At present voting in the United States relies mainly on Microsoft's Windows technologies and depends on the movement of data between a total of over a million independently programmable machines via networks and human carried devices like usb drives and data cards. All of these things are vulnerable to fairly simple attacks that can be difficult to see, are almost impossible to prevent, and can significantly affect the vote count. As a result elections now start months before election day, results can take weeks to tabulate, and losers claiming that the other side cheated are reasonably considered credible by many.
In reaction to this most of the buzz about voting reform now revolves on voter id, purple fingers, and paper ballots. The reality, however, is that most of the complexity, cost, and inherent weaknesses in the present system aren't in the voting processes, they're in the voter registration, vote collection, and vote reporting processes.
The system suggested in this essay addresses the major technical and management challenges facing a system designer tasked with developing an elections management "solution" (i.e. processes, hardware, software, and systems management) aimed at reducing the costs, risks, and uncertainties affecting elections management processes.
The all-important political problem of getting to implementation is not addressed here but it is assumed throughout that the implementation processes will be led by a national body providing template legislation and full access to a demonstration system to the states and, through them, the counties and other authorities that actually run elections.
The components
Overview
The system envisaged here is based on electronic vote collection and tabulation; produces two independent physical audit trails; can reduce election management costs by up to 90% relative to present practice; virtually eliminates legal risks to poll workers and organizers; and enables running elections on a single voting day with all results available immediately.
This system is fully centralized with no programmable voting devices and no local vote counting on election day. Each state level jurisdiction has two separately managed data centers (about 120 nationally when fully implemented), approximately one smart display and roll printer combination per 250 eligible voters (about 800,000 units nationally), and special displays and printers (about 4,500 units nationally) in the offices of each participating county or other controlling jurisdiction.
A smart display is a large screen terminal with no local connectivity other than its (hardware encrypted) wired network connection to the data center and no local programmability at all.
Voting Process
Ballots are thought of here as specific to individuals, not to a time or place. As a result counties can have hundreds of slightly differing ballots, and the voter can be anywhere an appropriate terminal is available. Voters can even complete part of the ballot at one location and then go somewhere else to complete the rest of it.
Voting stations can correspondingly be placed anywhere voters can find them: in schools, on aircraft carriers, in senior centers, and in embassies or consulates. As a result absentee and advance voting can almost always be avoided while someone with the right to vote as a landowner on a financial measure in one jurisdiction and on political choices as a resident in another can exercise both rights without breaking the law - or the speed limit.
Notice, in this, that only votes recorded on authorized terminals during election day are counted, but the system will be internet accessible at all other times so people who want to review the ballots, practice voting, or teach others how to vote can do so.
The voting process is simple: a greeter identifies the voter, the identification process brings up all the choices this person is eligible to make, the person makes and reviews choices, clicks a submit button, those choices are recorded in both data centers, a roll to roll label printer produces a paper ballot visible but not accessible using a window between the two rolls with a highlight icon chosen at random from a palette of at least five, the voter clicks the matching icon on screen to certify that the printed ballot is correct (repeated failures to certify trigger staff attention), the state level record is marked signed-off, totals are updated, the vote is encoded and printed as a machine readable q-code in county or other jurisdictional offices, the voter is marked as having voted, and the national system is updated.
Notice in this that the voter sees both the paper record and the electronic one before certifying the electronic one as correct; the records from the two data centers have to match exactly; the two sets of paper records have to match both each other and the computer record; printer rolls are serialized and tracked; people can vote in multiple locations but only once on each issue; identification is required; and, the national level system acts as a data repository and reporting system while providing a switching service to ensure that people only vote once on each choice they're eligible to vote on.
Hardware
The key to the technology idea here is that smart displays are big screen terminals with no local processing capabilities. Thus all applications run on the server, the device must correctly self-identify before booting from the server, the boot software itself comes from the server, and all communications with the server are uniquely encrypted. As a result these provide a provably secure interface between the user and the application software.
With smart displays those who want to use the system to cheat are forced to attack at the server center rather than the voting center while attacks on the people working at the voting center, like attacks on the data communications channels, are limited to immediately obvious sabotage and so produce only local and very short term effects.
