It isn't that software engineers are bad at their jobs. Information and matter happen to have very different properties when it comes to resisting modification and showing evidence of tampering at our current level of technology. It isn't that electronic voting systems can't be made more resistant to tampering. The problem is that if tampering is possible it seems more likely to succeed with an electronic system than it would exposing a large number of human agents modifying paper ballots.
I live in a country with compulsory voting and paper ballots and we have proportional voting in one house and we still manage to get a concession speech within a few hours typically. If it ain't broken... I don't see what is gained from taking human observers out of the loop and hiding everything under the skirts of a computer system with a sign saying "trust us".
There's also trade off where the more tamper resistant/evident the system is, the more sophisticated it must be and the harder it is to understand the system.
Trust isn't just about engineering like it is for avionics or other high-reliability systems. It's also about independent verification, including by lay people. If it requires advanced cryptography or computer science knowledge to trust the election results.
I live in Canada where we do paper ballots everywhere. We also get same-night results on election day. They're just starting to experiment with vote tabulators, and this means that results come in faster now. In fact, in the latest Ontario provincial elections they had a declared winner 20 minutes after polls closed. Especially with tabulator machines I just don't get the point of electronic voting.
Another important difference is computer systems themselves are inherently general purpose [0], unlike a physical machine - An airplane cannot be subverted to calculate the GDP of the United States, but all Turing machines are created equal. Another difference is computer systems are generally open to unpredictable external inputs [0], unlike a physical machine - An airplane is not needed to be designed under the assumption that an adversary would use weather modification to destroy it.
[0] Unless specialized designs are used explicitly in hardware and software, similar to those which are found in embedded industrial control systems, which removes these uncertainties to a large extent. But they are rarely used in practice because of its difficulties and cost.
As Bruce Schneier written in Cryptography Engineering,
One of the biggest differences between security systems and almost any other type of engineering is the adversarial setting. Most engineers have to contend with problems like storms, heat, and wear and tear. All of these factors affect designs, but their effect is fairly predictable to an experienced engineer. Not so in security systems. Our opponents are intelligent, clever, malicious, and devious; they’ll do things nobody had ever thought of before. They don’t play by the rules, and they are completely unpredictable. That is a much harder environment to work in.
Many of us remember the film in which the Tacoma Narrows suspension bridge wobbles and twists in a steady wind until it breaks and falls into the water [1]. It is a famous piece of film, and the collapse taught bridge engineers a valuable lesson. Slender suspension bridges can have a resonance mode in which a steady wind can cause the whole structure to oscillate, and finally break. How do they prevent the same thing from happening with newer bridges? Making the bridge significantly stronger to resist the oscillations would be too expensive. The most common technique used is to change the aerodynamics of the bridge. The deck is made thicker, which makes it much harder for the wind to push up and down on the deck. Sometimes railings are used as spoilers to make the bridge deck behave less like a wing that lifts up in the wind. This works because wind is fairly predictable, and does not change its behavior in an active attempt to destroy the bridge.
A security engineer has to take a malicious wind into account. What if the wind blows up and down instead of just from the side, and what if it changes directions at the right frequency for the bridge to resonate? Bridge engineers will dismiss this kind of talk out of hand: ‘‘Don’t be silly, the wind doesn’t blow that way.’’ That certainly makes the bridge engineers’ jobs much easier. Cryptographers don’t have that luxury. Security systems are attacked by clever and malicious attackers. We have to consider all types of attack.
I don’t know if I agree with this reasoning. Bridges are at risk of being destroyed by any attacker with a truck full of dynamite. Do they defend against this in their designs? Do we blame the bridge engineer if someone destroys it? Do we blame the airplane builder when someone shoots a missile at it and it blows up? Software is one of those few practices where we blame the builder for being careless when the product is deliberately and maliciously attacked.
Here's the thing about voting. There are basically three kinds of fraud: fraud in counting votes (what independent monitors are meant to solve), fraud in casting votes (what voter ID is meant to solve), and fraud in inducing votes (such as voter intimidation). Unsurprisingly, in practice, almost all of the problems that actually occur with legitimate democracies, and even most of them in sham democracies, is with the last category of fraud. People who freak out about the insecurity of voting machines worry about the first two kinds of issues, and generally ignore the latter part.
The majority of countries where elections take place, don't have voting machines. So it's hardly surprising that most kinds of election fraud don't involve voting machines.
Also, I am very sceptical of your claim that most of the problems belong to the last category. If it seems that way, I say that is because of observation bias. It's much easier to find evidence of voter intimidation than for fraudulent counting, even if both take place.
Hackable voting machines completely invalidate the safety provided by independent monitors, which is why people are concerned. It shifts the dynamic you’re speaking of.
> People who freak out about the insecurity of voting machines worry about the first two kinds of issues, and generally ignore the latter part.
No, they don't, IME; many of the people most vocal about the vulnerability of voting machines are the exact same people active against voter intimidation and suppression.
Conversely, many of the people who have historically most backed moves to vulnerable voting machines are also the same people practicing voter intimidation and suppression.
paper ballots are not perfect, but it's a proven technique with known processes and checks (double counting, check the number of votes match the number of ballots, people from various parties controlling the ballot, etc).
Also, at least for national election, it's quite hard to manipulate such ballot wildly as there are heavily decentralized with a lot of individual polling places. It's quite hard to have a massive fraud on the ballot itself has you have fraud in hundreds of places.
Now with the voting machine, you have one or a few central points where it could be possible to take over the voting machines and manipulate the vote on a large scale.
Also, voting machine can be quite horrible. It's basically a computer that is only used once or twice a year. So it's likely that voting machines have a ton of CVE. Also, those are generally not very well made, with a lot of security holes, from physical attack to debug ports not removed, default passwords from the manufacturer not replace or bad configuration/lack of security in the software.
