A HAVA-Compliant, independently verifiable vote casting and tabulation machine


Purpose

This document describes a voting machine that complies with HAVA requirements while still producing a system of verification that is transparent to the typical citizen.

Assumptions & Context

The voting systems currently available, while HAVA compliant, have no method for verifying that the vote cast has been recorded faithfully. This has been established elsewhere and hence won't be revisited in this document.

Opportunity

The problems with the current voting systems won't go away; therefore, there is an explosive growth opportunity for a company with a product that can be quickly brought to market to solve the problem soon after the 2004 general election. Inevitable public dissent following this election will create a huge market for a viable replacement to the existing systems. The market is not limited to the U.S.

There are several keys to HAVA compliance:

  • The system must be easy to use.
  • The system must warn voters of "voting errors" such as undervotes or overvotes.
  • The system must be accessible to those with disabilities, in particular the large population of people with impaired vision.
  • The system must preserve the privacy of the voter.

In addition, to be competitive, the systems must be direct-recording and allow for instant tabulation.

The Solution

The bulk of the user interface will be functionally identical to the several competing systems on the market now. They have solved the HAVA compliance issues neatly, but left verification by the wayside in the process. We'll build on the part that they did right:

  • The voter indicates votes on a large "tablet" device by using a "touch-screen" or buttons corresponding to clearly marked choices.
  • Voters with vision impairments listen to a menu over headphones and respond using the same input devices.
  • The system checks for voting errors and notifies the voter of potential undervotes. (Overvotes are prevented by the user interface.)
  • In the final step, the votes are displayed to the voter for verification.

That is the end of the process for the currently available systems. Here's the last piece we add:

The current systems all have a final verification display that looks something like this:
            President of the U.S. -> John Kerry
                  Indiana Senator -> Richard Lugar
       Indiana Secretary of State -> Todd Rokita
               Wayne County Clerk -> Sue Anne Lower
      
The verifiable voting system adds one step to this system. To the right of the screen is a window behind which an adding-machine tape is spooled. The last step shifts the display one column to the right so that the name of the candidate is printed on the tape next to the display of the office. The voter then confirms that the tape displays the correct votes. If the voter does not confirm, "VOID" is printed on the bottom of the tape and the voter is returned to the screen menu for correction. If the voter confirms, the tape prints "confirmed" under the names and the paper is sliced off and falls into a bin. All of this is visible to the voter.

Each precinct has one machine for visually impaired voters with a Braille impact embosser behind the tape. This machine still prints the names on top and normally functions without the embosser. To allow a visually impaired voter to vote, the poll worker simply removes the cover over the tape, allowing tactile access to the tape. This automatically turns on the embosser, thus allowing the voter to listen to the names/offices in order over the headphones, and confirm that the tape has the same names in the correct order on it using the Braille.

None of this interferes with the direct recording and tabulation of votes, so the slips of paper simply become an easily used audit trail for recounts if the system is ever called into question or if there is a mechanical/electrical failure on the voting machine before the votes are recorded. Because the names are in office order, the use of a "mask" to facilitate manual recounts is possible. (This was one of the advantages of punch-cards.)

To allow meaningful testing, the voting machines should be produced using standard hardware and operating systems, thus producing a larger pool of computer experts qualified to do testing on behalf of local election boards.

The software itself, although it might be copyright protected, should be published in source form, thus allowing further inspection. The binary version of the code should be compiled under the supervision of a non-partisan group, and an md5 "signature" generated and published to help local inspectors confirm that the version of the program being run matches the version that was certified at compile-time.
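
The inspector's check described above, as an added example that is not part of the original article: it reads a published manifest in the md5sum line format and compares the installed binary against it. The file name `votingd`, the manifest format and the acceptance of SHA-256 digests alongside md5 are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> hashlib algorithm. SHA-256 support is an assumption;
# the article itself names only md5.
ALGORITHMS = {32: "md5", 64: "sha256"}

def parse_manifest(text):
    """Parse md5sum-style lines ('<hex digest>  <file name>') into a dict."""
    entries = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        if not digest or digest.startswith("#"):
            continue  # skip blank lines and comments
        digest, name = digest.lower(), name.strip().lstrip("*")
        if len(digest) not in ALGORITHMS or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"malformed digest for {name!r}")
        entries[name] = digest
    return entries

def file_digest(path, algorithm):
    """Hash the file in chunks so a large binary need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_installed(path, manifest_text):
    """Return (ok, reason) for the binary at path against the published manifest."""
    expected = parse_manifest(manifest_text).get(os.path.basename(path))
    if expected is None:
        return False, "not listed in published manifest"
    actual = file_digest(path, ALGORITHMS[len(expected)])
    if hmac.compare_digest(actual, expected):
        return True, "matches certified build"
    return False, f"digest mismatch: got {actual}"

def demo():
    """Constructed data: a stand-in binary and the manifest published for it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "votingd")  # hypothetical file name
        with open(path, "wb") as f:
            f.write(b"certified build bytes (constructed sample)")
        manifest = f"{file_digest(path, 'md5')}  votingd\n"
        certified = verify_installed(path, manifest)[0]
        with open(path, "ab") as f:
            f.write(b"\x00")  # any change made after certification
        return certified, verify_installed(path, manifest)[0]
```

The check is only as trustworthy as the channel the manifest arrives over and the tool that computes the digest, so both should come from outside the machine being inspected.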

Copyright, Updates, Comments, Questions.

Copyright © 2004 Nick Fankhauser.
I grant the right to reproduce this work to anyone with the following restriction: The entire work must be presented in the reproduction.

The reason I require that the entire work be reproduced is that I will probably update it periodically. I believe that all of the statements are true but I am not perfect and may need to make corrections or perhaps even change my opinion. I also hope to be able to report some progress toward a solution eventually. If you are reading a reproduction, please go to the following URL to make sure you have the most current copy: http://www.fankhausers.com/articles/

I invite comments, questions and corrections. I'm willing to post opposing opinions if they are reasonably well written. My EMail address is nick@fankhausers.com


This page was last updated:
Friday, 04-Jun-2004 13:13:28 EDT
