Broadly speaking, the voting system in any given polling place consists of two parts: the vote recording devices in the booths, and a controller at the table with the precinct board. The booths are connected to each other via a serial cable, and a serial cable also connects the controller to the closest booth. Each vote recording device has an attached printer. The printer has its own power supply, as does the controller, while the vote recording devices are powered by the controller via the serial connection. Printer, controller, and vote recording devices each have their own battery backup. The printer will maintain a paper record of each vote cast on the machine to which it is attached; each vote recording device will maintain a tally of the votes cast on that device, and the controller will maintain a tally, both on a hard drive and in flash ram, of the votes cast on it. In the event of a recount, the paper trail will be used, but all four can be cross-checked for data integrity.
At the start of the day, polling place officials will print out a tape representing all votes currently stored in the controller machine, and check to see that they are all zero. (This is identical to the procedure used in previous elections for optical-scanner machines in polling places.) The poll workers can also check the printers in each booth, verifying that they are displaying printed text saying that it is the start of the day and there are no votes already recorded. The vote recording devices cannot be independently checked to see that they have recorded a total of zero.
As voters come in to vote, once their registration has been verified, the election official sitting at the controller will use the controller to issue a randomly-generated four digit code. That code will be printed out on a ticker tape receipt and handed to the voter. The voter will then go into one of the booths, select a language, and punch in the number. The vote recording device will query the controller over the serial line to see if the number is valid; numbers which were not issued by the controller, or which were issued and have already been used, will be rejected. The vote recording device will also reject numbers which were issued more than thirty minutes ago; such numbers are deemed to have expired, and the voter must return their access code to the precinct board and be issued a new one (just as if they had spoiled their ballot).
Once their access code has been confirmed, voters will be shown the ballot associated with their precinct. (In polling places with multiple precincts, the precinct board member operating the controller selects the correct precinct number prior to issuing the access code; this is a major potential point of failure, and should be addressed by election departments minimizing the number of such polling places.) They can scroll through different contests using the scroll wheel, selecting candidates or yes/no choices with a button. They can select blank entries in the simulated ballot, thereby entering a 'write-in' screen in which they can use the scroll wheel to select letters, spelling out a name. At any time they may press a 'help' button, which brings up a screen explaining how to use the interface; pressing 'help' again while in that screen sends a signal to the controller prompting the election board to send someone to provide help in person.
After they have made all of their selections, the voter is taken to a screen that summarizes their ballot. At that point, they press a button which says "cast ballot"; this will cause the printer to print out a paper version of their ballot, listing all of their choices. The voter is then supposed to compare the printed ballot with the list of choices on the screen, verifying that they are the same. If they are not, the voter can select a 'reject ballot' option, and go back and make further changes; the paper ballot is then marked as rejected. If they are the same, the voter can select 'accept ballot', at which point the ballot is marked as accepted and a bar code is generated representing the choices (allowing the ballot to be read both by hand and by machine).
(It is important to note that the presumption here is that the paper ballot and the on-screen record always say the same thing, and that a 'rejection' is instigated by the voter having realized that they made an error; neither the training class nor the provided material gave any indication as to what the proper procedure is if the two do not match.)
The machines provide incredible support for disabled voters. For vision impaired voters, all of the devices are different sizes and shapes and are labelled in braille, and there are headphones which can be used to hear someone read the ballot to you. (There's an issue here, of course: there's no real way to be sure that option #1 is really so-and-so when the voice says it is; but that's not a significantly greater issue than that faced by blind voters in previous systems). For people who are unable to use the buttons, each polling place will be equipped with tactile input switches; and the vote recording machine is capable of being controlled by a sip-and-puff device. There is even a procedure for curbside voting: once an access code has been entered into the last machine in the daisy chain and verified over the serial connection, a poll worker can disconnect the machine from the chain, take it out to the voter, and then bring it back in and reconnect it.
At the end of the day, the controller prints out the number of access codes issued, the number of votes cast, the number of votes cancelled via the controller, and the number of access codes never entered into a vote recording device. The expectation is that the number of access codes minus the number of cancelled votes should always equal the number of people who signed the roster; and that the number of access codes issued minus the number of cancelled votes minus the number of abandoned votes should always equal the number of votes cast. Should those totals not add up, the polling place workers will have more than a little bit of explaining to do. (This is similar to the current system: if the number of ballots voted isn't the number of people who signed in the roster, there's a problem; if the number of ballots voted plus the number of ballots spoiled plus the number of ballots unused isn't the number of ballots issued, there's an even greater problem --- and the precinct board is accountable for it.)
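The access-code rules described earlier (unissued, already-used and expired codes are rejected) and the two end-of-day cross-checks can be modelled in a few lines. This is an added example, not the vendor's or the county's code; the class, method and field names are hypothetical, and it assumes a code is never reissued on the same day and that "abandoned" means "never entered into a vote recording device".

```python
import secrets

EXPIRY_SECONDS = 30 * 60  # codes issued more than thirty minutes ago are rejected

class Controller:
    """Toy model of the controller's access-code ledger; all names are hypothetical."""

    def __init__(self):
        self.codes = {}  # code -> [issued_at, state]; state: issued/entered/cast/cancelled

    def issue(self, now):
        while True:  # assumption: a code is never reissued on the same day
            code = f"{secrets.randbelow(10_000):04d}"
            if code not in self.codes:
                self.codes[code] = [now, "issued"]
                return code

    def validate(self, code, now):
        """Answer a booth's query over the serial line."""
        if code not in self.codes:
            return "unknown"
        issued_at, state = self.codes[code]
        if state != "issued":
            return "used"
        if now - issued_at > EXPIRY_SECONDS:
            return "expired"
        self.codes[code][1] = "entered"
        return "ok"

    def cast(self, code):
        if self.codes[code][1] != "entered":
            raise ValueError("ballot cast without a validated code")
        self.codes[code][1] = "cast"

    def cancel(self, code):
        self.codes[code][1] = "cancelled"

    def tape(self):
        """End-of-day counts as described for the controller printout."""
        states = [s for _, s in self.codes.values()]
        return {"issued": len(states), "cast": states.count("cast"),
                "cancelled": states.count("cancelled"),
                "never_entered": states.count("issued")}

def reconcile(tape, roster_signatures):
    """Return the failed cross-checks (an empty list means the totals add up)."""
    failed = []
    if tape["issued"] - tape["cancelled"] != roster_signatures:
        failed.append("codes issued - cancelled != roster signatures")
    if tape["issued"] - tape["cancelled"] - tape["never_entered"] != tape["cast"]:
        failed.append("codes issued - cancelled - abandoned != votes cast")
    return failed
```

In this model, a code that was validated in a booth but never cast makes the second check fail, since that ballot is neither cancelled, abandoned, nor counted.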
The controller also prints out a paper total of the votes cast; that paper and the controller are rushed off to a tabulating facility by two poll workers. It is not clear to me at this time what happens to the printers, with their attached paper trails, and the vote tabulating devices. These are mounted into the voting booths, which have traditionally been left for a county employee to pick up the next day; but since we have also traditionally been asked to take the paper ballots out of the optical scanner machines and return them directly to a secure facility, I imagine that a similar procedure will be in place. (Because these machines were recently acquired, a number of procedural issues have not been determined, and will be explained to us in an October procedure training class; today's class was primarily a "how-to-use-the-machines" class.)
Ways in which someone other than an elections worker could cause problems
The people conducting the training class repeated, insistently, that these systems are not "computers" and are therefore "not hackable". This is, of course, sheer nonsense: they quite clearly are computers, and like all computers may be hackable under certain circumstances. The county's insistence otherwise is for PR purposes --- and while I disagree, I did not avail myself of the opportunity to engage in a theological debate with the county elections department about what is and is not a computer. That said, once everything is set up in the morning, the system seems reasonably secure from deliberate interference by people other than the precinct board.
- The vote tabulating devices have no external inputs other than the serial cable connecting them to the other tabulating devices/controller;
- There does not appear to be any combination of key presses which will render the vote tabulating devices into a state that allows you to have programmatic access;
- The controller has two external input ports: one for the serial connection to the controllers, and a different one to a device that clears the memory of the election and resets totals to zero. That device is not present in polling places;
- The controller has no set of key combinations which drop it into a state that allows programmatic access.
There is, of course, the possibility that someone could plug a serial device into the chain and thereby intercept the data being sent to the controller and/or validate invalid access codes. Doing so would result in an inconsistency between the controller data and the vote recorder data, but that inconsistency would likely not be detected until after the election and could call the entire precinct's results into question. However, this possibility can be prevented by requiring the election board to maintain control of the daisy chain, and ensure that no unauthorized devices are attached. (Unfortunately, that point was not raised in the class, and it is one of several things I will be mailing the elections department about). Similarly, there is a possibility that someone could plug something into the controller and reset it; this, too, can be prevented by a sufficiently aware precinct board.
Ways in which an elections official could cause problems
These are, of course, legion. But they were with a paper system, too; at some point any system is going to rely on the integrity of its participants. I've listed the first handful of these to come to mind below:
- There is no way to verify that the tabulation on the vote recording devices starts the day at zero. Those totals are only used for cross-checks, as recounts are done with paper and original counts from the controllers; however, a failed cross-check could cause the precinct's results to come into question, and selectively causing failed cross-checks could cause votes for one side or another to be invalidated disproportionately;
- There is, of course, no way to verify that the vote recorded in the three memory locations is the same as the vote recorded on paper; this is a common problem with all electronic voting systems and is somewhat mitigated by using the paper trail in all recounts;
- In the case of voters who wander off without voting, there is nothing to keep the precinct board from issuing new access codes for those voters and then voting them (this same problem already exists with paper ballots);
- If the print records and the tabulation devices are not taken to a secure location immediately after the election, there is no way to prevent them from being tampered with;
- Election officials could interpose unauthorized devices;
- A sufficiently competent election official could presumably program the device to report a zero total when it did not in fact have a zero total, and then add votes in later (although this would be difficult, as the total added would need to be less than the total cast in order to prevent immediate suspicion, and the quad-redundancy check would cause problems unless the recording devices also had these votes added).
In general, however, these strike me as being equivalently secure to the paper-ballot-optical-scanner system the county used to use, assuming that these two glaring policy questions are answered wisely:
- What happens when a voter enters a code on their machine, starts to vote, and then leaves without finishing and telling the machine to cast their vote? Is the correct thing for the election official to do to go tell the machine to count the vote (in which case the official has the opportunity, should he be corrupt, of changing the vote; and, if the vacancy were not noticed immediately, the same could be said for random passersby), or to make use of an override and cancel the vote entirely?
- At the end of the day, are the printers and vote recorders taken off to a secure facility, or are they left in a public place like empty voting booths used to be?
The county will be setting up a lab where poll workers can go play and ask questions; if you have questions that I can't answer, or want to know what happens in a particular situation, I'd be happy to go play and find out for you. :)