The only use case for a voting machine that I could see is the following:
Using a voting machine where when you cast your ballot, it prints a paper with the name of the candidate, after that you do it the 'old' way (envelope+ballot).
When counting it's now possible to compare the paper ballot and the electronic one and check if everything matches.
As a side effect, it reduces the quantity of paper required.
People who freak out about the insecurity of voting machines worry about the first two kinds of issues becoming issues. That's different from ignoring fraud in inducing votes.
I'm also curious about your source on the last category being most common.
If by "most common" you mean "affecting most voters worldwide", it's possible a number of high-population countries with flagrant corruption in elections may bias this figure, but overall—particularly in, say, West Virginia (which I guess is what inspired this comic)—I would imagine the 3rd category would be the least prevalent, particularly as it's the easiest to detect.
They don't, but the point is that elections are already manipulated in that way, so that people aren't going to bother with a roundabout way of manipulating an election, when there's a much easier, less illegal (or at least, more opportunities for plausible deniability) way to do it.
One example is that a voting machine (depending on how it is built) can either provide or fail to provide secrecy for the voter. If the fact that a voter cast a vote is public knowledge but HOW they voted is well concealed, then certain kinds of induced votes ("vote for the right guy or I'll beat you up afterward") are not possible.
I know this is mostly over how important it is not to have anything voting/democracy related fail horribly, but going after the comment in the fourth panel what exactly happened to our field that we can't generally be trusted to make something that works? Is it just "Move fast and break things" in action?
Architects and mechanical engineers not only know about blueprints and design procedure, they also have a solid understanding of the physics that make their designs work. Programmers, by and large, just know how to code.
There exists a formidable body of study describing the practices and theory required to write knowably-correct software, but the software engineering industry treats these ideas with utter derision. Even lighter-weight methods for knowably preventing broad classes of errors(e.g. Haskell-like type systems) are considered niche and pretentious. These opinions are mirrored by many CS programs, so most engineers wouldn’t have the slightest clue how to apply these methods, or even know that they exist, should they decide they were necessary.
Here, the problem is we can't trust users to not try to break the system. When I buy a plane, I don't want the plane to crash. When I buy a voting machine, I'll do everything I can to break it so as to earn more votes than I deserve.
It's a rare case of a system its main customer does want to be able to break.
Now, of course we can make things that work. Airplanes and elevators are computing devices too, after all. But a working software is as expensive as a working airplane. People don't want their word processor to cost millions of dollars. OpenOffice is free, MS word is a few bucks, what do you expect?
"Now, of course we can make things that work. Airplanes and elevators are computing devices too, after all."
Funny you should say that. Yesterday, the buttons for our elevators crashed. Nobody could hail elevators on the touch-screen thing. Because software. Name the last time an actual elevator crashed.
There was an incident with someone using an elevator here in Portland, Oregon, a few years ago, IIRC not a sudden stop at the end at least but too rapid movement leading to an actual heart attack. It is rare in the US for elevator users to be harmed but not that rare for maintinance workers to be harmed; it is actually a fairly dangerous profession.
IMO, it is actively harmful to blame the software industry as a whole for voting machines being horrible since however bad most software is there are parts of the industry that can produce software as reliable as bridges and elevators and those are the parts of the industry that should be used for voting machines even if the rest of the industry was quite a bit better. It is only for political reasons that voting machines are unreliable.
In countries with lack of proper regulations elevators are crashing more often, that's what I would expect. But I don't think elevators crash as often as software in India.
It happened 2 months ago, here in France. A kid died in the accident, and it was not a software problem. And there are tons of elevators out of order, on a daily basis, and more often for mechanical reasons than for software reasons (now obviously, the software part of an elevator is less complex than its mechanical part, but still).
I love how the bar gets lowered as people struggle to make software look reasonable. "Elevators out of order" is not "elevators crashing". Of course mechanical systems wear out and have to be repaired.
Elevators, bridges, airliners and other properly engineered systems, are incredibly safe and reliable. You have to go digging to find exceptional events that remotely compare to the daily chaos found in software systems. The point of my story is that elevators themselves (systems we barely think about on a daily basis) start to become chaotic and unreliable when software is introduced.
...which is not to say that it can't be fixed. My contention is that software engineering is possible, it just isn't fun or easy for inexperienced coders to do, and therefore not valued by the current software industry.
You were mentioning elevators crashing in the first place.
But anyway elevators are quite frequently out of order, and I don't know how often it's a software vs mechanical vs administrative (ie "security check") problem. I just know that, in all instances of elevator crashes I know of, the problem was a mechanical one, not a software one.
> ...which is not to say that it can't be fixed. My contention is that software engineering is possible, it just isn't fun or easy for inexperienced coders to do, and therefore not valued by the current software industry.
It's not that it's not fun, but it's incredibly expensive, and usually not worth the cost.
In this specific case, we have an essentially static system that's exposed to the public that you need to protect from an unknown number of attackers with substantially more resources than you do.
To use the analogy of the plane designer, it'd be equivalent to building a consumer airliner that can handle flying through a warzone.
Conversely, a lot of the incentives on these teams are perverse -- like the conversation in another thread about not being able to sell to stakeholders the idea of "remove junk" but being able to sell them the idea of "add AMP".
So even if you are the sort of software developer to consider the lifecycle and long-term utility of the products you produce -- good luck with that.
In the meantime, a junior programmer on my team just got an assignment (while I was on holiday) to add a feature to an old project she'd never worked on. The feature was described in three sentences, with a budget of "at most two days" as that is what the work was sold to the customer for.
I mean, it's rather hubristic to compare ourselves to those industries, we're closer to the handyman you hire to create a new door in some wall without telling him where exactly, all that matters is that it's done fast.
