An auditable voting system

[[refine this idea. It has legs!]]

Provides receipt to voter that confirms that his/her ballot was recorded as expected, and a token that can be used to confirm that his/her votes are reflected in the reported tally. Preserves privacy.

The idea: the voting machine prints a receipt for the voter that shows the votes on the ballot. The voter can raise a question if that's not how he/she voted.

Receipt also has a long opaque number which encodes:

  • the template for the ballot activated at the machine. (In our precinct, an official has to enable the machine for each voter. Among other things, this selects the precinct (and in a primary, the party) and therefore the specific ballot the machine shows me.) [[find out more about this]]
  • the machine's serial number
  • the sequence number of the ballot template used at that machine, e.g. the 156th ballot for the precinct #23 template.

The receipt is cryptographically signed, so the votes and the above information can't be altered without detection.

With this much information, voter can ask the election system:

  • how did you record my vote at the ballot box?
  • can you show me my vote contributing to the tally you reported for question nnn at the precinct and all the intermediate levels, up to the grand total?

Machines also accumulate a register tape of their use during an election that includes validation information as well as the ballot details. Questions this can answer:

  • Each ballot that was voted was counted exactly once (no gaps, no double counts).
  • Signature of each receipt (though the voter may not have taken it).
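
A sketch of the receipt token and the register-tape check described above, as an added example that is not part of the original notes. The field names, the serial `SN-0001`, the key and the sample tape are constructed, and HMAC-SHA256 stands in for the signature (an assumption: a real system would use a public-key signature so anyone can verify a receipt without holding the machine's secret).

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Assumption: a per-machine secret. HMAC is a stand-in for a real signature.
MACHINE_KEY = b"constructed-demo-key"

def _tag(body, key):
    """MAC over a canonical encoding of the receipt fields."""
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def make_receipt(template, serial, seq, votes, key=MACHINE_KEY):
    """Receipt = ballot template, machine serial, sequence number, votes, tag."""
    body = {"template": template, "serial": serial, "seq": seq, "votes": votes}
    return {**body, "tag": _tag(body, key)}

def verify_receipt(receipt, key=MACHINE_KEY):
    """True only if neither the votes nor the token fields were changed."""
    body = {k: v for k, v in receipt.items() if k != "tag"}
    return hmac.compare_digest(_tag(body, key), receipt.get("tag", ""))

def audit_tape(tape, key=MACHINE_KEY):
    """Check one machine's tape; returns (bad_tags, gaps, duplicates)."""
    bad, seen = [], defaultdict(list)
    for entry in tape:
        if not verify_receipt(entry, key):
            bad.append((entry["template"], entry["seq"]))
        seen[entry["template"]].append(entry["seq"])
    gaps, dups = [], []
    for template, seqs in seen.items():
        present = set(seqs)
        # Sequence numbers per template must run 1..max with no holes.
        gaps += [(template, n) for n in range(1, max(seqs) + 1) if n not in present]
        # Each sequence number must appear exactly once.
        dups += [(template, n) for n in sorted(present) if seqs.count(n) > 1]
    return bad, gaps, dups

def demo_tape():
    """Constructed tape: seq 4 missing, seq 2 recorded twice, seq 3 altered."""
    tape = [make_receipt("precinct-23", "SN-0001", n, {"Q1": "yes"})
            for n in (1, 2, 2, 3, 5)]
    tape[3] = {**tape[3], "votes": {"Q1": "no"}}  # changed after tagging
    return tape
```

The gap check only covers sequence numbers up to the highest one on the tape; entries dropped from the end have to be caught by comparing against the sign-in count at the precinct level.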

You can aggregate across all the machines in the precinct to show:

  • No voter voted twice (as attested by the line numbers in the sign-in book)
  • All voters who signed in cast a ballot (which was counted)

Tricky questions: also include personal information?

  • ID of the poll worker who enabled the machine for that voter
  • Reference to the voter's signature at the registration desk? e.g. the 145th signature in registration book #444

This information would be kept separate from the receipt info to anonymize it, but could be recombined to identify how an individual voter voted. Maybe there has to be a way to do this in order to create a fully auditable system?