The 2020 federal electoral debacle is going to have two very positive consequences: numerous lying cheats facing jail time, ignominious retirement, or endless litigation (see this compilation of evidence); and, dramatic electoral reform. This article offers a suggestion on accomplishing the latter.
Most of the buzz about voting reform right now revolves on purple fingers and paper ballots but most of the complexity, cost, and inherent weaknesses in the present system aren't in the voting processes, they're in the voter registration, vote collection, and vote reporting processes.
At present e-voting in the United States relies mainly on Microsoft's Windows technologies and depends on the movement of data between a total of nearly a million programmable devices via networks and human carried devices like usb drives and data cards. All of these things are vulnerable to fairly simple attacks that can be difficult to see and almost impossible to prevent.
In contrast the suggested solution is vulnerable to attack only at each of about 116 pairs of independently managed servers - and those attacks will necessarily leave obvious markers in the audit trails.
With the suggested system in place all voting will take place in person, on election day, and every vote will generate a countable paper ballot.
There are three main pieces:
- Implementation is the most organizationally difficult piece because voting is a states rights issue and managed at the county level. Thus the federal government cannot impose voting systems and processes across the country. Instead the administration should develop model legislation supported by a working prototype using today's technology to implement the approach specified in the legislation and make both available to the various states.
The legislation will specify some constraints on the technology including the use of general purpose hardware, 100% open source for all application software, duplicated independent data centers, multiple independent audit trails, and some limitations on those implementing or supporting the use of the technology. It might require, for example, that ballots require no more than 12 decisions, and that persons or companies providing products or services in support of this solution be 100% American owned, get no more than 5% of their annual revenue from any level of government (or its agencies and contractors), and have a continuing business presence in the state using it.
The legislation would not be complicated. Nancy Pelosi's H.R.1 ran to 600 pages to specify a system made to order for the continuation of democratic party power, but throwing out the current system and starting over means that this one might not make 40 pages including the usual boilerplate, exceptions to existing law (particularly with respect to the handicapped and local by-laws) and the repeal of most existing legislation affecting elections and funding for elections related activities.
- the technical piece is the most susceptible to attacks out of ignorance and self-interest because it requires duplicated, independently managed, and widely separated data centers in each state with voters accessing those centers via internet connectivity using smart displays -essentially just screens with keyboards and mice.
The key to the technology idea here is that smart displays have no local processing capabilities, must correctly self-identify during bootup from the server, and encrypt all communications with the server. As a result these provide a provably secure interface between the user and the application software.
Notice, in this, that the smart display, like the traditional X-terminal, is not a "thin client" - it is not a "client" in the Windows community meaning of that word at all: without local processing there can be no possibility of hacking, device substitution, man-in-the-middle attacks, in transit changes, or hidden "features" allowing vote manipulation.
With smart displays cheaters are forced to attack the server - not the display, the network, or those involved at the polling stations. As a result the system transitions from about a million vulnerable devices and tens of thousands of potentially corruptible people now to about 122 servers and around seven hundred people, divided into two groups that aggressively monitor each other, in the future.
All data would be fully duplicated between each pair of state level data centers with republicans in charge at one and democrats in charge at the other. The software would consist of a suite of pre-election tools to set-up the lists of eligible voters and their options while voting day software would collect and tabulate votes using the same technology (plus printers) you're using to read this document. Staffing for a solution built from the ground up to use low cost technologies would run from three to five full time people at each of the state level data centers and two or more county staff for a few days before and on election day for each polling place.
The specifics on what technology to use are arguable - the same people who brought you multi-billion dollar Obamacare website failures could undoubtedly take three years to produce a disastrously stupid elections management system too, but there are thousands of small software companies in the United States that could produce cheap, fast, simple, and highly reliable systems in a matter more of weeks than months.
For example, if I were doing it the software would use Linux, MariaDB, Nginx, and PHP while the hardware would mainly come from Oracle and Dell. The Windows community, in contrast, might want to build an all Microsoft system around Windows networking with what they call thin clients -in the end, however, technology choice issues are just cost issues - measured in dollars, risk, and time- not functionality issues: as long as there is no local processing and network connections are secure from bootup on, many technologies can be made to work: it's just that using Linux on Intel/AMD with open source software will be easier to secure and cost an order of magnitude less than doing it with Microsoft's tools and at least two orders of magnitude less than trying to do it with traditional data processing tools and expertise.
Again, different people will do different things, but if I were working for the administration I'd settle the application software issue by holding a competition with the outcomes measured on security, cost, and deploy-ability.
The voting process would be simple: a greeter identifies the voter, the identification process brings up all the choices this person is eligible to make, the person makes choices, those choices are recorded in both data centers, a roll to roll label printer produces a paper ballot visible but not accessible using a window between the two rolls with a highlight logo chosen at random from a palette of five, the voter clicks the matching logo on screen to certify that the printed ballot is correct (and repeated failures set alarm conditions), the state level record is marked signed-off, the vote is encoded and printed as a machine readable barcode in county offices, and the matching federal system is updated.
Notice in this that the records from the two data centers have to match exactly, the two sets of paper records have to match both each other and the computer record, printer rolls can be serialized and tracked, people can vote in multiple locations but only once on each issue, identification is required, the only point at which human intervention is possible occurs in the presence of the voter, and the federal system acts as both a data repository and reporting system while providing a switching service to ensure that people only vote once on each choice they're eligible to vote on.
- the third piece will draw political opposition because all of the current voter registration and voting management processes must be completely abandoned. Instead the people running the state data centers will collect and use information from local, state, and federal government sources to develop and maintain lists of eligible voters.
