
No. To protect voting, don't use software. Everyone needs to be able to _understand_ as well as be able to verify that they successfully voted.

Besides the issues with what software the machine is actually running, most people cannot comprehend or understand that software - even if it is open source. That is not acceptable for an open democratic society, or to sustaining it.

In this particular situation it should not be necessary to rely on an expert to explain whether the vote counting mechanism is reliable. This only adds to the problem of unreliable or scheming officials - it doesn't improve anything in terms of transparency.



Just have the electronic system return a clearly labeled ballot to the voter, which would be verified and turned in before leaving. A physical count can be used to confirm the electronic count or vice-versa (physical counting has vulnerabilities too).


New York uses the reverse of that. You fill out a paper ballot, which then gets fed into a machine for counting. A random sample (of sufficient size) of the paper ballots are then counted to verify the electronic results.


Voting with paper does not scale. You can't make people vote everyday for example, which is required if you'd like to implement direct democracy.

On the other hand, with direct democracy, the stakes are lower for each vote. So there is less incentive to manipulate the vote. So it makes sense to use e-voting for direct democracy.

In the end the voting mechanism in democracy is not really about precision, it's more about getting an acceptable outcome for all the parties


The fact that it doesn't scale is exactly why we should stick with it. We want voting to be hard, distributed, and diverse. That prevents a single county or state from destabilizing the rest of the country. It should prioritize accuracy over speed and all else.

It's like an ecosystem. The more homogeneous the system, the more vulnerable we become to a single virus (or hacker).


Wait, why do we want voting to be hard? If voting is hard, that means it takes more time to vote, and not everyone is equally able to take extra time to vote. A disproportionate percentage of the voters will end up being people with more time and/or more flexible schedules.


They mean vote counting should be hard.


neither do the attacks, which is the point


Public - i.e. everyone knows how others have voted - voting can be both precise and secure. Public voting can be done electronically, say, via encrypted SMS.

So why to bother with secrecy in the first place?


Secret ballots protect voters from intimidation and blackmail. That particular bit of secrecy is absolutely essential in a democracy.


So you can't pay people to vote for a particular candidate.


Do you know how people take photos of themselves voting at "secret-keeping" poll-stations? How about politicians, who publicly give lucrative promises to their particular electorate?

If they want to sell their vote - it is their choice. I'd only say that the right of citizens to secede from such a society must be respected too.


>Do you know how people take photos of themselves voting at "secret-keeping" poll-stations?

That's illegal, and (somewhat contradictorily) not non-repudiable. You can take a picture of yourself with "ballot marked for candidate I'm paid/coerced to vote for" and then step right out and say "oops, I messed up my ballot, give me another one" and then submit that.


Didn't SCOTUS recently uphold people's right to take selfies in the ballot box? Seems that ship has already sailed in the US.

Also, California allows for absentee voting with no particular reason. I've voted in every election I've ever been eligible to vote in and I have never once set foot in a physical polling place.


> Voting with paper does not scale.

Yes, it does, it just scales less well than electronic/internet voting. Each voting method (and arguably, voting system) has its + and -, but paper voting has the most important benefit. Specifically, the most important one is that whilst counting we have the benefit of many eyes watching over (one of the things NSA improved post-Snowden). I know this first hand as I have participated as a vote counter in the 2017 Dutch election on March 15 (can recommend volunteering for the educational experience and ability to observe alone, plus it can be seen as a civil duty). Our team consisted of approx 8 or 9 volunteers. How many people audit the source code? The patches? The build process? The hardware? Are those random people? Are computer experts biased? You don't need to be intelligent or even familiar with computers to count paper votes. You do have to be a computer expert [2] to audit the software or hardware.

> You can't make people vote everyday for example, which is required if you'd like to implement direct democracy.

I'd rather have authentic results for a few elections than have many elections with a higher potential of being bogus.

We should also not neglect that a direct democracy can be dangerously manipulated in times of fake news. The same is true with 2 or 3 elections every 4 years, but the vulnerable choke points are higher in a direct democracy.

Finally, a disadvantage is that you get so many elections that people are tired of elections. I don't know the scientific name for this phenomenon but I know an analogy: visit a supermarket and have a look at all the brands for product X where X can be peanut butter, ice cream, or beer. Result: brand loyalty. So people are gonna vote e.g. 'peanut butter' (I don't wanna name a realistic example to avoid the reader assuming I'm partisan) in each of those direct democracy elections w/o looking further. Do not want!

There's an adagium in computerland "if it ain't broken, don't fix it". Paper voting isn't broken, it has a proven track record.

PS: For anyone who is interested in the history of voting security and the risks of electronic & internet voting I can recommend the course "Securing Digital Democracy" by J. Alex Halderman (one of the researchers in the Diebold affair some 15 years ago) on Coursera [1].

[1] https://www.coursera.org/learn/digital-democracy

[2] Not sure on a better term here. Computer expert is an inaccurate global term; what is required is a rather specific skillset. Perhaps programmer or hardware hacker is more accurate. But even then programmer doesn't tell us about which programming languages are mastered, and hardware hacker is equally vague. You get the gist.


I like the model where you vote electronically and you can see (through a clear material) that the machine prints out a copy of your votes and drops them into a bin.

You can throw cryptographic verification on top of that if you like.


That's one very expensive pen.

Paper doesn't matter if it isn't being counted. Spotting irregularity in voting results might be possible with statistical methods but how often were votes really recounted?


How do you check that your votes were actually taken into account? Even if you can do that, how do you check that no votes were added on top of legit votes?

If the actual votes are printed, how do you make sure no one can prove their vote to third parties and so be paid for it?


That's silly. Do you need to use paper and pencil to do banking? If we as a society and individually can trust our money to technology then why not voting?

Having a merkle tree and voting from your device instead of a polling station is not just more convenient - it's more secure too. Everyone can verify their vote was counted!!

And right now? Right now we have a government database of who voted for what. That's crazy.


With electronic banking I can verify that my money is where it should be.

With electronic voting, I can't be sure my vote got counted, and even less sure others weren't tampered with.


That's right.

And now do both things _publicly_! For money (or other things you own) you will need a Torrens-like title system with a replicated database among your fellow-citizens. For voting - it will be a database replicated on DVDs (or something that can be read, say, by a microscope:)

You may be astonished how secure that will be.


How do you verify the entities that are registered on the chain are who they are supposed to be? It may show a commit log of Citizen X voted in a certain way, but how do you verify it was Citizen X that actually voted or that they even exist?


The same way as you supposed (not:) to check it under a paper-ballots voting system. By the Citizens Database - when every citizen's biometric data (photos, eye or ear scans, body measurements, etc.) and contact data is published on holographic discs, magnetic tapes (IBM has one with 330 TB storage). It will allow anyone to verify there are no fake identities there. One may store just a hash table for all entries, if he can't afford those storage mediums.

Have they told you about it?


I'm sorry but I'm having difficulty understanding what you're trying to say. You still need a body to oversee adding entries, otherwise anyone could add anything? How do you verify exactly? You've just got a bunch of data, which may or may not be legitimate. It still boils down to this: the best way to protect voting isn't by the more exotic systems whereby fudging can be done at scale. It's by making the exploits not scale and keeping anonymity by having another process for voter registration.

I'm not sure what the choice of media has to do with anything.

Who has told me what about what now?


No one requires these biometrics to make bank transactions. The bank can give you a simple security device, but with smartphones even that is optional now.

Biometrics, seriously?

Biometrics are only a one-time proof when eg you are issued a token. They can be replayed later and can't be used anywhere except where there's a physical security guard preventing tampering. And even then you trust the security guard.


The same way you verify that the person using the banking app is the one they are supposed to be. Or any other service.

Obviously you use your device, and you can lock it with a password. You can use two factor authentication.

It's straightforward, really. You sound like identity has never been solved electronically.

If anything, holding a physical paper id document is far less secure than a personal device with your private keys in the Secure Enclave.


It's not been solved though, at least here in the UK where people are against mandatory ID cards.


That's a separate issue. Why would you want to allow voting without any ID?


It's definitely not a separate issue, it's fundamentally linked. Voter registration is separate and not tied to any electronic ID, so you saying it's a solved problem isn't true.


Sure you can. If you signed your vote and all votes got included in a Merkle tree then you can for sure verify that your vote is counted.

Imagine bitcoin but with votes instead of transactions. Boom.
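Added example, not code from any commenter: a Merkle tree over a constructed list of published ballots and the inclusion proof a voter would check, so the "everyone can verify their vote was counted" claim made above can be examined concretely. The ballot format, the receipt nonces and the fake ballot are all constructed for illustration; no real voting protocol is being reproduced.

```python
import hashlib
from typing import List, Tuple

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(ballot: bytes) -> bytes:
    # Prefix bytes separate leaves from interior nodes, so an interior node
    # can never be passed off as a ballot (or vice versa).
    return h(b"\x00" + ballot)

def node_hash(left: bytes, right: bytes) -> bytes:
    return h(b"\x01" + left + right)

def build_tree(ballots: List[bytes]) -> List[List[bytes]]:
    """All levels of the tree: levels[0] are leaf hashes, levels[-1] is [root]."""
    if not ballots:
        raise ValueError("empty ballot list")
    levels = [[leaf_hash(b) for b in ballots]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])  # odd node is carried up unchanged, never duplicated
        levels.append(nxt)
    return levels

def inclusion_proof(levels: List[List[bytes]], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from leaf to root; the flag says whether the sibling is on the left."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            proof.append((level[sib], sib < index))
        index //= 2
    return proof

def verify_inclusion(root: bytes, ballot: bytes, proof: List[Tuple[bytes, bool]]) -> bool:
    # Note what is NOT an input: who is running the check. The (ballot, proof)
    # pair is a transferable receipt; anyone holding it gets the same answer.
    cur = leaf_hash(ballot)
    for sib, sib_is_left in proof:
        cur = node_hash(sib, cur) if sib_is_left else node_hash(cur, sib)
    return cur == root

def demo() -> dict:
    # Constructed ballots, format "<receipt nonce>:<choice>". Three were cast by
    # registered voters; the fourth was inserted by the publisher. The tree
    # commits to whatever list it was built over and cannot tell these apart.
    ballots = [b"n7f2:peanut butter", b"q91x:ice cream",
               b"z0ka:peanut butter", b"FAKE:peanut butter"]
    levels = build_tree(ballots)
    root = levels[-1][0]
    my_ballot, my_proof = ballots[1], inclusion_proof(levels, 1)
    return {
        # the voter's own check, and the identical check a third party could run
        "voter_check": verify_inclusion(root, my_ballot, my_proof),
        "third_party_check": verify_inclusion(root, my_ballot, my_proof),
        # inclusion says nothing about whether the voter behind a ballot exists
        "forged_ballot_included": verify_inclusion(root, ballots[3], inclusion_proof(levels, 3)),
        # a changed choice no longer matches the published root
        "altered_ballot_rejected": not verify_inclusion(root, b"q91x:peanut butter", my_proof),
    }
```

The inclusion proof answers exactly one question, "is this ballot in the published list?", which is the part the comment above gets right; the two objections raised elsewhere in the thread (a receipt a voter can check is also a receipt a buyer can check, and the tree cannot show that every entry came from a real, eligible voter) are visible in the `third_party_check` and `forged_ballot_included` results.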


I don't know the technology, but I assume that system could be built.

The bad part about that is that if I can validate my vote after the fact, someone else can also demand to see what I voted for, and that opens the door for vote buying, intimidation etc.


No, not at all. You can vote anonymously and verify your vote but no one else can map that back to your identity.

As for rubber hose cryptanalysis, that is possible now.

Buying votes is already done.


You can buy the promise of a vote now, but it can't be verified on the individual level. On the precinct level you can, and that happens.


I think you could do some secure voting software if all your citizens had a secure two factor signature and you used block chain.

I'm not sure why you would do it in a non-corrupt country though.


And how do you prove that all of those citizens exist?

We have a secure, provable, relatively cheap method right now: Paper ballots and public observers at elections. Compared to the stakes the cost is peanuts.


Exactly, and the simple, physically decentralized, distributed, and somewhat resource/time intensive aspects of paper-based balloting are all great checks against easy attacks.

The fact that virtually anyone both capable and eligible to vote is also capable of understanding the voting process, as well as what kinds of physical acts are signs of fraud means that many more people can evaluate the process, and determine - even just by looking - whether something fishy is going on at their voting station.

Your average voter will be easily convinced that he "doesn't know enough to judge" whether something is fishy with his voting machine, even if something seems to be clearly malfunctioning; "oh don't worry sir, the print out might be wrong, but your vote was definitely counted correctly internally".

The rise of any form of electronic voting is really troubling - and don't even get started on anonymity concerns...


I live in Denmark, every citizen has a social security number and we all have access to a digital identification method called "nemID".

It's basically a login that's tied to a piece of paper containing a hash table of numbers you use for two factoring.

It's the safest citizen verification system we've ever had and it's basically used for any form of identification in the digital world from banking to using our public sector.

Our government as an example used it to send digital mail to everyone in a secure mailbox called "eBoks" saving us billions in not sending paper (and bankrupting our postal service as a side effect).

We still use paper ballots for elections but it's frankly easier to fake an identity using those than if you were to sign in with "nemId". Today all you need to be allowed to vote is the paper you received and the right sex/age range. So basically I could vote for my brother if I obtained his ballot. With NemId I'd need his username/password as well as his keycard.

Obviously you'd have to anonymize it, but some digital systems being broken doesn't mean they all are or that our current system is that great.

I've observed elections in the Balkans, and they sure aren't safe or democratic despite being done the way you prefer, because it's so easy to exploit if you manipulate the paper trail.


I've worked as a DRO in the Canadian election. There is no way to steal an election in Canada. Whatever the Balkans have, that isn't what I'm talking about because the way it works in Canada is like this:

1. I take someone's ID, I look them up on the voter list. If they are not on the voter list I take their proof or the sworn testimony of someone that does live in the district that they live where they say they live. Either way, observers can record their name and supposed address.

2. I hand them a folded ballot and they go, with assistance from a family member if necessary, to behind a security wall to mark their ballot.

3. They place the ballot in the slit of the box, folded so their vote is secret, but visible to all observers so that they could not have snuck in a second ballot.

4. The ballot box never leaves public view. In the event of an emergency I take the ballot box and hold it high so that everyone can see it, especially the observers, until we get outside.

5. Anyone in line by the time the polls close is allowed to vote and the number of voting locations is determined by a public service (not politicians) so we don't disenfranchise voters or unduly burden voters.

6. In full view of my assistant poll clerk and all observers we count every ballot. As DRO I have final say over questionable ballots. If I make an obviously unfair call observers can alert my superiors at Elections Canada. I only had to make one decision on one ballot out of around 500.

7. We compare the count of people, the count of the ballots we gave out, and the count of the ballots in the box. These all must match. If they do not match we count again. It's harder than you'd think because people accidentally fuck up ballots or someone can have the same name but be a different person. This can even happen at the same address! Usually a son being named after a father.

8. I fill out the vote totals and give one copy to Elections Canada, one copy to each party observer, and I keep one copy for myself. We then put security tape around a tamper evident bag with the original ballots for them to be counted again by Elections Canada HQ.

Now tell me, how are you going to defraud that system? We wrote down everyone's name, at most you might be able to get someone to vote on behalf of their brother here or there. Or the people voting by mail might have their ballots disregarded or changed, but most people vote on election day and Elections Canada is trustworthy and explainable to anyone.

I could never fully trust your NemId system because you could never prove to me that everyone that supposedly voted existed. In Canada's system we can literally count the people walking through the door and we can literally count the individual ballots.


Your system requires the people involved with counting not to lie. Works great in Canada, not so well in Serbia.

Aside from that it's literally impossible to obtain a nemid if you don't exist, and, once you cease existing so does your id.


No it doesn't, we have observers from every party. If I lie the press finds out.

False nemids can be created. Prove me wrong.

See the problem? Even if what you are saying is true it is very hard to prove the inverse and just the ability for foreign propaganda to delegitimise a voting process is enough reason to move to a voting system that is impervious to this type of attack.


This isn't how empirical evidence works. It's a system you know nothing about that has never been compromised, unlike a faked passport. It's impossible to prove you wrong because the burden of evidence is on your table.

What you are asking me to do is impossible because there is no way I can convince you when you've turned your back on facts.

Aside from that, the system you've described which works perfectly fine in Canada is extremely similar to the voting system in Iraq, Russia and Serbia, places where telling on liars obviously isn't hindering elections from being manipulated.

You may be safe right now, but you're protected by the people running your system, not the system itself.


Why do something simple, when we can do something complicated instead?


Well if your country is doing digital elections without citizen signatures and block chain, then chances are you live in a corrupt country. :p


The point is to do pen&paper elections instead. It's the ultimate "open source" solution since everybody who can hold a crayon in the right direction can participate in the verification of the process.


The problem with pen and paper elections is that they rely on honest counting.

It's true that it's easier to manipulate a terrible digital system but that doesn't mean pen and paper is safe.

Block chain technology would offer an open record that couldn't be manipulated, something paper does not.

I mean, I live in Denmark, one of the least corrupt countries in the world and we've had politicians caught changing votes with a pencil and an eraser during the count.


In Minnesota, honest counting is enforced by process. Any ballot handling, whether marked or unmarked, requires the presence of members of at least two different parties. At no point is a single person (or group from just one party) ever left alone with ballots.

We've had two full-on hand recounts at the state level in the past decade or so, and the final results were within a few hundred of the original count in each case, with three million votes cast. Good process solves a lot of problems.


No, you can't. Elections are completely unlike any other scenario that you might be trying to secure. Two-factor auth is of no use for elections.


I live in Denmark where we have a digital identity called "nemID". It's the safest form of citizen identification we've ever had and it would be immensely more safe for elections than our current system of sending out paper cards to be traded in for a vote.

On top of that the block chain could offer us a record that couldn't be manipulated.

Sure we don't have a lot of problems with voter fraud in our current system, but that doesn't mean it's not extremely vulnerable because it relies on honest counting.


There is no such thing as "safest form" of anything. You have to consider what threats you are trying to defend against. The threats that you have to defend elections against are completely different than anything else. In particular, elections have to defend against a government that tries to stay in power. A centralized form of identification can be the most dangerous thing for an election ever.


There is no such thing as a non-corrupt country.



