Tagged audit

Blockchains for Elections, in Maine: “Don’t Be Hasty”

Many have noted with interest some draft legislation in Maine that mandates the exploration of how to use blockchain technology to further election transparency.  My comment is, to quote one well known sage, “Don’t Be Hasty”. First, though, let me say that I am very much in favor of any state resolving to study the use of innovative tech elections, even one as widely misunderstood as blockchains. This bill is no exception: study is a great idea.

However, there is already elsewhere a considerable amount of haste in the elections world, with many enthusiasts and over a dozen startups thinking that since blockchains have revolutionized anonymous financial transactions — especially via BitCoin — elections can benefit too. But actually not a lot, at least in terms of voting. As one of my colleagues who is an expert on both elections and advanced cryptography says, “Blockchain voting is just a bad idea – even for people who like online voting.” It will take some time and serious R&D to wrestle to the ground whether and how blockchains can be one of (my count) about half a dozen innovative ingredients that might make online voting worth trying.

However, in the meantime, there are plenty of immediate term good uses of blockchain technology for election transparency, including two of my favorites that could be put into place fairly quickly in Maine, if the study finds it worthwhile.

  1. In one case, each transaction is a change to the voter rolls: adding or deleting a voter, or updating a voter’s name or location or eligibility. Publication — with provenance — would provide the transparency needed to find the truth or lack thereof of claims of “voter roll purging” that crop up in every election.
  2. In the other case, each transaction is either that of a voter checking in to vote in person — via a poll book paper or digital — or having their absentee ballot received, counted, or rejected. I hope the transparency value is evident in the public knowing in detail who did and didn’t vote in a given election.

In each case, there is a public interest in knowing the entirety of a set of transactions that have an impact on every election, and in being able to know that claimed log of transaction records is the legitimate log. Without that assurance of “data provenance” there are real risks of disinformation and confusion, to the detriment of confidence in elections, and confusion rather than transparency. Publication of these types transaction data, with the use of blockchains, can provide the provenance that’s needed for both confidence and transparency. Figuring out the details will require study — Don’t Be Hasty — but it would be a big step in election transparency. Go Maine!

— EJS

Accurate Election Results in Michigan and Wisconsin is Not a Partisan Issue

counties

Courtesy, Alex Halderman Medium Article

In the last few days, we’ve been getting several questions that are variations on:

Should there be recounts in Michigan in order to make sure that the election results are accurate?

For the word “accurate” people also use any of:

  • “not hacked”
  • “not subject to voting machine malfunction”
  • “not the result of tampered voting machine”
  • “not poorly operated voting machines” or
  • “not falling apart unreliable voting machines”

The short answer to the question is:

Maybe a recount, but absolutely there should be an audit because audits can do nearly anything a recount can do.

Before explaining that key point, a nod to University of Michigan computer scientists pointing out why we don’t yet have full confidence in the election results in their State’s close presidential election, and possibly other States as well. A good summary is here and and even better explanation is here.

A Basic Democracy Issue, not Partisan

The not-at-all partisan or even political issue is election assurance – giving the public every assurance that the election results are the correct results, despite the fact that bug-prone computers and human error are part of the process. Today, we don’t know what we don’t know, in part because the current voting technology not only fails to meet the three (3) most basic technical security requirements, but really doesn’t support election assurance very well. And we need to solve that! (More on the solution below.)

A recount, however, is a political process and a legal process that’s hard to see as anything other than partisan. A recount can happen when one candidate or party looks for election assurance and does not find it. So it is really up to the legal process to determine whether to do a recount.

While that process plays out let’s focus instead on what’s needed to get the election assurance that we don’t have yet, whether it comes via a recount or from audits — and indeed, what can be done, right now.

Three Basic Steps

Leaving aside a future in which the basic technical security requirements can be met, right now, today, there is a plain pathway to election assurance of the recent election. This path has three basic steps that election officials can take.

  1. Standardized Uniform Election Audit Process
  2. State-Level Review of All Counties’ Audit Records
  3. State Public Release of All Counties Audit Records Once Finalized

The first step is the essential auditing process that should happen in every election in every county. Whether we are talking about the initial count, or a recount, it is essential that humans do the required cross-check of the computers’ work to detect and correct any malfunction, regardless of origin. That cross-check is a ballot-polling audit, where humans manually count a batch of paper ballots that the computers counted, to see if the human results and machine results match. It has to be a truly random sample, and it needs to be statistically significant, but even in the close election, it is far less work than a recount. And it works regardless of how a machine malfunction was caused, whether hacking, manipulation, software bugs, hardware glitches, or anything.

