How to rig an election

My friend Alex Halderman is now after bigger fish than copy-“protected” music CD’s. Watch this video, in which he, Ed Felten, and Ariel Feldman demonstrate how to rig a Diebold voting machine (and also watch Alex show off his lock-picking skills). Reading the group’s paper, one becomes painfully aware of a yawning cultural divide between nerds and the rest of the world. Within the nerd universe, that voting machines need to have a verifiable paper trail, that they need to be open to inspection by researchers, etc., are points so obvious as to be scarcely worth stating. If a company (Diebold) refuses to take these most trivial of precautions, then even without a demonstration of the sort Alex et al. provide, the presumption must be that their machines are insecure. Now Alex et al. are trying to take what’s obvious to nerds into a universe — local election boards, the courts, etc. — that operates by entirely different rules. Within this other universe, the burden is not on Diebold to prove its voting machines are secure; it’s on Alex et al. to prove they’re insecure. And even if they do prove they’re insecure — well, if it weren’t for those pesky researchers telling the bad guys how to cheat, what would we have to worry about?

So, how does one bridge this divide? How does one explain the obvious to those who, were they capable of understanding it, would presumably have understood it already? I wish I had an easy answer, but I fear there’s nothing to do but what Alex, Ed, and Ariel are doing already — namely, fight with everything you’ve got.

30 Responses to “How to rig an election”

  1. David Molnar Says:

    Upton Sinclair has an interesting quote about this – “It is difficult to get a man to understand something when his salary depends upon his not understanding it.” We’ve seen this in computer security for a long time, although thankfully a few vendors are starting to do more.

    That being said, I do not think this is a “nerd” vs “non-nerd” thing. Policy makers are taking notice of the issues with electronic voting machines. If you look at, you will find Congressional testimony, security analyses, and other information provided to policy makers about the issue. (Disclosure: my advisor and many colleagues are involved with ACCURATE.) So people in that “universe” are indeed starting to understand. Clearly written reports and easily-understood demonstrations — like the one you’ve written about here — are the best way I know to help that process.

  2. wolfgang Says:

    Recently voting machines caused some problems in Maryland.

  3. Greg Kuperberg Says:

    The arrangement with Diebold is obviously terrible. That said, there is a certain amount of silliness in demanding a so-called “paper trail”. Certainly the voting should have a trail. However, in this day and age there are various sorts of electronic trails that could be much more useful than a paper trail.

    I would say that the “cultural” divide, or rather the intellectual divide, is so yawning that it is really two divides. First there is a divide between the typical voter and the typical techie. A reasonably bright, typical techie is going to think of a lot of basic things like paper trails and inspections. And I don’t think that any of these ideas are really impossible for the typical voter to understand. But most voters just don’t care a whole lot, and they are also getting a certain amount of smoke and mirrors from the usual culprits. (That is, from demagogues.)

    But then another divide is between the typical techie and the cryptographers and so on who have thought about real security. I’m sure that these experts have interesting results that go way beyond paper trails. Their results have to do with things like shared keys and coalitions. A lot of what they have to say is not too hard for the typical techie to understand — except that once again, the typical techie does not have the time to learn the material. Meanwhile serious security probably really is too hard to explain to the typical voter.

    I can think of two related lessons of this. First, there is a certain amount of Mickey Mouse not only in the problem, but also in many proposed solutions. Even if they are a big improvement, many of these solutions aren’t all that serious. Second, it is tempting to feel superior just because you know the basics that Scott reviewed. (Which is not to accuse Scott; rather, the temptation cannot be denied no matter who brings up the subject.) But this is a big mistake, because there is a lot more for most of us to learn about voting security.

  4. Scott Says:

    Greg: There’s actually a third lesson of the point you raised. This is that, if your goal is to change how things are done in reality, then it’s entirely possible to “know too much.” Alex et al. have been in the Washington Post, Fox News (!), etc., and are actually starting to have an impact. But I guarantee that if they started talking about voting schemes that were provably secure unless one-way functions can be efficiently inverted on a 1/poly(n) fraction of inputs, they would have zero impact.