One major issue in electronic voting is the notion that it might enable an adversary to compromise a much larger number of votes than they would in a paper ballot system.
If every state contracts a handful (some may even contract a single one) of suppliers to crude the voting software, a bad actor that could compromise only one of those systems would have an enormous impact on an election. Contrast that with paper ballots, where an adversary would have to compromise dozens or hundreds of precincts, in-person, in order to have the same effect.
In terms of economics, having each precinct implement its own voting software (or contract uniquely) is not cost effective, nor would I trust small municipalities to be able to judge security.
It’s just too risky all around. Maybe one day when our software systems are better understood, or there are different security mechanisms, electronic voting might work. But not today.
Why is this different for software than for civil engineering? Fundamentally it’s not, except that people are willing to spend money on a new design for every bridge, and generally there is a collective awareness of threat models for bridges.
As a software engineer I have some vague notions of why voting software is a slippery slope to get on; but can anyone sum up the main arguments/ELI5 why we can trust avionics or elevator software to an acceptable level of confidence, but not voting software?
Because voting softwares don't solve any real problem while creating a horde of its own. Voting is a solved problem. Paper ballot is a perfect technology once you introduce optical readers, and when in doubt, you can always re-count everything again. Sneaking in a false vote requires getting past multiple parties watching the ballot box (and each other) 24/7.
In the recent regional election of South Korea, there was a district where the winner won by a single vote. The runner-up appealed the decision, took the ballots to the overseeing committee, and the committee re-examined individual contested ballots and decided one of the ballots previously considered invalid should count for the second person, making it a tie and (according to some tie-breaking rules) changing the winner.[1]
You can't get that kind of transparency with voting software. It's worse in every way.
> Because voting softwares don't solve any real problem while creating a horde of its own
It solves some problems that have been introduced over time in most election systems. Primarily, time to count/verify, ease of access and verifiability. To say that paper doesn't have these problems shows a lack of understanding or a willful intent to mislead. The boxes of uncounted votes from the Bush/Gore election (https://www.theacru.org/horace_cooper_bush_v_gore_redux/) were a watershed moment that could have affected change beyond the locality.
> Paper ballot is a perfect technology once you introduce optical readers, and when in doubt, you can always re-count everything again.
There are weaknesses with transport or tampering the same as any mechanical recording or electronic recording.
It's important to narrow the intent of a typical modern voting system, with "should haves" rather than hand waving away useful tools.
* Votes should have only been counted from voting membership (registered voters, for example).
* The intent (choices)/member information should have confidence that this data is opaque to inspection without a private/public key respectively. Yes, voters would have to generate their own, as that's an attack vector.
* A voting member should have the ability to track that the vote was counted at all in a given race via a reversible process, which would necessarily include the public and private key.
> You can't get that kind of transparency with voting software.
You can, but the US wont. It's an important distinction that is patently obvious.
Today, most vote tracking systems are electronic, although the ballot was paper. What's the point of half the process being paper? The US government is too inefficient, demotivated, and lacking the impetus to retrain the populace to make any system that is reliable.
> To say that paper doesn't have these problems shows a lack of understanding or a willful intent to mislead.
Of course using paper doesn't magically solve away your problems. The point is that paper-based systems without these problems do exist in the world and they've been successfully used for decades. You just have to copy the successful ones.
Or, put another way, if your government is too incompetent to run paper-based ballots, using electronic system won't make them suddenly competent either.
> There are weaknesses with transport or tampering the same as any mechanical recording or electronic recording.
The really really really nice thing about paper is that the required size of the attack gets proportionally large as stakes get higher. If you try really hard, you can probably sneak a few votes and change one of the twenty town council members, but does anyone care? On the other hand, to hack a presidential election you will have to exchange at least a thousand boxes or so. With a thousand co-conspirators. While everyone is watching.
...And if you're worried about organized gangs replacing a thousand ballot boxes on your election day, you have more problems than voting systems.
> What's the point of half the process being paper?
That it works. Technology is not meant to be cool; it's meant to work.
I read a few articles suggesting that the electronic voting systems in use on the USA wasn't working very well. Even suggesting some kind of malicious manipulation.
I would keep using the paper system that we have on Spain. It's secure and confiable, as a lot of eyes tare watching that no body is doing something dirty.
The recount is done by a few random citizens plus a few political parties representatives watching it. And it's fast. Usually takes 3-4 hours to know is who win.
Airplane safety is necessarily complicated. To make a giant 300 passenger airplane safe to fly requires an incredible amount of engineering, for a reason. You just can't build this in a way that laypeople can understand.
Voting is fundamentally simple. People have been doing this for thousands of years, and it's intuitive how it should work. People mark ballots (in private); people count ballots (and then other people count the same ballots); the ballots aren't destroyed until the vote is finished; everyone calls each other and figures out what the total is. The amazing thing is anyone can look at what goes on and say "yep, that looks right", or "hey, I don't think they're supposed to do that…".
The whole thing needs a pretty significant human effort, but, again, people have been doing this for a long time, and large numbers of those humans can easily be volunteers. Also, that human effort is how you build a democracy. It is not a problem that needs to be solved.
As soon as you add software, you've added hundreds of layers of complexity to what was a very simple problem. You've turned it from a democratic, easy to follow system, to something that very few people can have anything to do with. It's like replacing letter writing with Facebook. Sure, you've made the surface act of communicating easier, but to do that you've added an ocean of complexity that nobody understands.
After every airplane crash, there's a major post-mortem. The root causes are ferreted out, as deeply as possible, in a blame-free way - and the regulations are updated and followed by the entire industry, enforced by laws.
