Besides the issues with what software the machine is actually running, most people cannot comprehend or understand that software - even if it is open source. That is not acceptable for an open democratic society, or to sustaining it.
In this particular situation it should not be necessary to rely on an expert to explain whether the vote counting mechanism is reliable. This only adds to the problem of unreliable or scheming officials - it doesn't improve anything in terms of transparency.
On the other hand, with direct democracy, the stakes are lower for each vote. So there is less incentive to manipulate the vote. So it makes sense to use e-voting for direct democracy.
In the end the voting mechanism in democracy is not really about precision, it's more about getting an acceptable outcome for all the parties.
It's like an ecosystem. The more homogeneous the system, the more vulnerable we become to a single virus (or hacker).
So why bother with secrecy in the first place?
Yes, it does, it just scales less well than electronic/internet voting. Each voting method (and arguably, voting system) has its + and -, but paper voting has the most important benefit. Specifically, the most important one is that whilst counting we have the benefit of many eyes watching over (one of the things NSA improved post-Snowden). I know this first hand as I have participated as a vote counter in the 2017 Dutch election on March 15 (can recommend volunteering for the educational experience and ability to observe alone, plus it can be seen as a civil duty). Our team consisted of approx 8 or 9 volunteers. How many people audit the source code? The patches? The build process? The hardware? Are those random people? Are computer experts biased? You don't need to be intelligent or even familiar with computers to count paper votes. You do have to be a computer expert [2] to audit the software or hardware.
> You can't make people vote everyday for example, which is required if you'd like to implement direct democracy.
I'd rather have authentic results for a few elections than have many elections with a higher potential of being bogus.
We should also not neglect that a direct democracy can be dangerously manipulated in times of fake news. The same is true with 2 or 3 elections every 4 years, but the vulnerable choke points are higher in a direct democracy.
Finally, a disadvantage is that you got so many elections that people are tired of elections. I don't know the scientific name for this phenomenon but I know an analogy: visit a supermarket and have a look at all the brands for product X where X can be peanut butter, ice cream, or beer. Result: brand loyalty. So people are gonna vote e.g. 'peanut butter' (I don't wanna name a realistic example to avoid reader assuming I'm partisan) in each of those direct democracy elections w/o looking further. Do not want!
There's an adage in computerland: "if it ain't broken, don't fix it". Paper voting isn't broken, it has a proven track record.
PS: For anyone who is interested in the history of voting security and the risks of electronic & internet voting I can recommend the course "Securing Digital Democracy" by J. Alex Halderman (one of the researchers in the Diebold affair some 15 years ago) on Coursera [1].
[1] https://www.coursera.org/learn/digital-democracy
[2] Not sure on a better term here. Computer expert is an inaccurate global term; what is required is a rather specific skillset. Perhaps programmer or hardware hacker is more accurate. But even then programmer doesn't tell us about which programming languages are mastered, and hardware hacker is equally vague. You get the gist.
You can throw cryptographic verification on top of that if you like.
Paper doesn't matter if it isn't being counted. Spotting irregularity in voting results might be possible with statistical methods but how often were votes really recounted?
If the actual votes are printed, how do you make sure no one can prove their vote to third parties and so be paid for it?
Having a merkle tree and voting from your device instead of a polling station is not just more convenient - it's more secure too. Everyone can verify their vote was counted!!
And right now? Right now we have a government database of who voted for what. That's crazy.
With electronic voting, I can't be sure my vote got counted, and even less sure others weren't tampered with.
I'm not sure why you would do it in a non-corrupt country though.
We have a secure, provable, relatively cheap method right now: Paper ballots and public observers at elections. Compared to the stakes the cost is peanuts.
How can you know that even if the source code for the voting machine is open, the voting machine is running the exact same source code? How can you know nobody has tampered with the code the instance is running?
I'm glad my country is still running on paper ballots and glad we require voter ID.
Transparent voting boxes, ballots in envelopes, manual redundant counting done by people, usually voters who were nicely asked whether they could come back and help in the evening. That's what we use in France; you get the official result a few hours after the closing of the voting stations.
The whole process is watchable, from the sealing of the box in the morning to the count in the end, and parties send observers to random stations to check nothing fishy happens. An official log book is open for anyone to notice if they feel something fishy happened (you were not allowed to vote, the counting was unfair, etc...)
Oh, and make voting day a holiday, or just put it on Sundays.
I used to wonder how the US could not even get that last part right, but then I understood that a whole party thinks it is in its interest to have fewer voters.
Sums it up.
Historical reasons: http://www.whytuesday.org/answer/
In my district we vote by coloring in little circles with a #2 pencil, we then feed that directly into an electronic machine that tallies the results for my district. While the paper I handled is stored in the machine, I am sure that the results are transmitted to the next link in the chain through some computer system.
With so many links in the chain, it's my opinion that it's unreasonable to expect them all to be processed by people. It won't scale and I'm not convinced that it's that much safer anyway. It would be my preference that the pieces of the system that perform this processing are backed with open source software.
At the very least, if there is a case where tampering is suspected, officials of the court can compare the software on the machine with the software in the repository. This would prove in a clear and straightforward manner that tampering has occurred.
As painful as it is, I think we all need to trust the state, to some degree, to do the jobs that are the responsibility of the state. Once the votes have been tallied for a district, isn't it possible to tamper with them as they are transmitted up the chain to the next link in the processing? Or when regions of the state send their votes up to whatever the next link might be? I think that is possible, the best we can hope for is to push for as much transparency as possible and hope that, if it comes to it, we have enough data to detect such tampering.
I think the main argument for physical voting is that it's much safer precisely because it doesn't scale well - and so attacks against it don't scale well either. The manpower requirements buy you security.
> As painful as it is, I think we all need to trust the state, to some degree, to do the jobs that are the responsibility of the state.
I agree, but I think it does not apply to elections - simply because it's the one place where both the ruling party and competing groups have very strong incentives to mess with the process.
> Once the votes have been tallied for a district, isn't it possible to tamper with them as they are transmitted up the chain to the next link in the processing?
Yes, but again, the argument goes, the less scalable and more manpower-intensive the whole process is, the more difficult it is to hack.
> I think that is possible, the best we can hope for is to push for as much transparency as possible and hope that, if it comes to it, we have enough data to detect such tampering.
I agree with the call for transparency, but I also agree with the people who point out that inserting electronic systems destroys that transparency (too easy to hack, too complex for general population to inspect).
A paper ballot system where local volunteers from the district count the votes at the polls in a manner that can be observed would absolutely work for the US. It would be pretty easy to just write down what the volunteers counted and then check later whether that matched up with the nationally posted numbers. No long chain to decipher, no obscure software to worry about. And, as a bonus, there are places where this is already done this way, so really nothing needs to change policy wise (other than eliminating the other methods).
With your system I can cast doubt on the entire chain, and there is no problem because you can remove all doubt by taking those paper ballots and counting them all by hand. With several hundred million ballots to count it is obviously expensive (in man-hours), but you can see how to verify the counts. Note that the above verification is something your average idiot with no knowledge of computers can understand and trust.
There exist systems that are all electronic: the voter pushes a button (on a touch screen) and from there on we only have the count. As a programmer I can think of many ways I can make the voting system change a few votes and there is no way to know that the machine's count is wrong.
Part of what makes this hard is that anonymous votes are important. There are cases in history where someone was forced (with a gun) to vote for someone they probably wouldn't have voted for otherwise. We have solved this problem by having watchers at the polls (from all sides) ensure that nothing funny happens at the polls, and once you leave the booth nobody has any way to know who you voted for.
The above is why I think absentee voting needs to be restricted to those who physically cannot get to the polls on voting day (I'm fine with a voting week or month).
I've worked with the New York City Board of Elections [1]. We have what I consider to be best in class: electronically-scanned paper ballots.
When a voter walks in, their name is checked against the rolls and the stub number on the blank ballot they're given is recorded. The voter marks the ballot in confidence and then inserts it, themselves, into an optical scanner. The scanner increments a "public count" by one and drops the ballot into a locked box.
At the end of the day, the public count is compared to the count at the beginning of the day. (These counts are publicly recorded for each machine and do not increment down over the life of the machine.) The aggregate votes to each candidate are then printed to a tape and posted publicly.
The machine also uploads these data to a USB drive, which is taken to a computer at the poll site for electronic transmission to the Board. Before transmission, anyone may compare those numbers to the tape or public count. (The scanner workers have to certify the electronic transmission before it's sent.) The NYPD then collects the machines, paper ballots and tapes.
Throughout the day, anyone may see the public count at each scanner. At the end of the day, anyone may review the publicly-posted tapes. Stub numbers for the paper ballots issued and public counts recorded are reconciled, with multiple poll workers certifying the reconciliation.
It's a messy system, but it's robust. The public count means you'd have to compromise everybody at a poll site to add or destroy ballots. (Or, you'd have to predict who won't vote and manually commit fraud.) To tamper with the votes, you'd have to compromise machines before they print their tapes. You'd then have to hope the Board's random audits don't attempt to reconcile the paper ballots with the compromised tapes.
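The process above produces several independent records (pollbook stub numbers, per-scanner public counts, printed tapes, transmitted results) that should all agree. The following is an added illustration, not code from the thread or from the Board of Elections, of the reconciliation as a check over those records; the record layout, the `spoiled_ballots` field and all sample numbers are constructed assumptions, and the tampered site alters only the uploaded numbers after the tape was printed, which is exactly the discrepancy the public tape lets anyone catch.

```python
# Added illustration, not from the thread: a reconciliation check over the
# independent records a poll site produces. All sample data is constructed.
from dataclasses import dataclass


@dataclass
class ScannerRecord:
    scanner_id: str
    public_count_start: int      # public counter reading at opening
    public_count_end: int        # public counter reading at closing
    tape_tally: dict             # candidate -> votes on the printed tape
    transmitted_tally: dict      # candidate -> votes uploaded to the Board


@dataclass
class PollSite:
    site_id: str
    stubs_issued: list           # stub numbers recorded when ballots were handed out
    spoiled_ballots: int         # ballots voided/returned instead of scanned (assumed field)
    scanners: list


def reconcile(site: PollSite) -> list:
    """Return a list of discrepancies; an empty list means the site reconciles."""
    problems = []
    ballots_scanned = 0
    for s in site.scanners:
        scanned = s.public_count_end - s.public_count_start
        if scanned < 0:
            problems.append(f"{s.scanner_id}: public count decreased during the day")
        ballots_scanned += scanned
        tape_total = sum(s.tape_tally.values())
        if tape_total != scanned:
            problems.append(f"{s.scanner_id}: tape total {tape_total} != public count delta {scanned}")
        if s.transmitted_tally != s.tape_tally:
            problems.append(f"{s.scanner_id}: transmitted tally differs from printed tape")
    if len(set(site.stubs_issued)) != len(site.stubs_issued):
        problems.append(f"{site.site_id}: duplicate stub numbers in pollbook")
    expected = len(site.stubs_issued) - site.spoiled_ballots
    if expected != ballots_scanned:
        problems.append(f"{site.site_id}: {expected} ballots issued (net of spoiled) but {ballots_scanned} scanned")
    return problems


# Constructed sample: 12 stubs issued, 1 spoiled, 11 scanned across two scanners.
CLEAN_SITE = PollSite(
    site_id="site-A",
    stubs_issued=list(range(1001, 1013)),
    spoiled_ballots=1,
    scanners=[
        ScannerRecord("A-1", 40_000, 40_006, {"X": 4, "Y": 2}, {"X": 4, "Y": 2}),
        ScannerRecord("A-2", 52_310, 52_315, {"X": 2, "Y": 3}, {"X": 2, "Y": 3}),
    ],
)

# Same paper and tapes, but the uploaded numbers for B-2 were altered after printing.
TAMPERED_SITE = PollSite(
    site_id="site-B",
    stubs_issued=list(range(1001, 1013)),
    spoiled_ballots=1,
    scanners=[
        ScannerRecord("B-1", 40_000, 40_006, {"X": 4, "Y": 2}, {"X": 4, "Y": 2}),
        ScannerRecord("B-2", 52_310, 52_315, {"X": 2, "Y": 3}, {"X": 4, "Y": 1}),
    ],
)

if __name__ == "__main__":
    for site in (CLEAN_SITE, TAMPERED_SITE):
        print(site.site_id, reconcile(site) or "reconciles")
```

Each check compares two records produced by different parties or different mechanisms, so an attacker has to alter all of them consistently; the random paper recount the comment mentions is the one remaining check this code cannot do, because the paper is the system of record.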
How can you be sure about that?
> With so many links in the chain, it's my opinion that it's unreasonable to expect them all to be processed by people. It won't scale and I'm not convinced that it's that much safer anyway.
The point is that if you are not convinced, you can go and observe the process. The point is to remove as much trust as possible. The point is not to just have some human in the loop, but to make sure that people who distrust each other can personally make sure that the correct procedure is being followed.
> It would be my preference that the pieces of the system that perform this processing are backed with open source software.
The problem is that you have no way to verify that what is actually processing your vote is the open source software that you hope it is.
See also Ken Thompson's classic "reflections on trusting trust":
https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thomp...
> At the very least, if there is a case where tampering is suspected, officials of the court can compare the software on the machine with the software in the repository.
No, they can't. The only way to check what software is running on the computer is to use software that is running on the computer, which is thus also suspect. That is, short of decapping each and every chip in the one computer that you are trying to check and extracting all the circuitry and all storage bits in it.
> As painful as it is, I think we all need to trust the state, to some degree, to do the jobs that are the responsibility of the state.
But ensuring trustworthiness of elections is not one of those. Elections are the anchor that all the other trust that we put into democratically elected governments is anchored at, it's the one lever that we have to remove governments that turn out to not be trustworthy. You cannot trust the government to remove itself in case you want to have it replaced.
> Once the votes have been tallied for a district, isn't it possible to tamper with them as they are transmitted up the chain to the next link in the processing?
If the election is run properly: No.
Representatives from each party will be observing the election process at every polling station, and the general public can usually also observe if they wish to, from opening until the votes are counted. Also, election results should generally be published broken down by polling station, so each of the observers can check that what they observed at their polling station actually matched what went into the total.
There is absolutely no place for trust in elections.
We need a high-profile hack of some local elections to drive that point home. Something done completely for teh lulz, leading to a result so absurd the elections would have to be redone.
I would not risk it for a million, I will certainly not risk it for the lulz. Plus, in most cases, it involves (laughably weak) physical security. I am less confident on how to hide my tracks there and I suppose many would-be hackers feel the same.
In fact, the media is already trying to CYA, and the state is already trying to expand control, by claiming that such a hack was perpetrated by a nation-state in the 2016 election, and that that's why they were so egregiously wrong in everything they said about Clinton/Trump in the preceding 18 months.
Or is the processor trustworthy? Many voting machines are using old processors, such as the 68000, and it would not be too hard to emulate a rogue processor that will have a different behavior, whatever the source code is.
You can also change the behavior of the voting machine at a certain time, or in certain conditions (such as detecting a voting session has started).
The problem is not that voting machines are vulnerable to one or two attacks. There are thousands of ways of compromising them.
The only answer to this is that cryptography specialists do not have any answer to a secure electronic voting not involving a physical element (a bulletin, a receipt, etc.). This means that there is no THEORETICAL solution.
https://en.wikipedia.org/wiki/End-to-end_auditable_voting_sy...
Sadly, as far as I know, none is without issues (older systems were found to have various problems, and newer stuff is still bleeding edge that wasn't yet reviewed thoroughly).
Way too many factors...
How would you know the shell itself, running on the machine you're trying to verify, isn't lying to you?
It's just a former CIA Director signing the op-ed. It's not like they have a collection of zero-days and other exploits is it?
The more you allow people to vote from their homes, the more likely it is that people can be coerced into voting the way their partner, employer, or otherwise, want them to.
For me it's important that the barrier to voting is as low as possible, and we don't have a government issued ID that is free.
That being said, from time to time articles show up about someone who claimed to have invented a viable solution. So we should not diss the idea and keep an open mind. Eventually someone will find a solution.
First define the problem.
I demand the Australian Ballot: private voting, public counting.
After studying this extensively, I believe there is no way to digitize elections and preserve the Australian Ballot. Because there is no digital equivalent of the physical secure one-way hash (shuffle) of dropping ballots into a box.
Any crypto- blocko- based system has to design for the whole election. Not just the voting. Including pollbooks, which record when ballots are issued to voters. Including precinct-based election counts, because every single precinct gets a different ballot (say 500 voters).
Maybe someone will prove me wrong. Cool. Then show me. The burden of proof is on them, not me. Otherwise, stop wasting everyone's time with technophilia sideshows. We've got real democracy with real work to do.
---
Alternately, any proposal has to replace the Australian Ballot with something new. Some ideas which would simplify the problem space:
- replace winner takes all with Approval Voting;
- issue separate ballots for federal, state, county, and local elections;
- decide that time-boxed privacy, where the secret ballot is preserved until an election is certified and then made public, is sufficient;
- supplant our current loose voter ID regimen with some kinda U2F futuretech.
That doesn't handle auditing the machines themselves, but as the 2016 US presidential election recount found in Wisconsin, the tamper-evident machines showed evidence of tampering, so maybe we're closer to knowing whether the trusted systems we use to count votes are trustworthy.
Of course, the current machines are still Diebold ("Premier Election Solutions"), so who knows. Ken Blackwell will make sure only the right folks vote, anyway, just like he did in 2008.
Mapping, voter files, candidate filings, canvassing reports, ballot artwork, translations, ballot tracking, etc.
All of it should be open source. The way it used to be. Before the vendors smelled blood. (Especially after HAVA.)
I traveled my state advocating "citizen owned software". Everyone gets that phrasing. Overwhelming support.
To say a machine hasn't been hacked is trying to prove a negative.
So yeah. Doesn't really matter whether it's electronic or not.
In the USA, average precincts are 500 voters. Totally doable. In fact, that's how many jurisdictions did it.
What we need is a zero-knowledge proof: we need the entire voting dataset to be publicly downloadable and some kind of checksumming so that, while maintaining anonymity, I can 1) check that my vote is the same 2) run the whole counting in a blink on my PC.
This gives much better guarantees of no tampering.
3) Users should not be able to prove to another person who they voted for
This is to prevent people from using threats of violence or promise of reward to coerce others into voting a certain way.
Unfortunately, this requirement is very hard to fulfil while also fulfilling requirement 1.
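To make the tension between requirement 1 and requirement 3 concrete, here is an added example (not code from anyone in the thread) of the Merkle-tree style verification suggested earlier: each cast ballot becomes a leaf hash of a random nonce and the choice, the root is published, and the voter's receipt (leaf index plus nonce) lets them prove their ballot is under the root. The leaf format, the receipt layout and the sample ballots are my constructed assumptions. The same check that satisfies requirement 1 is exactly what a third party holding the receipt would run, which is the conflict with requirement 3.

```python
# Added illustration, not from the thread: Merkle inclusion proofs for ballots,
# showing that a receipt which verifies "my vote is in the tally" also lets anyone
# holding it verify *what* the vote was. All sample data is constructed.
import hashlib
import secrets
from collections import Counter


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(nonce: bytes, choice: str) -> bytes:
    # Domain-separated leaf; the nonce keeps identical choices from producing identical leaves.
    return _h(b"\x00" + nonce + choice.encode())


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


def build_tree(leaves):
    """Levels from the leaves up to the root; an odd-length level duplicates its last node."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def inclusion_proof(levels, index: int):
    """Sibling hashes from leaf to root, each tagged with whether the sibling sits on the right."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        proof.append((level[index ^ 1], index % 2 == 0))
        index //= 2
    return proof


def verify_inclusion(leaf: bytes, proof, root: bytes) -> bool:
    cur = leaf
    for sibling, sibling_is_right in proof:
        cur = node_hash(cur, sibling) if sibling_is_right else node_hash(sibling, cur)
    return cur == root


def run_election(choices):
    """Constructed election: one leaf per cast ballot. Returns (root, levels, receipts, tally)."""
    receipts, leaves = [], []
    for i, choice in enumerate(choices):
        nonce = secrets.token_bytes(16)       # assumed receipt: (leaf index, nonce)
        receipts.append((i, nonce))
        leaves.append(leaf_hash(nonce, choice))
    levels = build_tree(leaves)
    return levels[-1][0], levels, receipts, Counter(choices)


def voter_checks_vote(root, levels, receipt, choice) -> bool:
    """Requirement 1: the voter confirms that their own ballot is under the published root."""
    index, nonce = receipt
    return verify_inclusion(leaf_hash(nonce, choice), inclusion_proof(levels, index), root)


def coercer_checks_vote(root, levels, receipt, demanded_choice) -> bool:
    """Requirement 3 problem: anyone the voter shows the receipt to can run the identical check."""
    return voter_checks_vote(root, levels, receipt, demanded_choice)


if __name__ == "__main__":
    root, levels, receipts, tally = run_election(["X", "Y", "X", "X", "Y"])
    print("tally:", dict(tally))
    print("voter 0 verifies X:", voter_checks_vote(root, levels, receipts[0], "X"))
    print("third party verifies voter 0 chose X:", coercer_checks_vote(root, levels, receipts[0], "X"))
```

The inclusion proof is the standard logarithmic Merkle path; the point for this thread is not the tree but the receipt: whatever lets the voter distinguish "my vote for X is in" from "my vote for Y is in" is a transferable proof of how they voted, which is why receipt-free designs have to break that link by other means.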
Verifying your vote is in the sum, and tallied, is not good enough if the result is swamped with, or more craftily, the balance just tipped by fake votes.
I have no idea how you would implement that.
Second, never allow paper ballots to be handled by just one person, or by only members of one party - whether blank or used. Require that members of at least two political parties be present any time the ballots are physically touched.
Third, if using machines to read the ballots (ScanTron, etc), conduct spot counts of random machines, to make sure the machine results match the paper ballots. Conduct spot counts of entire polling stations randomly to make sure result totals match voter roll totals. Although this isn't 100% certain, it doesn't take a lot of spot checks to detect any sort of large-scale fraud effort.
Do these things, and it's exceedingly difficult to do statistically meaningful vote fraud, because we have a high degree of trust in the paper ballots and their surrounding process. From there, you can use automatic ballot reading and tallying to get fast results - the vote counting/tallying automation is derived data, not the System of Record.
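The "it doesn't take a lot of spot checks" claim can be made precise. Below is an added worked calculation (not from the thread) of the probability that k randomly chosen precinct spot counts hit at least one of m precincts whose machine tally was altered, out of N; the numbers N, m and k are constructed. It also shows the caveat raised later in the thread, that fraud need not scale: a single altered precinct in a thousand is caught by 60 random spot counts only 6% of the time.

```python
# Added illustration, not from the thread: how many random precinct spot counts
# are needed to catch altered machine tallies. Parameters are constructed.
from math import comb


def detection_probability(precincts: int, tampered: int, checks: int) -> float:
    """Probability that at least one of `tampered` precincts is among `checks`
    precincts drawn uniformly without replacement from `precincts`:
    1 - C(N - m, k) / C(N, k)."""
    if tampered <= 0 or checks <= 0:
        return 0.0
    if checks > precincts - tampered:
        return 1.0          # more checks than untampered precincts: a hit is certain
    return 1.0 - comb(precincts - tampered, checks) / comb(precincts, checks)


def checks_needed(precincts: int, tampered: int, confidence: float) -> int:
    """Smallest number of random spot counts that reaches `confidence` of
    catching at least one of `tampered` altered precincts."""
    for k in range(precincts + 1):
        if detection_probability(precincts, tampered, k) >= confidence:
            return k
    return precincts


if __name__ == "__main__":
    N = 1000
    for m in (1, 5, 50):
        p = detection_probability(N, m, 60)
        print(f"{m:3d} altered of {N}: 60 spot counts detect with p={p:.3f}; "
              f"95% confidence needs {checks_needed(N, m, 0.95)} checks")
```

With 5% of precincts altered, 60 spot counts (6% of precincts) already give better than 95% detection, which is the large-scale case the comment has in mind; with one altered precinct the same budget is nearly useless, which is why audits that matter tie the sample size to the reported margin rather than to a fixed count.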
There are probably less than a hundred people in the world who can understand an electronic voting system at every level down to and including the silicon.
Paper ballots (the kind with marks read optically, not the ridiculous punch cards at the center of the Florida 2000 debacle) are easy to use and understand with a very low error rate and keep a paper trail, being the actual ballots.
I don't understand why anyone other than the companies who sell e-voting machines actually want electronic voting.
They want certainty more than anything else. For decades, computers were regarded as more accurate, impartial, certain than human tabulators.
Second factor is appropriations. Elections are big money. And like all industries, there's a revolving door between government and industry.
Admins also want control. Their impulse is to centralize, simplify. Think of the logistics of running 100s of voting sites, 1,000s of precincts. All the training, people, materials, gear that has to be stored, shuttled around, repaired, etc. Moving to voting computers, reducing head count, moving to central count seemed like a huge win. (But you and I, computer people, know they just traded problems.)
With paper ballots how do we guarantee those with a right to vote who cannot travel to a secure voting location have the ability to do so?
ID requirements are frequently used in order to deny voting to people who are poor or otherwise find it difficult to get particular documents.
Very hard to defraud if you are in, purely for example, Russia.
Voting software is bound to fail, no bug bounty is big enough to offset the billions that could be made off of hacking an election. It is bound to fail spectacularly, and then for the rest of time people can point at the election and say "the ability to see the source code let this happen."
I'd much prefer electronic to paper. Last year I voted on 24 initiatives, and that is just the federal level. It also does not include elections.
How it will work: A person gets this device in the voting center, enters/gets his voter ID, does the voting (anonymously), presses the read-only lock and throws it into the bin. After all the voting these devices are scanned and voting data is retrieved. A voting database is populated in each center in a transparent way, to prevent tampering (several parties can be allowed to read this data separately and then all data variants can be compared against each other, just in case). After consensus on the voting data, each voting center sends the results for counting. And the voting is completed.
In the end, these devices are reset and the cycle continues.
Well, I'm sure that there must be some problems when voting the aforementioned way. But I guess it could work out, with some modifications.
EDIT: Grammar.
By our observations electronic voting added several layers of complexity that are difficult to justify.
Obviously everything could have fancy UIs created for end users so they don't see that all they really have is a JWT (maybe a QR code printed out when they vote? And all the info easily human readable?). Verification could be handled by a .gov address and also through manual use of the public key (so other services could be set up to verify votes as well). And internet connectivity wouldn't be a problem as they could just require T1 lines at polling locations (I assume if phones went out across the country the election would be delayed regardless). You could likely tell if someone had stolen the private key (the only way I can think of breaking this system), if you have a service to verify someone's vote, and it doesn't show up there, even though you have a signed JWT containing your vote. That would prove someone had stolen the private key, allowing for a makeup election.
Am I missing something basic of how this would be hackable? I'm one of those who finds it odd that many elections around the world are susceptible to simple human mistakes/purposeful malicious actions when it comes to counting ballots.
Granted what is publicly known, its not working is a very likely outcome, but nobody will ever be able to contest it.
How can you be sure the financial system you use is working?
>nobody will ever be able to contest it.
See blockchain. If everyone has a copy of the vote registry, then they can contest it if things don't match up.
For other systems, a disruption is just inconvenient for most people. Like if I can't use my credit card for a day, I don't care (of course this may be of more consequence for some people). Same thing with a power outage (and people that need it can have a backup for grid power; how do you have a backup for legitimate governance?).
Would there not be far more immediate and direct inconvenience if no one could use their credit cards for a day, than if they couldn't vote for a day? (Assuming the following day both systems were back up and running) What is so inconvenient about having to wait an extra day to cast a vote on who your senator will be for the coming years versus being able to buy food or medicine?
To protect voting, do NOT use software. At all. Open-Source software is no more trustable than paper, and is orders of magnitude more complex to set up and audit. If you can't explain to a 5-year-old how it works, your voting approach is not trustable.
1. You don't need to commit widespread election fraud to throw an election if you can predict where a small fraud will matter.
2. Not all election fraud is a miscount of ballots. Throwing out minorities' registrations is also election fraud, and you can't fight that with more-reliable ballots.
3. The best solution might not be a technology solution. Paper ballots make it hard to scale fraud. But that's not enough, since fraud doesn't always need to scale.
4. Early voting and absentee voting need to be taken into consideration and are a growing part of voting in the US.
5. If software systems are used in voting, tallying, or anything connected to election results, the systems should be open to inspection and to pen testing.
2. Because the average voter cannot possibly understand and verify the security properties of that setup.
NB: this is not an indication of which side I fall on the debate, it is an observation.
[EDIT] Also, I'm aware similar issues exist with a website, but it seems a lot of focus goes on the actual machine.
Verifying actual real identity over the internet is impossible. Even if you did webcam-based biometric authentication of identity - these are fooled by a photograph. Going to a polling station and verifying your identity to a human being is much harder to fake, and almost impossible to scale.
The web is an untrustworthy delivery mechanism. What if a nation state wants to disrupt your election, and starts DDoSing the hell out of it all? Protecting against such attacks at that scale would be extremely difficult.
Also on the topic of state-level disruption, it is well known that orgs such as GCHQ, the NSA etc. hoard zero-days. How do you know your extensively tested system isn't vulnerable to a zero-day that another state has and you don't?
When I created my government account I provided passport and driving licence numbers on top of the above.
I feel this invalidates your veracity point, and probably the scaling point too?
The second and third points seem more viable and are potential issues. Especially the third, this would be the main concern IMO. Though I'm sure there are protections against this too (thinking virtually distributed).
Why did anyone ever think computerising voting was a good or useful idea?
It isn't even definitively known who invented blockchain, it is behind the pyramid scheme known as bitcoin and no, no way should that ever be used in voting system computers.
Things like land ownership are vulnerable to manipulation. We don't think about it much in the west because our governments don't change the name of the owner of your house for money, but it's a real problem in corrupt countries.
It's also a major problem in shipping, where ownership of containers is handled with paper forms that, because of corruption, cost more than shipping the actual container itself, and containers still get claimed with faked forms.
Know what Mærsk did to secure the container contracts? They used the block chain.
Much like container forms or land contracts, paper votes are only safe if your system isn't corrupt. With the block chain you could remove the need of relying on the system to be honest because everyone would be able to read the record.
Right now you rely on independent observers, and I hate to tell you this, but we've been unable to influence elections in corrupt countries so far.
When Putin wins with 900% of the votes in regions that hate him you can say that it seems unlikely, if they'd used block chain you would be able to see that it was a lie.
It could come in useful, e.g., for keeping census data to avoid some forms of fraud. E.g. prevent rogue organizers loading elections with "dead souls" voters (Gogol-style). But I don't see any immediate use for elections themselves.
Say, the blocks would store anonymized votes (nothing about blockchain itself implements the anonymization). One immediate issue I see is that blockchain only verifies integrity of the blocks after they're in there and out to the public, so it could be verified. Sending them too early would skew election results (observers would be able to see the intermediate results and bias their votes accordingly), and sending them too late would probably make blockchain mostly pointless.