This first step should already have been taken by each county in Michigan, but at this point it is hard to be certain. Though less work than a recount, a routine ballot polling audit is still real work, and made harder by the current voting technology not aiding the process very well. (Did I mention we need to solve that?)

The second step should be a state-level review of all the records of the counties’ audits. The public needs assurance that every county did its audit correctly, and further, documented the process and its findings. If a county can’t produce detailed documentation and findings that pass muster at the State level, then alas the county will need to re-do the audit. The same would apply if the documentation turned up an error in the audit process, or a significant anomaly in a difference between the human count and the machine count.

That second step is not common everywhere, but the third step would be unusual but very beneficial and a model for the future: when a State is satisfied that all counties’ election results have been properly validated by ballot polling audit, the State elections body could publicly release all the records of all the counties’ audit process. Then anyone could independently come to the same conclusion as the State did, but especially election scientists, data scientists, and election tech experts. I know that Michigan has diligent and hardworking State election officials who are capable of doing all this, and indeed do much of it as part of the process toward the State election certification.

This Needs to Be Solved – and We Are

The fundamental objective for any election is public assurance in the result.  And where the election technology is getting in the way of that happening, it needs to be replaced with something better. That’s what we’re working toward at the OSET Institute and through the TrustTheVote Project.

No one wants the next few years to be dogged by uncertainly about whether the right person is in the Oval Office or the Senate. That will be hard for this election because of the failing voting machines that were not designed for high assurance. But America must say never again, so that in two short years and four years from now, we have election infrastructure in place that was designed from ground-up and purpose-built to make it far easier for election officials to deliver election results and election assurance.

There are several matters to address:

  • Meeting the three basic security requirements;
  • Publicly demonstrating the absence of the vulnerabilities in current voting technology;
  • Supporting evidenced-based audits that maximize confidence and minimize election officials’ efforts; and
  • Making it easy to publish detailed data in standard formats, that enable anyone to drill down as far as needed to independently assess whether audits really did the job right.

All that and more!

The good news (in a shameless plug for our digital public works project) is that’s what we’re building in ElectOS. It is the first openly public and freely available set of election technology; an “operating system” of sorts for the next generation of voting systems, in the same way and Android is the basis for much of today’s mobile communication and computing.

— John Sebes

Tabulator Troubles in Colorado

More tabulator troubles! In addition to the continuing saga in New York with the tabulator troubles I wrote about earlier, now there is another tabulator-related situation in Colorado. The news report from Saguache County CO is about:

a Nov. 5 “retabulation” of votes cast in the Nov. 2 election Friday by Myers and staff, with results reversing the outcome …

In brief, the situation is exactly about the “tabulation” part of election management, that I have been writing about. To recap:

  • In polling places, there are counting devices that count up votes from ballots, and spit out a list of vote-counts for each candidate in each contest, and each option in each referendum. This list is in the form of a vote-count dataset on some removable storage.
  • At county election HQ, there are counting devices that count up vote-by-mail ballots and provisional ballots, with the same kind of vote-counts.
  • At county election HQ, “tabulation” is the process aggregating these vote-counts and adding them up, to get county-wide vote totals.

In Saguache, election officials did a tabulation run on election night, but the results  didn’t look right. Then on the 5th, they did a re-run on the “same ballots” but the results were different, and it appears to some observers that some vote totals may be been overwritten. Then, on the 8th, with another re-try, a result somewhat like in NY:

… the disc would not load and sent an error message

What this boils down to for me is that current voting system products’ Tabulators are not up to correctly doing some seemingly simple tasks correctly, when operated by ordinary election officials. I am sure they work right in testing situations that include vendor staff; but they must also work right in real life with real users. The tasks include:

  • Import an election definition that specifies how many counting devices are being used for each precinct, and how many vote-count datasets are expect from them.
  • Import a bunch of vote-count datasets.
  • Cross-check to make sure that all expected vote-totals are present, and that there are no un-expected vote-counts.
  • Cross-check each vote-count dataset to make sure it is consistent with the election definition.
  • If everything cross-checks correctly, add up the counts to get totals, and generate some reports.

