How does it work?

An ordinary IBM-style personal computer is the basis of a SAVIOC voting station. Virtually any such computer will do. It must have a keyboard, a monitor, a serial port and a printer port, and it must be capable of booting up from a 3.5" diskette. It does not need a working hard drive, CD-ROM, mouse or other accessories. Four megabytes of RAM is enough. Systems completely satisfactory for use with SAVIOC are discarded every day because they cannot handle the latest Microsoft software. In many voting precincts, machines could be borrowed for the day from the nearest desk in the same building. At the extreme, brand-new systems with far more capability than needed could be purchased for less than $500 per station.

The only hardware essential for converting a computer to a voting station is a "Permission Box". This small Box has a pushbutton that voting officials use to authorize each new voter. It is connected to the computer by a cable of any desired length, and is kept well out of the reach of voters.

An optional hardware addition is a diskette locking system to seal the diskette into the diskette drive for the duration of voting. The seal must be destructively opened to release the diskette. This is optional because the software detects diskette removal and sounds an alarm.

To insure against power loss, an uninterruptable power supply (UPS) could keep the computer running a short while, and an inverter in a nearby vehicle could power the UPS during longer outages, if necessary. Both items together can be purchased for about $100.

An extremely simple computer program could be used to collect votes, if everyone using it happened to be comfortable with computers, meticulous, and completely honest. Unfortunately, none of those characteristics can be assumed to apply to all voters and officials in a general election. Therefore, the software must be designed to compensate for any such shortcomings:

1. All software, including the operating system, program and ballot-defining file, is on a single diskette. Booting the computer from that diskette eliminates any chicanery involving the hard drive. Everything on the diskette can be verified using SAVerify.exe.

2. Any keys that could be used to interrupt the program are disabled. The "typematic" feature that could be confusing to those unfamiliar with computers also is disabled. (A key does not repeat if held down.)

3. The ballot is completely defined by a relatively simple text file. Ballots for many different precincts could be placed on a single diskette that is copied for distribution to all those precincts; officials at each precinct select the proper one to use.

4. A voting session for one voter begins and ends with the voter pressing a distinctive key (Y, meaning "Yes") while the computer shows a screen distinct from all others in message and color. These begin-end actions are the equivalent of closing and later reopening the privacy curtain on a mechanical voting machine, or of receiving a paper ballot and later dropping it in a box. The software will not allow overvotes. If there are undervotes, they are brought to the voter's attention at the end. The voter may elect to go back to those places, or finalize the ballot with the undervotes standing. Any selection may be changed until the final [Y] key is pressed.

5. It is possible to vote using only three keys (assuming no write-in votes). Those three keys are the [Y] key (used only for beginning and ending voting), the [down arrow] key to point to a candidate or option, and the [spacebar] to make a selection (or turn off a previous selection). A few other keys allow faster navigation: step back up in a list, jump to the next or previous office or question, and jump directly to the end of voting. Write-in votes, of course, require typing the desired name.

6. The remote possibility of a computer failure, even in the middle of writing a file, is handled by storing all vote counts and write-ins in three identical files. Constant comparisons make sure that the program will stop if there is a mismatch. If a failure of any type occurs, voting can be resumed with a fresh diskette in another computer. (The software does not allow restarting with a used diskette, or any diskette that does not have zeroes in all the vote counters.)

The best hardware and software in the world cannot completely prevent voting fraud, but they can make it much more difficult. Proper procedures help SAVIOC achieve much of its security by hiding nothing:

1. Multiple identical copies of the ballot diskette are provided to each precinct. As the polls are opened, a diskette is selected by a clearly random process to become the "official" diskette for each voting station at the precinct, and the chosen diskette (write-protected) is used to boot up the computer. The rest of the diskettes are distributed to the minority party, the press and even the public. Anyone can check that the starting ballot information is correct. Even the software can be validated bit-for-bit using a special verification program (SAVerify) also available on the web site.
During the start-up process, exact replicas of the "official" diskette can be made and distributed for additional confirmation.

2. As a voting station is turned on, computer-literate observers can assure that it boots from the diskette, and not from the hard drive. (It's generally not necessary, but for extreme security, disconnect power to all hard drives of any computer used as a voting station.)

3. Officials should use the indicator lights on the "Permission Box" to confirm proper operation. One light indicates when voting is in progress. If any voter starts to leave while that light is still flashing, officials should instruct the voter to complete the ballot. The other light confirms that the Permission Box is connected and powered. For even better supervision, turn the monitor toward the officials between voters (and toward a wall while a voter is using it).

4. When the polls close, officials can attach an ASCII printer to the parallel port and print out as many paper copies of the results as desired, while the master diskette still is sealed into the computer.

5. Before turning off the voting computer, officials can generate as many copies of the final master diskette as desired, for distribution to the minority party, the press and others. Anyone can check that the program and starting ballot remained unchanged, and that the officially-reported results match those on the diskette. (Where there is concern about releasing results too early, diskettes and printouts can be sealed into tamper-proof bags for later distribution.)

6. The verification program (SAVerify) can be used to assure that all copies of the final results generate the same fingerprint on multiple computers. Paper copies of that fingerprint code (an 8x5 array of characters) can be signed by all interested parties to eliminate arguments about which diskette was modified, in case of a later mismatch.

Virtually all of the concepts embodied in SAVIOC are the product of one person, who is not omniscient. Occasionally new information is discovered or different viewpoints are encountered that influence the design. For instance, a town in Connecticut once had 135 candidates for 88 council seats. They were forced to resort to paper ballots because their voting equipment could not be set up for such a ballot. A ballot like that would cause problems for almost any 2001 voting system, but SAVIOC was redesigned to handle it. (As a result, the California recall election would have been no problem for SAVIOC.) Another redesign was undertaken when it was discovered that in Washington, D.C., voting for a presidential candidate must be coupled with voting for a set of electors for that candidate. SAVIOC now can handle that special situation, too. The ability to accommodate blind voters is an even more recent addition. Improvements continue.

We welcome examples of "difficult" ballots, questions about how SAVIOC works (or why it works the way it does), examples of special situations it might not handle now, and suggestions for improvement.