I was just thinking about electronic voting this morning, and I’m curious to know why a particular verification method isn’t used, or even talked about - displaying the total votes for the machine.
Here’s how it would work: At the beginning of election day, for every issue that’s being voted on, the machine assigns and prints a random, fake total number of votes so far to protect the anonymity of the first voter. This total is displayed on screen with that issue for the duration of the election. The number assigned is recorded by an election official, perhaps by securing a printout from the machine itself, and voting begins. When the first person votes, they can see the previous fake vote total, and that their votes incremented their respective totals by one. The voter receives a token indicating that they did, in fact, cast a vote, and the vote itself is stored electronic on multiple commodity storage devices. The voter token is taken to an election official and collected. Votes are tabulated in some sort of WORM system, so that it is possible to add committed votes, but not reduce them (this stops a malicious programmer from altering totals when someone is not looking at the device; the total number of votes must equal the total number of tokens collected). In order to prevent two people from working together to infer someone else’s vote, incoming voters should be randomly assigned to a voting machine. At the end of the day, the election officials subtract the initial random totals from the totals that machines are reporting, verify that the total number of votes equals the total number of tokens collected for each machine,
By no means easy or a complete plan, but it’s not rocket science either. It might be argued that displaying the total like this could cause a information cascade - this can be mitigated by making the initial random value very large within a narrow range, so that the percent of votes that appears to go to any option seems to be close to 1/n, where n is the number of options available to an issue — with an initial value of twice the number of eligible voters +-1% and only one voting machines, the final displayed value for an option would not exceed 68% for a two-option issue (1 part assigned for, 1 part assigned against, 1 real part for, and as much as 2% moved from the assigned against to the assigned for by chance).