What happens when your system has a 30 minute downtime? There's a meeting, someone suggests running your code through a linter or bumping log levels or adding another unit test, everyone high-fives and you wait until the next downtime - and that institutional knowledge doesn't leave the company, sometimes not even the team. Sometimes, it barely registers with the team members, who then quit the company and go and write voting software.
Part of it is that our industry is still relatively young - although, not that much younger than the aviation industry. But a bigger part is that for the most part, it's very strongly segmented, and most of those segments aren't responsible for people's lives.
1. For any piece of software, a person in the right position should be able to sabotage it. Ken Thompson's Turing acceptance piece (Reflections on trusting trust) showed a trivial example of sabotage...
2. It is REALLY difficult to diagnose software while it is running.
3. Risk vs. Reward. Planes have tremendous performance characteristics versus boats or cars. Elevators provide a means for disabled people to get to different levels on a building. But in terms of voting we're trading the security of paper ballots (which humans have spent centuries putting safety measures on ballot stuffing) for convenience.
4. The potential number bad actors with voting is high. While the number of people that want to alter a plane or elevator for nefarious reasons is hopefully limited.
5. Political legitimacy is a very important concept for governments. In democracies, their legitimacy is largely based on ballots. It is really bad for citizens to question the outcome of an election.
Voting software needs to solve adversarial distributed trust across hundreds of thousands of polling stations. That's way harder than distributing control across three cooperating, redundant avionics packages. Really, it's an unsolved problem in computer science, but that doesn't stop people from selling solutions...
Number 2 is the cost of failure.
The worst case scenario for avionics software is a plane crashes and everyone on the plane very publicly dies. An engineer is unlikely to be motivated to cause this on purpose, and if they do then everyone knows about it immediately.
The worst case scenario for voting software is a single engineer gets control over the political direction of the entire country, and nobody notices, ever. There's a ton of motivation to do this.
That doesn't make much sense to me. The engineer is the guy who builds the system. In both cases he is interested to not being a flawed system (crash caused, voting system compromised).
I think it's better described if we distinguish between functional safety and security.
While the avionics software engineer is interested in functional safety and must mostly not be afraid of smart attacks, the voting software developer (or software developers in general) must mostly expect that his system gets attacked by smart attackers.
Although you can do distinguish between both, it's kinda sounds like a lame excuse for me.
I think the real reason is, that computer scientist still suck at building correct and secure systems. There is not that amount of funding in computer security research as it should be (like in functional safety).
In a plane, the passengers, the pilot, the airport and the company owner all want the same thing : a safe fly.
But In a vote, not everybody wants the same. As a mayor / senator / etc., I want as many votes as possible, and so do my opponents. You can't trust anybody, as the expected outcome is different for everyone.
> I bet there are terrorists who are not always interested in safe flies.
They are not the typical customer, though.
> In contrast to voting, the majority of a (democratic) society wants to have a reliable and trustworthy way of voting.
Honestly, I'm not even sure to what extent that is true. Give somebody the opportunity to vote twice (illegally, but with the guarantee of not being caught). How many people would refuse, arguing that their voice is not worth more than anyone else's and that it would break the system?
It is pretty easy to verify that a plane or an elevator behaves correctly. Did it transport its passengers to their destination? Pass. Did everyone die? Fail. (This is obviously simplified).
You cannot do that with voting software. To verify the result of a software-based election, you would have to compare the vote counts the software reports with the actual vote counts. But if you knew the vote counts, you wouldn't need the software anymore.
There a proposals to get around this issue by storing each voter's decision so they can verify that their vote was counted properly. That would abolish the secret ballot, making it a horrible idea.
Even if there were a software-based voting system that could be verified by experts, it would almost certainly be too complicated to be verified by the general public.
It isn't about the software. Ofcourse voting software can be made reliable.
But how do you trust they are reliable? How do you verify them? How do you verify the surrounding systems? It is a dead giveaway if planes start falling out of the sky that something is wrong. Not so when someone steals an election.
If you want a good password hash you don't go for a fast hash that can be implemented in hardware. You go for a really slow hash that is hard to compute. I think this worse is better approach applies with voting systems. You really don't want them to be efficient. Optimising for efficiency takes away some of their other good properties. Paper voting is incredibly inefficient compared with machines and that is why it is so appropriate.
People are much more interested in hacking into voting machines than they are in hacking into public air planes.
Planes and elevators are not connected to an internet, unlike most voting machines, making them harder to hack into.
Also, when people hack into planes/elevators the hack will quickly get noticed and thus the exploit will get fixed pretty soon. With electronic voting machines the hack could remain undiscovered for years since there's no clear visible sign that the machine has been hacked.
Electronic voting machines themselves are not connected to the internet. I don't think software development in this field is that retarded. They can still be hacked of course, but the delivery mechanism would at least be some local network or more likely compromised firmware upload.
Most likely some computer somewhere in the chain of voting machine counts -> official "verified" vote totals is connected, but you could say that of vote rolls coming from manual punch ballots as well.
A lot of people suggest the solution is for electronic voting machines to produce at least an actual vote paper trail, but I don't see that helping as a hacked machine could spoof those just as well as bits.
A computer is a black box. Just because you hit the button to vote X doesn't mean it actually increased the X voter count variable. There is no way (not even theoretically) to fix this without basically just turning the voting machine into an extraordinarily expensive pencil. As soon as you're printing tickets to prove votes you might as well just go for paper voting in the first place.
Its a trusting trust issue. Generally when you ride an airplane or an elevator you are trusting that the engineers who designed it know what they were doing. They have strong incentives to design safe systems, and more importantly and excellent track record.
In the case of a voting machine, who are you trusting? The state governments and some random government contractor. What are their incentives? What is their track record?
There is certainly more accountability when real lives are in danger. Voter fruad doesn't have the same sort of repercussions and so it's ends up being an easier target. You can't harm someone by changing who they voted for.