Right now the system consists of more than a million vulnerable devices, hundreds of ad-hoc processes, and tens of thousands of potentially corruptible people - the system as proposed has, in contrast, one core process, about 120 servers, and perhaps seven hundred people with some form of authorized access divided into two groups that aggressively monitor each other.
Notice, in this, that the smart display, like NCD's original 1980s X-terminals, is not a "thin client" - it is not a "client" in the Windows community meaning of that word at all: without local processing and/or programmability there can be no possibility of hacking, device substitution, man-in-the-middle attacks, in transit data changes, or hidden "features" allowing vote manipulation.
On present knowledge and availability all processors would run Debian Linux on Intel with the terminals and printers custom built to that technology.
Other technologies could be used: specifically Solaris on SPARC would be preferable because of its larger headroom, hardware cryptology, and better software support for management and security, but some of the preferred open source software hasn't been adequately tested in this environment and the fact that both Oracle and Fujitsu seem to see SPARC as more of a short term customer obligation than a long term R&D investment opportunity casts doubt on its commercial viability.
Using Microsoft's client-server technologies, on the other hand, would immediately defeat the simplification agenda while introducing higher costs and much greater complexity along with a wide range of OS, application, networking, and processor vulnerabilities.
Note in this context that specifics on what technology to use are obviously arguable - the same people who brought us multi-billion dollar Obamacare website failures could undoubtedly take three or four years to produce a disastrously stupid elections management system too - but a major benefit of using open source software on commodity hardware comes from the fact that there are thousands of small software companies in the United States capable of producing cheap, fast, simple, and highly reliable systems on Linux, BSD, or Solaris in a matter more of weeks than months.
The smart displays and printers would be custom built for use within this system but networking would be off the shelf and most probably already installed and working in most muncipal offices and places, like schools and churchs, where voting booths are normally set up. All communications between the server, printers, and terminals would, however, be fully encrypted with only those devices recognized as legitimate by server software allowed to connect on voting day - meaning that router and other commonly expoited network vulnerabilities could be applied to disrupt voting, but that disruption would be immediately obvious to those affected and could temporarily delay some voting, but could not introduce error into the counts.
Software
Voting application
The vote collection process uses a normal internet browser like Brave or Firefox running entirely on the server with only the display and user interaction handled by the terminal.
The voting application itself uses standard web tools like nginx, PHP, and MariaDB to present the ballots, collect the results, and manage the print verification and redundancy processes.
In the background the underlying server OS, whether Linux, Solaris, or something else, combines with the database and web server software to handle things like device recognition/auhorization, database redundancy, logging, printing, networking, and the like.
Pre-voting
There are two key elements to the pre-voting software:
- a PHP/mariadb (or comparable) application along the lines of a greatly simplified, single purpose, version of Limesurvey would allow counties and other jurisdictional authorities to interactively prepare and test specific ballots for use on election day. Note that open source products like Limesurvey already include most of the common question types -including those needed for preferential (ranked choice) voting.
Notice, in this context, that open source means open source: every piece of code must be easily reviewable by anyone - including this and, of course, the use of javascript in the html pages is a security plus, not a negative; because anyone can review it at any time, but it can't be changed from the voting display.
- the voter list preparation system has numerous elements the specifics of which will vary by state or other jurisdiction. Its purpose is to prepare and qualify lists of eligible voters from publicly verifiable data.
This piece will draw political opposition because none of the current voter registration and voting management processes will serve any public purpose in the new system. Instead the people running the state data centers will collect and use information from local, state, and federal government sources to develop, maintain, and publish lists of eligible voters. These processes will not use middleware: instead departments and agencies providing data will be asked to provide simple text files and data center staff will provide scripts to read and load data from these files using a classifier to identify errors, duplicates and people who do not exist or are mis-adddressed within and between files because even 1970s COBOL programs written for OS/370 can usually print their data -meaning that this approach allows departmental or agency staff to produce these files at no measurable incremental cost to their data center operations regardless of the technology they use.
