Open Source Voting Machine Reborn After 6-Year War With IRS (Wired)

I do not believe that this is correct, from the BBC's web site ( http://news.bbc.co.uk/news/vote2001/hi/english/voting_sys... ) :

"Not quite secret ballot

Your name will then be crossed off and the clerk will give you a ballot paper stamped with an official mark.

It also contains a serial number, which means that your vote is not in fact completely secret as it is possible, though illegal, to trace all votes to the people who cast them.

The purpose of the serial number is to stop impersonation of voters and electoral fraud."

As the original commented said this takes a court order to de anonymise, but it is possible.

In locales where voting is obligatory (like here in Brazil), proving that you voted is not a problem, since it does not give much information. In fact, here you already can prove that you voted (you get a paper ticket after you vote).

Even in locales where voting is not obligatory, I fail to see the problem in being able to prove that you voted.

You have to prove that you haven't already voted in order to vote. I don't think it's practically possible to prevent proving the opposite in that case.

Almost ten years ago, in this very same site, I pondered the following two posts. Take in consideration that, at that time the present incumbent party (PT) just won the presidential election, from the last incumbent (PSDB).

( commenting to https://lwn.net/Articles/98671/ )

BEGIN QUOTE

I live in Brasil. We have had voting machines in the last 12-14 years (yes, twelve to fourteen -- it depends the size of the city you are in). Brazilians here: the first election here in Belo Horizonte to use the machines were the mayoral (and city council, state representation, governor, house and senate) before FHC was elected (as I count it, 2 years + 8 years + 1 1/2 = 11,5 years). I know it, because I was "mesário" (election "table" official? election "clerk"? what is a good English translation?) in the previous election, and in the two subsequent elections). IIRC, there were electronic ballot boxes in Rio and Sao Paulo in the election before that (the only two cities larger than Belo Horizonte).
Our voting machines are mainly of three different (internally) models: (a) the old ones, that use VirtuOS (*) as the OS, (b) the new ones, that use WinCE as the OS, and (c) the newest and deprecated ones that have the second printer to print your vote, show it to you inside a clear acrilic case, and mix it with others inside the machine.
Externally, all of them look roughly the same: a box similar to the old "portable computers" of the eighties, with a 5-6" diagonal LCD and a big numerical keypad in the right side of the screen, that has, besides the 0-9 keys, "confirma" (ok), "erro" (cancel), and "branco" (white).
The electoral process (from the point of view of the voter) begins ... when you get your first job. If you are a mandatory voter (literate person with age 18 to 65) you have to go to Electoral Court and register to vote. In the process of registering, you receive the "Título de Eleitor" (voter id card), in which you have the number of you voting section. To change jobs, and specially to get a government job, you have to prove you are a registered and regularized voter (you voted in the last election, or regularized your voting situation after it).
In the election day -- normally the first Sunday of October for the first round and the first Sunday of November in case of needing a second round (**), you scan the newspapers (or the Superior Electoral Court website), search for the address of your section, and go there. No, there is no transit (absentee) vote, you can only vote at that address. If you can't get there, you'll have to "justify" your absence to an Electoral Judge, to regularize your voting situation.
At the section, you will present your voter id card to one the "mesários", and if you don't have it on you, you can still vote (you can show other valid id), but will be delayed. The mesário will search for your name in the vote-ticket sheet, and annex it to your id while you vote. You will sign a receipt in a sheet, and proceed to the voting "booth". Another "mesário" will type your voter id # in a remotely connected keypad, setting the machine in the "ready to vote" mode.
The voting "booth" is really only a desk with the voting machine over it, facing nobody else in the room, and sometimes with a cardboard "cover" around it. You will "dial" the numbers of the candidates, in order. when you dial all the digits of one candidate, a star-trek-like chime rings, his/her face will show up in the screen, and if you digited it right, you hit "ok". otherwise, you hit "cancel" and start over. After typing all the candidates, you hit "ok" one last time, the machine chimes again, and goes to "stand by" mode. You have voted. If you don't want to vote for nobody for some office, you can hit "white" instead of the candidate ## (accounted as a "white vote", or "none of the above" -- this is the equivalent of putting your paper ballot in the box without marking anything), or if you really want to protest you can type 9999 or other non-existent-candidate-#, and your vote will be accounted as a "null vote", or "I'm really pissed of" (the equivalent of drawing pictures or writing "improper expletives" in a paper ballot)
Then, you get your id back, your ticket (keep it together with your voter id!! -- it's the proof that you are a regularized voter!), and you go home. Ah, bars do not open (theoretically) in the election day, so hope you have bought your beer/wine/other-booze in the day before).
From the point of view of election officials, things are more complicated. The machines arrive to the Electoral Judge (yes, a Judge of Law) pre-prepared one to two months before the election day, along with boxes of diskettes (where the results will go) and Flash ROM cards (where the software and the candidates names/photos will go). All Electoral Judge Offices already have Flash readers, to make some verifications on this Flash ROMs.