This is conjecture on my part, since real lives aren't on the line, I would also imagine that error checking isn't held up to to the same standards.
Because you can't make money whether the elevator falls on wednesday or friday, but you can make money if candidate Y wins instead of candidate X. Where there is money to be made, there is people to be corrupted.
I'm a software engineer too. Unlike the chorus of voices here I don't believe it is impossible to develop good voting software. In fact it's already been done.
The algorithms required to do it have been invented, so in a sense technical problem and has already been solved. Look up "end to end verifiable voting". Turns out that Ken Thompson's "reflections on trust" don't apply to these systems: you can run them on utterly untrusted hardware. They use cryptography or course, and like a lot of cryptography (eg, zero knowledge proofs) it first looks magic, but when you take the time to understand it it's just very clever.
Which leads you to the first difficulty: we are talking something more more complex than public key encryption. It adds steps and costs. Inventing a user interface usable by ordinary voters that masks the underlying complexity is major challenge involving the both a lot of new software and new hardware. Still, it has been done. https://arxiv.org/abs/1504.07098
Which leads to the next difficulty. It's not at all obvious to the layman how those extra steps and costs these systems require solve the problem. In fact unless you have an analytical engineering type mind, understanding it may well be beyond you. Which is a problem, at least in Australia, because the people who run the electoral systems are bureaucrats who expertise lies in building a system out of 1000's of unreliable newbies in an unfamiliar role that somehow reliably and incorruptibly counts and collates votes to deliver a timely poll outcome. When you reflect on it, it's an amazing feat of human engineering. These people seem to be acutely aware of sorts of ways humans can go wrong and working around it. Unfortunately they are bloody hopeless at understanding how computer systems go wrong.
It worth reflecting on the difference. Human voting systems are most vulnerable to what computer people call "retail failures". Retail failure occur at or near the ballot box - people voting twice, ballot box stuffing, boxes going missing. It requires many small interventions involving many people. Once the boxes get to the counting room there are so many people watching the process fraud becomes much less likely. Computers remove that central oversight - the thing that does the counting becomes an opaque box. Failures at the back end are called a "wholesale failures" to use the voting lingo. If you aren't very careful, a wholesale failure can mean a single person (a programmer) changes a couple of lines of code to in a way that Ken Thompson's reflects of trust tells us can be undetectable, to alter the outcome of an election. Wholesale failures look completely different to retail failures, but can be even more damaging that rampant ballot box stuffing.
The voting systems developed in Australia weren't a technical failure. They were used in real elections, and did work. But they failed nonetheless because in the end they weren't deployed beyond a few test runs. The reason they weren't deployed is the people who ran the elections where given two choices - one by a commercials companies and the one I've described which was developed by cryptographers and engineers in conjunction which disability groups. The first was very pretty, had a slick UI, and came with ironclad commercial guarantees about their robustness from the suppler. The second was more complex, cost more, wasn't so pretty, and came with a through cryptanalysis done by experts which spelt out all the failure modes and their likelihood. If you are a bureaucrat used to working with people is used to making reliable systems by accumulating interlocking promises from said people and utterly unfamiliar with making systems reliable with mathematical proofs - which would you choose?
So they chose the commercial system for mass deployment (I think there were all from US suppliers), and of course in doing so utterly pissed off the very clever academics and engineers who built the home grown system. They were so pissed off that they broke the commercial system on the first night with a wholesale attack - not literally, but demonstrated how they could have hacked it to obtain any outcome they wanted, without the bureaucrats in charge knowing. https://theconversation.com/thousands-of-nsw-election-online... The bureaucrats responded to this activism by labelling it "great marketing" and threatening to prosecute the academics and engineers who proved the commercial system was insecure.
In India, its actually very hard and time consuming to accurately count around a billion paper votes. Paper votes kind of do not scale. Also India used to face a lot of incidences of booth capturing[1] which came to a stop after EVMs.
Of course paper scales. Because if you have more people then you have more people to count the votes. In the UK every vote count happens with observers from the local area, in a semi-public manner.
The process is very simple, and hard to manipulate, because the observers (from all sides) ensure it.
And the best part of a process like that is how inclusive it is.
Anyone can help verify. Your 90 year old grandmother that doesn't speak much english can count along just the same as that 19 year old comp-sci student.
With an electronic voting system you cut the people capable of verifying votes down to the thousands, and in many cases significantly less than even that due to the code being closed source.
The point of xem mentioning booth capturing is that it is the practice of the "observers" from one side forcibly ejecting the observers from the other sides and then proceeding to rig the ballot.
And in that case you need to have police involved.
And if your response there is that the police will help one side against the other then your problem is massive corruption, and no technological solution will fix your voting problems (other than members of the public having the ability to record it and then make it public).
No, in that case the ECI introduced voting machines, and the rate of booth capturing reportedly went down. EVMs foiled some of the things that the booth capturers had in their favour with paper systems: the ability to stuff ballots at high speed with an organized gang of people (EVMs only allow a maximum of 1 vote every 12 seconds.) the ability to stuff a large number of ballots (EVMs have a cap on the number of ballots that a machine can store.). EVMs also had a panic button which could be used to shut them down in the event of an attempted booth capture. What they lacked was an auditable paper trail, and they have been surrounded by claims of hackability countered by counterclaims of intellectual property theft.
Their first use was in 1982. You have over 35 years of Indian history and debate over these matters to catch up on in order to make an informed response to what z3phyr said.
The process of Booth Capturing happened during the ballot, not the counting. It was actually a very serious problem of rigging which vanished after the introduction of EVMs
Before the introduction of EVMs, there was a massive problem of "Illegal Votes" due to illiteracy (for most part). That vanished to because pressing buttons is absolute and intuitive.