    This raises an obvious dilemma for us theorists: if we, too, want to have an impact, do we need to “unlearn” some of what we know? If so, how?

  5. Anonymous Says:

    Yoda sez to Scott: “You must unlearn what you have learned.”

  6. John Sidles Says:

    Scott sez: This raises an obvious dilemma for us theorists: if we, too, want to have an impact, do we need to “unlearn” some of what we know? If so, how?

    This is the fundamental question of agnotology.

    Obviously, it is socially disruptive to ask this question, and even more disruptive to answer it. So disruptive, that in our culture it is relegated mainly to the domain of humor and satire (see examples below), for reasons that neurobiology and cognitive science are only beginning to unravel.

    — from Joseph Heller’s Catch-22

    Colonel Scheisskoph was all ears. “What are bomb patterns?” “Bomb patterns?” General Peckem repeated, twinkling with self-satisfied good humor. “A bomb pattern is a term I dreamed up just several weeks ago. It means nothing, but you’d be surprised at how rapidly its caught on. Why, I’ve got all sorts of people convinced it’s important for the bombs to explode close together and make a neat aerial photograph. There’s one colonel in Pianosa who’s hardly concerned any more with whether he hits the target or not.”


    “I really can’t believe it,” Clevinger exclaimed to Yossarian in a voice rising and falling in protest and wonder. “It’s a complete reversion to primitive superstition. They’re confusing cause and effect. It makes as much sense as knocking on wood or crossing your fingers. They really believe that we wouldn’t have to fly that mission tomorrow if someone would only tiptoe up to that map in the middle of the night and move the bomb line over Bologna. Can you imagine? You and I must be the only rational ones left.”

    In the middle of the night Yossarian knocked on wood, crossed his fingers, and tiptoed out of his tent to move the bomb line up over Bologna.

    — from Matt Groening’s The Simsons

    Lenny: Hey, Homer, weren’t you the plant’s Y2K Compliance Officer?

    Homer: Absolutely!

    Carl: Must’ve been hard de-buggin’ all those computers, eh Homer?

    Homer: Doing what now?

    Lisa: You did do it, right Dad? Because even a single faulty unit could corrupt every other computer in the world.

    Homer (calm): That can’t be true, honey. If it were, I’d be terrified.


    Homer Simpson: How is education supposed to make me feel smarter? Besides, every time I learn something new, it pushes some old stuff out of my brain. Remember when I took that home winemaking course, and I forgot how to drive?


    In summary, modern cognitive science and information theory are helping us understand why humor is so serious, and why having an impact (of the kind that Scott envisions) is so difficult.

    So the short answer to Scott’s question is “Cultivate lively senses of humor, history, and optimism. Then get to work.”

  7. Andy D Says:

    A related cultural divide nerds should be aware of: there are legions of people out there who took years to be convinced that e-commerce was safe, and legions more who have yet to be convinced.

    It may be that the physicality of voting booths makes them seem less mysterious and more secure than the cryptographic security systems of the internet, but it may also be that people just aren’t as invested in their vote as in their money. Maybe if you had to stick a major credit card into the voting machine to get your vote read, people would think more critically about voting security. (I realize this would disenfranchise many people.)

  8. Anonymous Says:

    There is a nice irony in the AP article about this. It says that the Diebold marketing director Radke questions “why Felten hadn’t submitted his paper for peer review, as is commonly done before publishing scientific research.” Obviously, this was meant merely as a smear, but I am not sure which it reflects more on:

    * a decades-out-of-date mindset of people at Diebold, or

    * the standards that the company believes should apply to everyone but itself.

  9. Greg Kuperberg Says:

    If your goal is to change how things are done in reality, then it’s entirely possible to “know too much.”

    I disagree. I agree that it is possible to say too much, but that does not mean that cryptographic protocols, or other mathematical ideas about security, are not important. They are important and they do affect what should be said. People who don’t realize that there is a higher level of this discussion are at risk of being dragged down to the bottom level.

