
To Protect Voting, Use Open-Source Software - evanb
https://www.nytimes.com/2017/08/03/opinion/open-source-software-hacker-voting.html?action=click&pgtype=Homepage&clickSource=story-heading&module=opinion-c-col-left-region&region=opinion-c-col-left-region&WT.nav=opinion-c-col-left-region
======
pedrocr
Don't, use pen and paper instead. Previous HN discussion on it:

[https://news.ycombinator.com/item?id=14891266](https://news.ycombinator.com/item?id=14891266)

~~~
dgudkov
We can trust digital money, but we can't trust digital votes?

~~~
mixmax
correct.

The problem with digital voting is that it needs to be anonymous who votes for
what. That makes the problem much much harder.

~~~
rakoo
To be more precise, there are 3 things that must be met for a vote to be
considered acceptable, digital or not:

* it must be anonymous, i.e. nobody but you should know who you voted for

* it must keep integrity, i.e. nobody can change your vote

* it must be verifiable by all participants

Paper vote makes it easy to meet all criterions: just keep an eye on the
ballot and you will be relatively sure that everything is fine. On the other
hand it is impossible to have all those conditions with a digital vote, if
only because digital anything isn't easily verifiable by all participants.

~~~
JumpCrisscross
> _criterions_

One criterion, three criteria.

------
yosito
The number of comments here that assume paper ballots are inherently
unhackable is disturbing. Paper is a technology like any other and subject to
being manipulated by clever folks. The only way to have secure, trustworthy
voting systems is to have them constantly being designed, updated, understood
and publicly auditable. The only downside inherent to digital vs paper systems
is that they're more complex and harder for people to understand and therefore
audit, but there are plenty of upsides and the downsides can be mitigated
through education. Open source is absolutely important for the auditability of
voting software, but the same openness and transparency is just as vital with
paper. tl;dr, it's not hard to hack paper!

~~~
BurningFrog
The important difference is that paper "hacking" scales as O(n) while computer
hacking scales as O(1).

If you hack election software, you can change thousands or millions of votes
as easily as one. The physical nature of paper means you have to work for each
ballot.

~~~
BinaryIdiot
That difference may not be accurate, though. It's assuming there is a way of
networking between the machines and that code will be portable enough to
affect N number of machines. I don't think either is necessarily true.

Even for the paper side, most paper ballots are counted by machine, so they
could easily be tampered with at the count or when they're printed, having a
similar scale.

~~~
gandarojin
> Most paper ballots are counted by machine, so they could easily be tampered
> with at the count […]

Do you have a source for that statement? In Germany, ballots are counted by
people making tally marks on paper.

~~~
BinaryIdiot
Hmm, not off hand. I'll see what I can find. It was my understanding from the
hanging chad situation in Florida years ago that, at least in the states, most
are initially counted by machine.

Edit: Here you go. I couldn't find research or a study regarding it but this
is probably good enough and was always my experience when I voted by paper:
[https://www.wired.com/2016/11/vote-counts-ballot-get-counted...](https://www.wired.com/2016/11/vote-counts-ballot-get-counted/)

------
rectang
Open source voting software will never replace proprietary voting software,
because open discussion of voting software security will reveal that it's
impossible to build hack-proof voting terminals.

Paper ballots are a superior technology.

~~~
partiallypro
You can stuff ballot boxes, that's where the term comes from. Nothing is
"hack-proof."

I think it's funny that people are freaking out on HN about this. The hacks at
Defcon all took a long time to do, and I believe all required keys to the
machines, and all were done on older voting machines. There has been no
evidence of people hacking machines during the elections. Stuffing ballot
boxes and other forms of voting fraud have been around for a long time, and
nothing we do is going to stop it 100%.

Also voting machines generally have paper copies that print off the back of
the machine that are anonymized but can be matched if foul play is called into
question, at least in my area. Couple that with monitors that stand near
machines or walk around and I feel pretty comfortable with electronic voting.

The only plausible hack would be an inside job, but I too find this difficult
to believe. It would take tons and tons of people to hack the machines if it
required physical access. You'd have to hack every machine, and even when you
were done there are so many districts it would be nearly impossible to swing
the election in any meaningful way.

~~~
Klathmon
Let's think through the process of "ballot box stuffing".

You'd need to put enough ballots in the box to sway the count in your favor,
while being watched by multiple people from both "sides" who all don't trust
one another.

But let's assume you are able to do that somehow (hey, maybe you paid them all
off?). Great! You've swayed the counts in one precinct... In 2012 there were
2712 voting precincts in Virginia... So to sway one state, you'd need most
likely thousands of people working together and not one of them can reveal the
whole plan. And that will get you one state, so multiply it by 50 to really
sway an election (yes, I know you wouldn't need all 50, but either way it's
still way beyond realistic). At that scale it seems like it would be easier to
just convince people to vote with you.

And you'd need to do all of that without leaving any kind of paper trail.
Paper costs money, printing costs money, it's not going to be cheap or easy to
hide making all those ballots. Someone is going to notice. And all it takes is
one slip up, and it's all over.

Nobody is saying pencil+paper voting is perfect, just that it's the best thing
we have at scale, and it's extremely difficult to "hack" without someone
noticing.

~~~
valine
You wouldn't need to swing even half the states. Swinging a single key state
like Florida could have a major impact on an election.

~~~
Klathmon
But you are still talking about thousands of people, MAYBE hundreds if it's a
close election and you are really really strategic.

With something electronic, at the very best you end up needing the same number
of people at the same amount of locations. But this time instead of having to
stuff a bunch of ballots into a box without anyone seeing you, you just need
time alone with a machine at any point before voting or even during voting.
(and I'll honestly admit I don't know which of those is easier, but that's
before we get into all the other issues with electronic voting)

I think there is a possibility that electronic voting could be better at some
point in the far off future, but in reality and right now, the benefits don't
even begin to outweigh the negatives.

------
cwyers
Haven't we gotten past the "open source == secure" mindset yet? Yes, open
source software can be audited. But secure software is also _really really
expensive_. "With enough eyes, all bugs are shallow" has been pretty well
repudiated. Finding security bugs and fixing them in open source products is
exactly the sort of drudgery that people don't tend to do on their own; it's
not fun like adding new features is. Open source is not a silver bullet to add
security where other forces are pushing against it. Android is open source,
iOS isn't. Which is more secure? I'm not saying that iOS is more secure
_because_ it's closed source, I'm just saying that "open source == secure" is
overly simplistic.

~~~
BoringCode
Many open-source projects simply don't have the resources to adequately test
their products or provide support. Contrast this with a large company which
has the resources and the willpower to provide support for their software.
Often the best of both worlds is a large company/organization that dedicates
its resources to an open-source product, but that's not always the case.

But this issue is never as black and white as "open-source is more secure."
There are many other factors that go into the security of a product beyond its
source code being readable. Deciding which factors matter largely depends upon
your unique threat model.

~~~
cwyers
I'm not sure about "a large company/organization that dedicates its resources
to an open-source product" being the best of both worlds. I mean, maybe
narrowly defined, sure. But take one of the better examples of the form,
Chrome/Chromium. I'm not sure that a world where we get a free web browser
that is used to funnel us all into an ad-driven model powered by an incredible
surveillance apparatus is strictly better than a world where we all have to
buy our web browsers. There's tradeoffs all the way down. Open source coexists
well with some revenue models and doesn't with others, and the revenue models
that best coexist with open source have some very significant downsides in
terms of how they don't align the interests of the business with that of its
users.

~~~
BoringCode
I am concurring with you. The point I'm making is that it's a matter of
resources and trust, not literal "open source" that matters.

If I trust an organization to put the resources towards properly auditing
their software, that's often far more important than whether or not I can
personally do an audit. The majority of people and organizations do not have
the time or technical skills to properly evaluate software. Whether the
software they use is open-source won't ultimately matter.

The "many eyes" argument often falls apart because most of the time there
simply aren't that many eyes dedicated to a project. What is the practical
difference between Microsoft hiring 100 people to perform security audits and
an open-source project that has 100 volunteers? Resources and trust. If you
trust the open-source project to dedicate resources to security, and their
software fits in your threat model, then use it. Or the inverse, if you don't
trust MS and their software doesn't fit: avoid it. The vast majority of the
time open-source vs closed-source should not be the main differentiator, but
rather a smaller element of an informed decision.

------
Kpourdeilami
Even if they use open source software, what guarantee is there that version of
the software deployed on the machines is the same as one people can inspect?

~~~
mikegerwitz
You could have multiple independent inspectors do such certification provided
state/federal laws are strong enough to discourage bad actors, but there's a
bigger problem than that: how do you guarantee that the hardware is the same?
You don't, especially if malicious State actors are involved.

Even in the case of inspecting software, you'd have to guarantee that the
systems are secured after inspection and not tampered with. That's an even
more difficult problem.

The systems are simply too complex.

~~~
zanny
You need a system for point of use verification of system integrity by the
voter as they are voting.

It also doesn't need to be "simple enough" for anyone to do it. You just need
a system in place to enable voters to verify the authenticity of the machine
(a relatively easy way is a public voting ledger where the voter can match the
id the machine shows with what shows up in the ledger a minute later) and
those with the know-how will do so.

~~~
mikegerwitz
Software can be verified as such if backed by the proper hardware, but the
hardware itself can't be verified in such a manner. You can't produce a
signature of a hash of the atoms in a computer.

------
ivanbakel
A natural extension of the industry requirement for crypto implementations to
be open-sourced. How can you rely on the security of a system you cannot
inspect? The trouble is that security through obscurity is the physical
standard - you can't keep a lock everyone knows the cut for - so the
non-technical approach is sticking with what you know.

It's disturbing that a major corporation has the lobbying power to back that
kind of unsafe position for its own gain, though.

~~~
wongarsu
Security through obscurity is a factor in physical security, but locks are
really not an example of that. The construction of most locks is well
documented, or easy to reverse engineer by buying an identical lock. The thing
keeping a lock secure is the key, which is a regular secret just like any
crypto key. Nobody would claim ssh does security by obscurity because anyone
who knows my key can get into my server.

~~~
ivanbakel
Well, I meant more that, in contrast to an asymmetric keypair, you can't leave
a criminal alone with a lock for as long as you please. With enough time to
gather information about a specific lock, someone can eventually use it to get
a key - no amount of time with your public key will, at present, give you its
private counterpart. The lock itself is not inherently secure in a way that
having it won't compromise the key, so its security comes somewhat from the
obscurity of the internals of each lock.

It's not an exact metaphor, I admit, but it's relevant to the fears of OSS -
people think leaving all your public information on the table is enough to
compromise the system, because in a physical model, it effectively is.

~~~
wongarsu
There are lock designs where short of brute-forcing you can't gain any useful
information. But in a way locks are hard to equate to digital concepts because
typical locks are laughably insecure and can be bypassed with a $30 Amazon
purchase and a few seconds of time on the lock.

------
mipmap04
Or use paper ballots.

Additionally, if you really wanted to protect voting and still use computers,
use an open ballot and also allow voters to audit their own vote.

~~~
t_fatus
How do you ensure people able to hack your voting system won't be able to
change what is displayed in the open ballot?

~~~
zanny
You get a transaction id for your vote when you vote, and you can verify it
against the open ballot. If they don't match, either the machine or the ballot
was hacked.

The public ballot is much easier to secure, since you can just use a trustless
ledger. Spinning up a ton of processing power to protect the voting process
day-of elections isn't infeasible.

------
jangerhofer
I have two open-ended questions on the subject of technology in U.S. voting.

(1) Why doesn't our electoral system require public disclosure of each voter's
record? What would the ramifications of publishing each voter's identity &
ballot online be? My thinking, like other comments here, is that a transparent
voting system would make results more easily verifiable, if not easy to
verify.

(2) At what point could we transition toward more of a democracy (in contrast
to the representative, republican system) through the use of digital voting,
which has a lower "barrier to entry" than turning out to a polling center?
Particularly on nationwide issues like healthcare, I presume there are
relatively few technological barriers to letting every citizen vote
individually on a bill and immense political and social consequences. I can't
fathom the outcomes -- do you know of any discussion of such a system?

Non sequitur: I've always wanted to see a "name brand" professional sports
team run, down to the minutiae, by online fan voting. I know it's out there in
small leagues already.

~~~
banned1
(1) Things are crazy right now. As an example that is relevant for the HN
audience, Republican voters would feel the wrath and hysteria of Liberals in
San Francisco who would kick them out of companies or demand their dismissal.
The same would happen to Democrat voters in some Republican stronghold in a
Red state.

(2) Probably not in a long time in the US. The system is built under the
assumptions that you can't trust voters know what is good for them, let alone
what is good for the country overall.

~~~
mentos
(1) What if we gave everyone a voter UUID that they could verify on a website
where hundreds of millions of other voter UUIDs and votes are posted for
verification?

~~~
indigo0086
The trend of wanting to give every citizen random IDs tied to their identity
is very scary. Also, "we" won't give anyone anything. It will be a registration
with a government agency that will eventually lead to their rights being
violated by the government at some point in the future. Why is it people want
to do the government's job of infringing on rights with some faux altruistic
intent?

~~~
xienze
Parent may have worded it poorly, but I don't see why you couldn't be given a
UUID for your _vote_ that could be checked online later.

~~~
indigo0086
How many promises of "no personal information will be stored" have we, as
people in various levels of the tech field, known for a fact to be a trickily
worded lie?

~~~
xienze
Well that's why it needs to be open sourced.

------
bearcobra
This seems like a problem that requires multiple approaches to fix. Since the
election, I've been thinking that a system with these features would be ideal:

1. Electronic machines powered by OSS
   * Provides fast counting, and potentially better UX in scenarios with a large
     number of items to vote on
   * Ability for the public to review the code

2. Machines print a copy of the ballot that the voter can verify before it is
   placed in a secure ballot box
   * Provides an auditable backup record

3. Machines give the option to print a second copy of the ballot with a unique
   code. This code can be used to verify selections later via some kind of
   online interface.
   * Gives the user one more check on ballot integrity
   * Allows the voter to keep their voting record anonymous if they choose

I think this would balance pros/cons of pure paper vs. electronic voting
systems

------
SomeStupidPoint
....Or just be reasonable and use paper ballots.

They're not actually that hard to count, they leave a hard to alter record,
they require more effort to fake, etc.

The underinvestment in voting and the focus on mechanizing it has been a
disaster in the US and is teetering on the edge of being incredibly dangerous
to the well-being of the country.

Electronic voting has none of the features we want and all the failure modes
we don't. Return to entirely paper.

(For what it's worth, my area seems to basically use those test scanning
systems on paper mail-in ballots. That's still more electronics than I like
involved in the process, but is _much_ better than fully electronic and we
might be stuck with that as long as we use mail-in ballots -- which is a
separate debate.)

~~~
wahern
California is almost entirely paper ballots across the state. Moreover, 1% of
ballots are hand-audited to verify the integrity of the electronic tally.

Years ago there was a push for online voting. The state commission came away
from that study suggesting a return to paper ballots, recommending to ditch
even the new electronic voting machines that were becoming popular, because of
the lack of credible, verifiable security. I think paper ballots are
effectively required by law, now, with exceptions for accommodating people
with disabilities.

------
tzs
If you need open source voting software in order to trust that your voting
system is working reliably, you have already lost, because that implies your
voting system is depending on software working correctly.

Look at Scantegrity [1]. It provides end to end independent verifiability of
elections and lets voters check to see if their vote was counted correctly,
without depending on the voting software functioning correctly.

[1]
[https://en.wikipedia.org/wiki/Scantegrity](https://en.wikipedia.org/wiki/Scantegrity)

------
khrm
I find Rivest's video
([https://www.youtube.com/watch?v=BYRTvoZ3Rho](https://www.youtube.com/watch?v=BYRTvoZ3Rho))
on homomorphic encryption as a voting mechanism quite interesting. It looks
more secure than pen and paper.

All users get a receipt which they can verify is the same during vote counting.
They themselves can count the votes using all the others' receipts. At the same
time, they can't sell their vote as it's encrypted.
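Added here as an illustration of the scheme khrm describes, not code from the thread or from Rivest's talk: a toy additively homomorphic tally using textbook Paillier encryption (one cryptosystem commonly used for this; the talk's exact construction is not given on this page). Every ballot is encrypted and published, anyone can multiply the published ciphertexts to obtain an encryption of the running total, and only that total is ever decrypted. The primes, the candidate encoding and the ballots are constructed for the demo.

```python
import math
import secrets

# Constructed demo parameters: two small, well-known primes (the 10,000th and
# 100,000th primes). A real election key would use primes of 1024+ bits and a
# threshold (split) private key so that no single trustee can decrypt ballots.
P = 104_729
Q = 1_299_709


class Paillier:
    """Textbook Paillier with the common simplification g = n + 1."""

    def __init__(self, p: int, q: int) -> None:
        self.n = p * q
        self.n2 = self.n * self.n
        self.g = self.n + 1
        self.lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
        self.mu = pow(self.lam, -1, self.n)                     # L(g^lam)^-1 mod n

    def encrypt(self, m: int) -> int:
        # Fresh random r makes two encryptions of the same vote look unrelated.
        while True:
            r = secrets.randbelow(self.n - 1) + 1
            if math.gcd(r, self.n) == 1:
                break
        return (pow(self.g, m, self.n2) * pow(r, self.n, self.n2)) % self.n2

    def decrypt(self, c: int) -> int:
        x = pow(c, self.lam, self.n2)
        return ((x - 1) // self.n * self.mu) % self.n


def add_encrypted(ciphertexts, n2: int) -> int:
    """Multiplying Paillier ciphertexts adds the plaintexts: E(a)*E(b) = E(a+b)."""
    acc = 1
    for c in ciphertexts:
        acc = (acc * c) % n2
    return acc


def encode_ballot(choice: int, base: int) -> int:
    """Candidate j is encoded as base**j, so a sum of ballots packs one count per digit."""
    return base ** choice


def decode_tally(total: int, base: int, candidates: int) -> list:
    """Unpack the per-candidate counts from the decrypted sum, one base-`base` digit each."""
    counts = []
    for _ in range(candidates):
        total, digit = divmod(total, base)
        counts.append(digit)
    return counts


def receipt_on_board(receipt: int, board) -> bool:
    """Voter-side check: the ciphertext I was handed is published unchanged."""
    return receipt in board


def run_election(choices, candidates: int = 3):
    """Encrypt every ballot, publish the ciphertexts, tally without decrypting
    any individual ballot, and return (counts, public_board)."""
    key = Paillier(P, Q)
    base = len(choices) + 1  # a digit can never overflow into the next candidate
    board = [key.encrypt(encode_ballot(c, base)) for c in choices]  # public bulletin board
    # Anyone can recompute the encrypted total from the board...
    encrypted_total = add_encrypted(board, key.n2)
    # ...but only the key holder can open it, and only the total is opened.
    counts = decode_tally(key.decrypt(encrypted_total), base, candidates)
    return counts, board


if __name__ == "__main__":
    tally, public_board = run_election([0, 1, 1, 2, 1, 0, 1])  # constructed ballots
    print(tally, all(receipt_on_board(r, public_board) for r in public_board))
```

A voter's receipt is their own ciphertext: on its own it does not reveal the choice, yet if the published board drops or alters that entry the voter can see it. Two requirements this toy omits, both standard in real designs: the private key is split among several trustees so no one party can decrypt a single ballot, and each ciphertext is accompanied by a zero-knowledge proof that it encodes exactly one valid candidate, otherwise a malformed ballot would go undetected in the sum.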

------
uncletaco
Use paper voting, or if you want everyone to have easier access use mail-in
paper voting.

~~~
wongarsu
I don't think we should encourage mail-in voting. It opens the door to all
kinds of voting fraud.

A major point of the polling booth is that nobody can see what you put on your
ballot, and you can lie to anyone about it. No family member can pressure you
to vote in a certain way, and if somebody offers you money in exchange for
your vote you take their money and vote for somebody else. And if your
employer threatens to fire anyone who votes for the wrong person, you just
tell them you voted for their favorite candidate, they can't tell the
difference.

Mail-in voting is nice for people who physically can't visit a voting booth,
either due to disability, sickness, or scheduling problems. But it should
never become the norm.

~~~
djrogers
At least in my district I can mail in a vote, then go on Election Day and fill
out a provisional ballot that will override my mail in ballot.

------
GlitchMr
There was once a GNU project for electronic voting
([https://www.gnu.org/software/free/](https://www.gnu.org/software/free/)),
but it was stopped after they realized that what they were trying to do was
almost impossible, and they changed direction to recommending not using
electronic voting systems at all.

------
dilap
Give each vote a uuid. Give the voter a receipt with their uuid and results.
Post the full results online by uuid; voters can verify the recorded online
result is faithful.

Label the online results by voting site. Keep a count at each site of the
number of people that voted. Verify this count more or less matches the
results posted online.
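As an added example, not code from any commenter, of the two checks dilap describes (the same receipt-and-ledger mechanism zanny and mentos raise earlier in the thread): a receipt of (uuid, choice) is verified against a published ledger labelled by site, and the per-site ledger counts are reconciled against the poll-book sign-in counts. The ledger layout, site names and ballots are constructed for the demo.

```python
import uuid
from collections import Counter

# Constructed model: every cast vote gets a random UUID, the voter keeps
# (uuid, choice) as a receipt, and the ledger published afterwards lists
# (uuid, site, choice). Site names and choices below are invented.


def cast_vote(ledger, site, choice):
    """Record one vote on the ledger; return the receipt the voter takes home."""
    vote_id = str(uuid.uuid4())
    ledger.append({"uuid": vote_id, "site": site, "choice": choice})
    return {"uuid": vote_id, "choice": choice}


def verify_receipt(ledger, receipt):
    """Voter-side check: my uuid is published, and with the choice I made."""
    by_id = {entry["uuid"]: entry for entry in ledger}
    entry = by_id.get(receipt["uuid"])
    if entry is None:
        return "missing"
    if entry["choice"] != receipt["choice"]:
        return "altered"
    return "ok"


def reconcile_sites(ledger, poll_book_counts):
    """Observer-side check: ledger entries per site vs. the number of people the
    poll book says signed in there. Returns {site: (poll_book, ledger)} for
    every site where the two disagree."""
    ledger_counts = Counter(entry["site"] for entry in ledger)
    sites = set(ledger_counts) | set(poll_book_counts)
    return {
        s: (poll_book_counts.get(s, 0), ledger_counts.get(s, 0))
        for s in sites
        if poll_book_counts.get(s, 0) != ledger_counts.get(s, 0)
    }


def demo():
    """Run an honest election, then two tampering scenarios, and return what
    each check reports: (honest, flipped_receipt_status, stuffed_site_report)."""
    ledger = []
    poll_book = Counter()
    plan = [("site-A", "yes"), ("site-A", "no"), ("site-A", "yes"),
            ("site-B", "no"), ("site-B", "no")]          # constructed ballots
    receipts = []
    for site, choice in plan:
        poll_book[site] += 1                             # voter signs the book
        receipts.append(cast_vote(ledger, site, choice))
    # Honest ledger: every receipt verifies and every site reconciles.
    honest = ([verify_receipt(ledger, r) for r in receipts],
              reconcile_sites(ledger, poll_book))
    # Scenario 1: one recorded choice is flipped -> that voter's receipt fails.
    tampered = [dict(e) for e in ledger]
    tampered[1]["choice"] = "yes"
    flipped = verify_receipt(tampered, receipts[1])
    # Scenario 2: three records appear at site-B that no signed-in voter
    # accounts for -> the site count disagrees with the poll book.
    for _ in range(3):
        cast_vote(tampered, "site-B", "yes")
    stuffed = reconcile_sites(tampered, poll_book)
    return honest, flipped, stuffed


if __name__ == "__main__":
    print(demo())
```

The first check catches a dropped or altered record; the second catches records that outnumber the people who signed in. What the scheme does not do is keep the choice secret from anyone holding the receipt, which is the objection the reply below raises.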

~~~
denom
That would result in scenarios like this: "I'll pay you X amount for a 'Yes'
UUID". It's far better to keep the result anonymous.

As for the counts, where I vote my name is recorded in a book and then I cast
my ballot. So it should be possible to verify that the book tally and vote
tally match.

~~~
novalis78
I thought that's how democracy currently operates: you vote for me and I give
you xyz. Now, combining this with a Blockchain and actually getting paid...
hmmm...

------
zAy0LfpBZLC8mAC
Just no.

Very relevant to this topic: Ken Thompson's "Reflections on Trusting Trust":

[https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thomp...](https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf)

~~~
43224gg252
Did Ken write anything on trusting the government?

------
marcoperaza
The most computerization I'm comfortable with for voting is having machines
count paper ballots.

------
denom
Paper and pen is the way to go. It provides a verifiable record of votes cast
and means you need physical/personal access to tamper with the result. That
also means people with no special skills can provide security for all segments
of the voting process.

------
jjawssd
I think a lot of you guys mentioning paper ballots are also missing something
very important: what is counting the paper ballots? Is a Scantron machine
reading the ballots? If so, the firmware could be compromised to bias results
in a particular direction in a stealthy manner.

Please observe a real world example of this:
[https://www.youtube.com/watch?v=8mBMHPxdljE](https://www.youtube.com/watch?v=8mBMHPxdljE)

~~~
jeltz
I have never assumed anything other than that it would be humans, presumably
mostly volunteers from the various political parties, doing the counting. That
is how it is done in Sweden, and I think also a bunch of other European
countries. It worked fine for us before we had computers and it still works.
We get a preliminary result within a few hours, and a final result in like 3
or 4 days. And the problem of manually counting votes scales linearly with the
population so the size of the country should not matter much.

------
digikata
Open source voting software is not sufficient. Paper ballots are better, but I
suspect that electronic + verified paper receipt + an audit process is a
fuller solution. Paper alone can be more easily locally subverted, electronic
alone can be more globally. But if you have to alter both an electronic
record/reporting and the paper ballots in a way that correlates then you have
a better resistance than either paper/electronic alone.

------
fapjacks
I would take it one step further: I should be able to build my own voting
machine from the open source plans, and cast my vote with it this way, which
prints out a receipt for me that I have verified matches the (paper) printout
on the receiving end.

------
Findeton
Whether we like it or not, electronic voting is probably here to stay. So
perhaps the best way of proceeding is trying to harden the electronic voting
systems as best we can instead of letting other, less informed people try.

------
wolfgang42
I see lots of debate on paper vs electronic voting, but I don't see anyone
who's mentioned another option: mechanical voting machines. For those who
haven't encountered one, here's how they work:

1. You go to your local polling place, show the volunteer your ID, and sign a
book next to your name. They check your signature, then walk you to a voting
machine and unlock it.

2. You go into the voting booth and pull the operating lever to the right.
This closes the curtain, increments a counter, and unlocks the vote levers.

3. You make your vote selections on the voting levers. The machine prevents
spoiled ballots with a mechanical interlocking: if the ballot says "pick any
two", the other vote levers will be locked out once you've selected two of
them.

4. Once finished, pull the operating lever to the left. This increments
various counters for your votes, clears the voting levers, opens the curtain,
and relocks the machine.

At the end of the night, the election volunteers open the back of each machine
and read off the values of each counter, then report the results to the
election board. There, the numbers are subtracted from the original counter
values (the counters are non-resettable) and cross-checked to ensure validity
(casting a vote increments both a vote counter and various 'checksum'
counters), then aggregated with the other machines to get the final result.

This system has, in my view, most of the advantages of the other two systems:
it is very difficult to tamper with (all the voting machines, once configured,
are cross-checked and sealed; the seal is on the side of the machine and can
be inspected by any voter to detect tampering), anonymous (all votes are
aggregated in-machine), and provides fast counting (all of the counter values
are entered into a digital system at the end of the night).

Unfortunately, they were banned by the Help America Vote Act, and are
sometimes panned as difficult to use. (I never got a chance to use them
myself, as New York replaced them shortly before I became eligible to vote,
but I got to go into the voting booth with my parents and even as a
nine-year-old they didn't seem especially confusing to me.) Also, the machines are
complex mechanical beasts, with some 28,000 moving parts, and they're probably
becoming increasingly difficult to repair.

Even if mechanical voting machines are a thing of the past, I think it's
important to at least look at them to see how they provided for the important
aspects of a voting system, and possibly take some of the ideas to be used in
current and future systems.
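A small model of the counter bookkeeping just described, added here as an illustration and not part of the comment: the counters are odometers read at opening and at close, the differences are what gets reported, the "pick any two" interlock refuses a third lever, and the checksum is modelled as one per-race ballots counter that must equal the public counter, with each race's candidate totals bounded by its pick limit. The race names, opening readings and ballots are constructed; the real machines' internal counter layout is not given on the page.

```python
class LeverMachine:
    """Constructed model of a lever voting machine's non-resettable counters."""

    def __init__(self, races, opening_readings):
        # races: {race_name: (max_picks, [candidate, ...])}
        self.races = races
        # Odometer-style counters keyed "public", (race, candidate), (race, "ballots").
        self.counters = dict(opening_readings)
        self.opening_readings = dict(opening_readings)  # written down before polls open
        self.curtain_closed = False
        self.pulled = {race: set() for race in races}

    def enter(self):
        """Operating lever to the right: curtain closes, public counter advances."""
        if self.curtain_closed:
            raise RuntimeError("booth already occupied")
        self.curtain_closed = True
        self.counters["public"] += 1

    def pull(self, race, candidate):
        """Pull a vote lever. Returns False when the interlock refuses it."""
        max_picks, candidates = self.races[race]
        if not self.curtain_closed or candidate not in candidates:
            return False
        if candidate in self.pulled[race]:
            return True
        if len(self.pulled[race]) >= max_picks:   # mechanical lock-out
            return False
        self.pulled[race].add(candidate)
        return True

    def leave(self):
        """Operating lever to the left: register the ballot, clear levers, open curtain."""
        for race, chosen in self.pulled.items():
            for cand in chosen:
                self.counters[(race, cand)] += 1
            self.counters[(race, "ballots")] += 1    # modelled checksum counter
            self.pulled[race] = set()
        self.curtain_closed = False


def close_of_polls(machine):
    """Read every counter, subtract the opening readings, and cross-check."""
    results = {k: machine.counters[k] - machine.opening_readings[k]
               for k in machine.counters}
    problems = []
    for race, (max_picks, candidates) in machine.races.items():
        if results[(race, "ballots")] != results["public"]:
            problems.append(f"{race}: checksum counter disagrees with public counter")
        selections = sum(results[(race, c)] for c in candidates)
        if selections > max_picks * results[(race, "ballots")]:
            problems.append(f"{race}: more selections than ballots allow")
    return results, problems


def build_demo_machine():
    races = {"mayor": (1, ["Adams", "Baker"]),
             "council": (2, ["Xu", "Young", "Zhou"])}   # constructed ballot layout
    opening = {"public": 1043}                          # arbitrary odometer readings
    for race, (_, cands) in races.items():
        opening[(race, "ballots")] = 1043
        for c in cands:
            opening[(race, c)] = 500 + len(c)
    return LeverMachine(races, opening)


def cast_demo_ballots(machine):
    """Cast three constructed ballots; return how many levers the interlock refused."""
    ballots = [("Adams", ["Xu", "Young", "Zhou"]),   # third council pick is locked out
               ("Baker", ["Young"]),
               ("Adams", ["Xu", "Zhou"])]
    locked_out = 0
    for mayor, council in ballots:
        machine.enter()
        machine.pull("mayor", mayor)
        for c in council:
            if not machine.pull("council", c):
                locked_out += 1
        machine.leave()
    return locked_out


def demo():
    machine = build_demo_machine()
    locked_out = cast_demo_ballots(machine)
    results, problems = close_of_polls(machine)
    return results, problems, locked_out


if __name__ == "__main__":
    print(demo())
```

Bumping any single candidate counter after the fact, without also moving the public and per-race counters in step, shows up in the cross-check; that is the property the seals and the opening readings exist to protect.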

------
jgamman
Why don't you mix the two and have electronic as 'indicative' with paper being
the ultimate decider. No way I want 100% e-voting, but having a machine spit
out a picture of the person I'm voting for that I deposit in a box seems fine
- the instant-news cycle gets its data realtime, the data is then fact
checked over the next 24 hours. What's the downside? I like democracy, I think
a bit of belt-and-braces to its mechanics is a Very Good Idea.

------
vmarshall23
eVacs!

[https://lwn.net/Articles/44077/](https://lwn.net/Articles/44077/)
[http://www.softimp.com.au/evacs/products.html](http://www.softimp.com.au/evacs/products.html)

------
vmarshall23
Open Source Voting Machines - with take-away symmetric-key paper receipts
for auditing.

------
soufron
To protect voting, keep up with transparent urns and paper ballots

------
Dowwie
Paper and Rust.

