This was sparked by a Slashdot article which started out being a pointer to an online forum on "e-voting", and in particular by Shakrai's question: what's wrong with the current mechanical machines being used in NY?
In order to get anywhere with Shakrai's question--which is a good one--we need to try to agree on the essential principles and desirable qualities for a system. A related point I'll make briefly is that it's worth considering the (de)merits of both the voting machines themselves, and the system that makes use of them. Good designs for each are necessary in order to get good results, so it's not sufficient to just evaluate the machines.
These would be my candidates for "essential principles":
- correctness: the votes recorded for each particular voter must be those that reflect their actions in the voting 'booth'; in addition, the results must reflect the mandated method of aggregation, and should include each voter's votes
- verifiability: the system must support recounts
- robustness: votes must not be lost or changed or added due to outside influences; once a vote has been cast, there should be no way that it can be modified or lost
- security: each voter must get no more than one vote, and individuals must not be able to fraudulently pose as others in order to 'steal' their vote.
and my candidates for "desirable qualities":
- clarity: it should be as clear as possible who the candidates are, what office they are each running for, and how to select your choice for each office; ideally this might mean that individuals could have a way of confirming a candidate's identity, such as a picture, or a link to the candidate's voter pamphlet statement
- flexibility: it should be possible to change the voting mechanism (from, say, one vote per person per office to approval voting, instant runoff voting, etc.) without replacing the machine
- transparency: the methods by which the votes are recorded and aggregated should be publicly known
- convenience: voters should be able to vote at times and places that do not cause them undue hardship; voters who can neither speak nor read English should have other options
- efficiency: machines and the system should tabulate results quickly
- interoperability: votes from one machine should be easily aggregated with votes from other types of machines.
- privacy: an individual's voting records should not be known by any other person except in the context of a formal inquiry of fraud or undue influence.
We could argue about which of these are the most important, or whether I've split things appropriately between "essential" and "desirable", or even my choices of terms for each of these concepts, but if we can call this "close enough" then maybe we can get somewhere with this. :) (On the other hand, if I've left something important out, say so.) But as I see it, systems that don't manage to satisfy the essential requirements are not worth considering, and those that do can most usefully be compared on the basis of how well they satisfy the desirable qualities (and at that point we can start wrangling about their relative importance).
I haven't used the lever operated machines that Shakrai describes, so my analysis is based on my best guesses and his brief description, and I might have missed something. In any event, it sounds like it covers the essentials fairly well, although it's not clear how well it provides security. As for the desirable qualities, if we score them on a 1 (bad) to 5 (excellent) scale, I'd guess clarity: 3 (no pictures by the names), flexibility: 1 (changing scheme probably requires replacing hardware), transparency: 4+, convenience: 2 (sounds difficult for blind, disabled, illiterate, or non-English-speaking voters), efficiency: 2, interoperability: 2, privacy: 4 (not 5 because the low convenience may, as you pointed out later, require a voter to get help to make their choices). So: a workable system, but one that has room for improvement.
I think that the best way to design a system that satisfies these requirements is to give those that run the machines and the system an incentive to do so in a way that promotes these principles.
My proposal for achieving this aim: parallelize the mechanisms for tabulating and aggregating votes. That is, in addition to the existing state and county organizations that do this, require the major parties (and, optionally, other organizations) to provide infrastructure for generating their own vote counts--and in particular, to require that they each use a different mechanism for doing so. So the voting process would look like this:
(0) voter 'signs in' (is checked for eligibility)
(1) voter generates ballot; this ballot is signed in some way that allows for detection of duplicates, but that anonymizes the voter's identity (a nice hash function, say)
(2) voter submits this ballot to each tabulating organization, which registers it; these are all present at the same polling location, but preferably anonymous
(3) each organization comes up with their own independent results
As the world is imperfect, we expect that the numbers may differ slightly, but that in general the organizations will confirm each other's outcomes (i.e., who won). In the case of outcome discrepancies, the ingredients for a recount are already in place (and, in fact, it should be easy to do cross-checking on the level of individual votes).
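A sketch of steps (0) through (3) and the ballot-level cross-check, added here as an example and not part of the original post. The names `ballot_tag`, `Tabulator` and `cross_check` and the sample voters are hypothetical, and it uses HMAC-SHA256 under a key held only by the sign-in desk in place of a bare hash, because an unkeyed hash of a voter ID can be reversed by hashing every entry on the voter roll.

```python
import hashlib
import hmac
import secrets
from collections import Counter

def ballot_tag(signin_key: bytes, voter_id: str) -> str:
    """Step 1: pseudonymous tag; the same voter always maps to the same tag."""
    return hmac.new(signin_key, voter_id.encode(), hashlib.sha256).hexdigest()

class Tabulator:
    """Steps 2-3: one organization's independent register and count."""
    def __init__(self, name):
        self.name = name
        self.register = {}   # tag -> choice
        self.rejected = []   # tags presented a second time

    def submit(self, tag, choice):
        if tag in self.register:          # duplicate ballot for this tag
            self.rejected.append(tag)
            return False
        self.register[tag] = choice
        return True

    def tally(self):
        return Counter(self.register.values())

def cross_check(tabulators):
    """Return the tags whose recorded choice differs (or is missing) between registers."""
    all_tags = set().union(*(t.register for t in tabulators))
    diffs = {}
    for tag in all_tags:
        seen = {t.name: t.register.get(tag) for t in tabulators}
        if len(set(seen.values())) > 1:
            diffs[tag] = seen
    return diffs

def run_demo():
    key = secrets.token_bytes(32)  # assumption: known to the sign-in desk only
    orgs = [Tabulator("county"), Tabulator("party_a"), Tabulator("party_b")]
    votes = [("voter-001", "Alice"), ("voter-002", "Bob"), ("voter-003", "Alice")]  # constructed
    for voter, choice in votes:
        tag = ballot_tag(key, voter)
        for org in orgs:
            org.submit(tag, choice)
    # voter-002 tries to cast a second ballot: every register rejects it
    dup_ok = [org.submit(ballot_tag(key, "voter-002"), "Alice") for org in orgs]
    lost = ballot_tag(key, "voter-003")
    del orgs[2].register[lost]     # constructed fault: party_b loses one ballot
    return orgs, dup_ok, cross_check(orgs), lost

if __name__ == "__main__":
    orgs, dup_ok, diffs, lost = run_demo()
    print([(o.name, dict(o.tally())) for o in orgs], dup_ok, diffs)
```

Whoever holds the sign-in key can still link a tag back to a voter, so the privacy of this variant rests on how that key is handled.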
In this way, the organizations involved act as checks on each other; in addition, since their work is being duplicated elsewhere, they have an incentive to do it right themselves (or be seen to be either incompetent or dishonest).
The most significant drawback that I can see is that the up-front infrastructure cost would be higher; however, it would be borne by the parties rather than directly by the general public. In addition, I suspect that it may be cheaper to have this sort of error-correcting built in than to have to constantly arrange for recounts and court battles over same. Anyone have data on this?
Comments actively solicited; this has been percolating around in my head for some time but this is the first time that it's made it out in complete form.