What then do you think needs to be done differently?
First of all, there are several areas where there have been problems. One has been that the certification and testing that we have doesn't actually [cover every scenario]. For example, if you drop a voting machine from four feet, will it still work? Or if you hit a certain temperature in the room, what problems are you going to have with the voting system? It can't really test the voting systems for how they'll perform in a particular software failure because you can't anticipate what all the software failures are going to be.
The National Institute of Standards and Technology [NIST] identified what I think is a breakthrough property in an e-voting machine, which is the idea of making it software-independent. That means designing voting systems where a software failure does not have any possible impact on the accuracy and integrity of the election. This isn't my idea. This is NIST. They published a paper where they identified that, and I said that is the killer property that you want.
A light went off over my head when I read that, and I said that that's a very good way of describing what I've been trying to say. The concern that I've always had as someone who's an expert in software is that what we need is software that's redundant and that's not trusted in the process.
How would that work? Are you talking about using old-style vote counters and mechanical systems again?
No, you can do it with computer systems. If you start out with the goal of designing something to be software-independent, which is a different mind-set from designing something without that requirement, you design it very, very differently. You have redundant components.
Let me give you an example of a system that is software-independent. You have a system where voters use a touch screen to make their selections and the touch-screen machine, when they're done, prints out a paper ballot that they look at and that has all the candidate choices that they made. The voter then takes the completed, printed ballot, and they put it into a scanner. The scanner tallies the ballots up and keeps counts of all the votes. Now if the software on that system fails, they wouldn't get a printed-out ballot that they could then accept and approve.
After the election is over, you pick a bunch of scanners randomly, and you audit them. You count the papers, and you compare the totals that the scanners ran, or you have a different independent scanner that you run the ballots through to see if you get the same answers.
In any stage of the process, a flaw in the software will either be caught and corrected, or it will prevent you from proceeding, in which case you can get the ballots pulled up some other way.
Now let's compare that to an existing direct-recording electronic (DRE) touch-screen machine, where the voter comes in and marks his or her choices and they are stored on a magnetic card on the inside of the machine, and at the end of the day, the voting officials get the card and it has all the tallies. Any flaw in the software could change all the tallies or record the votes incorrectly, and there would be no checks and balances against that because there is no paper record of the actual choices made by the voters.