
Protecting democratic elections through secure, verifiable voting - zachguo
https://blogs.microsoft.com/on-the-issues/2019/05/06/protecting-democratic-elections-through-secure-verifiable-voting/
======
atoav
I shall repeat it like a mantra: voting being slow and inefficient is a side
effect of its transparency. You want a voting system where an average voting
helper can look at it and say: “There was nothing fishy there, I saw it”. This
is because it is about _trust_ and not only about secrecy and security.

Your electronic voting system can be mathematically perfect, but if nobody
average can say from the outside that everything is going by the rules and it
makes sense, then it is worthless.

This is why paper works so well: it takes not much skill to count it, it has
to have a physical place (harder to make it vanish) and everybody can have
their eyeballs glued to it, and if something fishy is going on, it is harder
to hide from the average voting helper.

Even I, as a programmer with some crypto knowledge, would never be able to fully
guarantee the integrity of a voting system, because who knows what software
version is running out there in the wild, and whom I have to trust on that
one.

Paper has no software version, and errors in the process can be (and are) caught
more easily.

Electronic voting is good for decisions where power is not involved, or where
the outcome doesn’t really matter. I’d rather improve what we have instead of
replacing it with a mathematically sound black box that everybody can, with
perfectly rational reasons, distrust when the vote went in the wrong
direction.

~~~
jonathanstrange
Electronic voting is the classical solution to a nonexistent problem.

Just so the results of voting can be displayed on TV a bit earlier, we are
supposed to accept substantial risks to democracy posed by blatantly insecure
endpoints, blatantly insecure company infrastructure, insecure network
communications and devices (routers, etc.), private companies that often have
a track record of insecure and sloppy programming, voting machines that have
been shown to be hackable easily (people from CCC and similar groups do that
routinely when they get hold of a machine), voting program code that has been
improperly audited and/or cannot be verified by the public, flawed patching
mechanisms, flawed and insecure operating systems of voting machines, and so
on and so forth. The list of flaws of electronic voting systems is nearly
endless, and, what's worse, there is no mathematical proof that the encryption
used in those systems cannot be broken. (There are lots of proofs in
cryptography, but almost all of them are based on very strong idealizing
assumptions. In the end, only OTPs are provably secure. We do not even have a
proof that P!=NP yet.)

~~~
reallydude
> Electronic voting is the classical solution to a nonexistent problem.

That is incorrect. Voting is a feedback loop for the will of the voters. The
slower the process is, the less representative it is. The fidelity of the loop
is paramount, but the issue remains.

EDIT: do the downvoters understand that there is setup involved in a paper
process and getting results is not the end of the feedback loop (not race)?
SMH

~~~
wongarsu
I don't think I understand what feedback loop we are talking about?

Everyone who wants to be on the ballot registers a few months in advance,
which is usually a short enough time. Since people are usually voted into a
job they have to do for 4-6 years you don't want hasty decisions anyways.

Getting poll results while the voting stations are open is usually not a
desired feature because of how it influences voters.

The delay for counting the votes measures in days, which is a tiny amount in a
feedback loop where one iteration takes 4-6 years. Other steps, like forming a
government, routinely take an order of magnitude more time in many nations.

~~~
AsyncAwait
> The delay for counting the votes measures in days, which is a tiny amount in
> a feedback loop where one iteration takes 4-6 years.

I think their argument is precisely that that's too slow of a time to reflect
what the voters want and that a faster turnaround time would allow referendums
and more of a direct democracy, even when it comes to minor issues, since
'representatives' often don't quite represent.

Such a system does need informed voters, otherwise it opens up to reactionary
activism, but that's a whole other debate.

------
couchand
For the most part, this seems like a pretty reasonable application of
homomorphic cryptography to act as an extra voting record. Like others here I
think it would need to be secondary to the paper voting record, and I worry
that would be hard to enforce forever.

But one line stands out as particularly troubling:

 _Our sample reference will showcase how people can make their selections at
home, where they can easily research their choices, then bring a QR code to
the polling place to scan and pre-populate their ballot._

On the one hand, I support the goal of making it easier for people to research
and select their choices. But the risk of enabling a "scan-to-vote" operation
is pretty clear: voters will be given their QR codes pre-populated by some
interested third party.

~~~
rando444
Yes, but there is no proof that the user actually used that QR to make their
vote. This diminishes the incentive to buy votes because there is no
verifiable proof of how someone voted.

I'm not saying it's a perfect solution, but it's more secure than mail-in
ballots, which are currently in use and popular in many locations.

~~~
AgentME
The issue isn't that someone can force you to vote a certain way or check that
you voted in some way. The issue is that someone can make it outrageously
convenient for you to make a whole set of uninformed votes.

Imagine you're very busy and haven't spent the time yet to figure out what to
vote for. Someone tells you that if you vote a certain way, it will be great
for a certain pet issue that you care about, and they give you (and many
others) a QR code. The QR code contains a vote for one candidate who cares
about the pet issue, but the rest of the votes in the QR code are all oriented
around a different issue that you don't know about, don't care about, or
actively care the other way about, but you don't notice and scan it and vote
it as-is.

Mail-in ballots don't have that issue.

------
codedokode
I don't understand how counting verification is achieved. Let's say that
election officials release a list of hashed votes, so that you can verify that
your vote has been counted and included in the results. But how can you check
that all other votes in the list are the votes from real people and not
arbitrarily added by a sysadmin to get the expected result?

Does anyone know how such things are implemented? I have read about e-voting
in Estonia, but there one has to trust the authorities and cannot
independently verify the results.

~~~
Mindless2112
Who voted is public record (depending on your state [1]), so the numbers
should add up.

[1] [https://www.nytimes.com/2018/11/04/us/politics/apps-public-voting-record.html](https://www.nytimes.com/2018/11/04/us/politics/apps-public-voting-record.html)

~~~
mehrdadn
If John Doe is listed as having voted, but is fake, how would you know he's
fake?

~~~
dagw
There are also lists of who lives in a county/state/country. If you suspect
foul play you can further look up if John Doe is a person that lives in the
'right' place. Of course this doesn't solve the case where John Doe is a real
person that is allowed to vote, but actually stayed home.

~~~
codedokode
With paper voting, an observer can manually count the number of people coming
to the polling station. With electronic voting, this becomes impossible,
because you either only see the final list or (sometimes) you see the hashes
of votes being cast in real time, but you don't know whether it is a real
person or just a sysadmin voting under the name of a random person.

So with electronic voting, it becomes necessary to verify lists of voters.

------
zorked
I don't think it's desirable to let individual voters verify that their votes
were counted. That means that the privacy of your vote can be compromised
under duress a long time after the election.

Paper and pen, such a beautiful straightforward system, sacrificed on the
altar of unnecessary use of technology.

~~~
stardek
I was surprised when I read that as well but reading further my impression was
that you can confirm the contents of the ballot only while voting and then
afterwards you only get access to a message along the lines of "Yes, vote
a678b234 was correctly counted" or a message saying otherwise but not the
contents of the ballot.

(which, while more secure, is also slightly less useful)

------
YokoZar
The mechanism for voter verification is based on homomorphic encryption.
Numberphile made a video on this topic recently, with a few basic explainers:
[https://www.youtube.com/watch?v=BYRTvoZ3Rho](https://www.youtube.com/watch?v=BYRTvoZ3Rho)

~~~
teddyh
Very related: _Why Electronic Voting is a BAD Idea - Computerphile_ :

[https://www.youtube.com/watch?v=w3_0x6oaDmI](https://www.youtube.com/watch?v=w3_0x6oaDmI)

~~~
MrStonedOne
No, it's not.

~~~
suprfnk
Care to elaborate?

~~~
YokoZar
The system for verifiable receipts in the article does not require electronic
voting in either the vote-casting or vote-counting process. It's an explicitly
paper system.

~~~
afiori
so

> No, it's not.

As in not related not as in not a bad idea.

------
bumby
Can someone smarter than me explain if this system maintains anonymity?

To a layperson, statements like the one below raise a flag. If I can track it
electronically, is it also possible for someone else to see who voted for
whom?

"After the election is complete, the tracker codes can be used by voters to
confirm that their votes were not altered or tampered with and that they were
properly counted"

Again, to a layperson the above statement seems potentially at odds with the
one below at first blush (because I don't understand the technology):

"With homomorphic encryption, individually encrypted votes can be combined to
form an encrypted tabulation of all votes which can then be decrypted to
produce an election tally that protects voter privacy."

So we have privacy but electronic traceability to the individual voter? To the
uninitiated like myself, it seems like we'd have to choose between electronic
traceability and anonymity.

~~~
useerup
The system does not ensure anonymity as to _who has voted_, but it does
maintain secrecy as to _how you voted_.

The idea is that you can have a public, verifiable "ledger" of voters. You can
verify that you are on the list with _your_ encrypted vote. I.e. you verify
that _your_ vote counts. You can match it to the receipt you received when
voting. You do not, however, possess the key to decrypt your vote or the vote
of anyone else.

The public list can also be used (more work) to verify that only real people
voted: They could presumably be contacted.

Homomorphic encryption allows the votes to be tallied _while still encrypted_.
The result is an encrypted tally.

At this point someone with the decryption key can decrypt the final tally and
reveal the result. Presumably this can happen per polling place.
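The tallying-while-encrypted idea described above, as an added example that is not ElectionGuard's code and not from the original thread: ballots are encrypted with an additively homomorphic scheme, the ciphertexts are multiplied together to get an encrypted tally, and only the holder of the decryption key opens the sum. Each voter gets a tracker code (here assumed to be a hash of their ciphertext) that lets them confirm their ballot is on the published list without learning, or revealing, its contents. ElectionGuard itself uses exponential ElGamal with zero-knowledge proofs; Paillier is used here only because it is short to implement, and the key is toy-sized.

```python
"""Added example: additively homomorphic vote tally (Paillier) with tracker codes.
Not ElectionGuard's code. Key sizes are demo-only and NOT secure."""
import hashlib
import math
import secrets

# Constructed toy key: two small primes (assumption for the demo; real keys use ~1024-bit primes).
P, Q = 1000003, 1000033
N = P * Q
N2 = N * N
LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)
G = N + 1                                   # standard simple Paillier generator
MU = pow((pow(G, LAMBDA, N2) - 1) // N, -1, N)   # μ = L(g^λ mod n²)^-1 mod n


def encrypt(m: int) -> int:
    """Paillier: c = g^m * r^n mod n^2 with a fresh random r, so equal votes look different."""
    r = secrets.randbelow(N - 2) + 2
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    return (pow(G, m, N2) * pow(r, N, N2)) % N2


def decrypt(c: int) -> int:
    """Only the trustee holding LAMBDA/MU can do this; voters never run it on ballots."""
    l_val = (pow(c, LAMBDA, N2) - 1) // N
    return (l_val * MU) % N


def encode_ballot(choice: int, max_voters: int) -> int:
    """One-hot encode: candidate k is base^k, base > max_voters so counts never carry."""
    return (max_voters + 1) ** choice


def tracker_code(ciphertext: int) -> str:
    """Receipt handed to the voter: reveals nothing about the plaintext choice."""
    return hashlib.sha256(str(ciphertext).encode()).hexdigest()[:12]


def cast_ballots(choices, max_voters):
    """Returns the public bulletin (ciphertexts) and the private receipts, in order."""
    bulletin, receipts = [], []
    for choice in choices:
        c = encrypt(encode_ballot(choice, max_voters))
        bulletin.append(c)
        receipts.append(tracker_code(c))
    return bulletin, receipts


def homomorphic_tally(bulletin):
    """Multiplying Paillier ciphertexts adds their plaintexts; no key needed here."""
    acc = 1
    for c in bulletin:
        acc = (acc * c) % N2
    return acc


def decode_tally(total: int, n_candidates: int, max_voters: int):
    """Unpack the decrypted sum back into per-candidate counts."""
    base = max_voters + 1
    counts = []
    for _ in range(n_candidates):
        counts.append(total % base)
        total //= base
    return counts


def voter_can_verify(receipt: str, bulletin) -> bool:
    """What a voter does after the election: is my tracker code on the public list?"""
    return receipt in {tracker_code(c) for c in bulletin}


if __name__ == "__main__":
    # Constructed sample election: 5 voters, 3 candidates.
    bulletin, receipts = cast_ballots([0, 1, 1, 2, 1], max_voters=10)
    print("voter 3 verifies:", voter_can_verify(receipts[2], bulletin))
    print("tally:", decode_tally(decrypt(homomorphic_tally(bulletin)), 3, 10))
```

The encrypted bulletin can be published and anyone can recompute the product, but only the trustee's decryption of that single product is ever revealed; decrypting an individual ciphertext would expose one voter's choice, which is why the key stays with the trustees. A real deployment also needs proofs that each ciphertext encodes a well-formed ballot (exactly one candidate) and that the published decryption is correct, which this toy omits.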

~~~
bumby
Thank you for taking the time to clarify. So if I understand this correctly,
the system can allow an individual to verify that their vote was counted but
not validate that the vote was counted correctly?

From that perspective, it seems analogous to the system in use but perhaps
more efficient. In other words, does this actually introduce any new features
or just translate the existing features of the current system to a new medium?

~~~
PyroLagus
> the system can allow an individual to verify that their vote was counted but
> not validate that the vote was counted correctly

> does this actually introduce any new features

Well, the current system doesn't allow you to verify that your vote was
counted, so that's what it adds.

~~~
bumby
In the U.S. there's a ledger in the current system that provides verification.

------
dang
AP article on this:
[https://www.apnews.com/7e78189c21ce4a7cb7cb73432705c3ca](https://www.apnews.com/7e78189c21ce4a7cb7cb73432705c3ca)
(via
[https://news.ycombinator.com/item?id=19844173](https://news.ycombinator.com/item?id=19844173))

And the Galois post here: [https://galois.com/blog/2019/05/protecting-election-integrity-with-electionguard/](https://galois.com/blog/2019/05/protecting-election-integrity-with-electionguard/) (via
[https://news.ycombinator.com/item?id=19840683](https://news.ycombinator.com/item?id=19840683))

------
codedokode
I thought about some advantages of paper voting compared to electronic: you
can spoil the ballot, for example, if you don't like any of the candidates and
there is no option titled "Against all". In electronic elections, you cannot
do that.

~~~
dao-
You can just not vote. It has the same impact on the results of the election.

~~~
NeedMoreTea
Not always - spoiled ballots can sometimes count, or indicate growing dissent
in society. Not voting can achieve neither.

Here's a case from last week of a spoiled ballot giving someone a majority of
one: [https://www.theguardian.com/politics/2019/may/03/ballot-paper-marked-brexit-win-tory-councillor](https://www.theguardian.com/politics/2019/may/03/ballot-paper-marked-brexit-win-tory-councillor)

Was that the result the voter intended? Probably not, but who knows? :)

~~~
dao-
I don't understand your example. That ballot paper was counted as a Tory vote,
i.e. not as spoiled.

~~~
ddebernardy
As I understood the story (the photo of the ballot that is sometimes
circulated is just one taken from Twitter), the ballot had Brexit written all
over it, and an arrow pointing at the Tory candidate's name, so they ended up
counting it as a Tory vote because of that.

------
TheTrueTDF
Introducing the new "a box and pieces of paper" system, which is sustainable,
secure and low tech.

Microsoft, shall I send you my resume?

------
abathur
I've been accumulating a mental list of properties that would support less-
exploitable, more-auditable paper balloting. This has a surprising number of
the properties.

The main items I don't see represented are all roughly related to auditability
for ballot chain of custody. I think issues/irregularities with the ballot
chain of custody are probably good proxies for triaging hand-audit efforts.

The goal is knowing when ballots go missing, or turn up in unexpected places
(but I'm not sure where the sweet spot is for securing that chain without
making individual votes unmaskable). I think it's a similar process, with lots
of identifiers, and lots of scanning. It would live or die by rapid, simple,
reliable scanning.

This means scanning identified ballots into shipping boxes, and generating an
identifier for the box based on which ballots were scanned in. A pallet gets
an identifier based on the boxes that went in. Shipments get identifiers based
on whatever combination of boxes/pallets they contain. Scan in boxes at the
polling station and accumulate identifiers for the polling place. Perhaps per
poll worker. Scan ballots out of the boxes, back into the completed-ballot
boxes and/or trash. Cumulative identifiers for completed-ballot boxes, trashed
ballots, and unused ballots are scanned back out of the polling place and at
each step back up the chain again.
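The cumulative-identifier scheme sketched above, as an added example that is not part of the original comment: a container's identifier is a hash over the identifiers of everything scanned into it, so a box, a pallet and a shipment each get a manifest id that can be recomputed at the next custody step. Ballot and box ids here are constructed placeholders; the one property to keep in mind (the comment's own caveat) is that ballot identifiers must not be linkable to a voter's identity.

```python
"""Added example: hash-based custody manifests for ballot containers.
Not from the original thread. Identifiers are constructed placeholders."""
import hashlib


def container_id(member_ids) -> str:
    """Order-independent id: SHA-256 over the sorted member ids. Any missing,
    added or substituted member changes the result."""
    h = hashlib.sha256()
    for member in sorted(set(member_ids)):
        h.update(member.encode("utf-8") + b"\n")
    return h.hexdigest()


def check_container(expected_id: str, scanned_member_ids) -> bool:
    """Recompute at a custody step and compare with what the previous step recorded."""
    return container_id(scanned_member_ids) == expected_id


def discrepancy(manifest_ids, scanned_ids):
    """When a check fails, say exactly what went missing and what turned up unexpectedly."""
    manifest, scanned = set(manifest_ids), set(scanned_ids)
    return sorted(manifest - scanned), sorted(scanned - manifest)


def build_shipment(boxes: dict) -> dict:
    """boxes maps box label -> list of ballot ids scanned in. Returns every level's id."""
    box_ids = {label: container_id(ballots) for label, ballots in boxes.items()}
    pallet = container_id(box_ids.values())
    return {"boxes": box_ids, "pallet": pallet}


# Constructed sample: a pallet of two boxes leaving the print shop.
SHIPPED = {
    "BOX-A": ["BLT-0001", "BLT-0002", "BLT-0003"],
    "BOX-B": ["BLT-0004", "BLT-0005"],
}
LEDGER = build_shipment(SHIPPED)


def receive_box(label: str, scanned_ballots):
    """What a polling-place scan does: verify against the ledger, report any gap."""
    ok = check_container(LEDGER["boxes"][label], scanned_ballots)
    missing, unexpected = ([], []) if ok else discrepancy(SHIPPED[label], scanned_ballots)
    return ok, missing, unexpected


if __name__ == "__main__":
    print(receive_box("BOX-A", ["BLT-0003", "BLT-0001", "BLT-0002"]))   # intact, any order
    print(receive_box("BOX-B", ["BLT-0004", "BLT-0099"]))               # one lost, one strange
```

Because the id is order-independent, a box scanned in any sequence still verifies; because it is a hash over the full member set, the ledger entry alone cannot be adjusted to cover a substitution without recomputing every id up the chain, which is what the upstream records are there to expose.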

~~~
laughinghan
I think the whole point of this fancy homomorphic encryption-based system is
that only the endpoints need to be verifiable; you no longer have to worry
about chain of custody. Kinda like how end-to-end encryption means you
no longer have to trust every link in the network that connects you to the
other party.

As long as you can verify that the final tally is correctly calculated from
all the public encrypted votes, that those encrypted votes include yours, and
none are by fake voters, who cares how the encrypted votes are transmitted to
the body that officially calculates the final tally?

~~~
abathur
Maybe? I won't assert it doesn't, since I don't know. It certainly seems to be
a tolerable solution to the questions of whether votes were changed, or
whether ballots were disappeared without counting.

But I don't see how the ability of individuals to verify that their own vote
was counted can sum, at scale, to verifying that real-but-fraudulent ballots
aren't also in the total.

It seems like you could verify this if everyone who voted proved that their
vote was included in the count and the full count was explained by everyone
who proved they voted. In practice, that seems unlikely?

~~~
laughinghan
Well, currently, it's public whether someone voted (though of course not what
their vote was). Assuming that's still true in this fancy system, that count
would then have to match the count of how many encrypted votes there are, so
you can't forge fake ballots from whole cloth (without people noticing). The
best you could do is to try to defraud _both_ systems, by identifying who
won't vote and then submitting a fake vote for them.

Sure, you can't verify _every single vote_, but it doesn't take that much
time/money to call up, say, 100 people (relative to the expense of running
this whole system). If you contact 100 random people from the public record of
who voted, and all 100 say "yes, I did actually vote", then the real result
(excluding fraudulent votes) is unlikely to differ from the recorded result by
more than 1%. And, obviously, you can drive that probability down as far as
you want with more expense, but that'd only be important for rare close
elections.

~~~
abathur
Good point; I wasn't factoring in the existing public voting records.

I'm not sure what the contact rates would look like if you tried, but
retroactive sampling should have a good chance of spotting systemic abuse if
response rates are sufficiently high. I guess you could even legislate random
audit sample sizes based on the number of votes and victory margins.

I've been thinking about the values of end-to-end auditability as deterrence
and public relations, but I agree that you could capture the majority of that
benefit for a fraction of the cost and complexity with regular sample-based
audits.
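The sampling arithmetic behind the two comments above (calling a random sample of people from the public record of who voted, and sizing a mandatory audit from the victory margin), as an added example that is not part of the thread: if a fraction f of the records are fabricated, a random sample of n all checking out happens with probability (1-f)^n, so the detection probability is 1-(1-f)^n, and the sample size needed for a target confidence follows by solving that for n. It also shows the smallest fabricated fraction that could have flipped a result, which equals the victory margin when every fabricated vote favours the winner. The binomial form assumes the electorate is large relative to the sample; a hypergeometric calculation would be slightly tighter.

```python
"""Added example: audit sample-size arithmetic for voter-record sampling.
Not from the original thread. Uses the large-electorate (binomial) approximation."""
import math


def detection_probability(fraud_fraction: float, sample_size: int) -> float:
    """P(at least one fabricated record in a random sample of sample_size)."""
    if not 0.0 <= fraud_fraction <= 1.0:
        raise ValueError("fraud_fraction must be in [0, 1]")
    return 1.0 - (1.0 - fraud_fraction) ** sample_size


def sample_size(fraud_fraction: float, confidence: float) -> int:
    """Smallest n with detection_probability(fraud_fraction, n) >= confidence.
    Returns None when fraud_fraction is 0 (nothing to detect, no finite n)."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be in (0, 1)")
    if fraud_fraction <= 0.0:
        return None
    if fraud_fraction >= 1.0:
        return 1
    # (1-f)^n <= 1-c  ->  n >= ln(1-c) / ln(1-f); both logs are negative.
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - fraud_fraction))


def margin_fraction(winner_votes: int, runner_up_votes: int, total_votes: int) -> float:
    """Victory margin as a fraction of all votes cast."""
    return (winner_votes - runner_up_votes) / total_votes


def audit_size_for_margin(winner_votes: int, runner_up_votes: int, total_votes: int,
                          confidence: float = 0.95) -> int:
    """Sample needed to catch, at the given confidence, a fabricated fraction large
    enough to have changed the outcome (assumes all fabricated votes went to the winner)."""
    return sample_size(margin_fraction(winner_votes, runner_up_votes, total_votes), confidence)


if __name__ == "__main__":
    # Constructed numbers: 100 calls against 1% fabricated records.
    print(f"detect 1% fraud with 100 calls: {detection_probability(0.01, 100):.3f}")
    print("calls for 95% confidence at 1%:", sample_size(0.01, 0.95))
    # Constructed close race: 50,500 vs 49,500 of 100,000 votes.
    print("audit size for that margin:", audit_size_for_margin(50500, 49500, 100000))
```

A 100-person sample gives roughly a 63% chance of surfacing one fabricated record when 1% of records are fake; reaching 95% confidence at that fraction takes about 300 calls, and the closer the race, the smaller the fraud that matters and the larger the sample the audit rule should demand.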

~~~
laughinghan
That does make sense; strong deterrence, and deterministic rather than
probabilistic guarantees, are both better for legitimacy, probably.

I don't think there's any need to legislate random audit sample sizes; in
practice, independent groups will do so. (And it's crucial to legitimacy that
it's possible for independent groups to do so in the first place, of course.)

~~~
abathur
Definitely shouldn't preclude independent audits.

Lazy thinking, on my part. The thought was that mandatory audits would help
maintain long-term confidence by avoiding erosion of confidence in long gaps
where no specific evidence triggered audits. Minimum sample sizes would help
protect the mechanism from undersized propaganda-audits that ultimately
undermine trust in the audits themselves.

But you're right; it would probably be easier and more pernicious to do a
sufficiently large audit but give the reins to partisans, ideologues, or
incompetents. Fairly open access would be better, though I'm sure there are
still plenty of "interested" outside parties willing to perform propaganda
audits for cheap. Not sure how to solve that.

~~~
laughinghan
Hmmmm, I guess the key is that each group's auditing process itself has to be
open and "objective"---paper ballots are pretty easy in this regard, every
group looking at the same ballot will usually agree who the vote is for.
Math/encryption could possibly work too, at least in the sense of being
"objective", although it has other legitimacy problems due to being difficult
for lay people to understand and trust.

As far as I know, controversies over audits or the independent observers
themselves being corrupted aren't really a problem in the US at least, so I'm
not too worried about this.

------
nkkollaw
I don't get what's wrong with paper voting.

If it takes 3 days instead of 1h to get the votes, I think it's worth the wait
since elections are pretty important and with paper you can do a recount, find
physical paper that's been thrown in the trash (happens every time in Italy),
etc.

Also, these corporations seem to have a strong political bias, and how do we
know they're not injecting their software with backdoors that would allow to
manipulate results..?

------
ycombonator
So we are supposed to trust all the digital pixie dust voting and no paper
trail?

~~~
YokoZar
This isn't an electronic voting system.

> ElectionGuard provides a complete implementation of end-to-end verifiable
> elections. It is designed to work with systems that use paper ballots,
> supplementing today’s tabulation process by providing a means of public
> verification of the accuracy of reported results.

~~~
jakeogh
Digital tabulation is electronic voting.

The paper becomes the recount, which gets challenged in court and might not
even happen.

~~~
alexandercrohde
So, it sounds like you're entirely in support of this article, the only tiny
change you want to make is for the paper to be counted FIRST, and then the
electronic tabulation to be used as a validator. And any discrepancy results in
an investigation, no?

~~~
jakeogh
I'm opposed to any form of electronic counting. If the first hand count of
paper ballots has a problem, then they can be re-counted. By humans.

------
raister
This is a nice effort, however, don't politicians actually want voting systems
to be really messy? If so, they could shift the balance towards what they want
at will. The USA has one of the worst voting systems in the world, however, it
keeps the balance of power, equilibrating elections, i.e., alternating
Democrats and Republicans every eight years or so. If the voting system was
spotless and verifiable and accountable, they couldn't mess with it!

------
johnisgood
Loosely related as it is about democracy:
[https://www.anthonyflood.com/rothbarddemocracy.htm](https://www.anthonyflood.com/rothbarddemocracy.htm)

------
gruez
>After the election is complete, the tracker codes can be used by voters to
confirm that their votes were not altered or tampered with and that they were
properly counted.

So what's preventing vote-buying schemes?

~~~
codedokode
In Estonian e-voting they allow changing the vote later or re-voting offline,
so that if someone sold their vote or was forced to vote, they can later
change their mind.

But such a scheme is still vulnerable: for example, imagine a large company,
state-owned or with close ties to the government, forcing its employees to
vote online under supervision. If the employees are not very good with
computers or don't own one, they cannot change their vote online later, and
the employer can set their shifts to the voting day so that they cannot visit
the polling station.

~~~
mehrdadn
Isn't there a much more practical vulnerability? Just forcing people to vote
in front of you in the last 15 minutes or something?

------
devsec0
That's all good in theory, but the Italian 5 Star Movement showed how badly
reality can actually hit you.

~~~
pjc50
Are you saying that M5S was the result of widespread vote fraud?

~~~
ghego1
The comment probably refers to the issues their e-voting platform had.

------
Tsubasachan
With an American company? Really Microsoft?

~~~
vinay427
It's apparently free and open-source. What exactly is your concern?

------
freshm087
It certainly has nothing to do with democracy, and is intended to solve exactly
one problem: Microsoft's need to increase revenue through sweet gov't funded
contracts. Let's not be fooled by open-sourced code; once the idea is sold to
politicians and media, someone will have to be contracted to implement this
useless stuff. And who's this going to be? Not hard to guess.

~~~
YokoZar
While I appreciate the cynicism, I'm not seeing how an open schema for tamper-
evident verifiable voting machines could be anything other than positive.

It's worth noting that Microsoft has discouraged the use of embedded Windows
on voting machines in the past:
[https://www.infoworld.com/article/2680658/gates-undaunted-by-linux.html](https://www.infoworld.com/article/2680658/gates-undaunted-by-linux.html)

> “We ourselves are not going after the e-voting market or the nuclear reactor
> control market,” Gates said.

~~~
freshm087
For starters, the whole voting machines concept is essentially a ploy to
exploit wide-spread respect for computer technologies in society to sell
hardware and software. It reduces observability compared to pieces of paper,
and doesn't solve any real problems.

I don't think Gates' words from 2004 can be seen as a policy statement for
today's Msft. Apparently, a lot has changed.

~~~
YokoZar
> Microsoft will not charge for using ElectionGuard and will not profit from
> partnering with election technology suppliers that incorporate it into their
> products.

I'm not sure how much stronger of a statement they can make than that. There's
no money in voting machines for Microsoft.

------
shirajec
[https://screenshot-magazine.com/politics/pete-buttigiegs-technology-driven-policies-are-here-to-revive-america/](https://screenshot-magazine.com/politics/pete-buttigiegs-technology-driven-policies-are-here-to-revive-america/)

------
lamchob
Relevant xkcd: [https://xkcd.com/2030/](https://xkcd.com/2030/)

~~~
YokoZar
How is this relevant? This isn't an electronic voting system. It's a system
for verifiable receipts that attach to paper systems.

> ElectionGuard provides a complete implementation of end-to-end verifiable
> elections. It is designed to work with systems that use paper ballots,
> supplementing today’s tabulation process by providing a means of public
> verification of the accuracy of reported results.

~~~
jakeogh
Digital tabulation is electronic voting.

------
jakeogh
Electronic voting isn't a solution, it's an attack.
[https://www.youtube.com/watch?v=w3_0x6oaDmI](https://www.youtube.com/watch?v=w3_0x6oaDmI)

~~~
YokoZar
This isn't an electronic voting system.

> ElectionGuard provides a complete implementation of end-to-end verifiable
> elections. It is designed to work with systems that use paper ballots,
> supplementing today’s tabulation process by providing a means of public
> verification of the accuracy of reported results.

~~~
jakeogh
Digital tabulation is electronic voting.

Incrementalism is a powerful technique.

------
nmai10
If you want to protect elections, USE PEN AND PAPER:

[https://www.bundesverfassungsgericht.de/SharedDocs/Pressemitteilungen/EN/2009/bvg09-019.html](https://www.bundesverfassungsgericht.de/SharedDocs/Pressemitteilungen/EN/2009/bvg09-019.html)

