
Can Our Ballots Be Both Secret and Secure? - ryandvm
https://www.newyorker.com/news/the-future-of-democracy/can-our-ballots-be-both-secret-and-secure
======
blhack
The inefficiency of in person paper voting is a feature.

It means that large scale fraud is extremely difficult due to the labor
required. This is a good thing. Hundreds of thousands of dispersed voting
locations means that to pull off a “hack” you’d need to hack thousands or
perhaps 10s of thousands of locations all with their own details.

In a digital voting system, you’d need perhaps to find a flaw in 1 system. The
centralized one.

I don’t want digital voting. I want anonymous, and inefficient in person
voting where the issues are small and localized.

~~~
mabbo
But this same lack of efficiency allows governments to make it harder _to_
vote. Eliminate voting locations in regions where those who vote against your
party are more likely. Move voting to days that the less-powerful can't take
off from their jobs. Paper votes "go missing" because there's reason to
believe the box of them contained too many that those in power didn't like.

Making voting _hard_ makes the system ripe for abuse, and that's exactly what
we see happen all the time.

What we need is a system that is efficient _and safe_. There are cryptographic
voting systems in which the government publishes the entire result; everyone
can see that their own vote (only) was counted appropriately; anyone can see
that the overall vote was fairly counted; empowered auditors can randomly
audit to ensure all votes are real. _That_ is far superior to the existing,
corruptible system.

Edit: adding some conditions on the crypto voting systems.

~~~
bpfrh
Why is voting with paper hard?

Voting happens on a day where nearly nobody has to work.

People who can't leave their home, or are not home on the day you can vote,
can still vote, they just request a mail-in vote card.

~~~
dinosaurdynasty
Where do you live? Voting isn't generally a holiday in the United States and
is often on a weekday.

~~~
mmm_grayons
Early voting is available over the weekends in many places. A weird amount of
people don't realize it's a thing and believe they have to go on election day.

------
henrikschroder
> Since 2018, as part of a program called Defending Democracy, Benaloh has
> been working on voting software that attempts to solve the problem of trust
> in secret-ballot elections.

No. Stop. Listen, it's possible to write secure voting software that a domain-
expert software engineer understands, and a general software engineer can
understand. That's not the problem.

But for voting, that is not enough. The entire voting system has to be easily
understandable by everyone in society, in order for society to trust the
system.

Where I'm from, all voting is done with papers and envelopes and urns and
seals, and with people having eyes on the process at all times. And the most
important thing to realize is that this process is infinitely parallelizable,
so getting election-night preliminary results isn't hard, even though every
single vote is manually counted. You just need enough people to count the
votes.

~~~
imustbeevil
No one gets that day off, and voting closes before the line outside is gone.

It is _disturbing_ how much voter disenfranchisement is allowed in this
system.

~~~
Fjolsvith
Every workplace I've been at allowed you to leave briefly to go cast a vote.

Sounds like you worked for some really disenfranchising companies.

~~~
cortesoft
A majority of people don't have the luxury of choosing their employer.

~~~
Fjolsvith
Lincoln abolished slavery years ago.

------
jeffdavis
How are mail-in ballots protected from fraud? I keep hearing that fraud is not
a problem, but I'm wondering (a) how do we know there is little fraud; and (b)
what mechanisms make it safe from fraud?

~~~
jcrawfordor
Mail-in ballots are linked to a voter permit (outer envelope) which serves the
purpose of maintaining the pollbook, that is, ensuring that each voter casts
only one vote. This prevents ballot stuffing.

Mail-in ballots are sealed in a tamper evident fashion inside of the permit,
to prevent modification. Because opening the envelope would probably damage
it, a duplicate envelope (forged permit) would need to be produced to modify
the ballot. In most cases a duplicate ballot would also be needed, which
presents its own obstacle, although ballots are not generally intended to be
protected against forgery.

The postal service is backed by a particularly strong set of criminal laws
which generally make it a felony to interfere with the mail. This is of course on
top of laws protecting the voting system from tampering.

The outer envelope (permit) is a sworn statement and signing for someone
else's ballot would be perjury, a felony, in addition to other laws around
voting that likely exist in the state.

None of these measures are perfect, but combined they make vote-by-mail fraud
difficult to achieve on a meaningful scale. Remember that, to be effective,
voter fraud needs to be successfully committed not once, but many times. The
difficulty of each case and general history of harsh prosecution of small-time
fraud creates a significant disincentive to try.

~~~
coldcode
Sadly this only works if you have a Post Office, which we in the US may not
have in November.

------
Mindless2112
Ballots don't need to be secret, they just need to be anonymous. If you get
rid of the secret constraint, it becomes fairly easy to produce a trustworthy
voting system:

1. Immediately before identifying at the polling location, each voter takes a
nondescript strip of paper out of a large container of numerous strips of
paper, each with a unique identifier printed on it. (No one but the voter
knows which identifier they took. No one can force a specific identifier.)