That’s not exactly dirt-simple, but it also sounds to me like something that could be implemented in well-designed software that is easy for election officials to use, and easy for observers to understand. And that understanding is critical, because without it, observers may suspect that the election has been compromised, and some election results are wrong. That is a terrible outcome that any election official would work hard to avoid — but it appears that’s what is unfolding in Saguache. Stay tuned …

— EJS

PS: Hats off to the Valley Courier‘s Teresa L. Benns for a really truly excellent news article! I have only touched on some of the issues she covered. Her article has some of the best plain-language explanation of complicated election stuff, that I have ever read. Please take a minute to at least scan her work. – ejs

Where We Stand – on D.C. and Elsewhere

We’ve been answering lots of questions about the OSDV Foundation’s role in the District of Columbia’s Pilot “digital vote-by-mail” project, including a recent post with a detailed account of the history leading up to the Pilot.  But there is one Q&A in particular that I want to share with a broader audience. It’s a two-part question:

  1. Where do the OSDV Foundation and TrustTheVote Project stand on Internet voting?
  2. How does this square with OSDV’s role in the D.C. Pilot?

To complement Greg’s recent post , I’ve provided what I hope is a crisp, yet complete, answer in the form of a pointed list of positions, which apply very specifically to the use of technology in U.S. elections.

On Internet Voting

  • We do not support Internet voting for everyone – such all-electronic elections lack the ease of independent verification that is the strength of the method of op-scan counted paper ballots coupled with mandatory auditing.
  • We do not support any of the types of Internet voting used in other countries – there is no voter-approved ballot document when the ballot itself is HTML and HTTP data exchanged by a Web browser and an i-voting server.
  • We do not support any usage of email for transporting marked ballots – email is fundamentally and easily vulnerable to mischief en route from the voter to the BOE.
  • These on-line methods of voting and ballot transport all have significant risks to ballot integrity, inherent in the use of the Internet.
  • These on-line methods have significant risk to the “secret ballot” by making either ballots or votes attributable to specific voters.
  • These on-line methods are not a form of “verified voting” where the ballot marked by the voter is the ballot that is counted.
  • We fully support verified voting methods for domestic polling place voting.
  • We fully support existing election practices of paper vote-by-mail.
  • Our core mission is and will remain the creation of open transparent technology to support the existing election practices.
  • We support existing UOCAVA voter-support methods including digital distribution of blank ballots, and express delivery (e.g., surface courier or mails) of marked paper ballots from the voter to their respective BOE.
  • We believe that there may be a need for digital ballot return by those UOCAVA voters who lack timely access to rapid and reliable means of paper ballot return, and who have recently used email for digital ballot return.
  • We believe that it is worth considering whether those UOCAVA voters should demonstrate a need for digital return because of that lack of timely access.

About the D.C. Pilot

  • We are supporting D.C.’s Pilot effort to investigate the need for and feasibility of a Web-based alternative with significantly less risk to the “secret ballot.”
  • We believe that the Pilot’s method does not make Internet voting completely safe or secure for general use.
  • We believe that the Pilot’s method does not make Internet voting completely safe or secure for UOCAVA voters.
  • We believe that the Pilot’s method does address some security issues of current email voting, but does not attempt to address all security issues of email voting, or all security issues of Internet usage.
  • We believe that the Pilot project will create a publicly documented worked example that can be used for concrete evaluation of the Internet risks and ballot-secrecy benefits; an evaluation that should be part of consideration of whether or not any form of digital VBM methods are appropriate for continued use for UOCAVA voters.
  • We believe that the worked-example benefit will be strongly supported by the Pilot project’s pre-election public review period for anyone to try the system, to examine, probe, and assess not only the technology but also its deployment and usage.
  • We believe that the worked-example benefit will be strongly supported by a public post-election out-brief.
  • We believe that the transparency of the Pilot will be strongly supported by system’s software being available for use independent of the DC pilot, including, but not limited to, the existing TrustTheVote Project software for election administration and ballot design, which is one of our key contributions to the project.
  • We believe that much of the digital ballot technology can be dual use, applying to both UOCAVA vote-by-mail and overseas kiosk-based voting.

These statements are specific to U.S. election practices and laws, especially about U.S. military and overseas voters. We certainly respect that other countries have different needs, practices, and capabilities, and in general, a very different election landscape than in the U.S., with its 50+ different state election codes, thousands of election administration jurisdictions, dozens of electoral districts for each individual voter, and a significant portion of the electorate that must vote remotely.

