Wired runs an interesting piece of E-voting
, which gets me thinking about the wealth of problems that it poses.
My solution is simple- if you're determined to do electronic voting (which I feel is unneccesary), let's approach the issue democratically. Turn to the Open Source community, and let them develop it. Suddenly, when there's a claim that there's a security problem, you're going to have an entire community of tech saavy people hunting it down, and fixing it. And seriously- tabulating votes _should_ be an easy task. This isn't a "big" application, and requires no ground breaking innovation.
My model would work like so-
Each machine will present a touch screen interface, and walk voters through each campaign in a wizard-style format. After each page of the wizard, the resulting vote is cached in memory, so that the last screen presents a summary, and offers to either "confirm" "discard" or "edit".
Once the results are confirmed, the machine stores the results in a _flat text file_. Mind you, the machines are locked boxes with no wired or wireless connections. They're stored in a locked cabinet, in plain view of the precinct administators. Access can only be achieved via the _back_ panel, so a voter behind a curtain could not get access to the system without physically damaging the cabinet.
So yes, I use a _flat text file_, no database. It could even be encrypted. In addition to storing the results, it prints out a set of reciepts, one for the voter, and several copies for different audit trails.
At the end of the election, the machine enters tabulation mode. It tabulates the results, and displays them on screen, prints a hard copy. After the results are printed (and checked to see that they match), a network connection is _then_ added to the machine, where it can report to a central server. All of this communication should be done on a network that has _no connection to the outside world_, even so, all communication should be strongly encrpyted, signed, and verified. Each submission of voting data should be able to be tracked back to a specific machine.
At each precinct, the administrators should manually tabulate the results of each machine. *gasp* Yes, people should double check things on the precinct level. It's not hard people, and not that much work. Use a fucking calculator. Someone at the central server should randomly spot check the precincts by phone (in person perhaps?) and compare the results.
Now, part of this process creates a multiple level audit trail. An election could be auditted on the precinct level (and this process could be abstracted to allow city-level, county-level, and state-level audits), down to a voter-level audit. Based on the contention over the election results and the closeness of the election, an audit will be conducted.
For example, in elections decided by 15% of the votes, an audit could be performed by county. For 10% of votes, it could be done by precinct, and for 5% a full voter-level audit should be performed.
So, in close elections, there _is an audit_. Period. This is in addition to any mandated random audits.
No, this isn't a fool proof election, But it's a start. And this is one person, talking off the top of their head, with only a vague understanding of security principles. I _hate_ security. But it's important, especially for something like elections.