    For that matter, the fact that Alex at al appeared on Fox News could serve as a warning that they might not succeed. It could be useful, or it could be the opposite. Fox News is really the epitome of the dishonesty and stupidity that they are up against.

  10. Greg Kuperberg Says:

    anonymous: It is easy to overanalyze Diebold’s inane bit of anti-Felten rudeness. It is almost too lame and cliched to be a smear. In any case it says absolutely nothing about their technical mindset or their standards, other than that they have a combative PR department.

  11. Scott Says:

    Diebold marketing director Radke questions “why Felten hadn’t submitted his paper for peer review, as is commonly done before publishing scientific research.”

    Diebold’s response has generally broken new ground in the chutzpah field. They also attacked Felten’s group for testing a “single machine” that was “two generations out of date.” Of course, if they’d made available some more recent machines…

    (Also, does “two generations out of date” mean it was used in 2000 or 2004?)

  12. Anonymous Says:

    My personal opinion is that paper ballots (where one draws a tick or x beside a candidate and inserts the ballot in a box) work just fine. I’ve voted this way in many Canadian elections and the vote counting always goes pretty smoothly. There are scrutineers present from each party during the counting process. Usually, the outcome of an election is determined an hour or two after the polls close. Sometimes a local candidate wins by a single vote, in which case there are recounts throughout the night, but the matter is resolved by the next morning.

    I’m writing this because I wonder if I’m missing something. For the U.S., the fact that the population is nine times as large as Canada should not make a difference; presumably, there are also nine times as many polling stations and vote counters, and it amounts to just a level or two more in the depth of an addition tree. Are “voting machines” really needed? Do they (assuming they are better implemented) provide better security? Is there a significant cost savings in using them?

    –Richard Cleve

  13. Scott Says:

    Richard: Indeed, many people who have looked into this have to come to exactly the same conclusion — namely, that paper ballots work just fine. I think part of the problem is that in the US, there’s this weird tradition that all voting and determination of the winner must take place in a single day. (Well, that’s the theory, anyway…) Perhaps another reason paper ballots aren’t used is that, since the stakes are (no offense) so much higher than in Canada, a lot more thought and effort goes into how to make the vote count inaccurate. Of course, this raises an obvious problem with Alex et al.’s argument: if voting machines did have a verifiable paper trail, wouldn’t that defeat the whole purpose of them?

  14. Anonymous Says:

    Some quotes to answer to John’s quotes.

    — Stranger in a Strange Land, Heinlein

    I grok people. I am people… so now I can say it in people talk. I’ve found out why people laugh. They laugh because it hurts so much… because it’s the only thing that’ll make it stop hurting.

    I had thought — I had been told — that a ‘funny’ thing is a thing of a goodness. It isn’t. Not ever is it funny to the person it happens to. Like that sheriff without his pants. The goodness is in the laughing itself. I grok it is a bravery . . . and a sharing… against pain and sorrow and defeat.

    So, some things are just too serious for most of the people to talk about them seriously.

  15. Concerned Non-citizen Says:

    Douglas Jones has a very nice illustrated voting machine history that explains some of the reasons why paper ballots were replaced with machines in the US.

    Machines may be a lot worse in terms of security, but it’s a lot harder to prove an election was tampered with. Maybe this is the voting version of the “Peter Principle”: election systems will evolve until fraud can no longer be detected.

    I think that trying to get people to distrust paperless voting machines by proving we can crack them is ultimately a losing strategy. Eventually Diebold (or someone else) will get smart and make a voting machine that really is very hard to crack — unless you have some secret backdoor information. Alex, Ed and friends will no longer be able to show how easy it is to rig an election and the public will be convinced everything is finally ok…

  16. Greg Kuperberg Says:

    But the issue is certainly not paper versus computers, because paper ballots only work fine when they are counted or otherwise analyzed by computers. When paper ballots were counted by hand, there were a lot of abuses.

    So paper is very far from a complete voting technology. Paper is one solution for computer input and/or output in voting. The common-sense statement is that there is no reason to rule out paper as obviously inferior to electronic screens as an I/O format. On the contrary, it seems to be a useful complement.