Lastly, an important caveat: these are positions, opinions, and beliefs only of the OSDV Foundation; we do not advocate on behalf of any other organization; as a non-profit public benefits corporation we cannot directly lobby any public agency or institution for any policy or regulatory change. That stated, we certainly can and will continue to opine here and elsewhere, but as always our focus is on the application of technology in the administering of public elections.

— EJS

Dude, What Is My Ballot, Really?

(Part 2 of 2: What’s My Ballot?)

Today, I’m continuing on from a recent post, which compared my in-person voting experience with one method of Internet-based voting: return of marked ballots by fax or email. Next up is a similar comparison with another form of Internet-based voting: Internet voting from home using a PC’s Web browser.

Let’s briefly recall the result at the end of the day in my polling place:
1. Some paper ballots in a ballot box.
2. Some digital vote totals in a computer, and set of paper rolls that provide a ballot-like paper trail of each voter’s activity that led to those vote totals. The paper trails can be used to check the correctness of the digital vote totals.
Let’s also recall the result at the end of the day with email ballot return:
1. Some printed versions of faxed/emailed ballots, which are treated as ballots for counting purposes.
While we’re at it, let’s recall the results of the old lever machines too:
1. Some mechanical vote totals in one or more machines
2. A hand-recorded paper transcription of the “odometer” readings. (Those machines were a lot harder to move than a computer is! So the transcriptions were the basis for vote totals.)

Now, on to home-based Web i-voting. Before doing the end-of-the-day comparison, let’s start with what the experience looks like — fundamentally, it’s Web pages. You point your browser to a Web site; you type in your voter identification, a bit like the in-person poll-book signing experience; and then you get your ballot: one or more Web pages. Various Internet voting products and services differ, but they are all fundamentally similar to something that I bet many readers have seen already: online surveys. Take a look at this simple election-like survey about music in Cuyahoga County. The web page looks like a simple ballot, with contests for vocalist and guitarist instead of governor and dog-catcher. There are candidates, and you vote by selecting one with a mouse click on a radio button next to the name of your favorite.

So far, so familiar, but when I press that submit button, what happens? Where’s my ballot? Let’s take it step by step.

  • The submit button is part of an HTML form, which is part of the Web page. (You can see the HTML form if you “View Page Source” in your browser.)
  • Pressing the button tells your browser to collect up the form’s data, which might include Rachel Roberts for Vocalist if you had clicked the radio button next to Rachel.
  • These parts of the forms data are something that in election lingo you might call a “vote” (or “contest selection” to be precise.)
  • The HTML form data, including the vote-oid data, is sent from your browser to the Web server via an HTTP POST operation.
  • The HTTP transaction is typically via an encrypted SSL session, to preserve privacy en route over the Internet.
  • The Web server passes the POST parameters to some election-specific Web application software, which interprets the data as votes, and stores the vote data in a database.

Now, let’s be specific about that database stuff. In surveymonkey, there is a database record for each Cleveland Music survey response, and it’s possible (if the survey was set up that way) that the record also includes some information about the person who responded. In actual government voting, though, of course we don’t want that. So even though the i-voting server has a database of voters, and even though you had to log in to the i-voting server, and even though you were only allowed to vote if the voter record said you were allowed to vote, still your vote data shouldn’t be stored with your voter record. So, the vote data is supposed to be anonymously and separately stored, becoming part of vote totals for each candidate in each contest.

Can you say “odometer“? Okay, maybe it’s not that obvious, so let me juxtapose a couple images. As I recounted earlier, a much younger me is standing in the voting booth of a lever machine, looking a big bank of little switches next to candidate names, and thinking that is the ballot. Then the big lever is pulled, the little switches flip back, and it’s like the ballot just evaporated! Though of course I was told that the counter dials in the back of the machine did tick over like the odometer on a car, recording each vote. The votes were stored on the odometers, but the ballot was gone without a trace. Now shift the scene to my first surveymonkey experience. I clicked some radio buttons, clicked submit, and poof! what I thought was a ballot just disappeared. I’m told that the counters in a database somewhere ticked over to record my “votes.” Again, votes were supposedly recorded, but there wasn’t really ever a durable ballot. Home-based web client-server Internet voting is just like that, regardless of varying technical implementation details. There’s no durable ballot document.

