Preserving our Democracy Through Software

Voting machines are used every year in every election from city proposition decisions to presidential elections.  These voting machines are used to help streamline the counting of the votes to optimize elections and expedite results.  However, it seems like all we hear about in the news is how untrustworthy the machines are.  If the government is going to use voting machines in future elections, we need to demand guidelines for the design and use of these machines.


Barack Obama is going to appoint a Chief Technology Officer of the US and it is about time!  At the least the government needs someone who "gets it", because politicians like Ted Stevens (see "Series of Tubes") don't.  The CTO needs to choose the guidelines that voting machines must follow.  I believe that the future CTO will be well versed enough in software development processes to enforce strict software testing procedures.

Here are the regulations that I think all voting machines and the software that runs on them must follow:

  • The voting machine must produce a paper log of every vote tallied.
    A paper trail is required because the fact about all machines is that there is always a potential for failure.  If the machine fails there must be paper that can be counted by hand.  Moreover, with the way recounts are constantly demanded in elections now, this is more of a legal requirement rather than a technical requirement.
  • The voting machine software must be tested using test driven development (TDD) and unit tests must be constructed for every single method and class.
    The only exception for TDD is the main function of the software, but every other function should be unit tested, and developers should make use of mocking frameworks for methods with no return value (actions).  All tests should be divulged not only to the government, but also to customers and voters.  This is to prevent claims like the one mentioned in the Dallas Morning News article "House 105 hopeful Romano, Democrats take recount fight to court."  In this article the author mentions this nice little bug in the machines: "But if a voter casts a straight-party ballot, then selects the name of a candidate from within that same party in a specific race, that candidate is actually de-selected and no votes are counted in that race."  I believe that this could have been prevented through strict unit tests and mocking.  Not to mention the source should be tested on a production model before it is published to the general public.  This eliminates platform inconsistencies.
  • The source code should be released to a review body of software developers and university Computer Science PhD's and graduate students.
    Getting a review by professionals and academics would draw insights both groups could use to make judgements and fixes.  I realize that trade secrets are crucial to keep safe, but I believe the voting machine review needs to be the same as a military contractor review.  The trade secrets must be protected by the government so that the organizations can still make money in multiple markets.  This was done in California and unearthed serious vulnerabilities according to a Wired Threat Level blog post.  The results of the study are publicly available on the California Secretary of State website.
  • The systems must export data in a standardized and portable format such as XML.
    Just in case systems integration becomes an issue, the machines need to be able to submit something common that can be read by any machine.  Just imagine how nice it would be for a state to have its count of votes 10 minutes after polls close and results are available online.  I know there are still counties that cannot afford voting machines or the residents of those counties refuse to use them (technophobia) but at least the major population centers will have their vote.
  • Security should be of utmost importance.
    The program should operate in the most secure manner.  Every vote should be auditable, all connections should be encrypted, and all vote data should be encrypted, checksummed, and be read-only to all but the system itself.  If a centralized system should be used, then a point-to-point encrypted connection should be created.  If it has a database, then it should not be modified by human hands.  This may seem to be a bad thing, but if an administrator cannot modify votes and the source code is reviewed by software professionals and academics then it removes the human corruption element.
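The straight-party bug quoted in the TDD item above is exactly the kind of defect a regression test catches. The following is an added example, not code from the original post or from any voting machine vendor: it models a ballot with a constructed two-party slate, implements the selection step once with a naive toggle (a plausible way to produce the described de-selection; the real machine's code is unknown) and once with an explicit set, and exposes the scenario as a function a unit test can assert on.

```python
from typing import Dict

# Constructed sample slates; not taken from any real ballot.
PARTY_SLATES: Dict[str, Dict[str, str]] = {
    "Party A": {"Governor": "Alice", "Senate": "Bob"},
    "Party B": {"Governor": "Carol", "Senate": "Dan"},
}


class Ballot:
    """Tracks one voter's selections, keyed by race."""

    def __init__(self, slates: Dict[str, Dict[str, str]]) -> None:
        self.slates = slates
        self.selections: Dict[str, str] = {}

    def straight_party(self, party: str) -> None:
        """Select every candidate on the party's slate."""
        for race, candidate in self.slates[party].items():
            self.selections[race] = candidate

    def select_toggle(self, race: str, candidate: str) -> None:
        """Buggy (assumed) behaviour: touching an already-selected candidate
        de-selects them.  After straight_party(), re-selecting the same
        party's candidate empties the race, as the article describes."""
        if self.selections.get(race) == candidate:
            del self.selections[race]
        else:
            self.selections[race] = candidate

    def select_explicit(self, race: str, candidate: str) -> None:
        """Fixed behaviour: an explicit choice always sets the race to that
        candidate, whether or not they were already selected."""
        self.selections[race] = candidate

    def tally(self) -> Dict[str, str]:
        """Return a copy of the selections that would be counted."""
        return dict(self.selections)


def straight_party_then_same_candidate(use_fixed: bool) -> Dict[str, str]:
    """Regression scenario: straight-party vote, then pick a same-party
    candidate in one race.  Returns the tally for the chosen implementation."""
    ballot = Ballot(PARTY_SLATES)
    ballot.straight_party("Party A")
    select = ballot.select_explicit if use_fixed else ballot.select_toggle
    select("Governor", "Alice")  # same party as the straight-party vote
    return ballot.tally()
```

The buggy path drops the Governor vote entirely, while the fixed path keeps both races; a test that pins the second result would fail the moment a toggle-style regression is reintroduced.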

Maybe this is a project for the open source development community to take on.  If the code is reviewed by everyone then we know what we're getting when we vote.  It could be open sourced to run on a basic platform, with a module that allows it to interact with the hardware (a la Linux).  Either way, to make voting machines immune from corruption some changes need to be made.  These changes are not just software, but political as well.  Our democracy is too valuable to be glitchy, and the quality of software used to support the democracy should be solid as well.