2. The voter fills in the identifier on a Scantron-style paper ballot.
(Easily digitized, with a paper trail.) The ballot box scans the unique
identifier and spits back out any ballot with an identifier that wasn't
generated for that polling location. (Ensuring no one can force a specific
identifier.)

3. A list containing the entirety of every ballot is published publicly,
including the unique identifier. (The voter can look up their ballot later. It
becomes difficult to coerce a voter because they can say any one of the
published ballots is theirs.)

4. A list of names of people who voted is published publicly. (Registered
voters who didn't vote can check if a ballot was cast in their name. This is
already done in many places.)

You can also have mail-in ballots with user-generated statistically-unique
identifiers (requiring only several rolls of a die, so anyone can do it at
home), but you can't prevent voter coercion that way.

~~~
amalcon
> _The voter fills in the identifier on a Scantron-style paper ballot._

The voter will mess this up a disturbing fraction of the time. It will be
rejected. The voter will try again, possibly have it rejected again, give up,
and go on Twitter to complain about the new system.

Also, I can go to vote, surreptitiously take two strips of paper, use one,
pocket the other. I coerce my spouse into using that one, and pocket the one
they took.

> _It becomes difficult to coerce a voter because they can say any one of the
> published ballots is theirs._

Maybe for simple ballots. A question including e.g. a ranking of ten
candidates has about 3.6 million possible configurations -- more if undervotes
or other ties are permitted. The voter can be coerced to fill this out in a
specific way to self-identify, and then vote in a prescribed way on another
question.

edit: Of course, _this_ vulnerability already exists: the voter could be given
that same instruction. An observer of the ballot counting process can tell if
the correct ballot was cast.

~~~
Mindless2112
Good points, though they're rather at odds. If you assume voters will mess up
their ballots that frequently then the voter being coerced can just find a
ballot that's close to what they were coerced to do and say they messed up the
rest.

No way to prevent surreptitiously taking more than one strip of paper comes to
mind. Someone should be observing the voters take the strips of paper to
ensure only one is taken, but that doesn't prevent sleight of hand. But if
there are mail-in ballots, you've already basically given up on voter coercion
anyway.

------
spaetzleesser
Like with a lot of political things in the US I strongly believe that none of
the decision makers really want to have a system that works impartially. They
just want to have an advantage for their side because it’s about “winning” at
any cost no matter how destructive it is for the country.

Otherwise I can’t explain the problems this supposedly developed country has.
I am from Germany and have never heard anybody having doubts about the
integrity of the system there. If the US wanted to have a system that works
they could look around and see how other countries do it. But it seems they
don’t want to have such a system.

------
spenrose
"VotingWorks is a non-partisan non-profit building a secure, affordable, and
simple voting system. Our vote-by-mail solution lets you scale vote-by-mail
quickly and affordably. Our risk-limiting audit software ensures votes cast on
any paper-based system are correctly tabulated. Our voting machine creates
paper ballots that voters can directly verify. Our source code is available on
GitHub. You can help by making a tax-deductible donation, joining our team, or
reaching out."

[https://voting.works](https://voting.works)

------
neverartful
As others have pointed out, digital voting systems can be hacked, exploited,
or otherwise derailed from a centralized location. They also can contain subtle
software errors.

Paper ballots can have problems like we saw in Florida (hanging chads).

When I was growing up, we had big mechanical voting machines. I have no idea
how common (or uncommon) these were in different parts of the country. The
machine opens up and has a set of retractable curtains. You walk through the
open curtains and then pull a big lever that closes the curtains behind you.
Then you vote by flipping mechanical switches for the candidate (or yes/no for
policy ballot). When you're done voting, you reverse the big lever. This
action increments the machine counters based on your votes and opens the
curtains for you to exit. Once the polls close, the polling folks simply sum
up the counters across all the machines in the polling station.

The downside is that the machines are big and heavy to store and move. I'm
sure they're not cheap for the initial purchase. However, they're efficient
for tallying yet very difficult to hack. In my opinion, they're the best
overall voting mechanism.

~~~
specialist
Agree with all.

> _"digital voting systems can be hacked, exploited, or otherwise..."_

Paper mediated systems have visible failure modes. Missing ballots. Spoiled
ballots. Etc.

Black box voting systems fail silently.

------
alex_young
Why can't PKI be used?

If I sign a vote with my private key, and my public key is used exactly once,
and is registered with the electoral body, and a list is printed of signed
votes by candidate, I can validate that my key was used to sign a vote for the
person / issue I voted for, and we can also know that everyone only voted
once.

Key distribution could be based on the current registration system we have in
place now, and you could use the key they send you to change your key pair so
the state can't forge your vote. One could even automate this, even with an
open source app we could all inspect.

It seems conceptually simple.