Notice, in this, the political expectation that the servers will be available year round and used, among other things, to maintain the voter lists with open processes for adding or removing people. Notice too that public voter lists will not identify party affiliations or provide other personal non identifying information thus making it much harder to dox or survey people based on their political views than it is now.
Most of the time these voter lists will be mostly complete - but errors and exceptions will occur. The first election day control on this is to hold the person identifying the voter on arrival responsible for the decisions he or she makes - someone who passes out found driver's licenses to people coming in will leave an obvious and indisputable trail. Once exceptions are authorized (e.g. for a second person claiming to be John Q. Smith 03/17/51 of 714 Root Square, Alighieri, NY) the software simply segregates all affected ballots pending resolution of eligibility through whatever process the state or county wishes to adopt.
Notice in this that the server software retains the link between votes and voters, thus compromising ballot secrecy. This happens twice in the standard process: once at the server end where the link is maintained until voting ends and then dropped for undisputed ballots, and during voting if the voter does not certify the completed ballot as correct. At the server end the links are invisible and can be both organizationally and technically protected, but that's not true at the polling station. If an alarm is triggered (i.e. a voter fails to certify the electronic vote as correct) someone has to see if the printed ballot really is different from the on screen one, and that person will therefore see both versions in the presence of the voter.
A related issue arises with regard to some minor processes, particularly those dealing with voting by the handicapped. Assistive technology can, for example, be provided but devices of this kind tend to be both expensive and slow - meaning that jurisdictions using them will want to consider directing the handicapped to polling stations set up specifically for them. Unfortunately travel to these dedicated polling stations could impose a barrier to voting for some. In general, therefore, it is assumed here that almost all states using the system will legislate support for an "assisted voting" protocol under which the handicapped voter either comes with a trusted assistant ready to act as an interface to the voting system or is assigned one from on-site staff.
Breaching ballot secrecy in these ways is obviously undesirable, but these solutions are actually much better than what is generally done now and are easily accommodated in both the organizational structure and the software to, on net, vastly improve the system's ability to maintain ballot security.
Reporting
Almost any SQL compatible, open source, report writer can handle the reporting needs. In brief the system allows up-to-the-second reports on all races -it is expected, in fact, that the smart display used in conjunction with the log printer in county or other jurisdictional offices will show a dashboard providing a running count on all races during election day.
In addition some audit reports are generated in near real-time. For example, each time the server receives a vote cast via a smart display it first instructs the printer attached to that display to print the vote and the verification icon. When that vote is verified it gets recorded first and then the server instructs the printer in the county or other jurisdictional headquarters to add it to that roll. Both are serialized with the count on the printer allowed to lag that shown on the display by only a second or two before alarms are issued.
Systems Management
The basic principle here is to set things up so the results from two independently managed data centers have to match exactly, draw the management for each from politically opposed parties, and require both to make their software and operations manuals easily available to the public.
Thus all data would be fully duplicated between each pair of state level data centers with republicans in charge at one and democrats in charge at the other. Staffing for a solution built from the ground up to use low cost technologies (Linux on Intel or Solaris on SPARC) would run from three to five full time people at each of the state level data centers and two or more county (or other jurisdictional authority) staff for several days before the election, on election day, and for one day after election day for each polling place.
Note, however, that the inevitable voting day failures: communication failures, power failures, general process confusion, etc have to be handled by people, not automata. In most cases those issues will be simple process errors by someone at a voting site -delivery failures combined with simple failures to plug something in will, experience suggests, dominate these and most can therefore be addressed by ensuring that selected windows support staff from the local jurisdiction are available on election day and fully practiced up on how to set up and manage voting stations.
Thus data center involvement will most probably be dominated by communications issues including network failures and device authorization failures. Again, most of these are not different from the day to day issues occuring in any Windows environment with only a minority requiring the attention of data center staff.
Key advantages of this solution
The main cost reductions associated with this solution have little do with the election day costs: they're in things like the cost of operating the voter registration system and advance/absentia polling systems all of which disappear entirely while costs associated with professional insurance and ballot logistics (printing, transportation, tracking, storage, and disposal) are reduced almost to insignificance.
