
US election system reveals frightening vulnerabilities at almost every level - throwaway2048
https://www.vox.com/2018/10/25/18001684/2018-midterms-hacked-russia-election-security-voting
======
TheAceOfHearts
Paper ballots are the superior method of voting. It makes it nigh impossible
to cheat at a large scale and there's a paper trail verified by multiple
adversarial parties. It's also way more reliable due to the sheer simplicity
of the system. For a system as important as our elections we should take every
precaution possible.

Maybe I'm paranoid, but I don't even trust mail-in ballots. I'm perfectly
content to fill out my ballot ahead of time and hand-deliver it on election
day.

I think it should also be a requirement to show a state or federal ID before
you can cast your vote. I'm always floored when people try to defend voting
without requiring any kind of identity verification. In Puerto Rico you're
required to register ahead of time for a voter ID and you must present it in
order to vote. If Puerto Rico, which is drastically poorer than all 50 states,
can pull this off without it being considered a problem then I find it really
hard to take seriously the claims of people saying it sets too high of a bar.

~~~
adjkant
> I think it should also be a requirement to show a state or federal ID before
> you can cast your vote. I'm always floored when people try to defend voting
> without requiring any kind of identity verification. In Puerto Rico you're
> required to register ahead of time for a voter ID and you must present it in
> order to vote. If Puerto Rico, which is drastically poorer than all 50
> states, can pull this off without it being considered a problem then I find
> it really hard to take seriously the claims of people saying it sets too
> high of a bar.

The problem is that the state and federal ID system is so fucked up that it
disenfranchises voters. Until that system is fixed, you can't use it for
voting.

This issue then becomes a partisan one because voter fraud is so rare that it
doesn't seem to need any additions, so strong pushes for voter ID laws (which
almost never address the issue of the ID systems) are targeting those who are
less likely to have ID, which tends to be concentrated with voting for one
party. If anyone actually cared about voter ID laws for non-partisan reasons,
it would go hand in hand with a national ID system.

~~~
stouset
The same proponents of stronger voter ID laws are also the same people who are
incomprehensibly paranoid about the notion of a national ID system.

~~~
Mountain_Skies
Is that really so weird? All elections are essentially state elections. Even
the presidency is really a state level election due to the way the electoral
college works. There is no nationwide election so why would there need to be a
nationwide ID system for voting?

I'm in favor of requiring a photo id to vote but am well aware of the problems
some have in obtaining such an id. That's the problem that needs to be
corrected. It does need to be corrected first and we shouldn't just shrug our
shoulders and go back to things the way they've been. Everyone should have
easy access to a state endorsed identification card. It's an essential
function of government and interaction with citizens. As such it should be
funded by general taxation rather than a user fee.

A state issued identification card is used for so much more than just
authorization for driving a vehicle. Why is it in the hands of the DMV/DDS in
most if not every state? Even the non-driver identification cards issued to
those who don't drive are usually still issued by DMV/DDS. It's an odd system
that wouldn't be designed as it is now if we were designing from scratch but
we're used to it because that's how it evolved over time.

~~~
roenxi
Indeed. I hold a similar dual position and it is very easy to rationalise.
Government controls the police and military, and so has the capability to
threaten me in a way that pretty much nothing else does. I want the process of
controlling the government to be transparent, difficult and controlled - hence
voters should be identified on voting. I want the government's power to be
controlled - hence I don't want them to have a database where they can quickly
and easily match bits of my data up.

The tension between those two positions is of little practical importance.
I'm not worried that they can link my name and address, I'm worried about a
sudden outbreak of majority-vs-minority where someone I really don't like
gets in to power and links, I dunno, tax records-name-address,
racial-history-name-address, travel-history-bank-account-photo or somesuch. I
don't think it is practically feasible to target someone off the information
in a voter roll.

The real issue to me is that there isn't much organisation against governments
laying the groundwork, and in practice opposing an ID card doesn't mean
anything. In Australia we basically have all the infrastructure for a national
ID card except the formalisation of a little piece of plastic.

~~~
8note
couldn't someone in power just buy that link information from someone like
Equifax?

------
jcrawfordor
My county of over 600k people has a Bureau of Elections staff of five, and
none of them are really technical people, they just do basic work on the
machines and train the temp staff hired for elections. They rely on a
contractor to handle just about every aspect of the technology, including the
pollbook system, and that company is a larger operation but still the kind of
operation where I've heard the elections staff getting on the phone with them
to have them restart a service that had gone sluggish. Some amount of support
is provided by the secretary of state, but the SoS elections office is also
very small, and even the state's department of IT doesn't have a meaningful
security department.

I honestly think that the election system in the United States is simply too
decentralized. Counties, even larger ones like mine, struggle to afford to
hire a staff or retain contractors that have any kind of serious security
expertise - or even expertise in reliable services. The federal elections
commission was created to address some of these problems by providing
centralized resources to states and counties, but it hasn't gone nearly far
enough in my opinion. I have a hard time imagining a way to make a serious
improvement here without moving just about the entire platform for voting
systems under the federal government.

