The Kentucky officials are accused of taking advantage of a somewhat
confusing aspect of the way the iVotronic interface was implemented.
In particular, the behavior (as described in the indictment)
of the version of the iVotronic used in Clay County
apparently differs a bit from the behavior described in ES&S's standard
<a href="http://www.essvote.com/HTML/docs/iVotronic.pdf">instruction sheet
for voters [pdf - see page 2]</a>.
A <a href="http://www.essvote.com/HTML/iVotronicDemo1/demo.html">flash-based
iVotronic demo available from ES&S here</a> shows the same
procedure, with the VOTE button as the last step. But evidently
there's another version of the iVotronic
interface in which
pressing the VOTE button is only the <em>second to last</em> step. In
those machines, pressing VOTE invokes an extra "confirmation" screen.
The vote is only actually finalized after a "confirm vote" box is touched
on that screen. (A different flash demo that shows this behavior with the
version of the iVotronic equipped with a printer is available from ES&S
So the iVotronic VOTE button doesn't necessarily work the way a
voter who read the standard instructions might expect it to.
The indictment describes a conspiracy to exploit this ambiguity in
the iVotronic user interface by having pollworkers systematically
(and incorrectly) tell voters that pressing
the VOTE button is the last step. When a misled voter would leave the
machine with the extra "confirm vote" screen still displayed, a pollworker
would quietly "correct" the not-yet-finalized ballot before casting it.
It's a pretty elegant attack, exploiting
little more than a poorly designed, ambiguous user interface, printed
instructions that conflict with actual machine behavior, and public
unfamiliarity with equipment that most citizens use at most once or twice
each year. And once done,
it leaves behind little forensic evidence to expose the deed.
J. Eric "jet" Townsend, CMU Master of Tangible Interaction Design '09