The electoral Judge has the personal responsability of, in the meantime before the election day, testing *ALL* of the machines and checking their Flashes with some checking software. He has to set the clock to the election opening date/time, emit the "zerésima" (0th report), that is a report saying "this box has no votes on it", make some votes, close the box, emit the totalling report, check if those were the votes, repeat the procedure a random number of times, and sign the machine as "ok" in a list. He should do it in a way that prevents "date/time" hacks, "number of activation times" hacks to be done. Some machines even get tested for a full day, to test for "number of votes" hacks. He can delegate some of the work, but it's his responsability -- he better delegate it to trusted people, in case of fraud it's his neck on the line.
In the evening of the election day, he must make sure the clocks are ok for all of the machines.
In the election day, the "mesários" in each section must emit the 0th report, annex it to the official election papers, and the box is ready to be used. At the end of the election day, the "mesários" emit 6 or more copies of the totalling report for each box. Three of them go with the official election papers, one is affixed in the outside of the section, and the others go to party appointed officials. Some electoral judges appoint press members to receive them, too.
The totalling is already in a diskette, that is inside a sealed compartment in the box. Some Electoral Judge Office employee breaks this seal (marking he's done so), and the diskettes are read in a computer in the Office, their contents (probably signed cryptographically) sent (directly by a dial-up line, not over the Internet) to the Regional Electoral Court, where they are processed against all other ballot boxes.
I should say, at this point, that all of this is accompanied by the Electoral Judge and the District Attorney, which are not elected officials in Brasil, and the elected officials have no power over them. Or at least, should not have.
The press and the parties' officials all have the intermediate per-box results, immediately after the election closed, so they can do the math, too. And they do -- in small towns the result of the mayoral elections is usually known far before the official announcement, because people sum the per-box results by hand, instead of waiting for the Big Computer at the Regional Court add for them.
Quoting (mis-quoting?) Gangs of New York, "ballots do not win elections -- counting does!", the counting/summing part is verifiable.
At this point, I should say I consider our system very very reliable, because of the distributed nature of the checkings that are done in the machines. I have worked at a District Attorney's office, and the fiscalization of the procedures to be done to the machine by the Electoral Judge was partly delegated to me, so I know what I'm talking about. The Judges and their guys usually fiddle with the clock, make a lot of votes, and thoroughly check the machines before they are used. This is taken very seriously.
Even in the few instances where it's not done so seriously, the overall bad effect is not great. Yes, it should be relatively easy to rig a mayoral election in a small town (100 machines or less -- each machine in the range from 500-10000 voters) -- but just with the DA's and the Judge's help. And they usually won't help, normally they have nothing in it for them, and the risk is very big [election fraud penalties are reasonably high]). But I think impossible the effort to rig, p.ex., an election like our last presidential one -- and, to boot, won by the opposition party.
You must notice that this is only allowed by our unified electoral system. The voter database is also a single one and it's very difficult to vote twice or more in our system.
I think the electronic system is better than the paper-ballots one (at least here in Brasil, but probably everywere) because counting ballot papers is hard, slow, error- and fraud-prone and no-one wants to recount them. It's easier, in my opinion, to rig some pre-printed million paper ballots and distribute them in a lot of ballot boxes than to distribute a million swing votes in 1000 machines.
I think the snafu in the last USofA election is really due to few people watching the counts, etc. Our multi-party (c. 20-30 parties now, but there were 50 at some point in the 90's) system makes every count/recount have at least 100 party officials doing the same. The voting machines were reasonably scrutinized by party-appointed experts.
Yes, paper trail (now deprecated here) is good, but only if you have a good, OCR-like way of counting the paper ballots. This is expensive. Our paper-trail machines had a second (thermal?) printer, that printed your vote and displayed it inside a clear plastic case before it was dropped in a box inside the machine, all sealed. But... as I said before, who is gonna recount them? It's easier to trust the distributed nature of the election and the audits made by the parties officials. If the paper trail were made in big, OCR-able letters, or with some bar-code, the tickets would have to be fixed-size, bigger than they were, and more expensive, in general.
Finally, yes, I would like the boxes to be all-free-software, so every citizen could independently verify the reliability of them, and even to check criptographically in some sense that the voting box he is using is "pristine", if possible, but... we did not get there yet.
(*) a DOS-clone-enhanced with possibility of multitasking and multiuser operation. a nice system, and it was always far better than MS-DOS.
(**) we have many political parties, so for the majority-vote offices (normally executive ones), if a candidate does not win 50%+1 of the valid votes, another electoral round is made with only the two most-voted candidates.