    The fact remains that there are things to say about voting convenience other than whether you use paper. I would mention two points. First, I don’t understand why I should have to register to vote. The airport knows who I am with just one swipe of a credit card; it is both more convenient and more secure than what they do at voting stations. Maybe a credit card wouldn’t be quite right, but a magnetized Social Security card ought to be enough.

    Second, whatever solution anyone proposes, it is a disaster that voting technology and even voting rules are so far from uniform across the country. An election is not much more reliable than its least reliable district. The American system is so hodge-podge that reliability seems almost unattainable.

  17. Scott Says:

    Greg: I completely agree with both of those points, and would also add that election day should be a national holiday. But given the current political climate, all of these reforms are essentially fantasies.

  18. Greg Kuperberg Says:

    Eventually Diebold (or someone else) will get smart and make a voting machine that really is very hard to crack — unless you have some secret backdoor information.

    Or maybe not. It seems to be a law of (human) nature that wickedness is usually limited by incompetence.

    Actually I think that incompetence is the more fundamental end of it, in this case.

  19. Concerned Non-citizen Says:

    Greg: I have to disagree with you on the usefulness of a paper trail. The advantage of a paper trail isn’t convenience (obviously) — it’s assurance for human voters that their vote was counted correctly.

    A purely electronic trail, even if it is, cryptographically, perfectly secure, can never be secure in practice. A corrupt voting machine can always display a vote for one candidate on the screen, and record a completely legitimate electronic vote for the other candidate (including any electronic trail).

    Of course for a paper trail to be useful, it needs to be used. I disagree that only computer counting is meaningful, though. On the contrary, hand counts, though thay may be slightly slower and prone to errors, are still preferable: everyone who observes the count can understand what’s going on and verify that the count was correct (indeed, in many countries this is the standard voting methodology).

    Of course, there are still only a small number of people who actually count the ballots, making the counting process more vulnerable to corruption or coercion.

    There are a small number of cryptographic systems that try to get the best of both worlds — the “mathematical” assurance that the vote cannot be altered, without having to place trust in the counting computers (e.g. Chaum’s, Neff’s, and similar systems). These work because they also provide some sort of hardcopy receipt to the voter. These systems are a lot more secure than any current non-cryptographic system, since they allow every voter to verify that the entire election was accurately counted. However, a “standard” paper voting trail has the additional advantage that it is easily understandable by the average voter (and this can also be combined with the cryptographic systems).

    As for not being able to design a hard-to-crack voting machine, I think it’s easier than it sounds: remember, the would-be crackers are working under a huge handicap — they don’t get the source code, and sometimes even access to the machine itself is difficult.
    In any case, even if wickedness is usually limited by incompetence, I wouldn’t want to bet my country on it.

  20. Greg Kuperberg Says:

    I have to disagree with you on the usefulness of a paper trail. The advantage of a paper trail isn’t convenience (obviously) — it’s assurance for human voters that their vote was counted correctly.

    Except when it isn’t. After all, paper records have been fabricated in the past.

    A corrupt voting machine can always display a vote for one candidate on the screen, and record a completely legitimate electronic vote for the other candidate (including any electronic trail).

    It is true that each voter should have something to take home in order to confirm his or her vote. I don’t remember ever having such a record even when I voted with paper. For all I know, someone replaced my paper ballot with another ballot with the same serial number but a different set of votes.

    Maybe the best record to take home (let’s say that it’s a paper record) would include a cryptographic hash of your vote, so that you could either check that the vote was consistent with the hash; or if you are worried about your privacy, you could hide your vote and still use the hash to help certify the voting count.

    I disagree that only computer counting is meaningful, though.

    That is not exactly my position. I do not think that computer counting is the only meaningful procedure. Rather, I do not see how any vote with more than a million ballots can be adequately reliable without computer assistance of some kind. It may be useful to also count the ballots by hand, but refusing to use computers entirely is as silly as refusing to use paper entirely.

    Indeed, if the question is erroneous ballots rather than fraud, the I am told that the most reliable system is a paper ballot checked by an optical scanner. That way, you can be told on-site if you marked the ballot wrong. The scanner is, of course, a COMPUTER.