So, at the end of the day, we have stored vote totals in a database of a system that also logged the voter logins. At that point I don’t have an answer to “What’s the ballot” anymore than I do for lever machines or the early paper-trail-less DREs. Unlike the (much-more-insecure) email ballot delivery, we don’t really know what or where the ballots are. Recalling my experience in the Middlefield Road fire house, the vote data is similarly stored as bits on a computer, but!!! there is also the paper trail. That paper trail can be used to audit the system and detect errors and fraud, and serves as the durable record of the vote — almost a ballot, except for being on flimsy paper with some ballot information left out. But with i-voting, there is nothing even similar. Any kind of auditing that’s done, is done using data saved on the server computers, rather than looking at a ballot document that the voter also saw.

Is that so terrible? Maybe so, maybe not. A durable ballot is not a holy requirement for U.S. elections — though in some parts of the country it almost is. And a durable ballot may not be a requirement for a voting system that is specifically and only for timely assistance of overseas and military voters. Such requirements are a matter of local election law and decisions of local election officials. But my critical observation here is about voter trust. Trust derives in large measure from comprehension. And for many voters, a voting system is comprehensible if the voter knows what the ballot is, where it goes, and what happens to it. That’s why overseas voters like fax and email return. Despite the security and anonymity problems, the voter understands that ballot, how it pops out of the fax/printer on the other side of the planet, and how its counted as a paper ballot. The same can’t be said for paperless home-based i-voting. As a consequence, I think that it will be harder to build trust, at least in some parts of the country that are paper-centric. However, it may be less of a big deal if limited to overseas and military voters, whose main concern is “get the the ballot home in time to be counted.” The pilots are happening, and time will tell.

— EJS

Dude, Where’s My Ballot?

I just finished voting in CA’s primary — whew! 47 contests, 76 candidates total, and for on-paper voters, 4 sheets! But today, instead of hand-marking a ballot (my preference explained in an earlier posting), I used a DRE. This voting machine is part of the voting system that San Mateo County purchased from Hart Systems, the smallest of the 3 remaining vendors with a significant share of the U.S. voting systems market.

Comparing with people voting on paper or turning in vote-by-mail packets at the polling place, I had to ask myself the question: where’s my ballot? The answer is in two parts.

As a techie, part of my answer is that an electronic version of my ballot is stored as bits on magnetic storage inside one of the computers in the polling place. It may or may not be not be a “ballot” per se (a distinct collection of selections in the contests), but rather just votes recorded as parts of vote total, analogous to the odometers on the old lever machines. As jaded techie, this strikes me as not the most reliable way to store my ballot.

However, as an observant voter, I can also see that my ballot is also represented by the “paper trail” on the voting machine. As an informed voter (a trained poll worker who also talks to local election officials), I know that this paper is used by election officials as part of auditing the correct operation of the computers, by manually tabulating vote totals for a handful of randomly selected precincts — an extremely important part of the election process here. However, as a jaded observant voter, the cheap paper roll (like a gas station receipt printer) strikes me as not a very durable way of recording the ballot information that I could have put on nice solid real paper ballots.

But leaving aside questions of paper stock, the combination of the two ballot recording methods is pretty good, and the audit process is great! Though I have to say: my thanks and condolences go to the hard working San Mateo County elections staff who wield scissors to cut the paper rolls into individual ballot-oid papers to be hand-tabulated in the audit.

So, as a paper ballot fan, I left reasonably satisfied, though glad of the ability to vote on paper in November. It’s a bit of a conceptual leap to go from a tangible paper ballot in a locked ballot box, to the above non-short answer to “Where’s my ballot?” But it’s a leap that I think many voters can be satisfied with, or would be if the paper trial items actually looked like ballots (as in the system we’re building at TrustTheVote). But it got me thinking about some of the overseas-voter Internet voting pilots I’ve been reading about. That’s enough for today, but a good question for another day, about Internet voting, is the same question, “Where’s my ballot?” More soon …

— EJS

Childhood Ballot Confessions

I have to admit, I like paper ballots. But it wasn’t always that way. As a small child, I remember going into the voting booth with a parent, and watching them use those fine old lever machines. They were cool. The curtain made it seem like something both secret and important was happening. The little flippy switches made a satisfying little “tick” sound when you flipped them down to make a selection, and nice “tock” sound if you changed your mind and flipped one back up again. And of course the best part was hearing the thing click and clack after you pulled the big lever.

But although it was cool as a machine, and the whole voting thing was groovy, I had a twinge while looking at the little floppy switches flipping themselves back up again. It was like all this important secret stuff we did in the booth … just sort of evaporated. Sure, the clicking and clacking was the machine “remembering” each vote, but it was odd to see.