~~~
ISL
The decentralization of the United States is, in my opinion, a feature, not a
bug.

The upside inherent in fifty parallel and bespoke experiments in government is
worth the extra complexity and cost. Ideas are tried out, and can bubble
outward and upward if they work. Bad ideas directly impact only ~2% of the
country.

Furthermore, having state and local control over elections has a direct impact
on legitimacy. I don't have to believe that someone in Washington DC is doing
things right. Instead, I can interact directly with our state's secretary of
state and our local county elections office.

Decentralization with heterogeneous procedures makes election compromise a
much greater logistical challenge for any nefarious actor. It is probably a
lot easier to spend money on lobbying.

Edit: Finally -- if you want your local/state elections infrastructure to have
more resources, your voice and your vote are your tools.

~~~
stephengillie
> _Bad ideas directly impact only ~2% of the country._

If only populations were so evenly distributed. 1/2 of Americans live east of
the Mississippi, on 1/3 of the Continental US, and about 1/2 of the rest live
on the West Coast. The mideastern states have very few residents.

~~~
Armisael16
What are the mideastern states?

If you mean the Midwest then I regret to inform you that Illinois, Ohio, and
Michigan are all in the top 10 most populous states.

~~~
stephengillie
Yes, those 3 Mideastern states are east of the Mississippi.

They're in the middle of the continent, and east of my state, so they are
mideast to me. Not to be confused with Arabia, east Mediterranean, and Persian
gulf.

------
cletus
At this point I'm really wondering what it will take before we accept the
utter insanity that is electronic voting.

Even if there isn't a major breach to the point where hostile actors (foreign
or domestic) "steal" an election, the confidence in e-voting will inevitably
be cast into doubt by the losing side at some point. Guaranteed.

How do you audit or recount an anonymous electronic vote? How do you know if a
vote cast is recorded as such? How do you know votes aren't wiped at some
point?

There are two basic options that work perfectly well:

- Fill in a paper ballot with pen or pencil marking in spaces for the
candidates you vote for. Have a machine verify your ballot.

- Vote on a touch screen. Once done print out your ballot and put it in a
box.

In either case you use some kind of paper that isn't impossible to counterfeit
(that's basically an impossibility) but it should be hard enough such that
it's nontrivial.

That's it. That's all you need to do.

Sure local actors can "lose" ballots, ballot stuff and so forth but this all has
to be done on a pretty local level. You get rid of any potential vectors like
a Russian or Chinese state agency changing the result from the other side of
the planet because someone forgot to update OpenSSL on one Linux server or
someone clicked on a phishing link on an innocuous looking email.

Apparently we didn't learn our lessons from unreliable voting methods in 2000
(pregnant chad, anyone?) so I'm not super-hopeful.

------
ashleyn
I was floored when I read the responses to malfunctioning equipment in Texas.
"Voters are moving too quickly through the pages." That is a BUG! not user
error in the slightest.

~~~
wizzard
Right? "Voters need to wait until all the choices have populated before making
a selection." Absolute BS. Software design 101.

------
thewhitetulip
I'm from India and every election since the 1950s has been called rigged by the
Opposition. The party which is in power now, has written a book on EVM
tampering and the party which was in power for most of the time have rubbished
EVM tampering.

Now that roles have reversed, so have their claims.

Coming to the point, isn't the US using paper ballots? All the papers in my
nation say the US holds elections via paper ballots and not EVMs.

And why the heck do EVMs exist? Who verifies if they are fine or not? We know
very well about how elections are rigged in third world dictatorships.

There needs to be a standard.

~~~
mikeash
I don’t think I’ve seen a paper ballot since I voted absentee in 2004.

Why do electronic machines exist? The charitable interpretation is that they
were chosen in the aftermath of the disastrous 2000 election because they
remove ambiguity and error. The less charitable interpretation is that they’re
used because they’re easier to screw with.

Who verifies them? Mostly the companies who make them.

~~~
dragonwriter
> I don’t think I’ve seen a paper ballot since I voted absentee in 2004.

