Electronic voting is a bad idea and I'd be suspicious of anyone trying to promote it.
How can you know that even if the source code for the voting machine is open, the voting machine is running the exact same source code? How can you know nobody has tampered with the code the instance is running?
I'm glad my country is still running on paper ballots and glad we require voter ID.
Transparent voting boxes, ballots in envelopes, manual redundant counting done by people, usually voters who were nicely asked if they could come back and help in the evening. That's what we use in France; you get the official result a few hours after the closing of the voting stations.
The whole process is watchable, from the sealing of the box in the morning to the count at the end, and parties send observers to random stations to check nothing fishy happens.
An official log book is open for anyone to note if they feel something fishy happened (you were not allowed to vote, the counting was unfair, etc.).
Oh, and make voting day a holiday, or just put it on Sundays.
I used to wonder how the US could not even get that last part right, but then I understood that a whole party thinks it is in its interest to have fewer voters.
> Oh, and make voting day a holiday, or just put it on Sundays.
> I used to wonder how the US could not even get that last part right, but then I understood that a whole party thinks it is in its interest to have fewer voters.
The funniest thing is who is even eligible to be a candidate (not to mention his chances to win). And how the chosen legislation, which is the result of those elections, is far from the fairest: one approved by score voting in direct democracy.
That makes it harder to keep an eye on the voting process from A to Z, which people do in the current process. If the box containing the ballots is left alone, trust is lowered.
Seriously, is it harder to make a daily holiday and a transparent process than landing a man on the moon with tech from the 60s?
The vote processing chain is lengthy; it is inevitable that a computer system will be inserted somewhere in that chain. Right now the push is to have these systems right at the front, facing the voter, but that isn't the only time the votes are processed electronically.
In my district we vote by coloring in little circles with a #2 pencil, we then feed that directly into an electronic machine that tallies the results for my district. While the paper I handled is stored in the machine, I am sure that the results are transmitted to the next link in the chain through some computer system.
With so many links in the chain, it's my opinion that it's unreasonable to expect them all to be processed by people. It won't scale and I'm not convinced that it's that much safer anyway. It would be my preference that the pieces of the system that perform this processing are backed with open source software.
At the very least, if there is a case where tampering is suspected, officials of the court can compare the software on the machine with the software in the repository. This would prove in a clear and straightforward manner that tampering has occurred.
As painful as it is, I think we all need to trust the state, to some degree, to do the jobs that are the responsibility of the state. Once the votes have been tallied for a district, isn't it possible to tamper with them as they are transmitted up the chain to the next link in the processing? Or when regions of the state send their votes up to whatever the next link might be? I think that is possible, the best we can hope for is to push for as much transparency as possible and hope that, if it comes to it, we have enough data to detect such tampering.
> With so many links in the chain, it's my opinion that it's unreasonable to expect them all to be processed by people. It won't scale and I'm not convinced that it's that much safer anyway.
I think the main argument for physical voting is that it's much safer precisely because it doesn't scale well - and so attacks against it don't scale well either. The manpower requirements buy you security.
> As painful as it is, I think we all need to trust the state, to some degree, to do the jobs that are the responsibility of the state.
I agree, but I think it does not apply to elections - simply because it's the one place where both the ruling party and competing groups have very strong incentives to mess with the process.
> Once the votes have been tallied for a district, isn't it possible to tamper with them as they are transmitted up the chain to the next link in the processing?
Yes, but again, the argument goes, the less scalable and more manpower-intensive the whole process is, the more difficult it is to hack.
> I think that is possible, the best we can hope for is to push for as much transparency as possible and hope that, if it comes to it, we have enough data to detect such tampering.
I agree with the call for transparency, but I also agree with the people who point out that inserting electronic systems destroys that transparency (too easy to hack, too complex for general population to inspect).
>>> I also agree with the people who point out that inserting electronic systems destroys that transparency (too easy to hack, too complex for general population to inspect).
Spot on. Democratic process means "owned by people". So the voting system must be able to be run in the hands of the people. Hence the necessity to have it in the form of a simple technology such as pen/paper.
Moreover, having the votes counted in some hours instead of a night doesn't make a big difference, considering the time that is needed for example, to form a government once the vote is closed.
I love computers, but they're not the right tool for this job. It's not much different from free software: the problem here is political rather than technical.
> having the votes counted in some hours instead of a night doesn't make a big difference, considering the time that is needed for example, to form a government
Yeah, in the US it takes 2 months to get the new President actually into the White House, no matter how quickly votes are counted. They can easily spare a day or two to count everything three times over; the country will not go to the dogs in the meanwhile.
Ironically, timings are much more imperative in Europe, where electronic voting is less popular. Maybe because multi-party governments often require weeks of haggling, so a few extra hours counting votes are not particularly important.
And we didn't know the result of the 2000 election until December (when Bush v Gore was decided) so the country isn't going to descend into anarchy if counting takes an orderly couple of days.
Your entire premise is based on there being a long complicated chain, which I think is a bit of a red herring. Voting happens in districts. The totals for those districts are already posted publicly. There's no need to validate the entire chain when the lowest level is already open and free to be audited by anyone. Additionally, for the districts I'm familiar with, polls are staffed by volunteers and anyone is free to stand around and watch the whole process.
A paper ballot system where local volunteers from the district count the votes at the polls in a manner that can be observed would absolutely work for the US. It would be pretty easy to just write down what the volunteers counted and then check later whether that matched up with the nationally posted numbers. No long chain to decipher, no obscure software to worry about. And, as a bonus, there are places where this is already done this way, so really nothing needs to change policy-wise (other than eliminating the other methods).
Electronics isn't a problem. The problem is electronics that you cannot personally verify. Every step can be electronic and things can be just fine. However, if someone decides to cast doubt on any point in the chain, it needs to be possible to verify that that link actually was done correctly.
With your system I can cast doubt on the entire chain, and there is no problem because you can remove all doubt by taking those paper ballots and counting them all by hand. With several hundred million ballots to count it is obviously expensive (in man-hours), but you can see how to verify the counts. Note that the above verification is something your average idiot with no knowledge of computers can understand and trust.
There exist systems that are all electronic: the voter pushes a button (on a touch screen) and from there on we only have the count. As a programmer I can think of many ways I can make the voting system change a few votes and there is no way to know that the machine's count is wrong.
Part of what makes this hard is that anonymous votes are important. There are cases in history where someone was forced (with a gun) to vote for someone they probably wouldn't have voted for otherwise. We have solved this problem by having watchers at the polls (from all sides) ensure that nothing funny happens at the polls, and once you leave the booth nobody has any way to know who you voted for.
The above is why I think absentee voting needs to be restricted to those who physically cannot get to the polls on voting day (I'm fine with a voting week or month).
> While the paper I handled is stored in the machine, I am sure that the results are transmitted to the next link in the chain through some computer system
I've worked with the New York City Board of Elections [1]. We have what I consider to be best in class: electronically-scanned paper ballots.
When a voter walks in, their name is checked against the rolls and the stub number on the blank ballot they're given is recorded. The voter marks the ballot in confidence and then inserts it, themselves, into an optical scanner. The scanner increments a "public count" by one and drops the ballot into a locked box.
At the end of the day, the public count is compared to the count at the beginning of the day. (These counts are publicly recorded for each machine and do not increment down over the life of the machine.) The aggregate votes to each candidate are then printed to a tape and posted publicly.
The machine also uploads these data to a USB drive, which is taken to a computer at the poll site for electronic transmission to the Board. Before transmission, anyone may compare those numbers to the tape or public count. (The scanner workers have to certify the electronic transmission before it's sent.) The NYPD then collects the machines, paper ballots and tapes.
Throughout the day, anyone may see the public count at each scanner. At the end of the day, anyone may review the publicly-posted tapes. Stub numbers for the paper ballots issued and public counts recorded are reconciled, with multiple poll workers certifying the reconciliation.
It's a messy system, but it's robust. The public count means you'd have to compromise everybody at a poll site to add or destroy ballots. (Or, you'd have to predict who won't vote and manually commit fraud.) To tamper with the votes, you'd have to compromise machines before they print their tapes. You'd then have to hope the Board's random audits don't attempt to reconcile the paper ballots with the compromised tapes.
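The reconciliation this comment describes (public count, printed tape, uploaded file and pollbook stubs all checked against each other) as an added example; it is not the Board's own code, and every record, scanner id and stub number in it is constructed. It assumes the tape covers a single contest with an explicit blank line, so the tape's lines sum to the ballots the scanner accepted.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class ScannerRecord:
    """One optical scanner: its public counter and the tape it prints."""
    scanner_id: str
    public_count_open: int            # counter reading when the site opened
    public_count_close: int           # counter reading when the site closed
    tape_totals: Dict[str, int]       # printed tape: candidate -> votes, plus "blank"
    uploaded_totals: Dict[str, int]   # what the USB drive carried for transmission


@dataclass
class PollSiteRecord:
    """One poll site: stub numbers from the pollbook plus its scanners."""
    stubs_issued: Set[int]            # stubs recorded against voters who signed in
    stubs_spoiled: Set[int]           # stubs of ballots handed back, never scanned
    scanners: List[ScannerRecord] = field(default_factory=list)


Finding = Tuple[str, str]  # (where, what disagreed)


def reconcile(site: PollSiteRecord) -> List[Finding]:
    """Cross-check independently produced records; empty list means they agree.

    Assumption (hypothetical, not the Board's rule): the tape models one
    contest with a 'blank' line, so sum(tape) == ballots the scanner accepted.
    """
    findings: List[Finding] = []
    ballots_scanned = 0
    for s in site.scanners:
        delta = s.public_count_close - s.public_count_open
        if delta < 0:
            # The public counter only ever increases over the machine's life.
            findings.append((s.scanner_id, "public count went backwards"))
            continue
        ballots_scanned += delta
        # Tape printed by the machine vs. the counter anyone could read all day.
        if sum(s.tape_totals.values()) != delta:
            findings.append((s.scanner_id, "tape total != public count delta"))
        # File certified for transmission vs. the tape posted at the site.
        if s.uploaded_totals != s.tape_totals:
            findings.append((s.scanner_id, "uploaded totals != printed tape"))
    # Pollbook stubs issued (minus spoiled) vs. ballots the scanners accepted.
    stubs_cast = len(site.stubs_issued - site.stubs_spoiled)
    if stubs_cast != ballots_scanned:
        findings.append(("site", "stubs issued != ballots scanned"))
    return findings


def sample_site(tampered: bool = False) -> PollSiteRecord:
    """Constructed records for one small poll site (not real data)."""
    tape_a = {"A": 60, "B": 38, "blank": 2}    # 100 ballots on scanner S1
    tape_b = {"A": 45, "B": 53, "blank": 2}    # 100 ballots on scanner S2
    site = PollSiteRecord(
        stubs_issued=set(range(1000, 1205)),                  # 205 stubs issued
        stubs_spoiled={1007, 1150, 1199, 1201, 1203},         # 5 spoiled -> 200 cast
        scanners=[
            ScannerRecord("S1", 12_340, 12_440, tape_a, dict(tape_a)),
            ScannerRecord("S2", 9_015, 9_115, tape_b, dict(tape_b)),
        ],
    )
    if tampered:
        # Two constructed failure modes: S1's transmitted file is edited after
        # the tape was printed; S2's tape claims more ballots than it counted.
        site.scanners[0].uploaded_totals = {"A": 50, "B": 48, "blank": 2}
        site.scanners[1].tape_totals = {"A": 45, "B": 63, "blank": 2}
        site.scanners[1].uploaded_totals = dict(site.scanners[1].tape_totals)
    return site


if __name__ == "__main__":
    for label, site in (("clean", sample_site()), ("tampered", sample_site(True))):
        print(label, reconcile(site) or "all records agree")
```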
> While the paper I handled is stored in the machine, I am sure that the results are transmitted to the next link in the chain through some computer system.
How can you be sure about that?
> With so many links in the chain, it's my opinion that it's unreasonable to expect them all to be processed by people. It won't scale and I'm not convinced that it's that much safer anyway.
The point is that if you are not convinced, you can go and observe the process. The point is to remove as much trust as possible. The point is not to just have some human in the loop, but to make sure that people who distrust each other can personally make sure that the correct procedure is being followed.
> It would be my preference that the pieces of the system that perform this processing are backed with open source software.
The problem is that you have no way to verify that what is actually processing your vote is the open source software that you hope it is.
See also Ken Thompson's classic "reflections on trusting trust":
> At the very least, if there is a case where tampering is suspected, officials of the court can compare the software on the machine with the software in the repository.
No, they can't. The only way to check what software is running on the computer is to use software that is running on the computer, which is thus also suspect. That is, short of decapping each and every chip in the one computer that you are trying to check and extracting all the circuitry and all storage bits in it.
> As painful as it is, I think we all need to trust the state, to some degree, to do the jobs that are the responsibility of the state.
But ensuring trustworthiness of elections is not one of those. Elections are the anchor that all the other trust that we put into democratically elected governments is anchored at, it's the one lever that we have to remove governments that turn out to not be trustworthy. You cannot trust the government to remove itself in case you want to have it replaced.
> Once the votes have been tallied for a district, isn't it possible to tamper with them as they are transmitted up the chain to the next link in the processing?
If the election is run properly: No.
Representatives from each party will be observing the election process at every polling station, and the general public can usually also observe if they wish to, from opening until the votes are counted. Also, election results should generally be published broken down by polling station, so each of the observers can check that what they observed at their polling station actually matched what went into the total.
There is absolutely no place for trust in elections.
Where is the good old Anonymous when we need them?
We need a high-profile hack of some local elections to drive that point home. Something done completely for teh lulz, leading to a result so absurd the elections would have to be redone.
If all that was at risk was a night in police jail and a slap on the wrist, it would be done, but reading the sentences one faces for election tampering is really chilling.
I would not risk it for a million, I will certainly not risk it for the lulz. Plus, in most cases, it involves (laughably weak) physical security. I am less confident on how to hide my tracks there and I suppose many would-be hackers feel the same.
It doesn't matter what gets done, it matters how it's portrayed. Such a hack would just be used by the media to vilify their target-of-the-week, and politicians to institute ever-more-prominent centralized electronic controls that don't grant any related protection, but allow them to expand their personal influence and institutional surveillance surfaces (see also: TSA).
In fact, the media is already trying to CYA, and the state is already trying to expand control, by claiming that such a hack was perpetrated by a nation-state in the 2016 election, and that that's why they were so egregiously wrong in everything they said about Clinton/Trump in the preceding 18 months.
At defcon this year they had a bunch of the popular electronic voting booths set up, and they were all hacked within 6 hours. A big problem is having physical access to the booth. All of the hacks involve picking a lock.
Unfortunately it would need to be a hack that purposefully gets itself caught in order to drive any point home. I can imagine the risk vs reward on something like that would be very undesirable.
> the voting machine is running the exact same source code?
Or that the processor is trustworthy? Many voting machines are using old processors, such as the 68000, and it would not be too hard to emulate a rogue processor that will have a different behavior, whatever the source code is.
You can also change the behavior of the voting machine at a certain time, or in certain conditions (such as detecting that a voting session has started).
The problem is not that voting machines are vulnerable to one or two attacks. There are thousands of ways of compromising them.
The only answer to this is that cryptography specialists do not have any answer to a secure electronic voting not involving a physical element (a bulletin, a receipt, etc.). This means that there is no THEORETICAL solution.
There are attempts to create end-to-end auditable voting systems, where you don't have to trust the organizers or machinery not to trick you, and you can validate that your vote was counted correctly.
Sadly, as far as I know, none is without issues (older systems were found to have various problems, and newer stuff is still bleeding edge that wasn't yet reviewed thoroughly).
The trick is that you don't just have to convince somebody (a security expert) that the system is trustworthy, you have to convince everyone (voters) that the system is trustworthy. Anything more complicated than paper ballots counted in public will leave room for doubt.
There are systems that are essentially paper ballot and by no means remove the "classic" experience, but have extra properties that allow audit, e.g. https://en.wikipedia.org/wiki/Punchscan
Paper ballots leave a lot of room for doubt in my mind. How can you recount the ballots and come up with a different number? This shouldn't be possible, but it happens all the time: https://en.m.wikipedia.org/wiki/Election_recount
Thinking out loud here, how about a blockchain based solution? Each user gets a new address, and that address is printed on a receipt after you vote. This way you can verify your vote at anytime, and the votes can be counted in public.
The entire point of a recount is that when the votes are close enough to swing the balance of an election, they're recounted, potentially repeatedly until we can be sure they're correct. They're essentially never more than a few votes off either way. If it's not close enough to swing the balance of the election, it doesn't really matter that a dozen votes were miscounted - we'd prefer that not to be the case, obviously, but not by breaking the other properties of the system.
Short of some very very clever cryptography, you really, really don't want to be able to verify your individual vote, because that means you can verify it to others - the entire point of this process is to avoid coercion, or else there's much simpler solutions. (Pull everyone into the polling station at once and have a show of hands, for example.) You want to verify that one ballot was given to each person registered to vote, and that all votes were counted correctly, but you don't want to verify that an individual person's vote was counted correctly.
If you're concerned with inaccurate recounts, you should be more concerned with systems for which recounts are not possible at all. Like the US's closed-source black-box voting computers that are currently in use.
Putting aside theoretical possibilities, at this point in time approximately nobody is going to trust a blockchain system. Between "Isn't that the stuff you use to buy drugs online?" ignorance and the all-too-real history of everything that has happened with Ethereum to date, that just won't fly.
A ballot design that is prone to getting different results when recounted (hanging chads, etc) is a bad ballot design. Fix your ballot design first.
>Each user gets a new address, and that address is printed on a receipt after you vote. This way you can verify your vote at anytime, and the votes can be counted in public.
Voting receipts like this are bad. They enable people in power (bosses, spouses, etc) to intimidate you into voting the way they want to see and threatening to punish you if you don't because they can force you to prove the way you voted. It also allows vote buying.
Good question. Volunteer to help with your local elections. Learn how it's done.
As for blockchains: Voters sign in before they cast their ballot. If the order in the pollbook matches the order the ballots are recorded, no more secret ballot.
Any crypto- blocko- based system that both protects the secret ballot and ensures the public vote count (aka Australian Ballot) has to create a digital equivalent to the physical secure one-way hash (shuffle) of dropping a ballot into a box.
The Wikipedia link mainly mentions crypto methods... how exactly is a non-engineer supposed to end-to-end verify this? If you use paper ballots you can simply sit down and count... heck, not even that basic math if you get creative with sorting.
I agree with you entirely. There is no absolute way that we know of to truly know the code running is the exact code on GitHub. You can fake that it is in many ways, I don't see people running shell commands on the software before and after they vote to make sure it's the correct software. Even IF that software remains uncompromised, who owns the database? Who stops them from-
On top of this, we all know that if it was implemented as well as physically possible, there would still be vectors for attack. However, if current voting machine trials are anything to go by, it's usually implemented extremely poorly.
Why use a voting machine at all? Isn't the main point of having a polling location simply so you can verify your identity? If we could come up with a system that allowed one's identity to be verified online, or by postal service, then do we really need thousands of machines collecting the votes? Couldn't it be centralized to a handful of more easily audited systems?
No, the point of a polling station is so that there's provably no coercion. You fill out your ballot in secret, you're not permitted to take a photograph of it, and you place it in the ballot box without telling anybody what you've voted for.
The more you allow people to vote from their homes, the more likely it is that people can be coerced into voting the way their partner, employer, or otherwise, want them to.
You missed one important criterion. After you vote there is no way for you to prove who you voted for. If you could verify it after the fact then it opens up potential for coercion or incentives.
>You fill out your ballot in secret, you're not permitted to take a photograph of it, and you place it in the ballot box without telling anybody what you've voted for.
In the US, only one of those is guaranteed [0]. In California, where I can get an absentee ballot just by asking for it, none of those is guaranteed.
There's some challenging requirements around this. You need to positively identify someone as having the right and ability to vote (no dead people voting like in Illinois). You need to make sure they vote only once (no ballot box stuffing). You need to make sure their vote wasn't coerced (as far as you can). You need to make sure their vote is anonymous (to protect the voters from retaliation). And it needs to be easy enough so that your 80 year old grandmother can do it.
My country doesn't require voter ID at all, other than confirming a few details, and most studies here have shown that requiring ID didn't cut down on fraud.
For me it's important that the barrier to voting is as low as possible, and we don't have a government-issued ID that is free.
That should be solved by issuing a free government ID, not by compromising and creating a giant loophole whereby potentially citizens of other countries can vote in your election and there is no way to verify that.
Not as easy as it sounds. I was in a Government office for some tax related reason and was in line behind some guys trying to apply for their 'electrical card' (sic, electoral). This is in N. Ireland, which unlike the rest of the UK requires ID to vote.
They were having to be talked through filling in the form only to hit a roadblock when it came to proof of address. After expressing their voluble disbelief at some length that the handwritten doctor's note they had would not suffice, they eventually left empty-handed. (Incidentally, they were only looking for the card to use it as ID for flying; they had no interest in voting.)
Now these guys were obviously jokers, but it shows you will need a certain degree of application and time to get even the most rudimentary of verifiable ID. Even the conscientious may find themselves not getting around to getting the ID before election and losing their vote.
That's an implementation problem, not an argument against making sure only eligible citizens can vote.
Why not have a national ID like in some European countries? Issue it at age 15; you can go to a government office with your parents when you are 15 and get your ID.
You can pass sensible legislation for this. Have a grace period of 2 election cycles to allow all the people who want to vote enough time to get their ID (10 years is more than enough time to prove your address).
I was reacting to the parent comment. For some reason, in the Northern Ireland example cited there, proof of address was required.
Government can issue IDs without proof of address. This is a matter of implementation. For national elections at least you shouldn't need it. For local elections it should be required.
Governments can and do issue ID using whatever criteria they see fit. But the lesser the criteria the weaker the proof. I mean, you need a photo at least, right? And presumably some means of proving that photo is you (for passports in UK you have to get a doctor or similar person of authority to sign a declaration). So it's not such a simple matter.
In my country, where everybody has a national ID, you go to the police station when you turn 15 to pick it up. You don't have proof of address when you are 15 because you live with your parents. So they send a letter to the address of the parents.
Like I said, studies have shown that having an ID didn't change much. Plus, they already can! Commonwealth citizens can vote in UK elections pretty much as soon as they arrive.
I question the results of these studies. I think it's very difficult to measure empirically how many people are cheating if it is not required to have voter ID / some sort of proof of your identity when voting.
Presumably at least a few of them anticipate the easy problems and design a methodology appropriate to dealing with them.
For instance, if voter ID is highly effective, you'd expect much higher rates of double votes under a given registration in places that don't require it (unless the cheaters are masters of anticipating registrants that aren't going to vote).
What should you be primarily worried about? It's like serving your e-commerce website over HTTP because there have been very few security breaches. Why not get a certificate and use HTTPS? It's a massive improvement in security for a very small cost.
Not analogous, because attacks relying on coordinating large numbers of people (with a high rate of detection) simply don't scale. We should be worried about electronic attacks on voting infrastructure, political attacks on districts, political attacks on the registration process, etc.
I'd rather say it's a good idea but it also is a technical problem that is not yet convincingly solved. It is clear though that open source by itself is not a solution, for the very reason you mention (how can one be sure about what code is running on a machine one doesn't own?).
That being said, from time to time articles show up about someone who claims to have invented a viable solution. So we should not diss the idea and should keep an open mind. Eventually someone will find a solution.
I demand the Australian Ballot: private voting, public counting.
After studying this extensively, I believe there is no way to digitize elections and preserve the Australian Ballot. Because there is no digital equivalent of the physical secure one-way hash (shuffle) of dropping ballots into a box.
Any crypto- blocko- based system has to design for the whole election. Not just the voting. Including pollbooks, which record when ballots are issued to voters. Including precinct-based election counts, because every single precinct gets a different ballot (say 500 voters).
Maybe someone will prove me wrong. Cool. Then show me. The burden of proof is on them, not me. Otherwise, stop wasting everyone's time with technophilia sideshows. We've got real democracy with real work to do.
---
Alternately, any proposal has to replace the Australian Ballot with something new. Some ideas which would simplify the problem space:
- replace winner takes all with Approval Voting;
- issue separate ballots for federal, state, county, and local elections;
- decide that time-boxed privacy, where the secret ballot is preserved until an election is certified and then made public, is sufficient;
- supplant our current loose voter ID regimen with some kind of U2F futuretech.
pvote.org seems like a decent solution, it's <500 lines of code that needs to be audited.
That doesn't handle auditing the machines themselves, but as the 2016 US presidential election recount found in Wisconsin, the tamper-evident machines showed evidence of tampering, so maybe we're closer to knowing whether the trusted systems we use to count votes are trustworthy.
Of course, the current machines are still Diebold ("Premier Election Solutions"), so who knows. Ken Blackwell will make sure only the right folks vote, anyway, just like he did in 2008.
> pvote.org seems like a decent solution, it's <500 lines of code that needs to be audited.
Quoting from the website:
"Pvote is small. The current version is 460 lines of Python. It uses Pygame for graphics and audio."
So, add to that 130000 lines of pygame, 1.5 million lines of cpython, 14 million lines for gcc, 20 million for the linux kernel, ... and you haven't even begun to list all the stuff you would need to audit?
I agree, you'd need a way to verify every machine is running the open source software. The risks are too great that you'll fail, and the rewards for anyone that can hack the machines too great.
To say a machine hasn't been hacked is trying to prove a negative.
Every time we vote, there is more talk about the burned ballots, unopened chests, uncounted votes and fraud concerning votes being collected from neighboring countries posing as people from my nation.
So yeah. Doesn't really matter whether it's electronic or not.
Most fraud, other than the most primitive attempts by idiots, goes unnoticed. If voter ID is not required it is not possible to prevent people who don't have the right to vote from voting.