
To Protect Voting, Use Open-Source Software - bleakgadfly
https://mobile.nytimes.com/2017/08/03/opinion/open-source-software-hacker-voting.html
======
r721
Recent discussion:
[https://news.ycombinator.com/item?id=14920513](https://news.ycombinator.com/item?id=14920513)

------
blackkettle
No. To protect voting, don't use software. Everyone needs to be able to
_understand_ as well as be able to verify that they successfully voted.

Besides the issues with what software the machine is actually running, most
people cannot comprehend or understand that software - even if it is open
source. That is not acceptable for an open democratic society, or to
sustaining it.

In this particular situation it should not be necessary to rely on an expert
to explain whether the vote counting mechanism is reliable. This only adds to
the problem of unreliable or scheming officials - it doesn't improve anything
in terms of transparency.

~~~
slim
Voting with paper does not scale. You can't make people vote everyday for
example, which is required if you'd like to implement direct democracy.

On the other hand, with direct democracy, the stakes are lower for each vote.
So there is less incentive to manipulate the vote. So it makes sense to use
e-voting for direct democracy.

In the end the voting mechanism in democracy is not really about precision,
it's more about getting an acceptable outcome for all the parties

~~~
EugeneAZ
Public - i.e. everyone knows how others have voted - voting can be both
precise and secure. Public voting can be done electronically, say, via
encrypted SMS.

So why bother with secrecy in the first place?

~~~
makeee
So you can't pay people to vote for a particular candidate.

~~~
EugeneAZ
Do you know how people take photos of themselves voting at "secret-keeping"
poll-stations? How about politicians, who publicly give lucrative promises
to their particular electorate?

If they want to sell their vote - it is their choice. I'd only say that the
right of citizens to secede from such a society must be respected too.

~~~
SilasX
>Do you know how people take photos of themselves voting at "secret-keeping"
poll-stations?

That's illegal, and (somewhat contradictorily) not non-repudiable. You can
take a picture of yourself with "ballot marked for candidate I'm paid/coerced
to vote for" and then step right out and say "oops, I messed up my ballot,
give me another one" and then submit that.

------
danirod
Electronic voting is a bad idea and I'd be suspicious of anyone trying to
promote it.

How can you know that even if the source code for the voting machine is open,
the voting machine is running the exact same source code? How can you know
nobody has tampered with the code the instance is running?

I'm glad my country is still running on paper ballots and glad we require
voter ID.

~~~
Iv
Came here to say that.

Transparent voting boxes, ballots in envelopes, manual redundant counting done
by people, usually voters who were nicely asked if they can come help back in
the evening. That's what we use in France, you get the official result a few
hours after the closing of the voting stations.

The whole process is watchable, from the sealing of the box the morning to the
count in the end and parties send observers in random stations to check
nothing fishy happens. An official log book is open for anyone to notice if
they feel something fishy happened (you were not allowed to vote, the counting
was unfair, etc...)

Oh, and make voting day a holiday, or just put it on Sundays.

I used to wonder how US could not even get that last part right, but then I
understood that a whole party thinks it is in its interest to have less
voters.

~~~
cortesoft
Or make voting last multiple days instead of just one.

~~~
Iv
That makes it harder to keep an eye on the voting process from A to Z, which
people do in the current process. If the box containing the ballots stays
alone, trust is lowered.

Seriously, is it harder to make a daily holiday and a transparent process than
landing a man on the moon with tech from the 60s?

------
danhardman
I'd like to reference Tom Scott's video[0] here. There is no need for an
electronic voting system, paper ballots work perfectly.

[0]
[https://www.youtube.com/watch?v=w3_0x6oaDmI](https://www.youtube.com/watch?v=w3_0x6oaDmI)

~~~
warcode
Until you want to scale due to using rapid direct democracy. Paper ballots
will still WORK perfectly, but the workload will be massive.

~~~
zython
Which is something you can justify IMO for a direct, just, free, equal and
confidential election.

------
ai_ja_nai
This is plain bullshit. Opensource gives no guarantee that the vote won't be
altered by whoever runs the machine.

What we need is a zero-knowledge proof: we need the entire voting dataset to
be publicly downloadable and some kind of checksumming so that, while
maintaining anonymity, I can 1) check that my vote is the same 2) run the whole
counting in a blink on my PC.

This gives much better guarantees of no tampering

~~~
Ajedi32
One other requirement too.

3) Users should not be able to prove to another person who they voted for

This is to prevent people from using threats of violence or promise of reward
to coerce others into voting a certain way.

Unfortunately, this requirement is very hard to fulfil while also fulfilling
requirement 1.

~~~
deathanatos
4\. Check that all votes in the tally belong to actual, eligible voters.

Verifying your vote is in the sum, and tallied, is not good enough if the
result is swamped with, or more craftily, the balance just tipped by fake
votes.

I have no idea how you would implement that.

------
beat
First and foremost, use paper ballots. Before anything else. The paper ballots
are the System of Record. If ever in doubt about downstream results, paper
ballots can be hand-counted. (Additionally, use paper voter rolls. Mark
registered voters when they vote, and track any same-day registrations on
paper. The exact number of ballots cast can be extracted from the voter
rolls.)

Second, _never_ allow paper ballots to be handled by just one person, or by
only members of one party - whether blank or used. Require that members of at
least two political parties be present any time the ballots are physically
touched.

Third, if using machines to read the ballots (ScanTron, etc), conduct spot
counts of random machines, to make sure the machine results match the paper
ballots. Conduct spot counts of entire polling stations randomly to make sure
result totals match voter roll totals. Although this isn't 100% certain, it
doesn't take a lot of spot checks to detect any sort of large-scale fraud
effort.

Do these things, and it's exceedingly difficult to do statistically meaningful
vote fraud, because we have a high degree of trust in the paper ballots and
their surrounding process. From there, you can use automatic ballot reading
and tallying to get fast results - the vote counting/tallying automation is
derived data, not the System of Record.
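
An added illustration of the spot-count step described above, not part of beat's post: it computes how many randomly chosen machines must be hand-counted to catch at least one altered machine with a given confidence, then reconciles hand counts against machine tallies and voter-roll marks. The station records, the 1,000-machine figure and all function names are constructed assumptions.

```python
# Added example (not from the thread): sizing a random spot count and
# reconciling hand counts against machine tallies and voter-roll marks.
# Station names and figures below are constructed for illustration.
import random
from math import comb


def detection_probability(total, altered, sampled):
    """Chance that a uniform sample (without replacement) of `sampled`
    machines contains at least one of the `altered` machines."""
    if not (0 <= altered <= total and 0 <= sampled <= total):
        raise ValueError("need 0 <= altered, sampled <= total")
    if sampled > total - altered:
        return 1.0  # sample is larger than the pool of clean machines
    return 1.0 - comb(total - altered, sampled) / comb(total, sampled)


def min_sample_size(total, altered, confidence=0.95):
    """Smallest sample that catches an altered machine with `confidence`."""
    if altered == 0:
        return None  # nothing to detect, so no sample size achieves it
    for n in range(total + 1):
        if detection_probability(total, altered, n) >= confidence:
            return n


def reconcile(station):
    """Compare one station's hand count with its roll and machine tally."""
    problems = []
    hand, machine = station["hand"], station["machine"]
    if sum(hand.values()) != station["roll_marks"]:
        problems.append("ballot count differs from voter-roll marks")
    for choice in sorted(set(hand) | set(machine)):
        if hand.get(choice, 0) != machine.get(choice, 0):
            problems.append(f"machine tally differs for {choice}")
    return problems


def spot_check(stations, sample_size, rng):
    """Hand-count a random sample; return only stations with problems."""
    picked = rng.sample(sorted(stations), sample_size)
    findings = {name: reconcile(stations[name]) for name in picked}
    return {name: p for name, p in findings.items() if p}


STATIONS = {  # constructed sample data
    "station-01": {"roll_marks": 500, "hand": {"A": 260, "B": 240},
                   "machine": {"A": 260, "B": 240}},
    "station-02": {"roll_marks": 410, "hand": {"A": 200, "B": 210},
                   "machine": {"A": 230, "B": 180}},   # tally shifted
    "station-03": {"roll_marks": 300, "hand": {"A": 160, "B": 150},
                   "machine": {"A": 160, "B": 150}},   # 10 extra ballots
}

if __name__ == "__main__":
    n = min_sample_size(total=1000, altered=50)
    print(f"sample {n} of 1000 machines for 95% detection of 50 altered")
    print(spot_check(STATIONS, 3, random.Random(0)))
```

The sample size depends on the fraction of machines assumed altered, which is why a small targeted fraud needs a much larger sample than a large-scale one.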

------
noja
A child can understand paper ballots and why they work.

There are probably less than a hundred people in the world who can understand
an electronic voting system at every level down to and including the silicon.

~~~
specialist
Bingo. And those of us who've studied voting computers _extensively_ have
concluded they're to be avoided.

------
cletus
To protect voting don't use electronic voting.

Paper ballots (the kind with marks read optically, not the ridiculous punch
cards at the center of the Florida 2000 debacle) are easy to use and
understand with a very low error rate and keep a paper trail, being the actual
ballots.

I don't understand why anyone other than the companies who sell e-voting
machines actually want electronic voting.

~~~
specialist
You have to hang out with election administrators to grok that. Their
motivations are not the same as the voters'. Their election night prayer is
"Please God, don't let this election be close."

They want certainty more than anything else. For decades, computers were
regarded as more accurate, impartial, certain than human tabulators.

Second factor is appropriations. Elections are big money. And like all
industries, there's a revolving door between government and industry.

Admin also want control. Their impulse is to centralize, simplify. Think of
the logistics of running 100s of voting sites, 1,000s of precincts. All the
training, people, materials, gear that has to be stored, shuttled around,
repaired, etc. Moving to voting computers, reducing head count, moving to
central count _seemed_ like a huge win. (But you and I people computer people,
we know they just traded problems.)

------
fredley
To protect voting, use paper ballots.

~~~
richardknop
Paper ballots without voter ID requirement are ridiculous.

~~~
dghf
The UK seems to manage OK (ID is only required in Northern Ireland). 2015 saw
37 allegations of personation out of 51.4 million votes cast
([https://www.ncpolitics.uk/2016/12/how-big-a-problem-is-votin...](https://www.ncpolitics.uk/2016/12/how-big-a-problem-is-voting-fraud-in-uk-elections.html/)).

~~~
richardknop
Yes. My point would be allegations of personation is a meaningless number.
Because if there is no voter ID you would not get many of these allegations
either way.

~~~
dghf
Only if those perpetrating this kind of fraud somehow knew who wasn't going to
bother voting, otherwise you'd have large numbers of people turning up to vote
only to discover that someone had already voted in their name.

------
boomboomsubban
As someone who is a firm supporter of free software as the best option in
every area, this feels like a subversive attack.

Voting software is bound to fail, no bug bounty is big enough to offset the
billions that could be made off of hacking an election. It is bound to fail
spectacularly, and then for the rest of time people can point at the election
and say "the ability to see the source code let this happen."

------
marcelsalathe
Geneva has made its e-voting software public:
[https://republique-et-canton-de-geneve.github.io/chvote-1-0/...](https://republique-et-canton-de-geneve.github.io/chvote-1-0/index-en.html)

I'd much prefer electronic to paper. Last year I voted on 24 initiatives, and
that is just the federal level. It also does not include elections.

------
vowelless
Someone needs to start a campaign: "Say No To Electronic Voting"

------
CapsUnLock
Well, IMHO a good way to digitize voting would be to give out a USB-drive-like
(NFC) device with an option to set a value and lock it in the read-only mode
using voter ID.

How it will work: A person gets this device in the voting center enters/gets
his voter ID, does the voting (anonymously), presses the read-only lock and
throws it into the bin. After all the voting these devices are scanned and
voting data is retrieved. A voting database is populated in each center in a
transparent way, to prevent tampering (several parties can be allowed to read
this data separately and then all data variants can be compared against each
other, just in case). After consensus on the voting data, each voting center
sends the results for counting. And the voting is completed.

In the end, these devices are reset and the cycle continues.

Well, I'm sure that there must be some problems when voting the aforementioned
way. But I guess it could work out, with some modifications.

EDIT: Grammar.

~~~
scaryclam
That sounds a whole lot like paper voting to me...except more expensive and
more complicated. What's wrong with giving everyone a pencil and a ballot
paper, at the polling station, in place of the NFC device?

------
ivanbakel
Previous discussion (5 days ago):
[https://news.ycombinator.com/item?id=14920513](https://news.ycombinator.com/item?id=14920513)

------
kome
My first job was an ethnography of electronic voting in a wealthy region in
northern Italy.

By our observations electronic voting added several layers of complexity that
are difficult to justify.

------
ApolloFortyNine
Why can't you have everything set up so that when you vote, you get what
amounts to a JSON Web Token to be able to later verify that you did in fact
vote? You could use the government's publicly available key to verify that your
vote reached the central service, and part of the JWT could contain your vote
as well as your identifying information (SSN in USA).

Obviously everything could have fancy UIs created for end users so they don't
see that really all they have is a JWT (maybe a QR code printed out when they vote?
And all the info easily human readable?). Verification could be handled by a
.gov address and also through manual use of the public key (so other services
could be set up to verify votes as well). And internet connectivity wouldn't
be a problem as they could just require T1 lines at polling locations (I
assume if phones went out across the country the election would be delayed
regardless). You could likely tell if someone had stolen the private key (the
only way I can think of breaking this system), if you have a service to verify
someone's vote, and it doesn't show up there, even though you have a signed
JWT containing your vote. That would prove someone had stolen the private key,
allowing for a makeup election.

Am I missing something basic of how this would be hackable? I'm one of those
who finds it odd that many elections around the world are susceptible to
simple human mistakes/purposeful malicious actions when it comes to counting
ballots.

------
wu-ikkyu
Why is it that electronic voting is so vehemently opposed here on HN and by
many technologists in general when virtually every other existentially vital
system they rely on is run electronically?

~~~
zAy0LfpBZLC8mAC
Because it doesn't work.

~~~
wu-ikkyu
Does a system have to be 100% free of security concerns to "work"?

~~~
zAy0LfpBZLC8mAC
No, but it has to be free of devastating vulnerabilities.

~~~
wu-ikkyu
The electronically run global financial system is not free of devastating
vulnerabilities, and yet it "works"

~~~
zAy0LfpBZLC8mAC
So, what is your point? The financial system is actually going to collapse,
and that's not a problem? Or the vulnerabilities aren't actually devastating,
just bad? Or what?

~~~
wu-ikkyu
That many technologists are being hypocritical by wanting to prohibit
electronic voting because of "security concerns" while at the same time
developing and using other institutional systems with equal or greater attack
surfaces and consequences.

~~~
zAy0LfpBZLC8mAC
Well, OK, that makes sense. Though I get the sense that the overlap might be
limited.

------
Arkanosis
“R. James Woolsey […] former director of [CIA]. Brian J. Fox, […] develop
open-source voting systems” — even if I had no opinion on the matter, it'd
seem to me that there's a clear conflict of interest there.

To protect voting, do NOT use software. At all. Open-Source software is no
more trustable than paper, and is orders of magnitude more complex to set up
and audit. If you can't explain to a 5-year-old how it works, your voting
approach is not trustable.

------
Zigurd
First, you have to understand the problem:

1\. You don't need to commit widespread election fraud to throw an election if
you can predict where a small fraud will matter.

2\. Not all election fraud is a miscount of ballots. Throwing out minorities'
registrations is also election fraud, and you can't fight that with more-
reliable ballots.

3\. The best solution might not be a technology solution. Paper ballots make
it hard to scale fraud. But that's not enough, since fraud doesn't always need
to scale.

4\. Early voting and absentee voting need to be taken into consideration and
are a growing part of voting in the US.

5\. If software systems are used in voting, tallying, or anything connected to
election results, the systems should be open to inspection and to pen testing.

------
pjmorris
To protect voting, use paper ballots and count them in public (OK, and voter
ids if you insist).

------
xealgo
Security may not ever be 100% with e-voting systems, but it can be secured
enough to where the probability of any hack attempt would have minimal impact
on the overall outcome. I can think of several ways a secure, verified
registration could work just off the top of my head. I think the issue is
more, where's the incentive for the government to make this happen?

------
clarkevans
This past election has shown that it's not just the voting software, but the
software/systems that control who is permitted to vote.

------
tiku
why not blockchain voting. everyone receives 1 voteCoin, and transfers it to
the correct wallet address of the person he or she votes for?

~~~
zAy0LfpBZLC8mAC
1\. Because it lacks anonymity?

2\. Because the average voter cannot possibly understand and verify the
security properties of that setup.

------
ruffrey
There's got to be some way to put votes on a blockchain. More important than
voting electronically is being able to verify your own vote was not tampered
with, and that all the votes add up as reported.

------
tzs
To protect voting, use this or something similar:

[https://en.wikipedia.org/wiki/Scantegrity](https://en.wikipedia.org/wiki/Scantegrity)

------
jjawssd
Related comment to a related thread

[https://news.ycombinator.com/item?id=14921935](https://news.ycombinator.com/item?id=14921935)

------
jk563
A lot of talk about securing voting machines/verifying that they run the
correct software. Why do we have to have physical machines? If it's
electronic, surely a website would do if you have the correct means of ID?

NB: this is not an indication of which side I fall on the debate, it is an
observation.

[EDIT] Also, I'm aware similar issues exist with a website, but it seems a lot
of focus goes on the actual machine.

~~~
fredley
In case anyone can't see why this is a whole heap more terrible on top of the
terribleness of electronic ballots...

Verifying actual real identity over the internet is impossible. Even if you
did webcam-based biometric authentication of identity - these are fooled by a
photograph. Going to a polling station and verifying your identity to a human
being is much harder to fake, and almost impossible to scale.

The web is an untrustworthy delivery mechanism. What say if a nation state
wants to disrupt your election, and starts DDoSing the hell out of it all.
Protecting against such attacks at that scale would be extremely difficult.

Also on the topic of state-level disruption, it is well known that orgs such
as GCHQ, the NSA etc. hoard zero-days. How do you know your extensively tested
system isn't vulnerable to a zero-day that another state has and you don't?

~~~
jk563
Last time I voted I took a driving licence. All they did was check my face
matched my card, and the name and address matched my registration; no real
check on whether or not the card was genuine.

When I created my government account I provided passport and driving licence
numbers on top of the above.

I feel this invalidates your veracity point, and probably the scaling point
too?

The second and third points seem more viable and are potential issues.
Especially the third, this would be the main concern IMO. Though I'm sure
there are protections against this too (thinking virtually distributed).

------
thescriptkiddie
The amount of anti-free-software FUD in this thread is staggering. Did
Microsoft buy off all of you?

~~~
cortesoft
Wait, what? I haven't seen a single anti-free-software comment in this thread;
most people are against electronic voting entirely, whether it is open or
closed source. Why would Microsoft be anti-electronic voting?

------
davidgerard
To protect voting _use paper_.

Why did anyone _ever_ think computerising voting was a good or useful idea?

------
return0
To what extent is voting fraud an issue in the developed world and why is
Nytimes upset about it?

------
peterwwillis
This story has been posted four times now. Click the 'past' link at the top.

------
wnevets
Use open source software that prints a paper ballot then count the paper
ballot.

------
a_imho
Retire voting in favor of sortition.

------
scierama
"The blockchain is an undeniably ingenious invention – the brainchild of a
person or group of people known by the pseudonym, Satoshi Nakamoto."

It isn't even definitively known who invented blockchain, it is behind the
pyramid scheme known as bitcoin and no, no way should that ever be used in
voting system computers.

~~~
cgmg
I don't think you know what a pyramid scheme is.

How about learning the definition of the words you use before throwing them
around?

~~~
dang
Personal attacks will get you banned on HN, regardless of how wrong someone
else is, so please don't post like this again.

------
joseppe
One word: blockchain

------
alkoumpa
to protect voting, audit your software/system extensively. Openssh is open-
source and we all know the story..

~~~
fredley
But how can I (a voter), audit it in the voting booth? How can I verify that
the extensively audited software is actually running on the machine in front
of me?

~~~
Sholmesy
You can't. Especially at scale (every person validating the software before
voting). Paper ballots with an anonymised ledger of votes placed is, in my
opinion, the best method.

~~~
fredley
Paper doesn't scale well, attacks on paper are extremely difficult to scale
well, which is why paper is a good system for voting.

~~~
Sholmesy
It scales "well enough", in that we currently do it, and pay for people to
verify the results.

In Australia a lot of this work is done by volunteers from the major parties.

Edit: I agree, it's difficult to scale an attack on paper :)

------
nkohari
I'm not a crypto fanboy or anything, but I feel like voting is a great
application of blockchain technology. It seems like the system could be made
to be both anonymous and publicly verifiable, and the vote count would return
more or less immediately.

~~~
drdaeman
Uh. Blockchain is just a doubly-linked list with hashes. And a set of rules
how the peers validate blocks and come to a consensus. Not some magic crypto
pixie dust that brings anonymity or prevents fraud.

It could come useful, e.g., for keeping census data to avoid some forms of
fraud. E.g. prevent rogue organizers loading elections with "dead souls"
voters (Gogol-style). But I don't see any immediate use for election
themselves.

Say, the blocks would store anonymized votes (nothing about blockchain itself
implements the anonymization). One immediate issue I see is that blockchain
only verifies integrity of the blocks after they're in there and out to the
public, so it could be verified. Sending them too early would skew election
results (observers would be able to see the intermediate results and bias
their votes accordingly), and sending them too late would probably make
blockchain mostly pointless.
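
An added illustration of the point made in the comment above, not part of drdaeman's post: a minimal hash-chained ballot log showing that the chain only proves nothing changed after its head hash was published, and says nothing about anonymity or voter eligibility. The block layout, field names and ballots are constructed assumptions, and no consensus protocol is modelled.

```python
# Added example (not from the thread): a minimal hash-chained ballot log.
# It shows what the chain proves (no edits after the head is published)
# and what it does not (who cast the ballots, or secrecy of the vote).
# Block layout, field names and ballots are constructed for illustration.
import hashlib
import json

GENESIS = "0" * 64


def block_hash(prev_hash, payload):
    """SHA-256 over a canonical encoding of the previous hash and payload."""
    body = json.dumps({"prev": prev_hash, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def build_chain(payloads):
    """Link each payload to the hash of the block before it."""
    chain, prev = [], GENESIS
    for payload in payloads:
        digest = block_hash(prev, payload)
        chain.append({"prev": prev, "payload": payload, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain, published_head=None):
    """Return (ok, index_of_first_bad_block). If `published_head` is given,
    the final hash must also equal the value observers recorded earlier."""
    prev = GENESIS
    for i, block in enumerate(chain):
        recomputed = block_hash(block["prev"], block["payload"])
        if block["prev"] != prev or recomputed != block["hash"]:
            return False, i
        prev = block["hash"]
    if published_head is not None and prev != published_head:
        return False, len(chain)
    return True, None


BALLOTS = [{"ballot": 1, "choice": "A"}, {"ballot": 2, "choice": "B"},
           {"ballot": 3, "choice": "A"}]  # constructed sample data


def demo():
    chain = build_chain(BALLOTS)
    head = chain[-1]["hash"]  # value observers write down at publication
    # 1. Editing a published block breaks the link to its stored hash.
    edited = [dict(b) for b in chain]
    edited[1]["payload"] = {"ballot": 2, "choice": "A"}
    # 2. A log rebuilt from altered ballots is internally consistent; only
    #    the independently recorded head exposes the substitution.
    rebuilt = build_chain([BALLOTS[0], {"ballot": 2, "choice": "A"},
                           BALLOTS[2]])
    # 3. Ballots nobody cast chain just as well: eligibility is out of scope.
    padded = build_chain(BALLOTS + [{"ballot": 4, "choice": "A"}])
    return {
        "original": verify_chain(chain, head),
        "edited": verify_chain(edited, head),
        "rebuilt_no_head": verify_chain(rebuilt),
        "rebuilt_with_head": verify_chain(rebuilt, head),
        "padded_no_head": verify_chain(padded),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```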

