The Virginia election commission, which is responsible for certifying whether machines are fit to be used in elections, has decertified the Advanced Voting Solutions WINVote, and for many very good reasons. Amongst the many security flaws in this product are:
Worse still, this machine has been used in actual elections and its lack of any logging or record-keeping means that we'll never know if its weaknesses were used to manipulate the outcome of an election. As a proof of concept, security researchers successfully demonstrated accessing the machine and manipulating the recorded vote counts.
(Score: 0) by Anonymous Coward on Thursday April 16 2015, @09:29PM
I have come to a similar conclusion. My method is slightly different and only uses one machine.
Each voting machine is an un-networked standalone and any IO (apart from that required to vote) is inside a physical locked safe (which the returning officer has the key to). The device has a card reader and physical context-sensitive screen-edge buttons (like an ATM).
1) The voter enters the hall, their ID is checked against a register and they are given a card with a unique code (randomly).
2) The voter scans their card and the machine assigns them an anonymous unique ID (AUID) (the value on the card). The card is retained but not destroyed.
3) The voter selects usability (language) choices.
4) The voter goes through and selects a choice for all ballots currently being run.
5) A receipt ballot is printed and displayed to the voter through a secure transparent window.
6) The voter uses a lever to move the ballot either to the "incorrect" [goto 7a] bin or the "correct" bin [goto 7b].
7a) The ballot is made unreadable by moving the lever and dropped into the "incorrect" bin. User is taken to step 3.
7b) The ballot falls into opaque "correct" bin.
8) The machine stores in a signed list the voter's AUID and choices, and destroys their card (from step 1).
At any time before step 5, the voter can press "cancel" and receive back their voting card.
At the end of the voting session the returning officer downloads information from the machine to a secure device and collates all data from voting machines.
The returning officer reports these "initial" values through the same channels as current values are reported.
Some machines are randomly selected after the voting and a manual count is performed on the printed values. These must tie up to the machine count within an acceptable margin of error (to allow for human error in counting), or a full manual count is triggered.
Any registered voter can demand a re-count.
If the counts match within the human error bar the machine count holds.
For close runs (within human error bar), a more elaborate counting structure may be used (i.e. triple counting to minimize error).
Until recounts are completed the machine count holds, people can act as if elected on all matters except the voting procedure.
The returning officer later confirms or resubmits counts.
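The core of the scheme above is that the machine keeps a signed list of (AUID, choices) and that a hand count of the printed ballots is checked against the machine count within a human-error margin. The following is an added example, not the commenter's code, showing how those two pieces fit together. It assumes an HMAC-SHA256 key per machine as the stand-in for "signed"; the hash chain linking each record to the previous one, the card codes, the votes and the tampering scenario are all constructed here for illustration.

```python
import copy
import hashlib
import hmac
import json
import secrets
from collections import Counter

GENESIS = b"\x00" * 32  # chain anchor for the first record (assumption, not in the post)


def issue_cards(n):
    """Step 1: hand out n distinct random card codes; the code becomes the
    voter's anonymous unique ID (AUID). secrets.token_hex is unpredictable,
    so a card code says nothing about who received it or in what order."""
    cards = set()
    while len(cards) < n:
        cards.add(secrets.token_hex(8))
    return sorted(cards)


def sign(key, entry):
    """Canonical JSON (sorted keys, no whitespace) so signer and verifier
    hash identical bytes. HMAC-SHA256 is the assumed signing primitive."""
    msg = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class VotingMachine:
    """One stand-alone machine. `key` is the per-machine signing key, assumed
    to live in the locked safe with the other IO. Each record also commits to
    the previous record's tag, so deleting or reordering records is detectable,
    not only editing them."""

    def __init__(self, key):
        self.key = key
        self.records = []    # step 8: signed list of (AUID, choices)
        self.paper_bin = []  # step 7b: printed ballots in the opaque bin
        self.prev_tag = GENESIS

    def cast(self, auid, choices):
        """Steps 7b-8. Returns False if the card has already been spent."""
        if any(r["auid"] == auid for r in self.records):
            return False
        entry = {"auid": auid, "choices": dict(choices), "prev": self.prev_tag.hex()}
        tag = sign(self.key, entry)
        self.records.append({**entry, "tag": tag.hex()})
        self.prev_tag = tag
        self.paper_bin.append(dict(choices))  # what a later hand count will see
        return True

    def tally(self, ballot):
        """The machine's own count for one ballot question."""
        return dict(Counter(r["choices"][ballot] for r in self.records))


def verify_records(key, records):
    """Recompute every tag and the chain link; any edit, deletion or
    reordering of the stored list breaks verification."""
    prev_tag = GENESIS
    for r in records:
        if r["prev"] != prev_tag.hex():
            return False
        entry = {"auid": r["auid"], "choices": r["choices"], "prev": r["prev"]}
        expected = sign(key, entry)
        if not hmac.compare_digest(expected, bytes.fromhex(r["tag"])):
            return False
        prev_tag = expected
    return True


def manual_count(paper_bin, ballot):
    """Hand count of the printed ballots for one question."""
    return dict(Counter(b[ballot] for b in paper_bin))


def audit(machine_count, hand_count, tolerance):
    """The post's rule: the machine count holds if every candidate's machine
    and hand totals agree within the human-error margin; otherwise a full
    manual count is triggered."""
    for cand in set(machine_count) | set(hand_count):
        if abs(machine_count.get(cand, 0) - hand_count.get(cand, 0)) > tolerance:
            return "full manual count"
    return "machine count holds"


def tampered_copy(records, index, ballot, new_choice):
    """Constructed tampering scenario: change one stored choice after the fact."""
    out = copy.deepcopy(records)
    out[index]["choices"][ballot] = new_choice
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    m = VotingMachine(key)
    for card, choice in zip(issue_cards(3), ["A", "B", "A"]):  # constructed votes
        m.cast(card, {"mayor": choice})
    print(m.tally("mayor"), verify_records(key, m.records))
    print(audit(m.tally("mayor"), manual_count(m.paper_bin, "mayor"), 0))
    print(verify_records(key, tampered_copy(m.records, 1, "mayor", "A")))
```

The hash chain is the one addition beyond the post's wording: a per-record signature alone lets someone with write access to storage silently drop a record, whereas the chained `prev` field makes a missing or reordered record show up at verification time. The paper bin remains the independent check; the signed list only proves the machine's own record was not altered after the fact, which is exactly the property the decertified WINVote lacked.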