
Why Online Voting Is a Danger to Democracy - rezist808
http://engineering.stanford.edu/news/david-dill-why-online-voting-danger-democracy
======
franciscojgo
I am strongly against the view of the author.

I see that the majority (or a large portion) of voters are fanatics that vote
based on affiliation and fanaticism, not policies nor experience.

Ie. The voting numbers are largely biased towards the political fanatic crowd.

I see online voting as a way to increase the number of ordinary people that
vote. Getting the voting population to 80%+ or more is good for democracy. I
see this as a positive.

Saying Online voting is a danger to democracy is like saying autonomous cars
are a danger to safety.

Yes, if the autonomous system doesn't work and is made with loopholes that
allow dangerous stuff, it will pose a danger. But if made to work fail-proof,
it will be infinitely better.

There's no point in saying something will not work if your only argument is
based on the proposition that it's going to be broken before it's even used.

Sure, an unsafe car is not safe. The only way to make it safe is to make sure
it's safe.

The only way "democratic" online voting will work is to make sure it's
"democratic".

~~~
curried_haskell
Your comparisons overlook a major difference between the paradigms of paper
and digital ballots. It's the same problem with autonomous cars. An unsafe car
can cause a single crash. An unsafe autonomous car program could crash every
car everywhere all at once. And with the current state of software
development, we KNOW that these softwares are vulnerable.

With paper ballots, it's not easy to tamper with the entire vote. You need a
huge, widespread effort. Or your country is so fucked that your government
ignores the vote and makes up some numbers. Everybody knows it's fraudulent,
but nobody can do anything about it.

With electronic ballots, it's suddenly trivially easy for just a tiny handful
rogue elements to stealthily forge every vote without anyone even realizing
there was fraud.

~~~
ethbro
I think you underestimate the sophistication needed to tamper with paper
ballots. There's certainly a "boots on the ground" requirement for tampering,
but the knowledge requirements are trivial compared to crypto attacks.

~~~
specialist
The physical chain of custody can be guaranteed with paper ballots. Yes, you
can burn ballots, or stuff the box, but if you're minding the store, someone
would notice.

Source: former poll judge, inspector.

~~~
ethbro
I defer to your expertise but did you ever work in third-world countries? (To
use the phrase as a proxy for inadequate political/physical infrastructure)

To use the engineering aphorism, just because it can be done doesn't mean it
is done. I'm curious about how physical security/verification works in that
environment vs a hypothetical crypto solution.

~~~
specialist
Observing third world elections is on my bucket list.

Election and voting chicanery happens plenty in the USA. No need to look
abroad. Merely lifting the floor here would be transformative.

The silver lining from the oversteer triggered by Gore v Bush 2000 is that
HAVA did lead to greater federal involvement in our locally administered
elections. eg Election Assistance Commission [http://eac.gov](http://eac.gov)
is now fairly proactive.

re _" vs a hypothetical crypto solution"_

Estonia's online voting system hasn't faired well under scrutiny.

------
jacquesm
Some of the people behind 'wijvertrouwenstemcomputersniet' (we do not trust
voting computers) are active in the CCC and have some pretty good arguments on
why electronic voting really is a danger to democracy.

[https://www.ccc.de/en/tags/wahlcomputer](https://www.ccc.de/en/tags/wahlcomputer)

The link between electronic voting and online voting is a strong one and one
would expect the online voting situation to be far more suspect to all kinds
of trickery than the one where the voting computer is set up in a booth. Even
so, there are some unique ways in which a voting computer in a booth might be
manipulated to give incorrect results that do not apply to online voting, but
I don't think it matters much, as soon as it's just bits & bytes and audit
trails who watches the watchers becomes the real issue.

Any voting system without anonymity and a way to do a re-count and some
physical proof is fundamentally broken.

~~~
ElijahLynn
I agree with some of the arguments against online voting. However, it isn't
really realistic to do re-counts right now, nor do people do them regularly.
If the people doing the counting are bought then that is an issue too.

Both ways suck right now.

One thing that I would like to see is an open source, standardized system
though.

There was/is an effort towards this right now.

[http://www.openvotingconsortium.org/our_solution](http://www.openvotingconsortium.org/our_solution)

Stops Secrecy in Vote Tabulation: OVC has a team of scientists ready to
program computer software for voting machines and electoral tabulation that
would be publicly owned or open source. Open source software could be checked
by any party or group by hiring a capable computer programmer.

Provides Paper Trail: The OVC recommended procedure for tabulating elections
relies on a paper ballot that is then fed through a scanner into a locked
ballot box so that all originals are saved in case of the need for a recount
or audit (See Sample Ballot).

Scientifically Verifiable: In addition to open source voting machine and
tabulation software, the Open Voting Consortium is also working on a database
checklist for standard practices in vote tabulation that would assure
transparency and accountability. Some aspects of the OVC concept will soon be
enfolded into California legislation.

Saves Money: Typical voting machines cost between $2,000 and $3,000, but OVC
open source software could be run on any personal computer (PC) and ballots
could be printed on a normal printer. OVC envisions PCs with tamper-proof
cases as the new voting terminals at a savings of hundreds or thousands of
dollars per terminal.(See page on OVC Cost Analysis).

