Electronic vote counting is vulnerable to many, but not all, of the problems of fully electronic voting. I think it is possible to design a scheme for electronic vote counting (electronic vote tallying, at least) that is invulnerable to any planned attack. That would let the more complicated counting schemes, usually needed to keep local representation while remaining nationally proportional, deliver a result within hours (as British electorates are used to) instead of days, while still ensuring fairness. One example of a problem such a system would solve is the redistribution of surplus votes in STV: because doing it by hand takes so long, Australia and Ireland both use only a random subset of an elected candidate's ballots to decide how the surplus is split in proportion to the next preferences cast. That is not reproducible in a recount, and could be subtly rigged by a dishonest returning officer.
The difference between counting and tallying
The distinction here is something I’ve made up in order to separate the easily-attackable parts of an electronic vote counting system from the more basic aspects.
Counting, in my terminology, refers to the entire process of opening a ballot box, reading the marks on the pieces of paper, producing some kind of database of the votes cast (this could be a ‘database’ in the form of piles of ballot papers and handwritten tallies, or a computerized one), and declaring a winner.
Tallying, on the other hand, refers only to taking the set of votes cast and determining the winner(s). In computer-science terms it is a pure function: its output depends on nothing but the votes fed in, so the same set of votes must always produce the same result.
Tallying alone is far harder to subvert than the whole counting process. To throw the election, a programmer essentially has to know which option on the ballot is which candidate, and which party each candidate stands for. If the machine knows nothing of the kind, malicious code can only bias the result blindly, and blind tampering shows up as disagreement between independently loaded machines; if the computer has any idea which candidate represents which party, it can potentially throw the result.
Rules for setting up and operating the tallying machines
- The tallying machines must be set up with the required software before the election begins. Once the tallying software has been installed, every means of attaching an arbitrary external device must be physically disabled or sealed off (this means the keyboard and mouse must be attached by PS/2, not USB: the computer must not have any open USB ports). The computer case must be secured closed with a padlock to which nobody except the returning officer (or the body responsible for overseeing the fairness of the election) has the key, and sealed with labelled tamper-evident tape. It must have no connection to any other computer, or to the Internet, at any time.
- Before the count itself begins, a series of test data sets must be entered by hand into each tallying machine, and it must be verified that the software produces the expected result for every one of them. The number of test runs should be picked at random. The test inputs must be engineered to be as realistic as possible, and the exact test values must be kept secret until they are unsealed for the tests themselves.
- On the night of the count, each candidate is assigned a random, unique letter on each tallying machine, and a different random assignment is drawn for every machine. That letter is the only thing the tallying machine knows about a candidate: the association from ‘Candidate A’ to ‘Conservative Party’, ‘Candidate B’ to ‘Keep Royalty White, Rat-Catching, and Safe Sewage Residents’ Party’, ‘Candidate C’ to ‘Labour Party’ and so on must be made by the humans who read the results off the display. Because the letters differ from machine to machine, the tally itself must never depend on which letter a candidate happened to get (a tie broken by alphabetical order, say, would make two machines disagree).
- Each ballot box is to be entered twice, by two different counters, into two different tallying machines. Discrepancies are to be resolved by resort to a third tallying machine, or by a manual tally if that still fails to produce a consistent result.
- The final result shall be verified independently on each of the tallying machines, and must agree across all of them.
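The following is an added example, not code from the original post, putting the pieces above together: the tally as a pure function over opaque labels (the counting/tallying distinction), the surplus redistribution in STV done reproducibly instead of by random sample, a per-machine random letter table that only the humans can decode, and a cross-check between machines. Every name in it (`Tie`, `droop_quota`, `stv_tally`, `assign_letters`, `run_machine`, `cross_check`, `BALLOTS`) is mine, and the sample election is constructed, not real. It also assumes things the post does not specify: the Droop quota, weighted inclusive Gregory surplus transfers (every ballot of an elected candidate moves on at a reduced weight), and no machine-side tie-breaking at all, since any tie-break based on the labels would depend on the arbitrary letters each machine was given.

```python
# Added example, not the post's own code. Assumptions: Droop quota, weighted
# inclusive Gregory surplus transfers (fractional weights, no random sample),
# and no machine-side tie-breaking (a tie is handed back to the humans).
from fractions import Fraction
import random
import string


class Tie(Exception):
    """The count cannot continue without a human decision (e.g. drawing lots)."""


def droop_quota(valid_ballots, seats):
    return valid_ballots // (seats + 1) + 1


def stv_tally(ballots, seats):
    """Pure function: the same ballots and seat count always give the same winners.

    ballots: sequences of opaque candidate labels in preference order; the labels
    are never interpreted. Returns the frozenset of elected labels.
    """
    pool = [[Fraction(1), tuple(ranking)] for ranking in ballots]  # [weight, ranking]
    hopeful = {label for _, ranking in pool for label in ranking}
    elected = set()
    quota = droop_quota(len(pool), seats)

    def current_choice(ranking):
        # Highest preference still in the running, or None if the ballot is exhausted.
        return next((c for c in ranking if c in hopeful), None)

    while hopeful and len(elected) < seats:
        if len(hopeful) <= seats - len(elected):
            elected |= hopeful  # no more hopefuls than unfilled seats: elect them all
            break
        totals = {c: Fraction(0) for c in hopeful}
        for weight, ranking in pool:
            choice = current_choice(ranking)
            if choice is not None:
                totals[choice] += weight
        ranked = sorted(hopeful, key=lambda c: totals[c], reverse=True)
        top, low = ranked[0], ranked[-1]
        if totals[top] >= quota:
            if totals[ranked[1]] == totals[top]:
                raise Tie(f"two candidates tie for election at {totals[top]}")
            # Surplus transfer: every ballot counted for `top` carries on to its next
            # preference at weight * surplus/total. Exact fractions make this
            # reproducible, unlike transferring a random sample of the ballots.
            factor = (totals[top] - quota) / totals[top]
            for entry in pool:
                if current_choice(entry[1]) == top:
                    entry[0] *= factor
            hopeful.remove(top)
            elected.add(top)
        else:
            if totals[ranked[-2]] == totals[low]:
                raise Tie(f"two candidates tie for exclusion at {totals[low]}")
            hopeful.remove(low)  # its ballots move to their next choice at full weight
    return frozenset(elected)


def is_tie(ballots, seats):
    """True if the tally stops for a human tie-break on this input."""
    try:
        stv_tally(ballots, seats)
    except Tie:
        return True
    return False


# Constructed sample election (not real data): 24 ballots, 3 seats, quota 7.
# Alice's surplus of 5 is what lifts Bob over the quota; Carol takes the last
# seat after Erin and then Dave are excluded.
BALLOTS = (
    [("Alice", "Bob", "Erin")] * 12
    + [("Carol", "Dave")] * 4
    + [("Dave", "Carol")] * 3
    + [("Erin", "Carol")] * 2
    + [("Bob", "Carol")] * 3
)


def assign_letters(candidates, seed):
    """Per-machine random letter for each candidate. The humans at the count
    keep this table; the machine only ever sees the letters."""
    rng = random.Random(seed)
    return dict(zip(candidates, rng.sample(string.ascii_uppercase, len(candidates))))


def run_machine(ballots, seats, letter_of):
    """What one tallying machine does: it is fed letters and reports letters."""
    coded = [tuple(letter_of[c] for c in ranking) for ranking in ballots]
    return stv_tally(coded, seats)


def cross_check(ballots, seats, seeds):
    """Enter the same ballots into one machine per seed, decode each machine's
    letters with that machine's own table, and insist the results agree."""
    names = sorted({c for ranking in ballots for c in ranking})
    results = []
    for seed in seeds:
        letter_of = assign_letters(names, seed)
        name_of = {letter: name for name, letter in letter_of.items()}
        results.append(frozenset(name_of[l] for l in run_machine(ballots, seats, letter_of)))
    if any(r != results[0] for r in results):
        raise RuntimeError("machines disagree: resolve on a third machine or by hand")
    return results[0]
```

`cross_check(BALLOTS, 3, seeds=(2024, 7, 99))` returns the same three names from every machine even though each machine saw a different alphabet, which is the property the letter scheme relies on. Feed it two single-preference ballots for two different candidates with one seat and `stv_tally` raises `Tie` rather than picking one: the deliberate point is that nothing in the tally may fall back on the labels to decide.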