I get where you are coming from though. Ideally, civilized behavior and rule of law should reign supreme, but a populace cannot be educated and society reformed with a single button. And we cannot forsake democracy "until the rule of law reigns us". We must find the middle ground
There were impeding cases of rigging with paper ballots anyway and people did not trust the people who counted during the paper ballot time. Everything's the same. Now people do not trust the machines.
> That vanished to because pressing buttons is absolute and intuitive.
Are you really implying that pushing a voting machine button is more intuitive and "absolute" than using a pencil to mark a box on a piece of paper?
Have you seen these voting machines? The ones I've used before in PA were wildly complicated, and while I was there waiting to vote 2 different people had to call someone in to help them vote correctly.
>people did not trust the people who counted during the paper ballot time
The beauty of a well run paper ballot system, is that if you don't trust the counters, you can go count along with them. If you don't trust someone to not tamper with the box, you can go watch it all day. If you think the "other team" is trying to pull one over on you, you can get all of your friends to go down and watch the box all day, and count along. It doesn't matter their age, their primary language, their knowledge or the amount of schooling they went to, everyone capable of voting is capable of verifying those votes.
I personally am not arguing that it's impossible to rig a paper ballot system, just that it's significantly more costly (to the point that it would probably be easier to just run for the position legally if you are going to sink that much money into it), and it's magnitudes harder to get away with.
Let's look at florida, a state with a population of about 20 million. In 2016 9.4 million votes were cast. Let's look at one county, st. johns county. There were 136,000 votes cast in that county across about 46 precincts. So let's assume even distribution and say about 3000 votes cast per precinct.
In order to sway the election in one county, in one state, in one election, you would need to pay off or threaten around 46 people, probably a lot more. And you'd have to make sure that not one of them makes a mistake or "comes clean", and that nobody in any of the precincts you are trying to rig will sit around and decide to watch the process and blow the whistle at the first sign of something shady. And even if you were able to sway that county, you have another 66 in florida alone, and another 3000 or so across the rest of the country.
Now I know a "smart" way to rig would only touch "swing states", and would be smart with where they spend their money and time on to maximize the impact, but you are still talking about thousands of people all across the country.
If there were impending cases of rigging, they were found because it's monumentally difficult to cover up something on that scale.
It's a fairly safe assumption that a person from India, where EVMs have been in widespread use since the late 1990s, with the first fully-EVM general election almost a decade and a half ago in 2004, has seen an electronic voting machine. (-:
Ironically, the argument that you make about how hard it is to rig a paper election is exactly the same as the argument that the supporters of EVMs and the ECI make about how hard it is to rig the EVM system. It claims that there are roughly 1.5 million machines that one would have to tamper with, randomly assigned to voting stations (which one would have to predict ahead of time), and monitored by canditates' electoral agents and the police all of whom you would have to threaten/bribe. You're both making the same argument.
Ironically enough, voting software being accurate will arguably save more people's lives than space shuttle software being accurate, it's just less visceral and immediate so people care less.
Blockchain only solves one part of the problem.
All end devices are not secure. My mother keeps clicking on funny ads and single hardware components may be compromised.
No technology (aerospace engineering, building engineering, voting machines) is 100% resilient as long as there is an entity with tools, money, and knowledge to bring it down. I guess the comparison holds here because voting machines can be approached by said entity in a remote fashion, unlike an aircraft or an elevator.
That is true, but the XKCD cartoon is pointing out that there is a fundamental difference here.
In aerospace or elevators, the experts say that what we have is really quite safe, although a determined adversary could potentially cause harm.
In voting machines, the experts say that what we have is fundamentally UNSAFE, and that a half-hearted effort from a bright college student could bring it to its knees.
That difference should DEEPLY concern the people who run elections.
A half-hearted effort from a bright college student can also bring an airplane or elevator to its knees. The security standard for voting machine software is higher; airplane engineers get to inflict TSA checks on their users.
In software we often ask ourselves about dedicated attackers with no other goal than to cause harm, and often try to make our products defended against that. This is because the cost to achieving this is largely limited to doing more engineering work. In physical products, people do not try to protect their work from hypothetical hammer-armed attackers with no other goal than to cause harm. Protection there is more expensive so its not worth it.
Agreed, but even if we got voting machines to the level of resiliency of aircraft engineering, the effort of a determined adversary would still carry enormous consequences.
Perhaps the most important political message I have seen on XKCD. Related Computerphile episode: https://www.youtube.com/watch?v=w3_0x6oaDmI
I guess that some computer-powered elections are coming in the US, EU ?
It's pretty incredible that the state government is going to send retirees a notice that tells them to install the "voatz" app on their phone. Might as well call it xXxl33t v0+exXx. It doesn't look like an official government anything.
If people repeat a lie enough it becomes the truth. That's the goal when misinformation like this is spread. Even better when ignorant people with only secondhand knowledge begin to spread the message.
Voat had existed for just over a year before the mass subreddit ban on Reddit. The timeline is easy to look up on their Wikipedia page [0]. It was already a trollfest 4chan-like-community version of Reddit before the users of banned subs joined.
- Founded as WhoaVerse in April 2014
- Subreddits banned June 2015
With that domain, I thought it was your half-assed attempted at a joke, or maybe something you found on 4chan. Then I clicked the first link.
There is no way in hell I'm trusting my enfranchisement to an application called "voatz" (or an application, period. But especially not...). Bonus points for the fact that they've got that blockchain bullet point covered: https://blockview.voatz.com/
The most important one (in my opinion) is the problem that the companies that sell voting machines aren't making enough money and their profits would be improved if enough county election boards were convinced (or required, though state or national legislation) to buy new systems.