[https://www.youtube.com/watch?v=q8CSKdMTARY](https://www.youtube.com/watch?v=q8CSKdMTARY)
OVC at LinuxWorld 2008

~~~
matt4077
I don't get the complexity the US creates around voting. I live in a fairly
large city (Berlin, Germany, around 3 million I believe).

\- I walk 150m to my polling place. It's similar for most people.

\- I've never waited more than 5 minutes

\- The polling place is run mostly by volunteers, about 5 or 6 per place, with
civil servants filling spots that can't be filled. Costs are neglible.

\- I get a paper ballot, I mark my vote with a pen

\- After 6pm I sometimes return and watch the counting. I can freely walk
around between the people sorting the ballots and look at anything I want

\- Did the same with friends last time around, we each had a bottle of beer,
nobody cared. They were mostly older people happy to get a few visitors and
talk a bit of politics.

\- Pretty accurate first results (not exit polls) usually around 9pm.

\- I can check the counts from my polling place the next day. Votes for the
large party are in the lower 3-digits, so it's possible for me to specifically
verify a few results.

~~~
coredog64
Here's what most people that are not from the US don't understand:

When I go to vote on election day, I'm not voting for one person/party or even
three people/parties. The typical ballot in my neck of the woods is double
sided and has ~30 questions: National elections (President, HoR rep, maybe
senator), state elections (Governor, SoS, local rep/senator, corporation
commission, referendums/ballot initiatives), county elections (sheriff,
judges), city elections (mayor, city council, dog catcher), and funding
questions (bond overrides and the like). I'm probably forgetting an item or 10
on that list.

~~~
germanier
I never had 30 elections on one day in Germany (I think 5 was the absolute
maximum) as we elect fewer positions in general and don't combine most
elections on one day. Usually the federal election is the only vote on that
day with some states specifically moving their state election day by one week
to avoid a clash. The only usual combination is regional/European elections or
state/regional elections for the small states. Referendums (there only a few)
are usually tacked onto another election if there is one in a reasonable
timeframe.

The elections each use a seperate ballot (and often seperate ballot box) and
are counted one after the other with the most important election being counted
first while the rest is still locked away in sight.

But yeah, for 30 ballots that system might break down.

------
AdrienChey
For a 2016 article about online voting, i'm really surprised to find no
mention of block-chain related solutions... It seems most of the concern
addressed here can be solve with this kind of "open-computing / open-data"
technologies. If you are interested in this topic, I strongly advise you the
reading of: [https://medium.com/@DomSchiener/publicvotes-ethereum-
based-v...](https://medium.com/@DomSchiener/publicvotes-ethereum-based-voting-
application-3b691488b926#.18clpvq09) And more generally what can be done with
contract on the ethereum block-chain.

about anonymity:
[https://bitcointalk.org/index.php?topic=413196.0](https://bitcointalk.org/index.php?topic=413196.0)

~~~
athenot
The article indirectly addresses that in the last paragraph: paper is
something everyone understands.

I'm all for improving processes with technology but I'll have to admit that
even though I've been neck deep in Software development for 2 decades, the
block-chain solutions require a fair amount of mental work for me. They may be
good but I don't readily understand them. And I can guarantee you that my
parents don't.

This brings up the problem of having a solution that only a few experts know
how it works. It's a hard sell on the rest of the population to have them
trust these "certified voting technology experts" that would have to be in
place.

~~~
seangrogg
While that's a decent premise and I agree that less than 5% of the US
population understands blockchains, I would also reckon they don't understand
HTTP (or HTTPS) protocols, B-trees, networks, cryptographic hashes, or even
the compilers that underpin much of technology. But they're more than willing
to trust these things with the _entirety of their liquid assets_ if it spares
them a 20 minute trip to the bank.

I think there would still be a group of people who don't trust blockchains
(or, let's be real, technology whatsoever - like the interviewee). And they're
the people that drive to booths and do their business on paper. And I'm okay
with that.

~~~
pm24601
However, with all of those. If there is a problem: either the consequences are
not significant. Or there is a paperwork around to a problem, which includes
laws and judges.

With online voting, we are deciding the judges that get to say - "everything
is totally perfect with the way I got elected."

~~~
seangrogg
Honestly, given the fact that a significant number of people already think
their vote "doesn't count" (given on average ~40% of people _don 't even
bother_) I doubt they would be more concerned with vote tampering than with
potential identity/bank theft.

------
mantas
I'm strongly against online voting. The problem #1 is buying and manipulation
of votes. Security and/or anonymity is much smaller issue IMO.

In my country, barely 50% of people vote. Most people don't care about
politics. "Incentivized" votes is a huge issue there. People are routinely
brought to polling stations and given a thank-you beer on return. Agitators
are using all kind of borderline-blackmailing techniques on older/less
educated people.

Online voting would make this A LOT easier.

~~~
yummyfajitas
I think you've stumbled across a bigger issue - democracy is fundamentally
broken since no one has any incentive to vote correctly.

I know a lady who's a likely Trump voter. But she also donated money to
Hillary in order to get the "woman card".
[https://shop.hillaryclinton.com/products/the-woman-
card](https://shop.hillaryclinton.com/products/the-woman-card) She's pretty
honest that it's just entertainment for her - like voting on American Idol.

