The "front end": what does the voter see to make choices ? A touch-screen,
a punch-card, an optical-scan card, etc.
The "back end": what comes out of the machine when the voter is done choosing ?
How is the vote recorded and maybe recounted ?
How the "back end" of electronic voting should work:
At the polling place, when you are done voting on the "voting" machine, it prints
out a paper "receipt" that you take with you, and another identical receipt that gets stored
at the polling place in case of a recount. The machine also stores the vote electronically inside
itself, to be counted at the end of the day, as usual.
The paper receipt is like a lottery ticket, in that it shows
a big encrypted string of numbers or letters, maybe 100 digits long.
Might also have the same info in a big bar-code. And might show
the state, county, precinct and election date in plain text. [The receipt does not
show your ID or votes in plain text.]
The encrypted string on the receipt includes all of the election info
(state, precinct, voting machine number, time-stamp, etc),
the voter's ID info (registration number, ID info, etc), and all of the
votes cast.
At any time after the election, you can take the paper receipt to the election office,
show ID, and have them stick that receipt into a "scanning" machine.
The official will verify that your ID matches the ID recorded in the receipt.
Then the machine will check to confirm that the central election database already
had your vote recorded, and everything on the receipt matches everything in the database.
And it will let you see all of your votes cast, on a screen that you
can see but the official can't see. So you can see that your votes were recorded correctly.
It would be nice if you could get on the Internet and go to the election web site and
do the receipt-confirmation yourself, by typing in the encrypted string. But this
is bad because someone (your boss, for example), could force you to do this to
prove that you voted the "right" way. Or some voter could sell their vote and use
this to prove to the buyer that they voted as directed. Or someone could
steal your receipt and find out how you voted. So the official in-person checking of ID is necessary.
It would be possible to allow Internet-based "partial confirmation". That is, confirmation
that the vote on your receipt was recorded, but not that the receipt correctly
captured your voting choices. You browse to the election web site,
type in the 100-digit encrypted string from your receipt, and the site tells you whether that
vote has a match in the central election database. (Or maybe you type in the first 80 digits,
and it tells you what the remaining 20 are, so you have more confidence.)
So now you know that your vote got into the
database. You still don't know if your receipt matches the choices you made; to confirm
that, you'd have to go to the election office to use the "scanning" machine.
The "voting" machine at the precinct could be supplied by a different vendor than the "scanning"
machine at the election office, if you're worried about letting one company supply both.
Absentee voting and vote-by-mail could also produce a receipt, which would be mailed to you.
So later you could go to the election office and have it confirmed, if you wished.
This would be a big improvement over today's situation; right now I think you have no idea if
your absentee vote was even received, much less recorded correctly.
On election day, each polling place could also have a few "scanning" machines in addition
to all of the "voting" machines. So as soon as you vote and get your receipt from
the "voting" machine, you could walk over to a "scanning" machine and confirm that your
receipt is correct right away.
On election day, if a "voting" machine's receipt-printer jams or runs out of paper,
the voter doesn't budge until the printer is fixed or replaced, and two valid receipts are printed.
It's exactly what would happen when buying a lottery ticket. In fact, there could be a
"receipt received" button that the voter pushes to finish the voting process, and the
vote does not get stored in the machine until the voter presses that button.
This "back end" "receipt-based" solution is independent of how the "front end" of the voting machine works.
That is, the voting machine could present an electronic touch-screen to the voter, could
present a panel of LED strips and buttons, could present a paper poster with levers next to names,
could accept a punched-hole ballot card, could accept an optical-scannable ballot card.
It could let the user choose any language (English, Spanish, Braille, etc).
But no matter what kind of "front end" is presented to the user, any voting machine must
print the two receipts as described above. Different counties or states could choose different
"front end" types as they wish.
This "back end" "receipt-based" solution should eliminate most of the controversy about
trusting voting-machine manufacturers, and verifying the software and software updates.
Voters no longer have to trust the "voting" machine; they only have to trust the "scanning" machine.
And the "scanning" machine is a much simpler machine, since it doesn't have all of the user
interface (displays, switches, levers, etc) of the "voting" machine. It just scans the receipt,
decrypts it, displays the info to official and voter, and compares it to info from the central
database. And you could have two different "scanning" machines from two different manufacturers
in the election office, if you wished. And now there is a paper trail, for recounts.