The voter lists must be public, always current, and supported with open processes for removing or adding people.
As a result:
- While political parties may choose to retain any components of the present system they want - from precincts to member registration, all the risks and costs associated with these elements of the present system disappear from state and county budgets;
- The geographic link between voting and eligibility disappears: people can vote in one or many jurisdictions from any smart display anywhere in the world - including bases, consulates, cruise ships, and seniors centers;
- polling will become vastly more accurate; and,
- doxxing will become more difficult because voter political affiliation will no longer be public information.
Most of the time these voter lists will be mostly complete - but exceptions will occur. The first control on this is to hold the person identifying the voter on arrival responsible for the decisions he or she makes - someone who passes out found driver's licenses to people coming in will leave an obvious and indisputable trail. Once exceptions are authorized (e.g. for a second person claiming to be John Q. Smith 03/17/51 of 714 Root Square, Alighieri, NY) the software simply segregates all affected ballots pending resolution of eligibility through whatever process the state or county wishes to adopt.
Notice in this that the server software retains the link between votes and voters, thus compromising ballot secrecy. This happens twice: once at the server end where the link is maintained until voting ends and then deleted only for undisputed ballots, and during voting if the voter does not certify the ballot as correct. At the server end the links are invisible and can be both organizationally and technically protected, but that's not true at the polling station. If an alarm is triggered someone has to see if the printed ballot really is different from the on screen one, and that person will therefore see both versions.
This is obviously bad, but it's actually much less bad than what we do now and something that can be accommodated in both the organizational structure and the software to, on net, vastly improve the system's ability to maintain ballot secrecy.
Key advantages of this approach are:
- this is the only known and practical way of meeting the constitutional requirement that states resolve elections on election day without significant advance voting;
- the near elimination of opportunities for vote cheating;
Although the quality of the work going into the generation of state and county lists of eligible voters determines the extent to which ineligible voters are included, the dead cannot vote, ballot boxes cannot be stuffed, individuals cannot record more than one choice on each issue, and the open nature of the list encourages all political parties to improve it by removing the other guy's ineligibles and adding their own eligibles.
Combine smart display security and open source application code with the fact that results from all data centers have to match the paper record and what you get is that none of the more significant forms of cheating seen in 2020 will be possible. People will, of course, come up with new ideas - but the use of duplicate audit trails, balanced competing interests, and open source software means that these things are very likely to be caught.
- the near total elimination of today's most important process barriers to voting;
Because terminals can connect from anywhere they can go into everything from carriers and consulates to hospitals to eliminate the need for both advance and absentee balloting. Counties could, for example, opt to do things like sending mobile polling teams to extended care centers on election day without imperiling ballot security - and people with voting rights in multiple jurisdictions (e.g. on tax initiatives in one county and political office choices in another) can vote in those jurisdictions wherever they happen to be on election day.
Almost equally importantly states and/or counties can choose to make trial systems available on the public internet prior to the election. These would enable anyone to review ballots for accuracy, verify eligibilities, practice voting, and teach others the how-to of the voting process.
And, the system improves ballot secrecy by eliminating the voter registration process and making it essentially impossible for party workers to track who votes for whom - and anyone stealing the data from one of the centers would need deep technical skills, a collaborator at the other center, and a suicide bomber's indifference to the personal consequences.
- near real time reporting - and the option of limiting early reporting to preclude major news services from calling the election before the polls close on the west coast (or, in unusual circumstances, Hawaii and Alaska).
- the elimination of around 90% of the current dollar costs and legal risks associated with elections management;
The cost issue is complicated by one of the major benefits of the system: this is a general purpose solution applied to voting during elections that should be used for other purposes the rest of the time - a reality that eliminates one of the big issues with traditional electronic voting systems: that the people running them generally have little applicable incoming experience and have to train, or retrain, every time the gear is dusted off for use. Use the system in state and county offices and the costs of running those offices goes down while information security and system reliability improve -and the cost of using them during elections is essentially reduced to the cost of moving some devices.
Reducing the variable costs of running an election to the almost trivial has an interesting electoral consequence in that it allows state and county officials to greatly simplify ballots by running separate election processes whenever appropriate.
Sixteen years ago when I laid out a similar system in a series for Linux Insider I thought a national system might cost around four billion dollars. Today, Intel/AMD servers from a PC companies like Dell can handle state sized loads and 900,000 24" smart displays paired with enclosed roll to roll label printers capable of handling the load can be custom built for around $400 per set. As a result a very rough estimate for the initial cost of a national system, including set up and custom software, capable of handling 160 million votes in ten hours at a rate of three minutes per voter comes in at well under $500 million with most of it going for hardware - that's closer to four billion with most of it going for licensing and support if you want to imagine this as Windows based, and on the order of 30 billion with most of it going for time and overheads if the data processing experts get control.
The legal risk issue is much simpler: because processes would be both largely standardized and greatly simplified, local election officials would face almost no at-risk decisions.
The reality here is simple: the wintel and mainframe communities will scream about the stupidity of terminals and argue that they can make their stuff secure - but, at least for the windows and phones people, it's a lie: they can't. Get any computer scientist on the witness stand and ask if some windows or other client server technology can be hacked and they can hem and haw all they want to but, in the end, they have to admit that it can - while even the most bigoted among them is going to have to answer "no" when asked that same question about smart displays. Thus the bottom line is clear: if we want cheap, fast, auditable, elections run efficiently, this is the way to go. Not backwards to purple fingers and and shouting out vote counts, but forwards to clean, simple, and cheap automation.