
The Secure-Vote Method for Voter Verified Electronic Voting
by Andrew Glassner
Fair and honest voting is vital to any representative government or organization. A few errors in a large voting system are inevitable, but too many incorrectly recorded or manipulated votes make a mockery of the election, and strip the winners of legitimacy.
To avoid a repeat of the Florida 2000 fiasco, Congress passed the Help America Vote Act (HAVA), which authorized $3.6 billion for states to purchase new electronic voting machines. Most states chose to buy touchscreen-based electronic voting machines, also known as Direct Recording Electronic systems, or DREs.
DREs offer many appealing features. The ballots may be laid out by a graphic designer who can use visual elements like color and a variety of typefaces to create legible, easily understood ballots. DREs can warn voters if they vote for too many people in a race, too few, or even none. DREs can offer ballots in a wide variety of languages. They can even offer ballots that use pictures, sounds, and animation to serve illiterate and visually impaired voters. DREs allow voters to change their minds until the moment they commit their vote. DREs offer the promise of eliminating ambiguous votes, forever freeing us from another hanging chad.
Voters who are used to ATMs and supermarket scanners are comfortable with these kinds of devices, and trust them to be accurate and reliable. But this trust is misplaced. The key difference between ATMs and voting machines is that ATMs give you a receipt. Voting machines must not issue receipts, to avoid the many evils of vote buying. So we need to ensure that their internal records are reliable and trustworthy.
Unfortunately, it is now generally agreed that voting machines are not trustworthy. It took a while for this to become indisputable because the inner workings of commercial DREs are held as trade secrets. The four major manufacturers force counties and states that buy the machines to sign contracts promising not to look inside the systems. But a few accidental leaks of their software on the internet over the last year have given security experts a chance to see how these machines work, and what they found is appalling.
The experts discovered that these machines contain grave flaws, allowing voters to cast unlimited votes, or even modify the entire database of votes without detection.
The voting-machine makers dispute these findings, but because they continue to hold their systems secret, their pleas are basically a request for blind trust in the face of evidence that such trust is not warranted. Simply put, a company's assertion that its machines are trustworthy and secure does not make it so. States are coming to realize that their traditional certification procedures are neither complete nor expert enough to expose all the vulnerabilities. The most obvious result of the turning tide is that the California Secretary of State has found Diebold machines so untrustworthy that they have been de-certified, and they cannot be used by the counties that have already purchased them.
It is premature to entrust our votes to devices built and marketed by the four dominant vendors. A great objective overview of the history of election machines, the recent laws, and some of the recent scandals surrounding DREs is available in a Congressional Research Service report. A thoughtful discussion of the present technology and its implications appears in a Brennan Center report. The ACLU of California has produced an excellent discussion that covers almost every aspect of this issue in a thoughtful and informed manner. More information and developing news can be found at two excellent activists' sites: Verified Voting and Black Box Voting.
Because today's electronic voting machines are now agreed to be inherently untrustworthy, many states and counties are rushing to retrofit them with paper printers. This is a reasonable stopgap measure, but it creates many new problems, and does not address the central problem of trustworthiness. Furthermore, paper receipts eliminate many of the user-interface advantages of DREs that made them attractive in the first place. Perhaps the most important problem with paper trails is that they do nothing to stop DREs from committing fraud in the first place.
Another approach, called open-source software, seeks to make DRE software available for examination by the public. This is a good start, but it cannot close all the security loopholes. The key problem with both paper trails and open-source isn't with their technologies, but in the fact that we feel the need for them at all.
If we don't trust a voting machine, we shouldn't use it. Citizens of all countries and organizations deserve voting machines that are demonstrably worthy of their trust.
In the Secure-Vote Method (SVM), we use a commercially available write-once memory (like a CD-ROM) to save votes, and an independent computer to read them and verify them with the voter when they are cast. Because a CD-ROM cannot be changed once it is written (short of destroying it), votes that are burned onto the disk are safe from later manipulation and deletion. They are also safe from being saved incorrectly in the first place, because the voter personally confirms that the cast ballot is correct, using an independent computer.
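The two properties described above can be modelled in a few lines. This is an added sketch, not code from the Secure-Vote Method or its author: the class and function names, the JSON ballot encoding, and the sample ballot are all assumptions, and what the system does after a failed confirmation is not specified on this page and is not modelled.

```python
import json

class WriteOnceDisc:
    """Toy model of write-once media: records can be appended, never changed."""
    def __init__(self):
        self._records = []

    def burn(self, data: bytes) -> int:
        self._records.append(bytes(data))
        return len(self._records) - 1          # index of the new record

    def read(self, index: int) -> bytes:
        return self._records[index]

    def rewrite(self, index: int, data: bytes):
        raise PermissionError("record %d is already burned" % index)

def honest_recorder(disc, ballot):
    return disc.burn(json.dumps(ballot, sort_keys=True).encode())

def faulty_recorder(disc, ballot):
    # Constructed fault: stores a different choice than the voter made.
    changed = dict(ballot, mayor="Candidate B")
    return disc.burn(json.dumps(changed, sort_keys=True).encode())

def independent_readback(disc, index):
    """Verifier side: decodes what is on the disc, sharing no state with the recorder."""
    return json.loads(disc.read(index).decode())

def cast_and_verify(recorder, disc, intended):
    """Return (index, confirmed); confirmed is True only if the stored ballot
    matches what the voter intended."""
    index = recorder(disc, intended)
    shown_to_voter = independent_readback(disc, index)
    return index, shown_to_voter == intended

def later_tamper_blocked(disc, index):
    """True if an attempt to change an already-burned record is refused."""
    try:
        disc.rewrite(index, b"{}")
    except PermissionError:
        return True
    return False

if __name__ == "__main__":
    disc = WriteOnceDisc()
    ballot = {"mayor": "Candidate A", "measure_1": "yes"}   # constructed sample
    print(cast_and_verify(honest_recorder, disc, ballot))
    print(cast_and_verify(faulty_recorder, disc, ballot))
    print(later_tamper_blocked(disc, 0))
```

The point of the model is that the voter's confirmation is made against what the independent reader finds on the medium, never against what the recording machine reports it wrote.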
The Secure-Vote Method is an open design that can be supported by a variety of vendors. In fact, the more companies that make SVM components, the safer the system becomes.
The Secure-Vote Method is a new kind of voting machine that is inherently trustworthy by design. It fulfills the criteria we should expect of a voting machine: it can be fully opened to expert scrutiny and thereby proven to be highly resistant to tampering during manufacture, distribution, and deployment.
More details on the Secure-Vote Method may be found here. A more detailed discussion of electronic voting is available in "Electronic Voting Machines: An Introduction".