I've voted in person consistently, and never seen anything else. Different
jurisdictions in the US make different choices.

------
whoisthemachine
Where is our National Security Agency in all of this? Isn't their express goal
the monitoring of foreign signals and the protection of US signals?

~~~
mtgx
And didn't they promise the Cybersecurity Act of 2016 would help them - oh so
much - in stopping these attacks and that it "was not another surveillance
bill in disguise" ?

------
1024core
Democrats have been complaining about this for decades, but what did they do
when they got majorities in 2008? Absolutely nothing.

Like a lot of other things, I feel like Democrats like to keep these issues
around as a rallying cause, instead of fixing them.

Edit: I'll just address some of the comments here. This is not "partisan
sniping", and I write this as a former Obama volunteer and a lifelong
Democrat.

Second: the federal government _can_ do something. Here's an idea: give a
$100M grant to 5 major universities to develop an open-source (hardware and
software) alternative to the current system, and make a FIPS standard out of
it. Then, certify vendors who implement that standard. The states can then buy
systems from those vendors.

~~~
bilbo0s
Guys, we've had three terrorist attacks this week, and a lot of us are just
kind of tired of the partisan sniping.

Can we just kind of give it a rest for a little while? It really is a bad time
right now.

~~~
mikeash
If you don’t want to read partisan sniping, don’t come into the comments about
election systems. It’s not like this is a story about the attacks where people
hijacked the conversation. Don’t seek out a topic and then complain that
people are discussing it, that’s just silly.

------
stretchwithme
It's a winner-take-all electoral system. I'm not getting my interests
represented anyway. So not exactly sure why I should be upset about the
accuracy with which I am being denied that.

Sure it's not good. But it is just an enhancement of a greater wrong. I find
most people don't want to deal with that issue at all and would prefer to
believe the current system, as it is supposed to work, is the best way to do
things.

It's a good system for those who are currently able to exploit it for their
own gain. But that's always true everywhere.

------
theseadroid
Aren't election systems the best candidate for open sourcing? So that anyone
with technical knowledge can independently verify the security and
correctness.

I wish every piece of civilian software funded by gov is open sourced. And why
shouldn't they be?

~~~
gsich
Yes. But verifying the source code doesn't guarantee anything, as you don't
know what is actually running on the machine.

~~~
tomrod
Unless you specify open testing protocols that also test for cheating (like VW
emissions).

It shouldn't be this hard to vote and to trust a certified outcome. Regulators
require businesses to run with specified parameters, why do elections get off
the hook?

~~~
DennisP
It's not hard, if you use paper ballots and well-established protocols for
securing elections.

On the other hand, if you use electronic machines without paper backup, it's
basically impossible.

~~~
gsich
Then why do electronic machines in the first place?

~~~
vibrolax
Because they're cheaper. I lived in counties that formerly used mechanical
voting machines. They were replaced by electronic ones when the cost of
maintaining them became higher than the replacement cost. If security was
considered at all, I speculate that it was not the highest priority.

~~~
gsich
I agree but only if paper voting is abolished, otherwise you'll have both
systems in place. Or is the paper only used when there are concerns about the
results?

------
perpetualcrayon
I think it's probably still a little too far outside most people's comfort
zone, but I think the future of voting will be 100% electronic with the
capability of being instantly recallable. The voting system will allow me to
see exactly how my vote was tallied after the fact.

From what I have read this is not desirable for the fact that people will more
easily be able to sell their vote because they can prove to their "buyer" how
they voted. I think from a big-picture perspective this isn't a big deal. The
reason is it would be extremely easy to create sting operations on both ends
of this transaction: (a) create a sting to find and prosecute people willing
to sell their vote, and (b) create a sting to find and prosecute people
attempting to buy votes.

I'd prefer to move to a voting system where I can account for my vote after
I've voted and put in place enforcement via these types of sting operations to
prevent the inevitability of people attempting to buy / sell votes more
frequently.

~~~
3pt14159
No the primary problem isn't selling votes. The primary problem is
_fabricating_ votes or people trying to destabilize an election by claiming
they voted for someone else. If even 100 people come out and said their votes
were changed what do we do? Re-run the election?