  21. Greg Kuperberg Says:

    Two other points:

    There are a small number of cryptographic systems that try to get the best of both worlds — the “mathematical” assurance that the vote cannot be altered, without having to place trust in the counting computers

    Yes, exactly. I did not catch this comment on my first skim. I think that this kind of thinking is fundamental, and I am not sure that you and I really disagree.

    In any case, even if wickedness is usually limited by incompetence, I wouldn’t want to bet my country on it.

    Well, part of the reason that the American voting system is so pathetic is that less depends on it than you might think. You aren’t betting the country on it. Democracy isn’t everything; in a country with a healthy constitutional order, it isn’t even most things.

    America is run in an extremely decentralized way, for the most part by businesses, to some extent by an honest civil service. Many nationally elected leaders — especially the current president, but not just him by any means — are monumentally incompetent, except at getting elected. The country is mostly protected from them by many layers of bureaucracy. If it weren’t, we would far worse off!

  22. paul beame Says:

    Having voted in both places, the difference between how Canadian and US elections are conducted is enormous.

    In Canada, because of the parliamentary system, for all major elections (provincial or national), there is only one race to vote on. This means that a single X through a circle beside a candidate’s name is all that is needed, though the scrutineers do argue about the meaning of non-standard marks. (The ballots I recall could easily be duplicated on an office copier so ballot-stuffing would be easy.) Canada doesn’t seem to need a holiday in order for people to vote.

    In the US, elections for president and dogcatcher — OK, port commissioner and local judge — along with propositions about who should be allowed to make false teeth, all appear on the same ballot. (I really got to vote on false teeth!) Complex ballots cause much of the problem.

    Polling booths may be a thing of the past. In elections in Oregon and Washington at least, the majority of ballots are being sent in by mail and there is talk of exclusively mail-in voting. The problems with this are at least as great as with polling booths but, since the turnout is higher, for some reason people don’t seem to mind.

  23. Bram Cohen Says:

    Scott, you may be interested in the proposal at, which doesn’t seem to have made the rounds in the crypto community yet. Basically the proposal is to slightly modify the threat model of voting, to allow for handing out certifications that votes were cast, but without tying those certs to the identities of particular voters. Therefore the whole system preserves anonymity while dramatically improving auditability (at least, that’s the simple summary, the technical details are quite straightforward, but the threat model modification, and whether it actually does what it claims to do, is likely to open a huge can of worms in the voting crypto community.)

    Full disclosure: my father is one of the authors of that proposal, and I was the one who explained the appropriate crypto primitives for building it (completely trivial, actually, but not obvious to anyone who doesn’t know crypto.)

  24. Concerned Non-citizen Says:

    Bram: I had a brief look at the voicevote site. I don’t see how the threat model there is significantly different from the standard one in the literature. I do, however, see a number of problems:

    1. The system still requires voters to trust the voting computers. In particular, here are some possible attacks:
    * Use the same random id for multiple voters. The machine can then add additional ballots to prevent the total count from changing
    * The machine can print ballots with bad signatures. The voter has no way of checking this, and after the election it will be difficult to prove that the ballots were really printed by the voting machine
    * It’s very difficult to verify that media is _really_ write-once (e.g. a CD-R could actually be a CD-RW — to the naked eye they look the same).

    2. I think the vote-buying and coercion threat is more serious than they think. It doesn’t seem very far-fetched that vote buyers will only pay out after the election results are published. For coercion, the delay probably won’t help at all.

    The cryptographic systems I mentioned in my previous post manage to overcome these difficulties: they are “receipt-free”, in the sense that voters can’t prove to anyone for whom they voted, but at the same time voters can verify that their votes were counted correctly. Also, since the hardcopy receipts don’t contain the votes — the internet copy of the receipt can contain the voters’ names: it’s then easy to verify that everyone who voted was really authorized to vote.

  25. Drew Arrowood Says:

    For once, something I know something about.