Think about how many elections have been swayed due to "I support Obama
because I'm not racist", "Bush looks like a cool guy to get a beer with", "boo
yeah Trump - take that liberals who look down on me", etc? (Amusingly, neither
Bush nor Trump will ever get a beer with you, teetotalers both.)

People get away with this because their vote doesn't matter. If they vote
wrong, they won't lose anything. So why not just do what makes you feel good?
You've got no skin in the game.

~~~
nine_k
Maybe representative democracy is broken (there are reams of good texts
written about it).

OTOH direct democracy may be not as broken, since the effects of voting are
much more immediate _and_ local. See Switzerland that constantly keeps voting
against populist measures like lowering the retirement age. It lasted ~850
years so far, longer than almost all European states and 100% of American
states.

Switzerland is compact, but even then it's a pretty loose union, a
confederation with important laws significantly varying between its many
cantons. This system is more or less imaginable in the US with a more
restricted federal government (despite the size that was the rationale for the
current multi-step representation system), and hardly even imaginable in
highly centralized states like France.

~~~
zanny
People have generally not established direct democracies throughout history
for a _reason_. I personally never want to see a direct democracy in the US,
because if you want to have your faith in your countrymen destroyed go spend
an hour sitting on a bench outside a Walmart and just watch humanity at work.

The _vast_ majority of people are borderline illiterate emotional animals. You
don't see or interact with them because they exist in their isolated silos of
service work and personally proffered bars and TV stations, but the number of
rational informed actors in any given election is in a steep minority.

I don't know the Swiss well, but I'd hope they have a much better culture to
support direct democracy than what the US has, because the US would be a
disaster. Islam would be banned, Hispanics would be kill on sight, police
would be given heavy artillery to demolish drug dens. Whenever any
international news of any kind phases the country there would be immediate
over-reactionary laws passed to diminish liberty and perpetuate a culture of
fear, because that is a large part of what we have now, and giving that animal
brain legitimacy on the national stage would be a global catastrophe.

~~~
nine_k
> borderline illiterate emotional animals

This may be true in some cases; this is why I think universal vote, without
any limitations, is not a good idea. Voting is a privilege and a _job_ of
running (a small piece of) your country. Compare it to a jury duty.

This, again, may be false in some cases. Unless the voting process is framed
as a sports match (like it usually sadly is), the emotions are much easier to
keep in check, and reason is easier to listen to, even without an advanced
university degree.

OTOH if you don't trust your countrymen, I wish you all the luck in importing
infallible Martians to help you rule your country as e.g. a king. On this
planet the only way used to be _growing_ and _educating_ some portion of your
countrymen to be able to run the country (without running it into the ground).
This applies to kings and dictators to a very high degree. This as well may
apply to a wider mass of voters.

I suspect this is what happened to the Swiss: centuries of local self-rule and
rather immediate consequences of it, combined with living in rather harsh
conditions most of its history, must have educated people not to take the
voting lightly. I don't see modern Swiss killing Muslims or Hispanics on sight
(it's not the Reformation wars time), but I do see a ban to build minarets
[1]. Apparently the fallout was pretty small, without a "culture of fear",
Muslims fleeing the country or something like that. Sometimes a minority has
to listen to the majority; it's best when the compromise is as small as this
ban. Regular _not_ listening to the majority and alienating them makes for
what you fear: the mob running over the castle of the highly-cultured but
insolent lord.

[1]:
[https://en.wikipedia.org/wiki/Swiss_minaret_referendum,_2009](https://en.wikipedia.org/wiki/Swiss_minaret_referendum,_2009)

------
sgnelson
The thing about online voting that has always gotten me is that it violates
the ideals behind the "Australian Ballot." [0] ie, one should have the right
to cast a secret ballot, and doing so in a public polling place at least
theoretically guarantees this.

With online elections, there is no proof or protection of this. For me that's
the most important thing. Full Stop. Security implementations, hacking, etc.
are all secondary concerns in my opinion.

[0]
[https://en.wikipedia.org/wiki/Secret_ballot](https://en.wikipedia.org/wiki/Secret_ballot)

note: As a True Capitalist(I say sarcastically), I've actually come to believe
in being able to sell my vote (I'm quite serious), which of course, the secret
ballot precludes me from doing. After all, if I'm going to be forced to
essentially only choose between the lesser of two evils, I should at least be
able to profit from the poorly designed electoral system.

I actually "back of the napkin" calculated this for the last presidential
election, and I believe it came down to something like a rather pitiful $3 for
each presidential vote (forgive me, this was a while ago). Of course,once you
add the other elected positions, this increases, but I believe it was still
generally under $20 per vote. I did not take into account geographic
discrepancies (different number of positions up for election/different amounts
of money spent on highly contested elections, etc)

~~~
relix
This is not an issue with online voting, and paper voting does not guarantee
that right either.

In Estonian e-voting, you can vote as many times as you want, only your last
vote is counted. A week after online voting is closed, there is still a paper
voting day, where you can go and override your online vote with a paper vote
in the traditional booth. If you were coerced to vote a certain way online,
you can still go to this private booth in a public polling place to place your
"real" vote.

There are ways to check your vote even in a public polling place. Let's say
you need to take a picture of your voting paper before you leave the booth,
and you have to send the picture to the person coercing you. The person
coercing you is standing outside the booth so that you can't walk back and
forth to ask for a new paper.

