How the Nedap/Powervote system would work if a VVAT was added

This describes how the Nedap/Powervote machine, fitted with a VVAT, would actually work. The purpose is to clear up the common misconceptions and to show that such a system can work well and raises no problems, technical, constitutional or otherwise.

It is not an analysis of the current Nedap/Powervote system - see the ICTE homepage for details of why the standard Nedap/Powervote system without a VVAT is not acceptable.

It should also be noted that what is described here is not necessarily an ideal VVAT system; however, it is the best that can be done by making small modifications to the system that has already been purchased.

Parts marked in blue indicate steps that are extra or different to the standard Nedap/Powervote process.

Parts marked in green indicate steps that are not fully described yet.

Assumptions

  1. It is assumed that pure PR/STV with fractional vote transfers is being used to count the votes rather than the present system which involves random transfers. There are two reasons for this assumption:
  2. It is also assumed that there is only one poll being conducted. The case of multiple simultaneous polls is very similar: the voter should enter and verify their preferences for each poll separately.

Casting Votes

    1. The machine is primed and ready for voting
    2. The voter enters their preferences using the buttons until they are happy that the vote displayed is the vote they would like to cast
    3. The voter presses the Print button. This causes the machine to print out a copy of the vote.
    4. The voter examines the paper copy and checks that it is identical to the vote displayed on the machine. The voter cannot touch or alter this paper copy as it is behind a protective screen.
    5. When a vote has been printed out and has not yet been accepted or rejected, the voter cannot make any changes to their preferences on the voting machine
    6. At this point the voter can still change their mind and reject the preferences they have chosen. In this case they should press the Reject button. The paper ballot will then have "Rejected" printed on it and will be guillotined and fall into the ballot box. The voter may now alter the preferences they have selected on the machine and the process returns to step 2.
    7. If the printed preferences do not match those entered by the voter then there may be a very serious problem. It is crucial to understand that this is not a problem caused by VVAT. Without VVAT the problem would still exist; it would just go undetected, which is absolutely unacceptable. See below for a discussion of what might have caused this to happen. The voter now has two options:
      1. They can reject the print out, reenter their preferences and try again. They should also inform a staff member that they had a problem. The machine should then be tested further before allowing any other voters to use it.
      2. They can tell one of the polling staff that there is a problem. If the official verifies the problem, then that machine must be considered faulty and should be replaced. It should also be inspected by technical experts as soon as possible to try to determine the cause of the error. The voter should then be allowed to cast their vote on a different machine.
    8. The reason these two options exist is that we cannot force people to take option 2; doing so would violate the right to secrecy. However, if someone finds a definite problem then the implications are so serious that they should have the choice of giving up their secrecy in order to protect the overall integrity of the poll. Neither option is particularly good; however, it is not VVAT that causes these problems. Similar problems arise with the non-VVAT version, although it seems that they have not been considered in detail. See below for a discussion of what should be done in the case of a verified malfunction.
    9. When the voter is satisfied that the printed vote matches the displayed vote then they press the Cast button. The printed vote will be guillotined and will drop into the ballot box. At the same time, the vote is recorded to the storage module.
    10. The voter leaves the booth and the attendant prepares it for the next voter.
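The casting steps above amount to a small state machine. The sketch below is an added example, not code from the Nedap/Powervote system or from the original page; the class name, method names and the "CAST"/"REJECTED" labels are assumptions chosen for illustration.

```python
from enum import Enum, auto


class State(Enum):
    EDITING = auto()   # step 2: voter may change preferences
    PRINTED = auto()   # steps 4-5: paper copy shown, preferences locked
    DONE = auto()      # step 10: vote cast, attendant must re-prime


class VVATSession:
    """One voter's session; a model for illustration, not vendor code."""

    def __init__(self):
        self.state = State.EDITING
        self.preferences = ()     # candidates in order of preference
        self.printed = None       # paper copy behind the protective screen
        self.ballot_box = []      # paper records: (status, preferences)
        self.storage_module = []  # electronic records of cast votes only

    def _require(self, expected):
        if self.state is not expected:
            raise RuntimeError(f"not permitted while {self.state.name}")

    def enter_preferences(self, prefs):
        self._require(State.EDITING)   # step 5: no edits once printed
        self.preferences = tuple(prefs)

    def press_print(self):
        self._require(State.EDITING)
        self.printed = self.preferences
        self.state = State.PRINTED
        return self.printed            # what the voter checks in step 4

    def press_reject(self):
        self._require(State.PRINTED)
        # step 6: paper is marked, guillotined and dropped; nothing is stored
        self.ballot_box.append(("REJECTED", self.printed))
        self.printed = None
        self.state = State.EDITING     # back to step 2

    def press_cast(self):
        self._require(State.PRINTED)
        # step 9: the paper drops and the storage module is written together
        self.ballot_box.append(("CAST", self.printed))
        self.storage_module.append(self.printed)
        self.printed = None
        self.state = State.DONE
```

The property to check in any implementation is that every transition out of the printed state leaves a paper record, and that only the Cast transition writes to the storage module.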

      Counting the votes

      Counting the votes is no different from the standard Nedap/Powervote system. The data is transferred from the ballot modules to the count computer where it is collated and counted by the counting software using the standard rules of PR/STV. All the information concerning transfers at each stage of the count is available for analysis.

      Using the paper ballots to verify the result

      If the validity of the result is questioned, the paper ballots can be used to verify the correctness (or incorrectness) of the electronic result and to produce a final, valid, voter verified result.

      The printed votes are compared to the electronically recorded votes. This task is somewhat tedious but is still far less work than a full manual count of the paper votes. It can be observed by all interested parties.

      If the electronic and paper records are found to be identical then there is no longer any doubt about the correctness of the electronic result. The paper trail has now served its purpose. There may still be doubt about the correctness of the result produced by the counting software. This can be dealt with by examining in detail every stage of the count as it was performed by the software and also by running the vote data through several independently written counting programs.

      If a difference is found between the electronic and the paper records then it means that the electronic data which was fed into the counting software was incorrect and so the result was invalid. In this case we should either correct the electronic record and recount the corrected data by computer or we can go for a full manual count of the paper ballots.
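The comparison of paper and electronic records described above can be done per ballot box as a multiset comparison. This is an added example, not part of the original page or of the Nedap/Powervote software; it assumes that paper ballots carry no identifier linking them to a stored vote (so records can only be matched by content), and the "CAST"/"REJECTED" labels and all sample data are constructed.

```python
from collections import Counter


def reconcile(paper_ballots, electronic_votes):
    """Compare one ballot box with its storage module as multisets.

    paper_ballots: (status, preferences) pairs; status is "CAST" or
    "REJECTED" (labels assumed here). electronic_votes: preference tuples.
    """
    paper_ballots = list(paper_ballots)
    # Paper marked "Rejected" was never recorded electronically, so it
    # must be set aside before comparing.
    paper = Counter(tuple(p) for status, p in paper_ballots if status == "CAST")
    rejected = sum(1 for status, _ in paper_ballots if status == "REJECTED")
    electronic = Counter(tuple(v) for v in electronic_votes)
    paper_only = paper - electronic        # on paper, missing electronically
    electronic_only = electronic - paper   # stored, but no matching paper
    return {
        "match": not paper_only and not electronic_only,
        "paper_only": dict(paper_only),
        "electronic_only": dict(electronic_only),
        "rejected_set_aside": rejected,
    }


# Constructed sample data (not from any real poll).
PAPER = [
    ("CAST", ("Murphy", "Kelly")),
    ("REJECTED", ("Kelly", "Murphy")),
    ("CAST", ("Kelly", "Murphy")),
    ("CAST", ("Murphy",)),
]
STORED_OK = [("Kelly", "Murphy"), ("Murphy",), ("Murphy", "Kelly")]
# Same number of votes, but one stored vote has its preferences swapped.
STORED_BAD = [("Kelly", "Murphy"), ("Murphy",), ("Kelly", "Murphy")]

if __name__ == "__main__":
    print(reconcile(PAPER, STORED_OK))
    print(reconcile(PAPER, STORED_BAD))
```

A matching total count is not enough: in the second sample both records hold three votes, yet one preference order differs, which is exactly the case the paper trail exists to catch.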

      At the end of the day either the original count will be proved correct and will remain as the official result or it will be proved invalid and a new verified count will replace it as the official result. There will be no ambiguity or danger of having two valid counts.

      Errors

      The causes of a discrepancy between the printed vote and the vote displayed on the machine break down into 3 categories:

      1. Transient error due to "spontaneous bit inversion". This is a somewhat technical subject and such an error, if it occurs, may be more likely to crash the voting machine or silently corrupt the storage module than to produce a discrepancy between the printed vote and that entered by the voter. Such errors are unlikely but have occurred in election systems in the past, including one well documented case in Belgium. To "fix" such an error, all that is required is that the machine be switched off and on again.
      2. Isolated failure of a single machine. This could be due to faulty hardware in that particular machine or it could be due to malicious tampering with that machine. In either case, the problem can be "fixed" by replacing the machine.
      3. Software and hardware bugs. The most serious cause of failure would be a bug that is present in all the machines running on polling day. This would most likely be due to a mistake made in the design or implementation of the system. There is no way to "fix" this on polling day. If the bug is likely to affect the outcome of the election then there is no option but to stop using the voting machines altogether.

      Unfortunately with computer software and hardware it is frequently impossible to establish which type of error is occurring without long and detailed analysis of the malfunctioning machine. Certain kinds of hardware failures or tampering would be quite obvious but many software design errors can be difficult to reproduce or isolate. Such a software problem could appear more like a transient error than a nationwide disaster in the making.

      It is essential that there be a clear procedure for reporting these errors to a central authority and for quickly deciding, based on the number of problems and their type, whether there is a risk to the integrity of the election. If there is no backup method of recording votes then this could mean abandoning the poll completely. This would be disastrous but the alternative - proceeding using machines that are known to be faulty - is unacceptable. Again it must be stressed that this outcome can in no way be blamed on VVAT. Without VVAT we would be completely ignorant of the fault and we would suffer incorrect results in not just that poll but all future polls using the same equipment.

      Quality Control

      It is essential that a computerised election system includes some sort of quality control whereby a certain percentage of constituencies are chosen randomly and the results fully audited, irrespective of calls for a recount. If discrepancies are found between the paper and electronic records this should trigger further audits of other constituencies and so on. The hope is that the results of these audits would be used to identify and remove any bugs that are in the system and also to thwart would-be tamperers. The audits must continue indefinitely, even if the system appears to run bug free for many years.

      It would be wise to audit the entire country for the first few years of electronic voting and also after any significant changes to the system.

      Conclusion

      I hope this shows that a Nedap/Powervote system, modified to include a VVAT, is a workable and reliable possibility. If you think that something about the system described here is impractical, unworkable, unconstitutional, would violate the secrecy and anonymity of the vote or is just plain wrong then please let me know.