Years later when I started to vote myself, I found it very satisfying and reassuring to be using a paper ballot, especially after the run-around I got trying to vote for the first time. I felt more confident seeing a durable ballot recording my votes, and not evaporating.

More recently, experimenting with using a Direct-Record Election device (DRE), it was back to the future, with the ballot evaporating again — and without even seeing a ballot per se, like front panel of the old lever machine. As Doug Jones wrote here recently, our touch-screens are digital DREs just as the lever machines were mechanical DREs. The little paper tapes were certainly an improvement, but flimsy enough that it was a small improvement. If you’re going to print something for me, please have it be a real paper ballot, I thought the first time. So, I now understand that I like the approach of ballot-marking devices used by those that aren’t able to or don’t wish to mark by ballots by hand.

Is there a point to this personal history of feelings about ballots?
A small one, both a link back to my posting about eMailed ballot return, and a future one on Internet voting. The point is that I think that voter confidence depends in part on the voters’ understanding the voting method that they are using. If you ask or allow voters to do something new, but which seems similar to voting that they already understand, then they can “get it” — which is why eMail return makes sense for voters because it’s like vote-by-mail that they understand. So, if people are used to a ballot — as I am — then a change is going to make the most sense if I can still understand where the ballot is, and what happens to it.

— EJS

Kudos to Cuyahoga

I was very encouraged by recent election news from Ohio’s Cuyahoga County, reported in the Cleveland Plain Dealer newspaper: Reason for election machine glitch found, officials expect things to be OK for the primary. At first blush, it might seem like bad news:

All told, 89 of the Cuyahoga County Board of Elections‘  1,200 machines powered down and then froze during a specific test done to ensure the optical scanners were reading paper ballots correctly.

But as the Plain Dealer’s Joan Mazzoli said in her folksy headline, the point is that the Cuyahoga BOE disclosed to the public exactly the problems that they encountered, the scope of the problems, and the possible effect on the election that will be conducted with machines that they tested. In fact BOE director Jane Platten explained the specific error logging procedures that they will use to audit the election, to make sure that no votes are lost even if the machines malfunction during the election. As Mazzoli quoted Platten:

We want to ensure everyone’s votes are counted.

Of course that is every election official’s goal, but this news is about a bit more: making sure that everyone’s votes are counted, and “making sure” in a way that the voters can see and believe in despite known problems with the election technology being used. That is what I call helping people Trust the Vote, and for that I say – Kudos to Cuyahoga!

— EJS

How to Trust a Voting Machine

[Today’s guest post is from election technology expert Doug Jones, who is now revealed as also being an encyclopedia of U.S. elections history. Doug’s remarks below were in a discussion about how to effectively use post-election ballot-count audits as a means to gain trust in the correct operation of voting machines — particularly timely, given the news and comment about hacking India’s voting machines. Doug pointed out that in the U.S., we’ve had similar voting-machine trust issues for many years. — ejs]

Lever machines have always (as used in the US) contained one feature intended for auditing:  The public and protective counters, used to record the total number of activations of the machine.  Thus, they are slightly auditable.  They are less auditable than DRE machines built to 1990 standards because they retain nothing comparable to an event log and because they do not explicitly count undervotes — allowing election officials to claim, post election, that the reason Sam got no votes was because people abstained rather than vote for him.  (Where in fact, there might have been a bit of pencil lead jammed in the counters to prevent votes for Sam from registering).

One of the best legal opinions about mechanical voting machines was a dissenting opinion by Horatio Rogers, a Rhode Island supreme court judge, in 1897.  He was writing about the McTammany voting machine, one that recorded votes by punching holes in a paper tape out of view of the voter.  I quote:

It is common knowledge that human machines and mechanisms get out of order and fail to work, in all sorts of unforseen ways. Ordinarily the person using a machine can see a result.  Thus, a bank clerk, performing a check with figures, sees the holes; an officer of the law, using a gibbet by pressing a button, sees the result accomplished that he sought; and so on ad infinitum. But a voter on this voting machine has no knowledge through his senses that he has accomplished a result.  The most that can be said is, if the machine worked as intended, then he has made his holes and voted.  It does not seem to me that this is enough.

I think Horatio Rogers opinion applies equally to the majority of mechanical and DRE machines that have been built in the century since he published it.

— Doug Jones

Mandatory disclaimer:  The opinions expressed above are mine!  The various institutions with which I am affiliated don’t necessarily agree.  These include the U of Iowa, and the EAC TGDC. – dj