There are some good reasons against online voting, but most of the obvious
ones you can think of are already solved.

~~~
tremon
_In Estonian e-voting, you can vote as many times as you want, only your last
vote is counted. A week after online voting is closed, there is still a paper
voting day, where you can go and override your online vote with a paper vote
in the traditional booth._

So they can unambiguously tie a specific vote to a voter, yet nobody is
concerned about the possibilities of retribution against certain voters?

~~~
relix
Yes, they can at some point in the flow unambiguously tie a specific vote to a
voter. Postponing the "separation" to after the paper ballots have been cast
is then a simple trick. How it works is they encrypt the vote (using
assymetric encryption), and then sign that datapackage with the private key on
your ID card.

Once the votes need to be counted, the signature is removed, and all the
resulting encrypted vote data is then sent (without identifying information)
to a third server which has the private key to decrypt the votes. They are
decrypted and then counted. This third server has no access to identifying
information. The server stripping votes from identifying information has no
access to the decrypted data.

------
adwf
The biggest problem with online/computerised voting is that it is a _single_
point of attack for malicious actors. Even the best software security gets
broken from time to time, online voting would allow zero-day attacks on
elections - an absolute disaster.

Whilst standard paper voting may also be subject to fraud, it takes the
manipulation of _thousands_ of people in order to alter ballots across a whole
country. Computers just need the _one_ hack.

~~~
bigger_cheese
My biggest worry isn't about software security. My worry about online remote
voting is What is to stop physical coercion of the voter?

When you have to gather at a centralised polling point to anonymously vote you
can be damn sure no one is standing over the voter's shoulder twisting their
arm while they vote. If you are voting remotely via a computer screen who is
to know?

~~~
pmontra
Physical coercion is possible also with paper ballots. A modern approach is to
ask voters to shoot a picture to their voted ballot. No picture, big trouble.

For that reason taking a picture of our own voted ballot is a crime in Italy.
Obviously is a crime also to ask people to do that. Cameras are not allowed in
polling places and smartphones should be left outside the polling booth.
However nobody asked me to do that the last time I voted. I remember they did
many years ago. There were many phones lined up on the desk of the president
of the polling place.

~~~
realityking
Not a fool proof system but a little helpful: In Germany you can request a
second (and a third, and a fourth...) ballot.

So fill out the first with fake vote, take picture, ask for second (first one
is destroyed), fill out second with desired vote.

This obviously breaks down when the person coercing you is with you in the
polling station.

------
FatalBaboon
> In fact, online voting is such a dangerous idea that computer scientists and
> security experts are nearly unanimous in opposition to it.

Stopped reading.

Online voting is not just about electing presidents.

If you can poll the people easily, you have a democracy where people directly
chose, instead of having a mafious bunch in a grand building making what
corporations want the law, ahem I meant doing what is good for you.

~~~
burkaman
Nobody will take your comment seriously if you proudly announce that you
didn't read the article.

Why not just think "hmm, I wish the title was a little more specific" and then
keep reading with the understanding that this particular article is about
elections?

~~~
FatalBaboon
You're right, and I did read the whole article, but with a grain of salt.

------
pdkl95
Andrew Appel (CS Prof. at Princeton) gave a very good talk about the problems
of voting systems and why internet voting is a _terrible_ idea.

[https://www.youtube.com/watch?v=abQCqIbBBeM](https://www.youtube.com/watch?v=abQCqIbBBeM)

The secret ballot with counting observed by all parties is a technology that
evolved out of necessity over hundreds of years. Adding _more_ technology adds
complexity which is the same as adding more attack surface.

------
DanielBMarkham
Just a reminder: democracy is not a panacea. In fact, the founders of the U.S.
were all very concerned about democracies. Democracies inevitably lead to mob
rule and chaos. That's why we created a representative republic.

We resolved that by creating a layered system, where small, local groups have
frequent elections for things that have great power over their lives, and up
the chain we elect national representatives much more infrequently to handle
big picture things with little impact on daily lives. We also created a senate
at all the levels, which is responsible for the architecture of the system
itself (which is why we had the state political parties choose senators.
Likewise, using this same theory, you would have local governments choose
state senators).

Didn't work out that way, but that was the solution implemented at the
founding of the U.S. Worked okay for several decades. But nobody wanted a
democracy. In many ways that's worse than a single-person dictatorship.

So regardless of the technical issues, democracy itself is fraught with
problems, even in groups as small as 100-200. Unless those problems are
acknowledged and dealt with, the "online" part won't matter one way or
another.

------
TazeTSchnitzel
Terrifyingly, Estonia thinks it is such a good idea they use it in national
elections.

A good look at potential problems with their system is here:
[https://estoniaevoting.org/](https://estoniaevoting.org/)

