Many jurisdictions will need to replace their voting systems in the next few years, but commercial voting systems currently in the marketplace are expensive to acquire and maintain and difficult to audit effectively. Elections may be verifiable in principle – if they generate a voter-verifiable paper trail that is curated well – but current systems make it unnecessarily hard or impractical to verify elections in practice.
Recent experience with open-source tabulation systems in risk-limiting audits in California and Colorado, and voting system projects in Los Angeles County, CA, and Travis County, TX, suggest that the United States could have voting systems that are accurate, usable, accessible, verifiable, efficiently auditable, reliable, secure, modular, and transparent, for a fraction of the cost of systems currently on the market. The key to reducing costs is to use commodity off-the-shelf hardware, open-source software, and open data standards, with usability and auditability designed in from the start.
The United States could have the best possible voting systems, instead of just the best voting systems money can buy, if new systems adhere to the Principles enunciated below. (Download PDF)
Verified Voting Foundation: Principles for New Voting Systems
Any new voting system should conform to the following principles:
1. It should use human-readable marks on paper as the official record of voter preferences and as the official medium to store votes.[1. The medium might be voter-marked paper, a paper ballot marked with a ballot-marking device, or paper printed with the voter’s selections. For the purpose of recounts or audits, the human-readable marks should take precedence over any other representation of voter intent, such as a barcode or QR code.]
2. It should be accessible to voters with disabilities, and in all mandated languages.[2. This can be accomplished by providing an accessible ballot marking device.]
3. It should provide voters the means and opportunity to verify that the human-readable marks correctly represent their intended selections, before casting the ballot.[3. Some voters might need to rely on assistive technology, but to the extent possible, verification should not require technology.]
4. It should preserve vote anonymity: it should not be possible to link any voter to his or her selections, when the system is used appropriately. It should be difficult or impossible to compromise or waive voter anonymity accidentally or deliberately.[4. Reporting vote subtotals by geography to comply with jurisdictional rules may entail some unavoidable loss of complete anonymity.] No voter should be able to prove how he or she voted.[5. This is to avoid coercion and vote selling.]
5. It should export contest results in a standard, open, machine-readable format.[6. For instance, results might be reported in EML.]
6. It should be easily and transparently auditable at the ballot level. It should:
export a cast vote record (CVR) for every ballot,
in a standard, open, machine-readable format,
in a way that the original paper ballot corresponding to any CVR can be quickly and unambiguously identified, and vice versa.[7. This might involve printing unique identifiers on ballots, if that can be done in a way that precludes linking any ballot to any to individual voter.]
7. It should use commercial off-the-shelf (COTS) hardware components and open-source software (OSS) in preference to proprietary hardware and proprietary software, especially when doing so will reduce costs, facilitate maintenance and customization, facilitate replacing failed or obsolete equipment, improve security or reliability, or facilitate adopting technological improvements quickly and affordably.[8. his includes supplies and “consumables,” such as paper and batteries. Software should be licensed under a permissive license, such as BSD or MIT. Software that is not open-source should be disclosed-source to the extent reasonably possible. Disclosing source code provides the possibility of discovering errors, security vulnerabilities, and threats to voter anonymity, and mitigating their consequences. Moreover, subject to intellectual property laws, disclosing source code may offer continuity if a vendor goes out of business.]
8. It should be able to create CVRs from ballots designed for currently deployed systems[9. This allows modular replacement of components of a voting system. For instance, the tabulation component could be replaced without replacing the entire election management system.] and it should be readily configurable to create CVRs for new ballot designs.[10. New ballot designs might be required for new voting methods; ballot layouts might be improved to be more usable by voters or tabulated more reliably by machine.]
9. It should be sufficiently open[11. In particular, the design, data formats, and programming interfaces should be open and the licensing should be permissive.] to allow a competitive market for support, including configuration, maintenance, integration, and customization.
10.It should be usable by election officials: they should be able to configure, operate, and maintain the system, create ballots, tabulate votes, and audit the accuracy of the results without relying on external expertise or labor, even in small jurisdictions with limited staff.
_________________________________________