Cost reduction is not, however, the major benefit - the major benefits are:
- this is the only known and practical way of meeting the implicit constitutional requirement that states resolve elections on election day without significant advance voting;
- the near elimination of opportunities for vote cheating;
Although the quality of the work going into the generation of state and county lists of eligible voters determines the extent to which ineligible voters are included (or eligible voters excluded), the dead cannot vote, ballot boxes cannot be stuffed, individuals cannot record more than one choice on each issue, and the open nature of the list encourages all political parties to improve it year-round by removing the other guy's ineligibles and adding their own eligibles.
Combine smart display security and open source application code with the fact that results from all data centers have to match both paper records and what you get is that none of the more significant forms of cheating seen in 2020 will be possible. People will, of course, come up with new ideas - but the use of duplicate audit trails, balanced competing interests, and open source software means that these are unlikely to remain either secret or effective for long.
- the near total elimination of today's most important process barriers to voting;
Because terminals can connect from anywhere they can go into everything from foreign bases and consulates to hospitals to eliminate the need for both advance and absentee balloting. Counties could, for example, opt to do things like sending mobile polling teams to extended care centers on election day without imperiling ballot security - and people with voting rights in multiple jurisdictions (e.g. on tax initiatives in one county and political office choices in another) can vote in those jurisdictions wherever they happen to be on election day.
Almost equally importantly states and/or counties can choose to make trial systems available on the public internet prior to the election. These would enable anyone to review ballots for accuracy, verify eligibilities, practice voting, and teach others the how-to of the voting process.
And, the system improves ballot secrecy by eliminating the voter registration process and making it essentially impossible for party workers to track who votes for whom - and anyone stealing the data from one of the centers would need deep technical skills, an equally skilled collaborator at the other center, and a suicide bomber's indifference to the personal consequences.
- real time reporting - and the option of limiting early reporting to preclude major news services from calling the election before the polls close on the west coast (or, in unusual circumstances, Hawaii and Alaska).
- the elimination of around 90% of the current dollar costs and legal risks associated with elections management;
The cost issue is complicated by one of the major benefits of the system: this is a general purpose solution applied to voting during elections that should be used for other purposes the rest of the time - a reality that eliminates one of the big issues with traditional electronic voting systems: that the people running them generally have little applicable incoming experience and have to train, or retrain, every time the gear is dusted off for use. Use the system in state and county offices and the costs of running those offices goes down while information security and system reliability improve -and the cost of using them during elections is essentially reduced to the cost of moving some devices.
Reducing the variable costs of running an election to the almost trivial has an interesting electoral consequence in that it allows state and county officials to greatly simplify ballots and campaigns by running separate election processes whenever appropriate.
Sixteen years ago when I laid out a similar system in a series for Linux Insider I thought a national system might cost around four billion dollars. Today, Intel/AMD servers from a PC companies like Dell can handle state sized loads and 800,000 24" (touch screen) smart displays paired with enclosed roll to roll label printers capable of handling the load can be custom built for around $450 per set. As a result a very rough estimate for the initial cost of a national system, including set up and custom software, capable of handling 200 million votes with half of them coming after 4PM comes in at under $500 million with most of it going for hardware - less than what some of the larger states spend now.
The legal risk issue is much simpler: because processes would be both largely standardized and greatly simplified, local election officials would face almost no at-risk decisions and most of the issues now being decided in the courts cannot arise.
The reality here is simple: the wintel, smartphone, and mainframe communities will scream about the stupidity of terminals and argue that they can make their stuff secure - but, at least for the windows and phones people, it's a lie: they can't. Get any computer scientist on the witness stand and ask if some windows or other client server technology can be hacked and they can hem and haw all they want to but, in the end, they have to admit that it can - while even the most bigoted wintel fanatic among them is going to have to answer "no" when asked that same question about smart displays. Thus the bottom line is clear: if we want cheap, fast, auditable, elections run efficiently, this is the way to go. Not backwards to purple fingers and shouting out vote counts, but forwards to clean, simple, cheap, and trustworthy automation.
- Log in to post comments