In reply to the discussion: DHS Confirms That Optical Scan Vote-Counting Machines Easily Hacked
politicat (9,808 posts)
I am saying that we have excellent procedures, multiple checks and balances, and a lot of auditing. I trust that we will catch it before it taints our process, because we've built it to be as transparent and fail-safe as possible, while protecting the privacy and rights of every single person who votes. The reason I can trust it is because we run regular challenges. Prior performance is not a guarantee of future protection, but our process is pretty damn good and our performance always exceeds expectations. I'd put our elections up against any county anywhere for cleanliness and accuracy, at 5:1 odds. Hell, I'd put a mortgage payment on it.
To be perfectly honest and rather grumpy with the *all Tech is Evil* subtext, my county is home to a lot of white hats and at least some grey hats. (Thus, I must assume black hats, too, or at least charcoal grey for hire.) This is what you get when you put a major university, four national science agencies, a major hardware/software company and thousands of start-ups and splinters in the same place for 50 years. We breed geeks, and we attract them. A specific crew got heavily involved in vetting and securing the county's software and hardware, starting in the mid 1990s, before this was on anyone's map. My county happened to also have tech-savvy crews in both the (Old Order) R and D party offices at the time, and had enough pull and comity with the County Commissioners to establish a permanent working group. I know we're rare, but you want best practices? We've been cranking them out for years. There are multiple CompSci and PoliSci doctoral theses written on our election security. And we're not alone. There's a group in Sea-Tac, one in Portland, another in Silicon Valley. That I know of. The Johnny Come Latelies who just realized that nothing anywhere close to the internet can ever be secured? Yeah, those people have some remedial reading to do.
Quis custodiet ipsos custodes? In this case, it's the citizens in the county, and too many counties don't recruit geeks. Far too many turn away the geeks who ask questions and label them cranks. It's what we get when we don't pay attention to County Commission and C&R races, or only vote for the ones who promise more roads and fewer mill levies. Our watchmen are us, and for the most part, we have bilged this course because we'd rather complain online or watch Reality TV instead of go to the county meetings.
Or more precisely, we're expecting our voting systems to be perfect maps, but there's no such thing. A perfect map would be a perfect copy of the territory, and thus, perfectly useless. The map is not the territory, and to create a perfectly, permanently secure system would make it perfectly, securely non-functional. Hackers gonna hack, and their skills are going to evolve. What's secure today will not be tomorrow. It's not about security, it's about auditing, always. You build the system to be as secure as possible while keeping it functional, then you test the hell out of it at every step of the way.
Look, if you're going to make the blanket assumption that we must treat every machine as forever and entirely compromised, you also need to make that argument for every standardized test, from IBTS through ACT/SAT, to M-CAT, L-SAT, GRE and most states' teacher competence exams, a bunch of the actuary and public accountancy exams, most Bar exams, and almost every continuing education license exam. Heck, most Food Service Handler certificates are issued after a Scantron test.
Let me back this up. Every ballot should be paper. (with one exception - the speaking voting machine developed to let blind, visually impaired and mobility impaired people vote in privacy. That is a reasonable accommodation, we can secure those machines, and it is better for a citizen to be able to vote securely and privately.) Those ballots should be counted as accurately as possible. That means machines, because machines are better counters than humans, who get distracted. A stand-alone optical scanner (one that is intentionally blind and deaf to all internet and LAN access, and can only be programmed via the optics and the on-machine buttons) has a significantly higher Sigma rating than human beings. Humans make errors about 1 in a million times. Machines make errors about once in a billion.
Given that most ballots run between 4 and 6 faces of 8x17 or 11x17 sheets of paper (unlike the U.K., but they rarely vote on more than 3 people/issues at a time), those ballots are not easy to count. We have three choices:
1) Have more elections. There's no reason to suck all of the local race/ballot measure oxygen out of the room because we're also running national seats at the same time. It's counter-intuitive, in fact. The problem here is we will continue to see miserable turnout for other than quadrennial elections. This can be partially fixed with making Mail ballots standard everywhere, plus adding universal voting centers (for people who live one place and work another, or are in the process of moving, or don't have an address, or live in an abusive situation where their ballot cannot be assured, or just like the idea of going someplace to vote/drop off their ballots) that make all voter rolls always open to everyone at every polling place. (For which we need to trust the idea of universal print on demand ballots and an open-access, read only voter database, and purple hands. A Lot of Sec States will hate that, and bye-bye voting privacy, because there will be employers who fire people *with* purple hands, and those who fire those *without*.) More elections also minimizes the targets of any one election, which means we can focus more operational security on the Federals. But more elections means we have to pay for it. Good luck with that. One third of this country is popping the corn in preparation for the day we have people keeling over in the streets because they think it will save them $15. They're not going to get enthusiastic about an extra $2.50 a year to support having an official opinion.
2) Convince the whole country to just live with the discomfort of uncertainty for 2-5 days after Election Day while every single precinct does the work. Most Americans will lose their shit because if there's one thing we aren't good at, it's waiting. The media will love it -- if they get to extend Election Night for a week, with the whole breathless horse race -- or hate it, if we impose a blackout until 7 days after Election Day. Either way, prepare for a lot of whining and tantrums for the first few years and full meltdowns during implementation while everyone tries to game the system. In this climate? That's something I DON'T trust.
3) Accept some technical risk and audit the hell out of everything. Be so bloody engaged at the local level that your County Clerk & Recorder sends you their personal, family Christmas cards. Elect local and state election officials who know enough about the machines they're dealing with to talk intelligently about them, who understand and can articulate the difference between proprietary and open-source, who are not at all afraid of encryption, who unreservedly support open source hardware and software, public pen-testing, bounties for proof of concepts, bigger bounties for fixes, and transparent audit trails. Demand paper ballots everywhere. Demand from your local officials that your tabulating machines be as dumb as possible, with no internet access ever and all source code in a public, open repository. Get friends and go to your local, county elections working group meetings. Make Bingo cards of election fallacies for the meetings, so you all stay engaged. For all that the "hanging chads" took the blame, punch cards are really difficult to manipulate. They're entirely mechanical systems with no software. No software or firmware is always safest. It takes the longest to vote -- so expect lines -- and it takes the longest to count. A little software and firmware -- about as much as it takes to run an extremely limited, no internet access, Raspberry Pi running open-source scanning software attached to a consumer level digital camera -- is still much safer than anything online, and far safer than anything sitting on the Internet of Things.
The one thing that doesn't work and never will work and only breeds paranoia and discouragement? Not doing your homework. Not seeking out best practices. Not engaging at the local level. This is a technical problem. It has technical solutions. They're easy. (Really. And cheap, much cheaper than the proprietary systems.) But easy != effortless. This takes work that must be done on the local level.