Interpreting reports of e-voting failures: part I (Background)

Over the next week or so you're going to hear a lot of complaints about voting machine failures. Unfortunately, the signal to noise ratio tends to be fairly low, so it's hard to figure out what's going on. Over the next few days I'm going to post a bit about voting technology and what kind of things can go wrong. In this post, we provide an overview of the major kinds of voting system in use in the US.

The majority of voting systems in the US fall into one of two broad types:

Optically Scanned Paper Ballots (opscan)
These are pretty much what they sound like. You're issued a paper ballot (usually card stock, actually) and you fill in a bubble or arrow corresponding to the candidate you want to select. Here's an example. These ballots are then optically scanned and the votes are recorded.

Opscan ballots can be run in either a precinct count optical scan (PCOS) or a central count optical scan (CCOS) mode. In PCOS, the scanner is at the precinct; you mark up your ballot and then you feed it into the scanner. At the end of the election, the scanner outputs the results on a piece of paper or a memory card. The results then get carried back to election central where they can be aggregated to determine the final winner. The ballots also get sent back in case a recount is needed, but they're not used as part of the main count.

In CCOS, there is no scanner at the precinct. Voters just drop ballots into boxes and then they are counted on one big scanner (or maybe many) back at election central, where the votes are aggregated and the winner is determined. Some jurisdictions run hybrid systems where ballots cast at the polling place are PCOS counted but absentee and vote-by-mail ballots are counted centrally.

A PCOS system has two major advantages. First, because votes are scanned while the voter is still present, errors can be caught and the voter can correct his ballot onsite. Thus, the rate of errors is quite different ([*], citation due to Joe Hall). Second it creates a set of independent records that might be useful for detecting some ballot stuffing attacks. The big disadvantage of a PCOS system is that the scanner is out at the field and is potentially subject to attack by voters or pollworkers. An attacker who takes over the software of the PCOS system can make it return any results he wants, which won't be detected unless an audit or recount is run. By contrast, the central count scanner can be kept in a secured room and thus is harder for outsiders to attack.

The advantage of both types of systems is that there is a paper record, so in the worst case you can recount every single ballot with a new scanner or by hand. More on this later.

Direct Recording Electronic (DRE)
The other major type of voting system is what's technically called a Direct Recording Electronic (DRE). These are commonly called touchscreens but not all are. A DRE is just a computer where you enter your vote. The computer outputs the votes (or the vote totals), just like the PCOS scanner. They then get carried back to election central for aggregation and contest resolution. Most of these machines are in fact touchcreens, but older ones often used an array of buttons and the Hart system uses a clickwheel. One big advertised advantage of DREs is that they can be fitted with a variety of accessibility devices (audio, sip/puff, etc.)

Many states require independent paper records and so most DREs can be fitted with what's known as a voter verifiable paper audit trail (VVPAT) printer. A typical VVPAT is a reel-to-reel printer with the paper under glass. Here's a not so great picture of a Hart voting machine with a VVPAT fitted (on the left). The way the VVPAT works is that once you've entered your vote, the DRE prints out a summary on the tape. You can then either approve or reject it. If you approve it, the vote is cast. If you reject it, you can vote again. The idea hear is that the paper trail represents an independent check on the machine, since it can't just return any votes it wants; the results need to match the paper (at least if you run an audit). More on this later.

Electronic Ballot Markers (EBM)
There's one less commonly used system that's starting to get some traction, at least in terms of mindshare: electronic ballot markers. An EBM is basically a DRE which instead of recording the ballot results, prints out a paper ballot which can be fed into an optical scanner. The idea here is that there is built in error checking, since the computer can prevent invalid choices, but that the ballots can then be checked using central counting, so there is less of a security dependence on the machine. Also, like DREs, EBMs are more disabled-friendly.

Next: Non-malicious failure modes