END FIRST QUOTE

BEGIN QUOTE

With mechanical voting, there are the following possible frauds:
1. insertion of pre-printed ballots in the boxes
2. magical creation of boxes full of ballots
3. magical creation of districts
4. swinging the numbers during/after the counts
All these frauds are possible because of the slowness of counting and difficulty of manually adding the ditricts.
With fully digital voting (*) there are the following possible frauds:
1. insertion of swings in the votes (each two votes for A adds/switches one for B)
2. identifying each voter with its vote, in some point in the future (possible coercion)
3. can't think of other
In both cases, the solutions are the same: Fiscalization. Many eyeballs. Free press. Free speech. Full and thorough investigation in the cases that raise doubts (**)
(*) Take a look at my post above, to se a model that IMNSHO *works*.
(**) This last one is the most important: don't you think some people today holding high offices in the USofA would be in jail because of the last presidential elections' snafu if the investigation of it was full and thorough?

END SECOND QUOTE

Look my other answer, above. There are really many, many ways of hacking mechanical voting, including compromising the paper ballots and the voting pens' ink. It is not the mechanic nature of the election that makes it become magically reliable.

Do you have any references to this? Because I live in Brasil, and I didn't see any news about it (*). We do have a system (as I mentioned above) that does make this kind of scam hard to pull, if the various people in charge don't drop the ball.

(*) it's not to say our system is perfect; I know of attempted frauds in municipal elections in 2008 and 2004, but I don't know of any *successful* outrageous fraud, and I dare say if there were any, people would pull the same frauds with the paper ballots.

That said, I *do* support every party claim for more transparency and accountability in our voting machines. I just don't see the paper ballots being intrinsically more secure.

Now, seriously. Read my other answer, above... the reason an election is difficult to rig in Canada is not the paper ballot, but the well-established democratic institutions...

Everybody receives at home a sealed envelope that contains an empty envelope, and one bulletin for each candidate.

At the voting place (usually a school or some such), there are piles of bulletin, one pile per candidates, plus a pile of empty envelopes.

Then, when getting into the voting place, you can either bring your pre-filled enveloppe with you, or you have to take exactly one envelope, *and* exactly one bulletin for each candidates.

Then you walk in to the voting booth, where drapes prevents anyone seeing what you are doing, and you do whatever you want with the envelope and the bulletins.

You walk out, present your ID and voting card, the people there (all volunteers) check you are registered at this voting place, check your ID, cast your vote in the ballot box, sign the register roll, and walk out.

For those voting where you can write names on the ballot, there are also 'blank' bulletins, which you have to take exactly one as for the candidates bulletins. A pencil is in the voting booth (or you can bring your own). And the process is the same.

The ballot boxes are transparent, so anyone can check they are empty at the start of the vote, and that voters only drop a single envelope at a time.

Regards,
Yann E. MORIN.

To prevent it, you prevent blank ballots from leaving the polling place. easiest it to enable several people (from different parties) to scrutinize the people leaving.

The strength of paper ballots rests in the fact that EVERYONE can see what's going on - including those of opposite parties/stances. Where I used to vote, the votes were counted by three people, and all counts had to agree. Anyone could stand in the room and watch the counts - and all the political parties had folks standing there to watch for any hanky-panky. When the state announced results, those political folks knew exactly what the count was from our community - so if it differed they could protest and force a recount. And since the paper ballots still existed, you could really do a recount (unlike a "recount" that is rerun the tally on the machine that you don't trust).

1 - there is one "table" committee with each ballot box. These are 3 volunteer citizens, one of them is "president of the table" but that's a formalism, any significant dispute between the three calls in monitors. Additionally, there are "floating monitors" provided by the state and by political parties.
2 - when it's your turn to vote, you walk up to "the table", your ID is checked against the voter rolls, and checked for preexisting votes (your govt ID is marked when you vote, so you cannot vote twice). You are then given an envelope which is signed fresh in front of you by the 3 "table authorities".
3 - you enter the voting booth, and in this private space you can put anything you want in the envelope, including paper ballots you brought from home. There is a big trash can too (ostensibly so you can dump a ballot you have been given).
4 - when you come out, it should be with the envelope clearly sealed - the 3 table authorities check their signatures are on the envelope, sign/seal it, and in it goes...

This description is based on procedures in Argentina. NZ has a fairly different scheme; again the envelope is given to you when you arrive; you cannot use your own -- the reasons are very different, as the envelope has a unique serial number.

Thanks all for your answers.

I never thought about envelopes; the paper voting here in Brazil, as I recall it, did not use envelopes. Instead, the ballot was folded (the votes on the inside, IIRC the signatures on the outside since they were on the reverse side of the paper), and inserted directly into the (opaque) urn. Each voter received a single blank signed ballot.

Electronic voting would not fix it either - the attacker could just as easily give the voter a small video camera (e.g. a cheap mobile phone) and require them to record what they do in the booth.

With electronic voting, the problem is that a small (e.g. potentially just one) number of people can subvert the entire voting system, *without* anyone else knowing. This is simply impossible with paper voting and distributed counting.

That's the American Way ;) They will go to absurd measures to protect their perceived "democratic values" while there are gaping holes elsewhere that everyone tries very hard to ignore.