~~~
jyriand
Here is a response to this "independent" report:
[https://www.ria.ee/en/e-voting-is-too-
secure.html](https://www.ria.ee/en/e-voting-is-too-secure.html)

~~~
TazeTSchnitzel
Wow, this is a rather… childish response. It doesn't actually rebut the claims
being made, they seem to dismiss everything with “so what”, as if they do not
actually understand what is wrong. And the rest of the post is just deflection
by making ad hominems, or complaining about things that weren't what the
researchers said.

For example:

> 1\. Debian Linux packages were downloaded from a place that the experts
> didn’t like.

> So they should’ve been downloaded a distro from a .ru or .su website?

They should have been downloaded _over a secure connection_ and verified. Do
you know what a MITM attack is?

> 2\. The icon of a poker website could be seen on the desktop (was it
> actually a poker website or ‘an icon similar to the icon of a poker
> website’?).

> Of course, having this icon on the desktop of course discredits the user of
> that computer, their country and the entire European Union.

That they have gambling software, whose legitimacy is uncertain, installed on
computers used for preparing servers for elections is concerning. Why
introduce another possible threat vector?

> 4\. The WiFi password of the local guest network could be seen on the wall.

> Oh dear, because the election servers (with the telephones and computers of
> all guests) are certainly connected to that WiFi network, their ILO ports
> greedily open.

No, the election servers aren't connected, but the computers used to prepare
data _for_ the election servers are.

> 5\. The cameraman who shot the audit filmed an elections observer in such a
> manner that his password was captured on film.

> We do thank you for this observation – we will improve our cameraman’s
> training – but this is an error of the supporting process (the audit) and
> not the main process (the elections).

So? You've still had your password compromised.

I could go on.

~~~
tremon
_They should have been downloaded over a secure connection_

That's not how apt works. The connection is assumed unreliable, the
verification happens after download with the Debian keyring (already
installed, and can be independently inspected and verified).

~~~
TazeTSchnitzel
Sure, apt is secure. However, I don't think that's what's being discussed. If
I remember correctly, the researchers were complaining about how Linux ISOs
were downloaded, not _packages_. (The writer of the rebuttal seems to be
confusing these, which is, again, concerning.) To quote their paper:

> Despite procedural safeguards, an attacker who strikes early enough can
> introduce malicious code into the counting server by using a chain of
> infections that parallels the configuration process. During pre-election
> setup, workers use a development machine, which is configured before setup
> begins, to burn Debian Linux installation ISOs to DVDs. These DVDs are later
> used to configure all election servers. If the machine used to burn them is
> compromised—say, by a dishonest insider, an APT-style attack on the
> development facility, or a supply-chain attack—the attacker can leverage
> this access to compromise election results.

> We experimented with a form of this attack to successfully change results in
> our mock election setup. We first created a modified Debian ISO containing
> vote-stealing malware intended to execute on the counting server. The
> tainted ISO is repackaged with padding to ensure that it is identical in
> size to the original. In a real attack, this malicious ISO could be
> delivered by malware running on the DVD burning computer, by poisoning the
> mirror it is retrieved from, or by a network-based man-in-the-middle.

> During the setup process, election workers check the SHA-256 hash of the ISO
> file against the SHA256SUMS file downloaded via anonymous FTP from
> debian.org. Since regular FTP does not provide cryptographic integrity
> checking, a network-based man-in-the-middle could substitute a hash that
> matched the malicious ISO. However, this hash would be publicly visible in
> videos of the setup process and might later arouse suspicion.

([https://jhalderm.com/pub/papers/ivoting-
ccs14.pdf](https://jhalderm.com/pub/papers/ivoting-ccs14.pdf))

------
doctorstupid
I feel that our fears are misplaced towards the wrong kind of voting machine,
the one that collects the vote. The other kind, the one placing the vote, is
far easier to manipulate. Facebook and Google have the mechanisms at their
disposal to influence elections globally, and within a couple of election
cycles could probably have the world's democracies more aligned to the
interests of the US.

~~~
dave2000
That's what I was thinking, although I don't think Google and Facebook are a
problem as they can only provide slightly different choices from within a
narrow range that people are already interested in. It's the relentess torrent
of brainwashing across all media which frames people's opinions and doesn't
allow them to think seriously outside of the narrow choices (2 party system,
pro/anti [issue]) which ensures that there'll never be change which actually
makes a difference (ie the environment, religious crazies controlling nuclear
weapons, increasing gulf between rich and poor, companies subverting democracy
via lobbying and trade agreements).

~~~
Natanael_L
Can't you do something with multi-stage voting on multiple independent
machines? A way to do error correct coding and consistency enforcement such
that no one malicious machine can successfully alter a vote?

I'm thinking smartcards could make it reasonably easy to use, where you simply
repeat your vote to some degree and where the chip verifies that the voting
machines are all saying the same thing.

------
Mendenhall
I just look at the state of internet "security" and that tells me all I need
to know.

~~~
lucisferre
Can I assume you also have the expertise to comment on the physical security
of current voting systems by comparison as well?

~~~
throwawaysocks
Exactly.

 _Most_ arguments given against online voting systems are equally valid
arguments against in-person voting and especially against mail-in ballots.

Those arguments are the red herrings.

~~~
adwf
Not really. Whilst paper voting fraud is definitely possible - maybe even
easier than online fraud - in an election, paper ballots are distributed
across an entire country. They require "hacking" 1000's of people in order to
corrupt a national vote. Computer hacking just requires breaking the security
of _one_ application.

~~~
eximius
You can't bribe open source.

I find it hard to believe that a modern identity infrastructure (which we
don't have, admittedly) combined with basic cryptography can't get us where we
need to be.

We might not be able to cryptographically prove anonymity, but all it takes is
trusting the government to anonymize the data correctly and make it secure in
transport.

