I've always wondered how hard it could possibly be to create an electronic voting machine that has moderate amounts of accountability and security. So... I sat down and thought a quick one out. Turned out, it's really not that hard to do. The companies making these electronic voting machines are just morons.
Here's the first rough draft of the concept:
HDMI LCD monitor
USB touchscreen overlay
Simple B/W laser printer
Small Battery backup
100 Mbit Ethernet connection to the Internet
Device: Custom Linux OS, open source on public places (US Government site, SourceForge, GitHub, etc..)
Server: Custom Linux system scripts and a vote tabulation software available on public places
1. Initialize hardware and verify all needed components exist and nothing more. If hardware components are missing, it shows what is missing. If there's an extra device, it'll absolutely refuse to continue further initialization, make note of the unauthorized device, and will attempt to contact authoritative servers to alert of the infraction.
2. The system will attempt to make contact with the three primary voting server farms. Each of these server farms is housed in a different location under the care of a different organization, for example: DoD - Colorado, FBI - Washington DC, Berkeley - California. The three server farms maintain constant connections to each other. The voting machine MUST make contact with all three primary servers, otherwise it will not continue. The device makes the connection via SSH using SSH-key authentication.
3. This first connection uses an initial, generic login for the purposes of device identification. The SSH login also provides a tunnel so that each server farm can log into the device, which it will. The device and servers run various hardware profiling, hashing of system files, other checksums, and measures to make sure the server and client are connected to each other. The results are sent to the servers. After this point, the servers compare notes and determine whether this is a valid device. If it is valid, a generated username and SSH key/password are relayed. This combination is stored in a RAM drive set up by the OS on the device, and the servers create the proper permissions and directories for the account. If the device is unauthorized, the IP is flagged and all relevant information is immediately forwarded to all applicable law enforcement agencies.
4. The device drops the connections using the generic login and reconnects using the new login. Once it has established the connections, it requests the appropriate voting layout files from all the servers and verifies that all copies match. This process can be automated by device ID, determined by where the device should be located or where it is detected by hostname and IP. The shell provided by the login is extremely limited. Only connectivity test commands and SFTP are functional. Even SFTP functionality is limited, as the device will only be able to see the voting layout files. It can write files, but not view any files written. Consider it a blind drop box.
5. The system goes online, ready to accept votes. Through a system with multiple methods of feedback and verification, votes are entered via the touchscreen and LCD display. The touchscreen cursor is visible during vote entry to detect calibration problems, and recalibration tools are available at any time.
6. Upon confirmation of ballot, the system shows the ballot side-by-side the XML data file being sent. The filename will be the effective SHA-512 hash of the file's contents (votes, time, device ID, location, IP, random salt value, etc..). All information is in view and the system will allow scrolling over the file. Being an LCD display, this should allow the voter the ability to photograph and/or video the information if they please.
7. The voter confirms the final viewing. The system creates the data file in the RAM drive of the device and then sends it via SFTP to all three servers. It then waits for a confirmation message from each server verifying the file data. The three servers then compare notes to make sure they all received matching copies and the data is parseable and sensible enough. Upon final verification, the device gets an okay from each server.
8. Finally, the printer prints out a ballot and data file copy, three times. One copy each is for the voter, the local voting center's records, and the US Government election offices. The copies are clearly labeled for who they are for. On the way out of the voting area, the voter drops a copy in each of the two clearly labeled boxes.
9. The system then purges the data file from the RAM disk and awaits the next voter. If at any time during the voting process it loses connection with any of the servers, it will immediately alert that it has lost connection to a server and not allow further voting. If there is a disconnection mid-vote, it will still allow the voter to continue entering their ballot up to the point where it sends the vote off to the servers. It won't complete the process until it can regain connection with all three servers.
As the votes are received, the vote files are transferred to a proxy site for public viewing. Via a web interface, users will be able to sort by different factors such as location and even the exact voting machine. There will also be a search function to allow the voter to enter their vote ID (the SHA-512 hash of their data file) and see both the summary and raw XML data of their vote to verify the vote has been received.
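To make steps 6 and 7 concrete, here is an added example (not the author's code, and not a real voting machine's) of building the ballot data file, naming it by the SHA-512 of its contents, and the check each of the three servers would run before comparing notes. The XML element names, the device ID, location and IP values, and the exact set of required fields are assumptions for illustration; the hash of the file is also the vote ID a voter would later look up.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample ballot for one voter (hypothetical contests and choices).
SAMPLE_VOTES = {"President": "Candidate A", "Proposition 12": "No"}


def build_ballot_xml(votes, device_id, location, ip, when=None, salt=None):
    """Serialize the ballot plus device metadata as XML bytes (step 6).
    A fresh random salt is generated unless one is supplied."""
    root = ET.Element("ballot")
    ET.SubElement(root, "time").text = (when or datetime.now(timezone.utc)).isoformat()
    ET.SubElement(root, "device_id").text = device_id
    ET.SubElement(root, "location").text = location
    ET.SubElement(root, "ip").text = ip
    ET.SubElement(root, "salt").text = salt if salt is not None else secrets.token_hex(16)
    votes_el = ET.SubElement(root, "votes")
    for contest, choice in votes.items():
        ET.SubElement(votes_el, "vote", contest=contest).text = choice
    return ET.tostring(root, encoding="utf-8")


def vote_id(xml_bytes):
    """The filename / vote ID is the SHA-512 hex digest of the file's contents."""
    return hashlib.sha512(xml_bytes).hexdigest()


def server_verify(xml_bytes, claimed_id):
    """What each server checks on receipt (step 7): the filename matches the
    content hash, the XML parses, and the expected fields are present."""
    if vote_id(xml_bytes) != claimed_id:
        return False
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return False
    required = {"time", "device_id", "location", "ip", "salt", "votes"}
    return root.tag == "ballot" and required <= {child.tag for child in root}


def three_server_consensus(copies, claimed_id):
    """The servers 'compare notes': exactly three byte-identical copies, each
    passing server_verify, before the device gets its okay."""
    if len(copies) != 3 or len(set(copies)) != 1:
        return False
    return all(server_verify(copy, claimed_id) for copy in copies)
```

Because the salt is part of the hashed contents, the vote ID cannot be reproduced from the ballot choices alone, which matters when the set of possible ballots is small.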
This example doesn't address a number of issues, but it's better than what I've seen from the companies that get paid millions over several years. So where's my damn multi-million dollar cost plus contract from the United States government?!