
Machine Verification

Roy Minet December 26, 2022

People don’t trust machines.  They are quite correct to not trust them.  No one can guarantee that any machine at least as complicated as a paper stapler will work correctly 100% of the time.

Modern machines are far more complex than a paper stapler.  They almost inevitably depend for their operation upon a digital computer.  Digital computers are extremely complex, and worse, they are controlled by complex “software” (or “firmware”) that can be modified fairly easily.  Software can be defective; that is, it can contain mistakes (known as “bugs”) which cause malfunctions.  Bugs are accidents.  But software can also be intentionally modified in subtle and hard-to-detect ways that could fraudulently affect election results.

The customary way to ensure that machines used for voting have a very high probability of working correctly through an entire election day is to rigorously test them before approving them for use.  State agencies are responsible for “certifying” voting machines.  Such certification processes were satisfactory for the older and simpler electro-mechanical voting machines.

However, advance certification is not at all sufficient for modern digital hardware/software machines and can only create a false sense of security.  Of course, rigorous testing in advance is still necessary to avoid the possibility of disruptive system failures on election day.  But it can no longer adequately assure integrity for two reasons.

First, it is possible to engineer a system that will pass testing with flying colors and yet still manipulate voting on election day.  Recall the fairly recent Volkswagen emissions case, in which the engine-control software was deliberately engineered to detect when emissions were being measured.  During a test the software tweaked engine operation to minimize emissions.  At all other times it operated the engine for maximum performance, even though emissions then exceeded legal limits.

Second, and more likely, the software could be nefariously replaced or modified at any time after certification testing.  This could happen during machine storage, transport or whenever it is connected to a network, either before or even on election day (network connections can be wireless and invisible).  There would be no obvious evidence of such software modification.  Of course, it should be possible to develop rules and procedures that could minimize the opportunities for fraud and provide some reasonable assurance of machine integrity.  However, a significant number of voters are bound to question machine integrity and there is no quick and conclusive way to prove to them that all machines are indeed functioning properly.

Unfortunately, there is yet one more problem standing in the way, and it’s a serious one: The Jones Rule.  There simply is no way that a large majority of voters are ever going to be able to understand these highly complex machines.  A lack of understanding is a lack of transparency that inevitably engenders a lack of trust.

Does all this bad news mean we have to forgo the huge advantages that modern complex machines can provide?  No.  It just means we have to be extremely careful to properly engineer the overall election system that the machines will be a part of.  We need a new rule to govern that: each and every output of a machine that could affect the outcome of an election must actually be checked and verified routinely as a part of normal operating procedure.

If every machine output is indeed verified, we can guarantee that any mistake, whether a simple machine malfunction or an attempt to fraudulently manipulate the election, will be caught and can be corrected, provided the checks are actually carried out rather than merely available.  This is something that all voters can understand and trust.  It takes the machine complexity (and all its unavoidable risks) right out of the picture and renders it irrelevant.

Checking and verifying each and every machine output (that could affect election results) sounds so onerous and burdensome that it could cancel out the advantages of machine automation.  That is not necessarily so.  One system complying with this new rule already exists.  It awaits further testing and acceptance into service.  Here are the basics of how that system works.

Voters vote in the customary private voting booth, choosing and selecting candidates for each race using a computer touch screen.  After making and checking their selections (as often as desired), voters touch a “Cast Ballot” button to finalize their ballots.  A clear and simple plain paper ballot is printed showing the candidates they have selected in each race.  There is nothing on the ballot that the voter cannot read and understand.

Voters are instructed to read and carefully check their ballots.  If there is any problem with the ballot, voters can touch a “Ballot NOT Printed Correctly” button which will summon the Judge of Elections and a poll worker to immediately resolve whatever the issue may be.  If the ballot is correct, the voter touches a “Ballot Printed Correctly” button.  Each voter then takes the paper ballot that they have verified to the customary ballot box and deposits it there on the way out of the voting booth area.

When the polling place closes, the machine produces a text file listing every ballot cast, in random order, including the selections made on each ballot.  The text file is in a well-known, widely-understood and widely-used format called XML (Extensible Markup Language).  XML files can be read both by humans and by computers.  The XML ballot list has triple redundancy and also has quadruple tamper protection.  Nothing can stop someone from tinkering with or modifying a copy of such a file, but the tamper protection means that any modification will be obvious and easily detected when the copy is checked against the original.

Each polling place posts its list of ballots publicly on the Internet as soon as possible after closing.  Because the ballots carry no voter identifier and are listed in random order, no one can tell which voter cast any particular ballot, so ballot secrecy is preserved.  A computer anywhere can read and tally the ballots from all polling places.  Anyone anywhere can verify the tally, even by a tedious hand count, if desired.  Final election results, including all write-in votes, can be available a half hour after the polls close.

There are only two outputs from the machine that can affect an election outcome.  The first is the ballot printed for each voter.  Each one of those is immediately checked and verified by the voter.  The second is the list of ballots (and the selections on them) produced when the polling place closes.  The ballot list can be positively verified by matching the ballots from the ballot box, one-to-one, against the list.  This can be done later, or immediately by the polling place crew before a copy of the file is sealed together with the paper ballots.
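The three checks just described (reading the posted XML list, tallying it across polling places, and matching the ballot box one-to-one against the list) are short enough to show in code.  The script below is an added example and is not the system's own software; its XML layout, its use of a SHA-256 digest as a stand-in for the file's tamper protection (the lesson does not describe the actual mechanism), and the two constructed precinct files are all assumptions made for illustration.

```python
"""Added example (not the system's own code): parse a constructed XML ballot
list, check a published copy against the digest recorded on the sealed copy,
reconcile the paper ballots one-to-one with the list, and tally plurality
results across polling places.  Schema, digest scheme and data are assumed."""

import hashlib
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample files for two polling places (not real election data).
# Element and attribute names are an assumed layout, not the real schema.
PRECINCT_01 = """<?xml version="1.0"?>
<ballot_list precinct="P-01">
  <ballot><race name="Mayor">Lee</race><race name="Council">Ortiz</race></ballot>
  <ballot><race name="Mayor">Kim</race><race name="Council">Ortiz</race></ballot>
  <ballot><race name="Mayor">Lee</race><race name="Council">Shah</race></ballot>
</ballot_list>
"""

PRECINCT_02 = """<?xml version="1.0"?>
<ballot_list precinct="P-02">
  <ballot><race name="Mayor">Lee</race><race name="Council">Shah</race></ballot>
  <ballot><race name="Mayor">Kim</race><race name="Council">Ortiz</race></ballot>
  <ballot><race name="Mayor">Lee</race><race name="Council">Ortiz</race></ballot>
</ballot_list>
"""


def sha256_hex(data: bytes) -> str:
    """Digest that would be recorded with the sealed copy (assumed stand-in for
    the file's tamper protection, which the lesson does not specify)."""
    return hashlib.sha256(data).hexdigest()


def digest_matches(published: bytes, sealed_digest_hex: str) -> bool:
    """True only if the published file is byte-identical to the sealed copy."""
    return sha256_hex(published) == sealed_digest_hex


def parse_ballot_list(xml_text: str):
    """Return (precinct, ballots).  Each ballot is a sorted tuple of
    (race, choice) pairs so ballots with the same selections compare equal
    regardless of race order.  A downloaded file from an untrusted source
    should go through a hardened parser such as defusedxml instead."""
    root = ET.fromstring(xml_text)
    if root.tag != "ballot_list":
        raise ValueError(f"unexpected root element {root.tag!r}")
    ballots = []
    for ballot in root.iter("ballot"):
        pairs = []
        for race in ballot.iter("race"):
            choice = (race.text or "").strip()
            if not choice:
                raise ValueError(f"empty selection in race {race.get('name')!r}")
            pairs.append((race.get("name"), choice))
        ballots.append(tuple(sorted(pairs)))
    return root.get("precinct", ""), ballots


def reconcile(file_ballots, paper_ballots):
    """One-to-one match of the ballot box against the file, as multisets.
    Returns (missing_from_file, extra_in_file); both empty means they agree."""
    in_file, on_paper = Counter(file_ballots), Counter(paper_ballots)
    return on_paper - in_file, in_file - on_paper


def tally(ballot_lists):
    """Plurality tally per race over every precinct's ballot list.  Write-in
    names tally exactly like any other choice."""
    totals = defaultdict(Counter)
    for ballots in ballot_lists:
        for ballot in ballots:
            for race, choice in ballot:
                totals[race][choice] += 1
    return dict(totals)


if __name__ == "__main__":
    sealed = sha256_hex(PRECINCT_01.encode())
    _, p01 = parse_ballot_list(PRECINCT_01)
    _, p02 = parse_ballot_list(PRECINCT_02)
    print("digest ok:", digest_matches(PRECINCT_01.encode(), sealed))
    print("box matches file:", reconcile(p01, p01) == (Counter(), Counter()))
    # A copy with one Mayor vote flipped fails both the digest and the match.
    tampered = PRECINCT_01.replace("Kim", "Lee", 1)
    print("tampered digest ok:", digest_matches(tampered.encode(), sealed))
    print("tampered diff:", reconcile(parse_ballot_list(tampered)[1], p01))
    print("totals:", tally([p01, p02]))
```

The reconciliation deliberately works on multisets of selections rather than on serial numbers, so nothing in the file links a ballot to a voter; a flipped vote shows up as one selection pattern missing from the file and one extra, which is exactly what the one-to-one match is meant to expose.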

Some of the many advantages are:

  • Every machine output is actually checked and verified as normal procedure.  Voters can easily understand the procedure.  Thus, they are able to trust election outcomes without having to understand how the machine functions.
  • Complete secrecy of every ballot is guaranteed.
  • Transparency is maximized.  All polling place procedures are simple and understandable.  Every choice on every ballot from every polling place is made publicly available immediately after the polls close.  Therefore, election results can be verified by anyone anywhere using any method.
  • Efficiency is greatly improved by automation and opportunity for fraud is minimized.
  • The currently available system supports a choice of voting methods.  The Plurality, the BAWV (Best, Alternate, Worst Voting) or the AADV (Approve, Approve, Disapprove Voting) method can be selected for each election.

Many mistakes have been made through the improper use of technology for voting systems.  However, there is every reason to utilize the most modern technology if it is carefully and properly done.  In fact, elections could have and should have been benefiting from such automation for the past quarter century.