~~~
dlitz
The problem is harder than it sounds when you're talking about something as
high-value as a national election (especially in the US).

Have you read "Reflections on Trusting Trust"?

~~~
eximius
Yes. And the recent paper on backdooring CPUs by adding individual
transistors.

You have to make some higher level assumptions in practice or you won't get
anywhere.

------
swalsh
I have a way to make it better. I think combining old-fashioned checks and
balances, with technology controls can make online voting about as secure as
it is today (maybe more) and anonymous.

To make it anonymous, its really just a password. When a user registers to
vote, they create an online account. On the days that a user votes, they log
into their account and create a ballot. They then create a password for the
ballot. This password hashed with a salt, and than hashed with their
registration id becomes the unique id of the ballot. This way, at any time a
user can login and view their vote... but that vote is not reversible to the
voter.

Now for the checks and balances. 3rd party non-governmental parties should
have a real-time replication of all data. (it's like an exit poll, but more
reliable). Any time a registered voter creates a ballot, 2 things happen. An
email is sent to the record holder, and a mail is sent to the address on
record. Combine this with a public viewable record of all votes + registered
voters who voted online (this information is already public) we should have a
good idea at what business is going on.

Perhaps we can't prevent hackers, but this should be sufficient to know if a
hack occurred. Of course, all software should be open source, so we can
continue to make it more secure.

I think it's more secure than what is available today because today, I can't
look at what is on public record as my vote. If someone changed it after I
cast it... I'd never know.

If I knew someone would use it, i'd write the software.

~~~
mclemme
I can't see how that in any way can be anywhere near secure enough. Online
voting for anything important, is a bad idea.

[https://www.youtube.com/watch?v=w3_0x6oaDmI](https://www.youtube.com/watch?v=w3_0x6oaDmI)

~~~
alexd415
They are describing a system that can't be hacked by a single individual
because there would be a third party with a record of every vote.

The video you cited uses a poorly planned and executed example of an online
vote.

The US voting systems are also a poorly planned and executed set of systems.

------
pi-squared
Not convinced that in an age where I can buy a plane ticket for thousands of
dollars, where we are thinking of sending people to Mars and I can securely
communicate with people, in age where Edward Snowden is able to send private
documents or whatev, and I have computers on my wrist, pocket and dick, I have
to go to a physical place, stand in a queue and draw on a piece of paper to
cast a ballot.

I've been hearing these complaints for years now, I don't buy it. It's a
problem, solve it. Start from here - everyone has a digital signature or
certificate or another mumbo-math-jumbo, the system for collecting votes is
open source. You have an account at the web service and you can see that your
vote has been cast for that candidate that you wished, so who watches the
watchers - everybody. Pick two authorities - one counts votes, other
distribute keys. One gets a summary of votes only, the other has the mapping
of key-person.

Sure there are problems. But it sounds to me like laziness and lame excuses.

~~~
rlpb
Give me a way to permit online voting but also be sure that the person who is
voting was not coerced. I think you'll find that this is impossible.

At least with a polling booth, even if the voter is being coerced, it is
difficult for the coercer to verify which way the voter voted. One might come
up with ways to surveil the booth (whether in general or through the coerced
voter), but at least we have a chance at detecting this.

~~~
yummyfajitas
It's not difficult at all to verify - just insist that the person being
coerced take a selfie with the ballot. I'm told this has already been
implemented by communist terrorists in India, though I can't find any English
language sources.

I think a big chunk of the opposition to electronic voting by techies is
simply a failure to recognize that physical systems can also be hacked. Which
is of course silly - the only time I voted, I did so fraudulently.

(The lack of voter ID laws in NJ made it very easy. To prove a point to a
friend that voter ID laws allowed fraud, I voted as my friend. Then he voted
as me. I won the bet.)

~~~
rlpb
Did you not read my post? "One might come up with ways to surveil the booth
(whether in general or through the coerced voter), but at least we have a
chance at detecting this."

~~~
yummyfajitas
We have a chance at detecting purely electronic hackers also. For example,
hackers made 574 attempts to connect to one of my servers as root since the
logfiles were rotated.

This idea that physical is somehow categorically better than electronic is
just magical thinking.

~~~
rlpb
Let's say I'm an abusive husband. If my wife has the choice of voting online,
I can force her to choose online voting, make her vote at home and in front of
me, and nobody has any way of detecting my coercion. If my wife has no choice
but to go to a polling booth, election observers absolutely do have a chance
of detecting my coercion.

> This idea that physical is somehow categorically better than electronic is
> just magical thinking.

No, it's a demonstrable fact. You have created an "electronic hacker" strawman
here. The problem I am raising is that of coercion, not a man in the middle.
You have not been able to provide any means of mitigating it when not using a
physical polling booth.

Problems such as "electronic hackers" are only problems on top of the problem
of vote coercion, which is clearly made much worse with any ballot system that
does not use physical polling booths.

~~~
marcosdumay
You won't go very far by tampering with a single vote. Try coercing with 10
thousand people, and see how easily you are tracked.

The benefit of online votes is that coercion and data stealing are the only
flaws we must take care of. Instead of this huge structure trying to cover for
all the flaws of paper, we can focus on those two well specified ones.

------
ccvannorman
Maybe OT, but why is one of the requirements for a better voting system
"anonymous"? What's wrong with a voting system in which every citizen's vote
is transparent and available? Seems like it would be much less susceptible to
fraud and easier to audit that way. I don't see a problem with anyone seeing
how I voted!

Maybe I am missing something?