~~~
Mindless2112
1. Whoever issued you the key pair can know which vote is yours.

2. Someone can coerce you to vote a specific way by forcing you to provide
them with your private key.

~~~
alex_young
1. Can’t the state already know who voted for what right now? That seems like
a nonissue.

2. Someone can also force you to give them your mail in ballot. How is this
different?

~~~
RcouF1uZ4gsC
> Can’t the state already know who voted for what right now? That seems like a
> nonissue.

No. That is one of the most fundamental features of our system. In the secrecy
of the voting booth, you can make your voice heard with no consequences to
you.

~~~
techntoke
And they can flip the vote as soon as you leave the polling booth, or not even
record it, and you'll never know. Just "trust the system"

~~~
RcouF1uZ4gsC
You can actually put the ballot in the box. You or someone you trust can stay
as an observer until the voting is done. You or someone you trust can watch as
the ballots are removed from the voting box and counted.

I think it has been recommended before, if you want to see this, sign up to be
a poll observer. You will get to see the whole process.

~~~
techntoke
[https://www.heritage.org/voterfraud](https://www.heritage.org/voterfraud)

Thousands of issues of voter fraud, and these are only the instances where
they got caught. Polling officials are usually the ones that are responsible
for mass voter manipulation, just look at what happened in Iowa and Georgia.

Poll watchers are appointed by political parties. It is not something anyone
can sign up for and get to do. Monitors also do not directly prevent electoral
fraud.

~~~
anoncake
> It is not something anyone can sign up for and get to do.

Looks like you've found the problem. Of course you don't get the benefits of a
public election if the election isn't public.

~~~
techntoke
Yet I'm being downvoted for pointing it out

~~~
anoncake
The joy of discussing local to statewide policies on an international forum.

------
joveian
The Oregon vote by mail system lets you get a notification when your ballot is
received by the counting center. I'm not sure exactly how it works but the
counting might be observable from that point.

~~~
Fjolsvith
I bet it also tells you when the mail ballot someone swapped for yours was
received.

~~~
Kednicma
Oregonian here! My signature is on file with the state, and both an OCR system
and a human look at my signature on the ballot to make sure it matches.
Additionally, my ballot has a barcode on it and a security weave, so that a
"counterfeit" ballot and envelope would have to have come from inside the
ballot-production system; loss-prevention techniques can be used to track down
any stolen envelopes. Finally, the attack would have to come from inside the
postal system as well, because only post officers and voting officials touch
my ballot. In my specific case, I can even drop my ballot directly at a ballot
box and not have to post it.

If you have any evidence of widespread voting fraud in Oregon, please show it.
Otherwise, no, we're not interested in your attempts to denigrate a convenient
and reliable voting system; it reeks of antidemocratic sentiment and I don't
see why we should tolerate it.

~~~
Fjolsvith
Lots of incidents to prevent me from feeling trusting enough, regardless of
your accusing insult:

[https://www.ktuu.com/content/news/Stolen-Vote-by-Mail-ballot-packages-found-damaged-and-wet-in-the-snow-477165303.html](https://www.ktuu.com/content/news/Stolen-Vote-by-Mail-ballot-packages-found-damaged-and-wet-in-the-snow-477165303.html)

[https://urbanmilwaukee.com/2020/04/08/city-calls-for-usps-investigation-into-missing-ballots/](https://urbanmilwaukee.com/2020/04/08/city-calls-for-usps-investigation-into-missing-ballots/)

"Even in Oregon, where VBM processes and integration with the postal service
are well-tuned, over 1,000 ballots were lost in a January 2010 election." -
[http://iiisci.org/Journal/CV$/sci/pdfs/HPA468KX.pdf](http://iiisci.org/Journal/CV$/sci/pdfs/HPA468KX.pdf)

~~~
Kednicma
Your first two links are for Alaska and Wisconsin. I'll agree that the latter
is clearly not experiencing fair voting; their legislators need to step up and
be better. The third, the survey, is quite interesting. It shows two problems:
First, people are filling out other household members' ballots; and second,
ballots get lost in the post, usually on the way out to voters.

There's nothing that can be done about that first problem. Being pressured to
vote in a certain way is as old as voting, as are laws against pressuring
others. The survey claims about 5% of voters are so pressured in Oregon, which
is a dreadful but realistic number. Worse, though, it says that about 2.5% of
ballot signatures are forged. We could do better at detecting forged
signatures, but since stylometry is already such an imprecise art, it's
probably not great to rely further on signatures. Ultimately, though, forcing
people to the polls doesn't solve this problem at all; it just hides the
problem behind layers of people telling each other behind closed doors to vote
in certain ways.

