the traditional voting process.

Since most of these same people have at least some PC experience, you'd expect them to know better - but if they do, it's not obvious from what they say.

In fact, about two years ago, I did a series on evoting for LinuxInsider which led to long, and unintentionally tragi-comic, email exchanges with two well known E-voting luminaries. One of them had a very neat audit and control solution which amounted to having each voter record separate testimony about who had been voted for, while the other eventually proved unable to demonstrate his tamper-proof voting solution because, he said, malware on his computer prevented it from completing the process - and, since it was his excuse, I have to assume he thought this perfectly consistent with his stated opinions.

In contrast, I think there's a very simple, cast-in-stone rule describing reality here: nobody, and no set of controls, can guarantee the integrity of any electronic system in which people motivated to subvert its operation have access to any part of its programming. And there's a corollary: the more independently programmable devices there are in the process, the more complex and intractable the control problem gets, and thus the lower the barriers to misuse get.

In fact, with respect to voting, the proposition can be stated in terms of a simple trade-off: no vote tally produced by multiple programmable voting machines can be proven correct without giving up ballot secrecy.

The reason for that is simple. If you use people to check on the accuracy of the system's record and total, each check has to tie a recorded vote back to the person who cast it, so you give up ballot secrecy - but if you don't, then you have to trust the system's programming.

I've seen some ingenious schemes for beating this trap, but they all seem to fall prey to the realities of human nature - for example: if you use a paper ballot as a backup to the electronic record, then:

  1. if you let the voter physically touch the paper ballot you will fall victim to voter remorse, voter mischief, or voter ignorance - meaning that some will take it home, others will scribble changes on it, and yet others will intentionally damage it or stuff it in the wrong box or otherwise take advantage of whatever opportunities for error, intentional or otherwise, you provide.

  2. but if you have the machine generate and store the paper ballot you have to provide a way for the voter to review the ballot and then respond to real or perceived error; otherwise at least some will get in front of the nearest TV camera to swear they voted one way, but your corruptly managed machine printed and recorded a contrary vote - and the only certainty will be that you won't be able to prove them wrong to their satisfaction.

    And that correction path will, of course, require you to record the original vote and the change(s) the voter made - meaning that you'll never be able to reconcile your paper and electronic counts or prove your record accurate against the guy who claims he didn't change his mind - or started to and then decided to let the first vote stand - unless you identify the source of each vote and change.

Many of these problems aren't obvious and take a long time to go through, but consider one small additional example. Suppose you used a simple voting machine that records the vote and prints a summary of the vote on a cash-register-style paper tape somewhere in a back room solely for audit purposes. Great, but what happens when party bosses, who have a time-stamped video record of people entering and leaving the polling place, get their hands on that tape? Right: by matching the order and times on the tape against the door record they can work out, with a high degree of accuracy, how each person voted.
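The matching described above, as an added example that is not part of the original post: a small Python script that lines a constructed, time-stamped audit tape up against a constructed door log and reports which votes that combination gives away. The voter names, times and choices are all made up for the illustration, and the "detached tape" mitigation at the end (keep every line for the audit, but strip the time stamps and print the lines in random order) is my suggestion, not something the post proposes.

```python
"""Linking a sequential vote audit tape to a door log by time (added example,
not code from the original post).  Every record below is constructed: the
door log stands in for a time-stamped camera at the polling place entrance,
the tape for a cash-register style print-out that records each vote in the
order it was cast.  Times are seconds after the polls opened."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional
import random


@dataclass(frozen=True)
class Visit:
    """One person's entry and exit time, as read off the video (constructed)."""
    name: str
    enter: int
    leave: int


@dataclass(frozen=True)
class TapeEntry:
    """One line of the audit tape: when it printed and the choice recorded.
    stamp is None for a tape that has had its time stamps removed."""
    stamp: Optional[int]
    choice: str


# Constructed door log: some visits overlap, most do not.
VISITS = [
    Visit("alice", 0, 300), Visit("bob", 240, 540),
    Visit("carol", 600, 900), Visit("dave", 660, 960),
    Visit("erin", 1200, 1500), Visit("frank", 1260, 1560),
    Visit("grace", 1800, 2100),
]

# Constructed audit tape, in casting order.
TAPE = [
    TapeEntry(180, "A"), TapeEntry(420, "B"), TapeEntry(720, "A"),
    TapeEntry(900, "B"), TapeEntry(1320, "A"), TapeEntry(1440, "A"),
    TapeEntry(1980, "B"),
]


def candidates_for(entry: TapeEntry, visits: List[Visit]) -> List[str]:
    """Voters who were inside the polling place when this line printed.
    A line with no time stamp could have been cast by anyone who voted."""
    if entry.stamp is None:
        return [v.name for v in visits]
    return [v.name for v in visits if v.enter <= entry.stamp <= v.leave]


def exposure(tape, visits):
    """What the party boss learns.  Returns ({voter: choice} for every voter
    whose vote is certain, [(voters, choices), ...] for the groups left
    ambiguous).  Tape lines whose candidate sets overlap are merged into one
    group; within a group only the multiset of choices is known, so the
    group is fully exposed exactly when all of its choices agree."""
    groups = [(set(candidates_for(e, visits)), [e.choice]) for e in tape]
    merged = True
    while merged:
        merged = False
        for i in range(len(groups)):
            for j in range(i + 1, len(groups)):
                if groups[i][0] & groups[j][0]:
                    groups[i] = (groups[i][0] | groups[j][0],
                                 groups[i][1] + groups[j][1])
                    del groups[j]
                    merged = True
                    break
            if merged:
                break
    revealed, ambiguous = {}, []
    for voters, choices in groups:
        if len(set(choices)) == 1:
            for name in voters:
                revealed[name] = choices[0]
        else:
            ambiguous.append((sorted(voters), sorted(choices)))
    return revealed, ambiguous


def detached_tape(tape, rng=None):
    """A mitigation (mine, not the post's): keep every line for the audit but
    drop the time stamps and print the lines in random order, so nothing on
    the tape lines up with the door log."""
    rng = rng or random.Random(0)
    lines = [TapeEntry(None, e.choice) for e in tape]
    rng.shuffle(lines)
    return lines


def tally(tape):
    """The official count, which is the same for either form of the tape."""
    return Counter(e.choice for e in tape)


if __name__ == "__main__":
    for label, t in (("time-stamped tape", TAPE),
                     ("detached tape", detached_tape(TAPE))):
        revealed, ambiguous = exposure(t, VISITS)
        print(f"{label}: tally={dict(tally(t))} "
              f"revealed={revealed} ambiguous={ambiguous}")
```

On the constructed data the time-stamped tape gives away five of the seven votes outright and narrows the remaining two (carol and dave, who overlapped in the booth area) to a coin flip; the detached tape gives away nothing beyond the tally itself. The residual caveat is the post's own point about the size of the voting base: if everyone in the precinct voted the same way, no amount of shuffling helps, because the tally alone reveals every vote.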

Here's my bottom line: nobody can fully guarantee the accuracy of any voting and tabulation process without giving up ballot secrecy, but the simpler the system, and the larger the voting base, the closer it's possible to get.

Want to disagree? Please do: I'm very interested in scenarios or strategies that combine good audit control and vote defensibility with ballot secrecy, and I'd very much like to be proven wrong on this.

More Wednesday