~~~
Dove
In a system where your vote can be verified, you can be coerced into voting a
certain way.

~~~
Bromskloss
As a special case of this, one might see the mild "coercion" in simply being
uncomfortable with going against the grain by voting for something that others
strongly dislike.

~~~
marcosdumay
The votes do not need to be public. It should only be verifiable to people
that know your key.

That does not solve actual coercion, but honest peer pressure isn't a problem.

------
NobleSir
I'm not going to claim that "current" electronic voting machines are good, but
the article makes no convincing arguments beyond an "I am a computer
scientist" appeal to authority that it "couldn't" work. Honestly if you are
going to talk about the problems involved in voting at least discuss some of
the interesting anonymity preserving and deniable cryptographic techniques
people have come up with- ring signatures, blockchain verification, etc. Maybe
he's just assuming the powers that be would never let an actual trustless
system get into play. If I can manage and view my money trustlessly with,
e.g., bitcoin (and verify all transactions back to the original block) then
there is no reason I shouldn't be able to do the same for votes - and verify
all votes back to the original block.

~~~
eyko
Online voting is quite different from electronic voting machines. I've heard
it being referred to as i-voting (online) vs e-voting (electronic voting
machines).

~~~
NobleSir
Thanks I didn't know those terms.

------
nemesis1637
This is based on the premise that we have a democracy in the first place.
There nothing really to endanger here.

------
coroutines
I don't see a way we can have a direct democracy without facing the dangers of
online voting.

We either trust in our politicians to represent us well, or trust in software
we will lobby to peer-review.

Beyond that we trust the majority won't vote for stupid things.

------
mydpy
_In fact, online voting is such a dangerous idea that computer scientists and
security experts are nearly unanimous in opposition to it._

I hate when articles make these ridiculous claims in order to inflate their
credibility. Are there problems the security community needs to address before
using technology to vote in a democracy? Yes. Is online voting a danger to
democracy? No, but there are bigger problems that need to be solved before
online voting should be implemented.

Point: I just tried to temporarily remove a freeze on my credit report after
the Office of Personal Management (aka, the office for federal employees) lost
all of my PII in a large-scale hack that occurred more than a year ago. For
those of you interested, all of my credit is essentially frozen indefinitely
as a result of this hack. Now, in order for me to validate my own identity, I
had to reproduce (sometimes unsuccessfully) a series of data points that
anyone with a hard copy of my credit report combined with my OPM breached data
could reproduce. The real issue is the fallacy that a human being is uniquely
identified by a set of data points (paper or otherwise). This is fundamentally
the issue that must be overcome before we can breach issues like online voting
reliably. We continue to create systems based on this fallacy of personal
identification, and it is creating more problems than it is solving. Again,
paper or otherwise.

~~~
ethbro
Coming to a future near you -- "Whole Gene Sequencing Attestation: What better
to prove you're you, than _you_? Come by one of labs today to refresh your ID
token!"

------
0n34n7
I always thought a large cipher blockchain would be a pretty good idea. One
could argue that "analogue" voting also has many vulnerabilities in the voting
stack.

------
BuildTheRobots
Tom Scott has done a very good video on the dangers of e-voting [1]. Good
watching for me and also entirely suitable for my mum.

[1]
[https://www.youtube.com/watch?v=w3_0x6oaDmI](https://www.youtube.com/watch?v=w3_0x6oaDmI)

~~~
drdeadringer
I've watched this video several times now.

Is there any balance to this enthusiastic laundry list of "here's another
negative reason why this is a Very Bad Idea"?

~~~
BuildTheRobots
Sometimes a bad idea is just entirely bad o_0

------
ersii

      "No more taking time out of your workday to travel to a polling place only to stand in a long line."
    

In Sweden, the voting is always scheduled for Saturdays - to interfere as
little as possible with peoples work. (Some work on Saturdays..)

~~~
kalleboo
And in recent elections some polling places have been open for weeks in
advance so you don't have to vote on a specific day.

------
Techbrunch
You should check this article in the last Phrack: Internet Voting: A Requiem
for the Dream -
[http://phrack.org/issues/69/11.html#article](http://phrack.org/issues/69/11.html#article)

------
midoreigh
Ultimately, is paper the gold standard we should stick to? Nope. Come to India
and watch how voting machines are used efficiently in almost all elections,
from local bodies to Lok Sabha elections.

~~~
michalskop
Efficient maybe, but trustworthy? How can you know that the voting machines
are not rigged in any way? (The same goes for e.g. Brasil.)

~~~
klackerz
No party has dominated elections in India over the years since the EVM has
been introduced. The Election Commission is the autonomous authority
responsible for conducting all elections in India and there has been no
information of corruptions regarding them till now.

------
tmat
this is pretty sad coming from stanford. With blockchain tech online voting is
now more safe than ever if we just push for it. Wouldn't want to fix those
rigged elections now would we?

------
diego_moita
Is F.U.D. is the only toolwork activists know?

This article is ludicrous. Some of his proposed scams are so risky that are
borderline childish. E.g.: massive phishing; in recent Canadian elections the
Conservative Party tried something similar (search "Robocall scandal Canada")
and got caught easily.

