Can someone enlighten me why we need a full multipurpose computer that can run custom software just to increment one of two numbers? What's the secret sauce that means we can't run the whole election off of a cluster of 4000-series CMOS's on a breadboard mounted in a plexiglass case in the public somewhere?
Not just one of two numbers. Ballots contain multiple referenda, and races for multiple positions, each of which can have anywhere between 1 and tens of candidates.
You need to display all of that information, take a user's input, store it in an auditable format. Oh, and people like "small government" so making custom hardware is completely out of the question. Using a "multipurpose" computer is the economical choice.
But there's another aspect to this: if you can swap out the hardware and keep the software the same, it makes the whole thing more transparent. A jumble of 4000-series CMOS on a breadboard could hide any number of bugs/backdoors. And, perception of trust is important, nobody wants to vote on your science fair project. Also, you'd need to produce thousands of these machines to run an election. Really easy to procure thousands of commodity multipurpose machines... but you're talking about mass-manufacturing your science fair project. Hell no.
There's a lot to be said for the value of commodity hardware: you almost certainly can't prove that purpose-built hardware has or hasn't been tampered with by the manufacturer. With commodity hardware, the risk that the manufacturer anticipated your use case (voting machines) and implanted a backdoor that can affect their functions is extremely small.
Excellent point, I've never seen that. The whole structure of election has a lot of variation from place to place, which is a major stumbling block for people who want simple, universal technological solutions.
And I forgot write-ins! You don't even have a fixed set of candidates in a given election!
I've always wondered why there isn't overlap between voting machines and slot machines. Surely most of these problems have already been solved by the Nevada Gaming Commission
The problems do look the same. Why don't they share a common enforcement agency? Because they deal with two types of entities (government vs corporation) that operate machines with vastly different use cases with vastly different threat models. A casino's threat model for its slot machine supply chain is completely different than the threat model for voting machine integrity.
Boiling the problem down to the integrity of the hardware and software throws out the nuance of how and why exploitation might occur (and who is doing the exploiting), which has huge implications for how you make regulations and do enforcement.
There are multiple reasons. First, the tabulator typically needs to determine the "style" (layout) of the ballot from one of possibly hundreds of options (due to multiple government and taxation jurisdictions). Second, a typical ballot in most US jurisdictions has a dozen or more questions on it, and cumulatively across all ballot styles there are often over a hundred questions.
Third, though, and perhaps most significantly, "traditional" optical mark reading (OMR) systems using LED or laser sources and diodes were inflexible as to ballot layout and more problematically not very reliable across varying marks (remember the grade-school requirement for #2 pencils due to OMR scoring of exams), a particularly big issue since voters are often not experienced with OMR systems and so do not mark their ballot "correctly." To address this, almost all modern ballot tabulators use a CCD mechanism to take an image of the full ballot and then interpret it via machine vision (this is not a case of machine learning, the algorithms used are actually very simple). This yields much more reliable interpretation of ballots with fewer ballots rejected to hand-counting, but requires more complex software.
It's important to understand that most US election administrators avoid hand-counting in large part because of its inaccuracy. In many US jurisdictions hand-count ballots are counted by two individuals to improve reliability, but the error rate remains higher than machine tabulation. When it is 1AM after a day that started at 5AM and you are on the hundredth ballot you've hand-tabulated since you got off the precinct floor it becomes extremely difficult to tabulate with the virtually zero error rate that US voters expect. This is not a hypothetical scenario but one that's pretty typical of US election working conditions due to the slim budget and expectation of rapid posting of returns.
That's not impossible for a simple electromechanical calculator either. An attachment similar to those paper drums seismographs use would suffice while still being simple enough to be trustworthy; a video recording of the counter along with maybe an array of debug LEDs would suffice too now that I think about it.
You could print a receipt that contains the voter's selection. The voter would then verify the selection and deposit the receipt into a receptacle. The voting machine results could then by audited by comparing the receipts to the voting machine's history.
I should clarify my question "why" is specifically about conflating votes with timestamps. I have more general concerns about voting machines, but those have been raised elsewhere in the comments many times by other commenters.
The timestamp of each vote in the machine could be useful during the audit. Imagine you found a discrepancy, you'd then want to determine when the discrepancy started.
If you're able to determine some subset of voters from the attached timestamp information, then you're equally able to use that data to harass people who didn't vote for the candidate you want.
So you can demonstrate that votes correspond to people voting. Not on an individual basis, but just to make sure that if you have 100 votes on a machine (or 1000 votes across 10 machines at a location, they happened when there were 100 (or 1000) people at that voting location. It prevents adding votes before or after the fact, like putting a thumb on a scale.
You'd have to hide the results of the vote if you're collating them with timestamp, otherwise you could pretty easily figure out Bob who showed up early voted for the square.
And I'm unsure how adding timestamp helps with the problem you're trying to solve, don't you just need Sum(machine vote count at location X) == voters visiting location X. (Also this hueristic is kinda leaky since how do you account for voters protesting with intentional spoilers?)
If you let the government get away with just simple counts they don't have to work as hard to fake an election. A time series can be compared with exit polling for example to highlight irregular patterns.
I remember hearing about a study on very simple electronic voting machines. These machines had a bunch of buttons representing the candidates. And in the study, they were able to make a decent guess of who voted what by looking at the rf emissions from the machine from a distance.
I could imagine a whole computer being there could make the rf emissions less predictable. I can definitely think of some ways of making a simple machine like that more resistant against an attack like that. Idk if the study looked into that, I can't find the study anywhere.
Timing attacks and similar methods of vote snooping is definitely a big issue I've been thinking about for a very simple calculator like this. At first you'd think you could mitigate that with some sort of analog capacitor timer buffer thing somewhere in the chain but then you screw up a lot of predictablity needed to trust such a device...