    Here in NC, all of the machines produce a paper receipt (which I suppose is a classical object) — and these receipts are subject to hand recount. We have a Board of Elections consisting of 2 Democrats and 1 Republican per County, Nominated by the Party Chairs and Confirmed by Gov. Easley. They “canvass” (validate) the votes.

    That is the system that everyone ought to use.

    The way to make your State do this is elect the right members to your State legislature. Don’t bother trying to communicate. Ascertain which candidate is better on the election integrity issue from a person who “does politics” whom you trust to understand your position and be your advocate in what they tell you, and vote accordingly.

  26. Drew Arrowood Says:

    Making the receipt issue clear: the receipt is not for the voter — it goes in a box. The voter DOES NOT get a receipt.

    The idea behind a computer voting system is so that a first count can be conducted quickly, and everyone can start partying before 11 PM. The explanation normally given has something to do with the idea that the legitimacy of an election is more likely to be questioned the longer between voting and counting the votes. There is no receipt that can be used to check how someone has voted. Ultimately, if things “break down” — if there is litigation, or a call for a recount — the speed of the system in computer science terms is no faster than a hand recount of hand marked ballots.

    Such a system sounds odd to people who design systems, but it is designed to satisfy a human intuition that isn’t necessarily true of the world — that a thing becomes more likely to have been undetectably tampered with the longer the thing hasn’t been observed.

  27. Bram Cohen Says:

    Concerned non-citizen: thank you very much for the links, those were quite informative.

    The odd thing is that those papers advocate doing the same thing as voice vote is proposing! Only they mostly pretend that the receipt issues aren’t happening, and that the threat model is the same as it’s always been. I guess if David Chaum does it, then it’s okay.

    There’s considerably more cleverness in those papers, all but one example of which is in my not so humble opinion a bunch of pointless theatre. The good idea is in Neff’s paper, and basically it boils down to having a physical printed commit to some random data, then have the receipt which it prints out later sign both the random data and the vote. That way duplicate receipts are defeated, because the compromised machine has no way of knowing which way the user will vote and hence runs the risk of having multiple ballots signed with the same random value and going to different candidates, which could be trivially busted.

  28. Concerned Non-citizen Says:

    Bram: all of the systems I mentioned actually are receipt-free (it’s not just “pointless theatre”), although most of them don’t have any type of formal proof for this. Basically, they all have the following general framework:

    1. The receipt given to the voter contains an encypted vote (which is also published on the internet, together with the voter’s name). The secret key corresponding to the vote is shared between multiple authorities (so all of them have to cooperate to decrypt).

    2. There is some clever trick which allows the machine to prove to the voter that the “meaningless” string on the receipt really is an an encryption of the voter’s choice, but won’t allow the voter to prove this to anyone else.

    In Chaum’s original protocol, this trick involves “visual cryptography”: printing the ballot on two overlaid transparencies, such that each one separately is pseudorandom, but overlaid they form readable text (e.g., the candidate’s name). The voter must then destroy one of the two layers (and only the remaining layer is published).

    In Neff’s protocol, the trick is that the voting machine uses a “zero knowledge proof” to prove that the encryption is correct. The special property of zero knowledge proofs is that the voting machine can create “dummy” proofs that are completely indistinguishable from the real thing. The printed receipt contains proofs for all of the candidates (of which only one, of course, is real). The only difference between a real proof (that convinces the voter) and a dummy proof is in the order of actions inside the voting booth (which only the voter knows).

    Finally in all the protocols there is some additional cryptographic trick for counting all the encrypted ballots without revealing who voted for whom (but still in a way that can be publicly verified).

    In addition to the protocols I mentioned, there are some other interesting ideas (The FEE workshop has some nice examples). Some systems have working implementations or demonstrations. See this system, for instance, which also has available source code in PHP, or punchscan, which already ran some dummy elections (and has available source in C# for the audit part of the system).