Truth is: online shopping & banking are way more profitable for hackers and,
still, are very secure nowadays.

B.T.W.: the touchscreens the author despises so much are an huge success in
Brazilian elections.

------
jimhefferon
The current issue of _consumer Reports_ magazine has an editorial arguing for
online voting. They are very well thought-of. If you think it is a bad idea (I
do), you might hope to have some effect by writing the editor (I did).
[http://www.consumerreports.org/cro/about-us/contact-
us/index...](http://www.consumerreports.org/cro/about-us/contact-us/index.htm)

------
fatdog
Yes, the problem with societies is the security of their voting mechanisms.

Physical ballots are manipulated and forged all the time. Doing it online just
dispenses with the pretense of legitimacy altogether.

In the majority of elections, voting is an empty ritual that dresses up a
transfer of power that was already decided among a tiny minority of essential
power brokers.

Voting should be done online if onlyso that people will stop believing the
fairy tales it facilitates.

------
meerita
Anibal Fernandez, who was a candidate for governor of the province of Buenos
Aires by the political party of the former President, Cristina Fernandez de
Kirchner, he spotted going out with his jacket full of voting ballots from
opposition party of current President Mauricio Macri. He (Hannibal) and other
party Kirchner used this practice so that people could not vote the
opposition.

------
a_imho
I do think online voting is not a technology question and discussing
implementation details is a red herring / bike shedding situation.

I see no incentive in disrupting the status quo and engaging more people in
politics from the POV of the current ruling powers benefiting, yet there is a
slippery slope argument for more decentralized/direct governing and less
powermongering further down the road.

------
known
In democracy it's your vote in elections that counts; In FEUDALISM it's your
count that votes;

[http://m.timesofindia.com/india/China-mocks-Indias-
democrati...](http://m.timesofindia.com/india/China-mocks-Indias-democratic-
system/articleshow/46543509.cms)

------
amelius
The danger is not in the voting being online, the danger is in democracy
itself.

------
Dowwie
seems relevant:

"We choose to go to the moon. We choose to go to the moon in this decade and
do the other things, not because they are easy, but because they are hard,
because that goal will serve to organize and measure the best of our energies
and skills, because that challenge is one that we are willing to accept, one
we are unwilling to postpone, and one which we intend to win, and the others,
too."

[https://www.youtube.com/watch?v=TuW4oGKzVKc](https://www.youtube.com/watch?v=TuW4oGKzVKc)

------
known
Online Voting cannot prevent
[https://en.wikipedia.org/wiki/Vote_selling](https://en.wikipedia.org/wiki/Vote_selling)

~~~
tmat
neither can paper ballots.. so what's your point?

------
hectorperez
Some friends have an open source but easy to use as a service online voting
platform: [https://nvotes.com](https://nvotes.com)

------
timwaagh
i do not think these concerns are legitimate any longer. if internet security
was impossible then my bank account (along with others) would have been hacked
long ago. everybody banks online. this is just conservative backlash. the real
problem with elections is that a lot of people do not bother to vote, which
put the legitimacy of the elections into question. online elections can help
solve that.

~~~
tveita
When a bank is hacked, millions of dollars go missing. Police is called in,
investigations are launched.

When an election is hacked, a plausible candidate gets some extra votes in
their favor, tipping the election. Billions of dollars get spent on dubious
but not technically illegal contracts. People shrug and say "Well I didn't
vote for them."

I'm sure an rigged electronic election would leave traces like any crime, but
there is no smoking gun and no body. If done right you would have little basis
to demand an investigation.

------
pmarreck
> Computers are very complicated things and there’s no way with any reasonable
> amount of resources that you can guarantee that the software and hardware
> are bug-free and that they haven’t been maliciously attacked.

Yeah, except that we have reliable open-source systems available now where
every single decentralized transaction is known to everyone, such as Bitcoin.
Thanks for the ignorant FUD, though

------
partycoder
Well, the way provisional ballots and vote by mail flaws have been exploited
is also a danger to democracy.

------
ElijahLynn
Um, I don't think there is much legitimacy of elections right now. How the
fuck did Trump buy his way into the Republican party for one? Do I really
think my vote counts right now?

"Online voting could threaten the fundamental legitimacy of elections?"

The author does have some valid points, I just thought it was funny that some
people think our elections are legitimate.

~~~
rjeli
Do you believe the majority of GOP voters support Trump?

------
acd
There was some allegations from Kansas statistician Elizabeth Clarkson on
voting anomalies.

------
msdos
The key claim is: _there’s no way with any reasonable amount of resources that
you can guarantee that the software and hardware are bug-free and that they
haven’t been maliciously attacked_

The same could be said about other electronic systems that already govern
lives, like planes, cars, phones and medical equipment.

And yet life goes on.

~~~
Raticide
But those things do go wrong all the time. Luckily they don't dictate who
controls the entire country.

------
Findeton
Well he should try [http://agoravoting.org](http://agoravoting.org)

~~~
dlitz
How does this guarantee a secret ballot, i.e. that voters remain _unable_ to
prove to a third party that they voted in a particular way?

Low-value elections don't necessarily need secret ballots, but it's important
for high-value elections, like selecting the POTUS.