Another very significant problem that electronic voting is attempting to address is that election officials are evaluated (to some extent) by the public based on what appears in the newspaper on just one or two days per year -- and THAT depends largely on how quickly results are reported. So a tool that takes 2 hours to report results will look much better for election officials than a tool that takes 48 hours, even if the second produces elections that are more trustworthy and there are 2-3 months before the new candidates actually need to take office.
Another problem is that existing methods using paper look "old-fashioned". A fancy system that takes video images of the voter's face to identify them and then allows them to vote from overseas using a cell phone may not be as reliable or secure as mailing in a paper ballot, but it sure FEELS modern.
I guess my point is that there are definitely reasons these machines are being used, but "improved security" or "transparence and thus confidence in the reported results" are not the motivating forces.
" A fancy system that takes video images of the voter's face to identify them and then allows them to vote from overseas using a cell phone may not be as reliable or secure as mailing in a paper ballot"
Sure about it?
I mean I don't know if there are additional measures with mail voting, but opening a mail seems quite trivial to me.
Just have someone in the mail working for you, to lookout for those letters.
The 2000 presidential election was a big driver. No one wanted to spend November of an election year hearing about "chads" ever again, so the Help America Vote Act was passed. Among other things it provided federal funding for states to replace problematic punch-card voting machines. Electronic voting, in theory, could be easier to use than a paper ballot and can automatically check that the ballot is filled out correctly (e.g. not voting for multiple candidates for a single office). And of course there were companies lining up to help states spend those federal dollars on overpriced touchscreen PCs running Windows XP.
Where I live, the paper ballots are collected, moved and counted by volunteers (in big open halls and other public spaces where anyone can go along and watch). So I guess cost doesn't have to be an issue.
Voter turnout: People prefer screens to paper or something? Sounds odd that voter turnout would be affected by the exact method of voting.
Maybe we've been looking at the wrong cost. As you suggest, voting machines wouldn't make it cheaper to count the votes. They would make it cheaper to hack the election!
"No matter how cynical I get, I just can't keep up." --Lily Tomlin
Why don't we start with voting machines that either produce or consume a paper ballot (with user confirmation that paper/electronic records match). Then have people count the paper ballots and compare their count to the computed electronic counts. The counts should match.
For the US, the Oregon/Washington/Colorado style vote by mail ballot seems best. There is no need for anyone to stand in a line to vote and a human count of the paper ballot is possible if necessary. The computers involved are not in direct contact with the general public.
The way I understand, most of the inefficiencies in paper-based voting are actually features, that make the process a) verifiable and trustworthy to anyone with most basic education, and b) prohibitively expensive to attack at scale. All voting machines seem to do is to reduce either of those. I obviously cannot prove it, but I strongly suspect that the paper implementation is overall cheaper than any alternative electronic implementation comparable in trustworthiness and security guarantees.
Maybe when we'll have a colony in the Alpha Centauri system, then we can revisit electronic voting. Right now, there's no need for it.
Exactly, you want to hack a voting machine? a few key lines of code, deployed at the right time, or a shipping container full of bad hardware, and you have it. You want to disenfranchise a specific set of voters? Oh sorry some thug broke in and smashed up the voting machines last night... Suddenly voter turnout for that area is 10% of what it would have been because they had to ship in 1 machine from another location rather than the 10 they should have had.
You want to change 1% of paper votes? That means you need to buy enough materials to even create those fake votes, you need to pay off enough people to cast them, you need to spread them out geographically, you need to ensure no random person decides to sit and watch the ballot box all day, you need to ensure that not a single one of these people ever talk, etc...
Paper ballots can be cast on anything, run out of paper? Go to the corner store and buy more. Not enough pencils because of extreme turnout? Same thing. No worries about cryptographic proof, you can personally watch your ballot go into the box, and then sit there until they are counted and not let the thing out of your sight.
It's expensive because it makes breaking it that much more expensive. The manpower, the money, the time, and the chances to get caught all make paper voting extremely reliable, and it's something we as society have had a LONG time to refine and get right.
Unless I'm misunderstanding your post, the concept of a "voting receipt" would enable vote buying. The inability to prove how you voted after the fact is a deliberate feature of voting systems.
How can you verify your vote was counted correctly without a receipt?
Vote buying is an issue without receipts. See tax cuts for the high income earners (right), welface increases (left), etc. If someone pays you $200 to vote for them, is that substantially different from a $200 tax cut or benefit increase?
Citation? Or at least the locale you have in mind? Voter turnout in the US is usually far less than 50%. The 2018 California primary had an uptick to 38%. [1]
I was talking with a friend about this. The key is verification, and paper is a cheap form of verification. That said, if we are to have voting machines, I believe they simultaneously need to be developed by the government and have open source code so that it is independently verifiable and we have a way to check that the binary build is exactly what it says it is.
Fundamentally, voting is a hard problem that looks like an easy problem precisely because the incentives to break it are so high.
Even if a hypothetical voting machine was open source, and developed by an independent 3rd party, it's still not enough IMO.
How many people in the country can correctly audit complicated cryptographic protocols? How many can fully audit a codebase like this? And how many of those do you think would instantly shut up if threatened with a lifetime of jail or death?
Have you ever seen the underhanded C contest? It's nearly impossible for seasoned developers to find the problems with some of those, in a contest where they KNOW for a fact that there is an exploit, and even sometimes what that exploit is trying to achieve.
I can make a complete guess at the number of people capable of auditing this in the US being less than 1000, and the number of people in that position willing to sacrifice everything to tell the world about their discoveries being basically zero.
But let's even ignore that, let's say that there are tens of thousands of capable engineers chomping at the bit to review this. How do you prove that code is what is running on your voting machine? How do you know the hardware is secure? If you come up with steps to fullproof verify, how many people will check it? How many people will be capable of checking their cryptographic proof (if the scheme has one).