Edit: Oh, right, and this survey's source doesn't work. They link to KVAL, a
real news station in Eugene, but their link is dead and has never been seen by
the Internet Archive. I have no problem believing that humans are so horrible
to each other that the rate of voter intimidation is over 5%, but hard data
would be nice.

That second problem, though, where ballots are lost on the way to and from
voters? That's easy to fix. Just have a notification system that tells voters
when their ballot has been posted. And that brings us back to the top of the
thread; in Oregon, one can sign up to get text notifications about ballots.
Checking my phone, I have notifications going back to 2016, in pairs; the
first message is along the lines of:

> This is Multnomah County Elections, your ballot for the Month Year General
> Election has been sent, look for it soon in your mailbox!

And the second is like:

> This is Multnomah County Elections, your ballot for the Month Year General
> Election has been accepted and will be counted.

If I don't receive my ballot within a few days after that first text, or I
don't receive that second text within a few weeks of voting, then I know that
something is wrong and I can go to the elections office to try again. This
hasn't ever happened to me personally. Note that, because voting by mail takes
place over several weeks, there is time to remediate missing ballots!

I hope this was enlightening. And if you don't trust this system, then you can
always go to pick up and hand-deliver your ballots or go to a poll. But on the
whole, I'd just as much rather that you didn't vote in Oregon at all; if you
don't live here, then politely leave us alone and let us vote in our preferred
style.

~~~
Fjolsvith
> if you don't live here, then politely leave us alone and let us vote in our
> preferred style.

I don't live there. However, since the Oregon VBM topic was brought up in an
international forum, I assumed (incorrectly by your standard) that it was open
for discussion.

~~~
Kednicma
If you want discussion, then discuss things. So far, all you've done is make a
couple snide remarks, one about how Oregonians must suffer so much voter
fraud, and one about how Oregonians must not be fairly represented if they're
not electing Republican governors; as well as throw some links into the mix
and wait for others to try to figure out what you meant.

You don't really seem interested in discussion, but in taking cheap shots at
cultural practices of which you neither understand nor approve.

~~~
Fjolsvith
At least I'm not taking cheap shots at people in the discussion.

Edit: And furthermore, you still haven't satisfactorily addressed the concerns
I expressed regarding VBM.

Which is a topic of national concern right now.

------
Shared404
I would write a comment, but this sums it up.

[https://xkcd.com/2030/](https://xkcd.com/2030/)

~~~
pbasista
I agree that designing an objectively reliable online voting system is very
difficult. But at the same time I think that in principle it can be done.
However, in my opinion the current unavailability of such a reliable system is
not the largest issue with online voting.

Instead, it is its potential for giving the people with power more ability to
control and enforce the voting behavior of the people over which they have
some kind of influence.

For example, a boss can offer a bonus to employees who would verifiably (e.g.
under supervision) cast an online vote according to the "company's
recommendation". Or a landlord can say that the rent will be raised next month
unless the tenant votes under the landlord's supervision and according to the
landlord's preferences.

Such practices probably exist today as well. But the difference is that in the
physical voting system, even the people who are being pressured to vote in a
certain way are in the end required to be alone and behind a privacy screen
while casting their vote. So, even if they have been forced to promise to vote
in a certain way, they eventually have the freedom to vote as they like
without having to fear that their actual voting behavior will be revealed.

That freedom originates from the requirement to cast a vote in private.
Availability of online voting removes such a requirement.

~~~
orthoxerox
Then the system should be designed to let you avoid such demands:

- you vote once under supervision and another time later in private. Only
your last vote counts

- you are given multiple private keys and only one of them is real. If you
vote using any other one, the system behaves as if your vote was recorded, but
actually doesn't count it

~~~
pbasista
Yes, that would help in theory. But in practice it would only change the way
the people inducing the pressure would verify that the votes have in fact
been cast according to their preferences.

For instance, if voting multiple times is allowed and only the last vote
counts, they would require the people to vote during the last 10 minutes of
the polling period and afterwards they would withhold their ID card with the
signing capability from them until the polling is closed.

If there are multiple private keys to choose from, they would require people
to at first prove which one is usable for this particular election by checking
it with the issuing authority. The owner must have been given this information
in some verifiable form at some time, so the demand will simply extend to
include that information as well.

------
s_T_e_v_o
German physicist Werner Heisenberg's uncertainty principle states that the
more precisely the position of some particle is determined, the less precisely
its momentum can be predicted from initial conditions, and vice versa. (Edited
Definition from wiki)

I want to posit that secrecy and security have the same relationship as the
uncertainty principle ascribes to electrons.

------
Animats
That's awfully complicated, compared to systems with backup printers.

------
noja
Aren't they already? Or are we having this efficiency debate again?