    [Full disclosure: I am affiliated with at least one of the mentioned projects]

  29. Claire Kenyon Says:

    In France:
    – the bulletins are simple, usually just choosing the name of a single person
    – elections always take place on a Sunday
    – everything is done on paper.
    – every voting booth closes at the same time, the count is done by hand immediately and takes about an hour.
    – human observers guarantee integrity. Observers throughout the day watch people putting their envelopes in the urn: exactly one envelope per voter; the voter shows ID, signs registry and is marked as having voted, so as to prevent his voting a second time during the day. Counting votes is done by groups of 4 people, surrounded by as many observers as wish to be present. There is redundancy in the counting (which is why it is done by groups of 4 people). Discrepancies are immediately dealt with by recounts. The protocol is strict and uniform throughout the nation.
    – problems: some bizarre events such as dead people voting… but that is marginal.

    I have never had to wait in line for more than 5 minutes to vote. I have been on occasion one of the volunteers counting ballots (as a computer scientist, I find counting 1+1+1+… oddly enjoyable). Humans do make mistakes in counting, at the rate of about 1%. Thanks to redundancy, undetected errors must be of the order of 1 in 10000 votes. Cheating would be a distinct possibility in neighborhoods where everyone who cares to be an observer would be willing to overlook irregularities. It is everyone’s responsibility to make sure that this cannot happen, by being a witness to the process.

    I think the system works very well in France even though it would not work in the US.

    On a personal note, watching democracy at work fills me with awe. I cannot imagine that using a voting machine would give me the same feeling of pride that I get from the ritual of dropping my envelope into an urn and hearing one of the people overseeing the process pronouncing the solemn words: “has voted”.

  30. Ira Cohen/Barry Cohen Says:

    We appreciate Scott’s original question, but we have a slightly different take on the answer. We believe that “nerds” have much to offer in the effort to secure the
    vote, but in the end the decisive power to enact change will come from ordinary voters. Voters want honest
    elections — to know that their votes are recorded correctly and counted correctly. Many voters are
    alienated from the electoral process because they do not believe their votes, or the votes of people like them, are counted. We believe that guaranteeing that elections
    are honest and accurate is only half the battle: the other half of the battle is to convince the public that this is true. That is why we have designed VOICEVote so
    that it is understandable to the average voter and involves the voter in the process of guaranteeing the
    integrity of the election.

    On the other hand, there is a subtle point in VOICEVote that nerds should especially appreciate: in contrast to paper ballots, mechanical voting machines, or any of the existing types electronic voting machines, VOICEVote secures the information contained in votes that are cast and in the election software used by cryptographic means rather than only attempting to secure the physical
    representations of votes.

    VOICEVote makes the entire process transparent: Every voter can anonymously check his/her ballot in a simple, direct manner through any connection to the Internet. Every voter can likewise audit the entire
    count. A single missing or altered vote triggers a recount using both the paper and electronic trails.
    Bringing the voters themselves into the process of checking the accuracy of the recorded vote provides a
    very high likelihood of detecting cheating or errors.

    Recounts are now typically hard to initiate and even harder to perform with any degree of accuracy and
    certainty, as the last few elections have proven. With VOICEVote, voters no longer have to trust the election
    apparatus or the manufacturers of voting equipment. Every election is automatically subject to an effective check.

    The transparency of the VOICEVote system extends beyond the ballots and the tally. VOICEVote is built on
    software that is fully accessible for public inspection and testing. This provides opportunities to assure that the published software is actually the code that is
    being executed. The VOICEVote website will be updated soon and will include our designs to address this critical issue. Of course the proof will have to wait until we have a working model available for inspection and testing … something we hope will happen in the not
    too distant future.

    Just a word on vote-buying and coercion. We take this issue very seriously and have some significant real life experience in dealing with it. Vote buying and coercion are fairly common, especially in absentee (or as it is
    now sometimes known, early) voting and in voting by vulnerable voters, such as those in nursing homes.

    There is a traditional concern that a receipt would increase the danger of vote-buying and coercion.
    However, VOICEVote provides features that actually reduce the danger of vote buying and coercion compared
    to existing systems without a receipt.

    For a more complete discussion, see How VOICE Vote Suppresses Vote Buying (

    Ira Cohen & Barry Cohen