This is voting, 1-2% can make all the difference, and if a bad actor can modify 1-2% in some key areas, they can swing the whole election.
Stick with paper checkmarks thrown into a ballot box, written on with pencils. Then every single person that is able to count can help "verify", they can guard that box all election day if they want, 1 or 100's of people can all do it, old, young, english speaking or otherwise.
We have a nearly perfect system right now, but nobody wants to use it, and I can't for the life of me see why.
I agree with you, and think a paper trail is vital. However, we currently have machines that count those checkboxes/scantrons, and I'd like to put that same standard to those counting machines.
And I think we should get rid of those counting machines as well.
Humans are perfectly capable of counting, and they don't mistake a half-filled bubble for "no vote", and aren't susceptible to changing 1% of votes at random or at the final tally. And it's not nearly as possible to trick or force hundreds or thousands of humans to help rig an election, compared to a handful of people at the final assembly line of that counting machine factory.
You don't think humans can't or won't misread votes, especially as a mistake? You have to have two people (one D, one R) both looking at each one at that point.
I think a human can and will misread votes, but 2 humans? 5 humans? 20 humans?
The more contentious the voting is, the more people can gather around and count along. And there isn't really a limit to how many can be a part of it, if it grows to be too large, additional work can be done to accommodate the extra people. Counting will take longer, but it will be that much more secure.
Hell, go ahead and throw a counting machine on there as well, but don't rely on it, and don't have it be the single source of truth, or only use humans in case of a "recount" or something.
Verifiable proofs of voting is not hard. It is anonymous verifiable proofs that are hard.
In the past various forms of "vote for X or I will shoot" have happened. By having anonymous votes we ensure that everybody can say "I voted for X", and nobody will know they voted for Y.
The field of programming simply isn't mature enough to reliably manage an election with millions of participants, especially when we have ancient traditions of vote counting that work well enough right now. Look at how fast the people at DefCon rooted a voting machine!
https://www.usatoday.com/story/tech/2017/07/30/hackers-defco...
Think about the development of heavier-than-air flight. It was a thing for 50 years or so before commercial flights became common, and they had the collective world's genius spurred on by 2 World Wars to advance the field.
Entrusting something as critical and nigh-sacred as our elections to such a provably immature and insecure as modern voting machines, and there's little impulse to remedy the situation right now.
> Is he unaware that planes have millions of lines of code?
He's an ex-NASA engineer, so he's perfectly aware of that.
> Writing robust software is possible, but nobody wants to pay for it when it isn't safety-critical.
That's the core reason why the field of software engineering is bad at what it does, while aviation isn't. Somehow, aviation can get people to pay for doing the job right, while software cannot.
"bad at what it does" can't be inferred from the fact that a lot of software is buggy. People want buggy cheap software.
If there were a market for unreliable cheap planes I'm sure the aviation market would provide.
You can get crap cheap microphones, and nice expensive ones but we don't claim that microphone designers are "bad at what they do" because the cheap ones they make sound bad.
I had hoped "software engineer" would have meant more of a focus on making systems reliable, vs "software developer," but in my experience it's only a trendy job title preference.
In Canada you can't call yourself an engineer unless you're an actual engineer. While I don't know if it helps actual software quality, it can't hurt that there's been at least some rigor applied. When the title is totally users choice and interchangeable with software developer/programmer/code monkey/Mr. Pill the Wonderful Computer Magician, it doesn't mean anything.
Though now I am wondering if there have been studies correlating work performance and title. My initial thought is there is no correlation, considering all the technical support analysts running around.
Moreover, designing to not crash is a task requiring understanding of the laws of physics, which is something that STEM education is good at providing. Meanwhile, protecting against hacking requires large doses of empathy, which is something that the profession seems to weed out. I would trust engineers to design against physics long before I'd trust them to even design an interface for a non-technical user. The laws of physics don't try to adapt to your security measures.
To be completely fair, the problem is likely not the voting machines themselves. The problem, at a fundamental level, is that most democracies are deeply corrupted. Some from within. Some from with-out. Some corrupted from with-in and from with-out. (Most probably fall into the latter category if we're being honest.)
The voting machines simply represent another tool in the box of the corrupt. Like money, or judges and politicians, or social media. Is it a good idea to refrain from using voting machines? Probably. But realize that you've only eliminated a single attack vector for corrupting an electoral process. There are many, many, many more. And they are probably a lot easier and more effective than breaking into a voting machine.
A few for instances:
The entire nation has been thoroughly Gerrymandered. This is a fairly effective method of corrupting elections and it is a fact of life for us here in the US.
Professional manipulation campaigns. Yeah, I don't think I need to tell anyone how effective these are. Basically, any comment on the internet that is remotely political ought to be discounted, as it should be assumed to be part of a professional manipulation campaign. Including this and every other comment on this thread to be perfectly frank.
Another example. In North Carolina, they simply deleted all the black people from the voter registration database during the last election. Fast. Simple. Effective. And WAY easier than hacking into Heaven only knows how many different voting machines to tamper with the numbers.
My only point is that, yes, voting machines are corruptible. Anyone who says they aren't is being willfully dishonest. (And probably trying to screw you.) That said, there are so many other methods of corrupting a modern election that I'm not at all sure that breaking into the voting machines would be option number one for all those political types out there.
So, yes, by all means, stay away from voting machines. It probably makes sense for you to agitate for their removal in your municipality.
But realize there are many, many other threat vectors out there that you should probably be more worried about.
I live in a country with compulsory voting and paper ballots and we have proportional voting in one house and we still manage to get a concession speech within a few hours typically. If it ain't broken... I don't see what is gained from taking human observers out of the loop and hiding everything under the skirts of a computer system with a sign saying "trust us".