Just use paper ballots. This isn't that hard.

~~~
perpetualcrayon
The way I look at it fabrication would be impossible if done right.

1) precinct has record of every eligible voter 2) voter can (via encrypted
means) retrieve their vote so it's still "private", but the voter can view it
after they've voted.

So as long as (a) the precinct confirms only eligible voter records are
counted and (b) each voter can confirm their vote counted how they intended
then I can't see how fabrication comes into play.

Granted this assumes the systems in place to onboard new voters are solid, but
even if it's not breaches should in theory expose the weaknesses and make it
possible for us to iterate toward an even more perfect system. By not exposing
the core data it's kind of like "security through obscurity".

https://en.wikipedia.org/wiki/Security_through_obscurity

------
djohnston
This goes back to the whole, “hacking the election” 2016 fiasco. Why are we
talking about these potential flaws more than the glaring flaw that
adversaries already exploited, that of a relatively dumb populace easily
manipulated via social media? There’s already a 0 day we don’t know how to
patch, our adversaries don’t need to invest in complex cyber attacks when they
can achieve the same end via free broadcasting platforms.

------
8bitsrule
I'd guess that it has had frightening vulnerabilities since it started.

Ideals are hard to live up to ... for many.

------
m3kw9
Every election is rigged according to the loser, or the non-incumbent

~~~
monocasa
Trump started a voting security investigation, saying the voting system was
rigged. He also won.

~~~
kevin_thibedeau
He started that narrative because he wanted to be a Fox News pundit after
losing the election, selling the idea of a rigged election to bask in the
attention and fuel his Hillary bashing. Winning ruined that plan.

------
mycall
If the system is already so rigged and/or fragile, why don't we explore the
blockchain world more? If people could get private/public keys into their
hands, they could vote using these and no one can change it. They could vote
at home or at polling places.

~~~
eksemplar
I work in the public sector of Scandinavia, where we’ve digitised voter
registration to make queues more efficient but kept the actual voting part on
paper.

Overall there isn’t a reason to have voting machines, and if you do, they
should really just print a piece of paper with your vote so that you can make
sure it’s what you picked.

You’ll sometimes hear finance and efficiency as a reason, but unless American
licensing for government software/hardware is significantly different from
everywhere else, it’ll always be cheaper to manually count the votes than to
buy voting software/hardware.

I mean, we digitised part of the process like I said, but we did it to make
citizens wait less not because it was cheaper. It’s actually really expensive
compared to doing manual voter registration, but we pay the money because no
one likes queues.

Blockchain isn’t really a suitable option. It could be, but in the real world
it would never be truly decentralised because no government is ever going to
trust that, and if it isn’t, it’s just as easy to change and manipulate as any
other database structure. And you still wouldn’t know if the voting machine
actually did what you told it to do.

You can never vote from home in a democracy, because people might force you to
vote a way you didn’t want to. I don’t really think groups would show up at
your house to force you to do anything, but we frequently get husbands ask if
they can vote for their wives, and if they could do that from home, no one
would be there to stop them.

I know we live in a time where we want to digitise everything, but the paper
vote is probably the safest and most efficient way to run voting in a
democracy.

~~~
int_19h
> You can never vote from home in a democracy, because people might force you
> to vote a way you didn’t want to. I don’t really think groups would show up
> at your house to force you to do anything, but we frequently get husbands
> ask if they can vote for their wives, and if they could do that from home,
> no one would be there to stop them.

The states that implement vote-by-mail in US (which, coincidentally, uses
paper ballots), ensure that the person casting the vote is the person to whom
the ballot was mailed by requiring a signature. To implement secret voting,
the ballot is enclosed in two envelopes, and only the outer envelope has any
personally identifiable information, including said signature. The signature
is checked against the one in the voter registration database, and if there's
a mismatch, the election department will contact the voter to ensure that the
ballot was, in fact, theirs. Once the check is done, the outer envelope is
discarded, and the still-sealed ballots are transferred to the people who will
actually count them.

This doesn't preclude forcing someone to vote in a certain way, or paying them
to vote in a certain way. But that is just as feasible with voting booths with
modern tech - you simply demand that the victim records filling the ballot
with their smartphone or a similar device. Some countries are banning camera
phones from voting booths for this reason, but enforcement is usually
impractical.

~~~
eksemplar
If you want to mail order in my country you have to go to a voting place and
go through the regular process. Exactly to prevent forced voting.

We set these up at libraries and other municipality buildings that already
offer citizen things (English is my third language sorry).

We also have voting busses that go to low voting neighbourhoods and we
obviously set up voting in nursing homes, hospitals and such.

But the process is always you, alone in the booth, with a piece of paper.
Unless you have a physical handicap, then two officials will help you vote.

Taking a photo of your ballot is illegal, but as you say, it’s impossible to
enforce. You do have options though, we use pencils in the booth and you can
always ask for a replacement ballot until your vote is cast. So you could
technically take a photo and still vote another way.

