I think the key issue is that these machines are internet or network connected.
If we're really concerned about this - get rid of the network connectivity.
Obviously this is oversimplified, but just make a simple locally run app or web application that refreshes once a vote has been cast. Store the vote in a simple SQLite database and at the end of the day, have a voting official go to the machine, and unlock the case, press a button on the back, which prints out or shows vote counts on the back on a small screen or something. They then can report that to whatever commission, committee, or otherwise is monitoring the election.
It's all locally stored, maintained, and under lock and key.
Why does this seem so difficult? We don't need democracy hindered by "network connectivity", just make it more environmentally friendly so however millions of people times the size of the paper ballot isn't wasted needlessly.
How do you make sure that the firmware image deployed on those machines wasn't compromised from the beginning?
What happens when a bug occurs and machines need to be updated? Do you bring all machines in for maintenance or does a local IT shop do it? Maybe the manufacturer sends a person, but can the person be trusted to update multiple machines all over the country?
About a decade ago, a researcher demonstrated a worm that could be implanted in one machine, that over the course of months would spread to a large number of machines as election workers did routine maintenance. Since physical protection of the machines was typically weak, the initial compromise wouldn't have been that difficult for anyone able to pick a lock.
I don't understand why you need sophisticated technology like a worm when you can bribe or blackmail a developer and get whatever results you want. The weakest link here is the human that loads the firmware. Just offer him a promotion if candidate X wins and that could be enough.
> I think the key issue is that these machines are internet or network connected.
> If we're really concerned about this - get rid of the network connectivity.
They (generally) aren't.
(Almost) every demo of voting machine hacking involves physical access to the machine, tools, and keys/lockpicks.
How does the voter verify that their vote was counted correctly?
All electronic voting machines should output a paper human readable 'scantron' type ballot that is safely stored for verifying the internal digital tally.
> All electronic voting machines should output a paper human readable 'scantron' type ballot that is safely stored for verifying the internal digital tally.
And then that ballot should be what is actually tabulated and the internal digital tally ignored, or not even kept. The machine should be a device to facilitate creation of accurate, easily tabulated paper ballots, period.
> All electronic voting machines should output a paper human readable 'scantron' type ballot that is safely stored for verifying the internal digital tally.
We should just have paper scantron style ballots that people fill out. Then have scantron counting machines to tally them up after all voting nationwide has closed.
All the other issues people are trying to do to "fix" some aspect of voting are fundamentally flawed and those who are advocating for them are either desiring the ability to violate election integrity or don't understand the requirements of voting. Or trying to get money because someone in power sits in one of the two prior camps.
"We should just have paper scantron style ballots that people fill out. Then have scantron counting machines to tally them up after all voting nationwide has closed."
Vote counting machines are just as problematic as voting machines. We should just get rid of all of the machines and both vote and count by hand.
What a nice and opaque technology. Bribe (or blackmail if you are from the NSA) a developer or sysadmin and ask them to make it so that every second vote for candidate A goes to candidate B and candidate B wins. It doesn't matter how people will vote, it only matters whom the sysadmin chooses.
What if the voting mechanism is all open source, a simple image with a hash that is verified by many eyes? The international watchers and local ones can verify the machines at random by cloning the disk and comparing the hash?
There are several solutions to the problem you have described. First, when the watchers appear, you can pretend that the machine got "broken" so they have to wait until it gets "fixed" (reflashed with the original firmware). Of course, you can "fix" it once again after they leave. Second, you can make it return the original firmware when cloning the disk for verification or store modifications in RAM only. Third option, you can have two disks, one with the original firmware for verification and another that is actually used. Fourth option, you can install an additional microcontroller and connect it to the printer so that it prints what you want instead of the actual results.
> I think the key issue is that these machines are internet or network connected.
This is a very important issue, certainly. There is no excuse for voting machines not to be air-gapped. But that's not the only very important issue with voting machines.
If we just disconnect from the internet, then the local politicians will still be able to fix the elections. Unscrupulous local politicians are a bigger problem than foreign interference.