Tuesday, April 27, 2004

E-Voting. The controversy and the apparent state of the problem.

(Hey, a REAL post...)

It's all a matter of trust. Complaints about hackers and viruses are easily addressed using isolated networks (i.e. NOT connecting the voting system to the Internet, and using encrypted hard lines, or maybe even a traditional phone call, to transmit the vote tallies to the central office).

But then we come to the trust of the software. It seems relatively obvious to me that E-Voting is a good way to shore up the election. For all of the failures that can be found in computers (crashes and lost data), an equal number of failures can be found in hand counting the ballots. But how do we know for sure that the ballots cast are legit? How can we prove that the writers of the software didn't write the winner into the software? 'Use Open Source', many say. Well, we're talking embedded systems here; how can we PROVE that the software on the machine is actually built from the published source? The answer is 'we can't'. But then again, how can we trust the current vote tallies? We can't. As it stands, we know now, 4 years later, that Bush won as the result of a Supreme Court ruling in the state of Florida. Individuals may unfairly represent the votes they count, etc. Now in the human counting method, the bias is adjusted for by the fact that each person has a different view. This means that, roughly, the cheaters are themselves a fair representation of the populace, and as such convey the will of the masses. In e-voting systems, this distributed network is removed, especially if only one manufacturer is used. This is where the ultimate solution has to come in.

So allow me to propose a complete handling solution. First it should be obvious that, "to promote competition" (and evenly distributed biases, *wink wink*), at least 3 different manufacturers' products must be used in EVERY district. Each manufacturer must publish their source code, as well as the MD5 sum for their ROMs, which must be displayed by the machine. (Not that we actually trust that number, since it could simply be saved and displayed. But if the companies make the machine actually generate that number, then it can be used to detect viruses and the like.) The device must be designed so that the GUI software is encoded onto true ROM modules. EEPROM modules may not be used for the GUI.

The subjects being voted on will be encoded onto a flash ROM module along with a public key provided to the voting district by the central voting authority. The flash ROM module will be secured into the device using a unique head screw holding a cover over it. If at any time this cover is removed, an audible alarm MUST sound. The format of this flash ROM module will be defined by a UNIVERSAL STANDARD and as such will be usable in ALL manufacturers' designs. The votes will be encrypted using the public key found on the flash, and the votes will be written onto the flash module along with the card's checksum up to that vote. Some mechanism (preferably standardized) will be used to control voting frequency, such as a single-use mag stripe card that is encoded with a card ID number and automatically wiped when used. The card will be provided by the voter management clerks at the voting center (similar to how ballots are managed today). The ID number will be written to the flash module and DOES uniquely identify a voter. As an added precaution, the ID code will NOT be associated with the vote, just stored in a list of voters who have voted.

NO other network devices, including wireless transmitters, Ethernet cards, alternative removable media, or built-in flash ROM devices, may be incorporated into the device. The device MAY NOT have the ID of the voter and the vote outcome in ANY portion of RAM at the same time. Once the voter is authenticated and his/her ID written to the card, memory must be wiped before voting may commence. A thermal or other inkless printer will be integrated with the device, which will print out votes (WITHOUT the voter ID) and cut them into individual slips, which the voter will then place in a ballot box. This provides a paper backup while simultaneously ensuring voter anonymity. The paper backups will be handled with the care necessary (such as being stored in a cool, dark place in the case of thermal paper).

After voting is done, the flash modules and the ballot box will be transported to the central voting authority, who will then use the appropriate private key to decrypt the votes and tally them up using the decryptors of EACH of the different manufacturers. Thus, if 5 manufacturers' devices are used, then each card will be decrypted and compared in EACH of the 5 devices (which is why the flash module's format is standardized). If the results come out different on even 1 machine, ALL of the manufacturers will be investigated. This will keep at least the decoder devices honest. Before the beginning of the voting, each voting machine will be tested to ensure reliability by the voting booth clerks; this includes posting several votes and verifying the results using a decoder. At least one device from each manufacturer, selected at random, will be tested by submitting a COMPLETE vote load to it. This means if the machine can be expected to see 1000 votes, then at least one will be tested 1000 times and the results verified. ABSOLUTELY NO BATTERY BACKED UP DEVICES OF ANY SORT MAY BE USED.
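To make the flash-module record layout concrete, here is an added toy model in Python. It is my own illustration, not code from this post or from any voting-machine vendor. It assumes textbook RSA with two small hardcoded primes standing in for the district's public key (constructed and NOT secure, used only so the example runs offline without a crypto library), SHA-256 for the "card checksum up to that vote", a separate voter-ID list that is never tied to a vote, and three made-up decoders, one of which miscounts, so the multi-manufacturer cross-check can be seen flagging a disagreement.

```python
"""Toy model of the proposed flash-ROM module: encrypted votes, a running
checksum chain, a separate used-card list, and a multi-decoder cross-check.
Added illustration; every key, ID and vendor name below is constructed."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed toy key pair: textbook RSA with tiny primes (NOT secure).
# In the proposal the public key comes from the central voting authority on
# the flash module; only the authority holds the private exponent.
_P, _Q = 999983, 1000003
MODULUS = _P * _Q
PUBLIC_EXP = 65537
PRIVATE_EXP = pow(PUBLIC_EXP, -1, (_P - 1) * (_Q - 1))


def encrypt_vote(candidate: int, nonce: Optional[int] = None) -> int:
    """Pad the one-byte candidate index with a random 24-bit nonce so two
    identical votes never produce the same ciphertext, then encrypt with the
    district's public key. The padded value always stays below MODULUS."""
    if not 0 <= candidate < 256:
        raise ValueError("candidate index must fit in one byte")
    if nonce is None:
        nonce = secrets.randbits(24)
    return pow((nonce << 8) | candidate, PUBLIC_EXP, MODULUS)


def decrypt_vote(ciphertext: int) -> int:
    """Central authority's decryptor: recover the plaintext, drop the nonce."""
    return pow(ciphertext, PRIVATE_EXP, MODULUS) & 0xFF


@dataclass
class FlashModule:
    ballot_id: str                                    # which election this module belongs to
    voters: List[str] = field(default_factory=list)   # card IDs that have voted (never linked to a vote)
    votes: List[int] = field(default_factory=list)    # encrypted votes, in casting order
    checksums: List[str] = field(default_factory=list)  # running checksum up to each vote

    def record_voter(self, card_id: str) -> None:
        """Log that a single-use card was consumed; a second use is rejected."""
        if card_id in self.voters:
            raise ValueError(f"card {card_id} already used")
        self.voters.append(card_id)

    def record_vote(self, ciphertext: int) -> None:
        """Append the encrypted vote plus the checksum over all votes so far.
        Each checksum covers the previous checksum, so the chain is ordered."""
        prev = self.checksums[-1] if self.checksums else self.ballot_id
        self.votes.append(ciphertext)
        self.checksums.append(hashlib.sha256(f"{prev}:{ciphertext}".encode()).hexdigest())

    def verify_chain(self) -> bool:
        """Recompute the chain; an altered, inserted or removed vote breaks it."""
        if len(self.votes) != len(self.checksums):
            return False
        prev = self.ballot_id
        for ciphertext, stored in zip(self.votes, self.checksums):
            prev = hashlib.sha256(f"{prev}:{ciphertext}".encode()).hexdigest()
            if prev != stored:
                return False
        return True


def tally(module: FlashModule, decoder: Callable[[int], int]) -> Dict[int, int]:
    """Count votes per candidate using one manufacturer's decryptor."""
    counts: Dict[int, int] = {}
    for ciphertext in module.votes:
        cand = decoder(ciphertext)
        counts[cand] = counts.get(cand, 0) + 1
    return counts


def cross_check(module: FlashModule,
                decoders: Dict[str, Callable[[int], int]]) -> Tuple[bool, Dict[str, Dict[int, int]]]:
    """Run every manufacturer's decryptor over the same module. Any disagreement
    is the signal that, per the proposal, ALL manufacturers get investigated."""
    if not module.verify_chain():
        raise ValueError("checksum chain broken: module was altered in transit")
    results = {name: tally(module, dec) for name, dec in decoders.items()}
    agree = len({tuple(sorted(r.items())) for r in results.values()}) == 1
    return agree, results


def run_demo() -> Tuple[bool, Dict[str, Dict[int, int]], FlashModule]:
    """Constructed polling-place session: four cards, three candidates, then a
    central tally by three vendors' decoders, one of which miscounts."""
    module = FlashModule(ballot_id="DISTRICT-7-BALLOT-2004")  # constructed ID
    for card_id, choice in [("C001", 0), ("C002", 1), ("C003", 1), ("C004", 2)]:
        module.record_voter(card_id)          # ID logged first...
        module.record_vote(encrypt_vote(choice))  # ...vote stored separately, never with the ID

    def skewed(ciphertext: int) -> int:       # constructed faulty decoder: candidate 1 becomes 0
        v = decrypt_vote(ciphertext)
        return 0 if v == 1 else v

    return cross_check(module, {"VendorA": decrypt_vote,
                                "VendorB": decrypt_vote,
                                "VendorC": skewed}) + (module,)


if __name__ == "__main__":
    agree, results, _ = run_demo()
    print("decoders agree:", agree)
    for vendor, counts in results.items():
        print(vendor, counts)
```

The two checks a clerk or auditor learns from running this are independent: `verify_chain` catches a module whose contents changed between the booth and the central authority, while `cross_check` catches a decryptor that reads the same unaltered module differently from its competitors. Neither check ever needs the voter-ID list, which is only consulted to stop a card from being used twice.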

These measures will all but guarantee that the voting machines themselves are clean, so all of the 'cheating' would have to be done by humans. The measures are a bit extreme, but they do address the issue.


Fascist security... I wouldn't be surprised if those machines were less likely to make a mistake counting a million votes than a human counting 10.

Mood: Accomplished. That's a lot of planning there...