
Casting a vote online can be secure and convenient - niccl
http://spectrum.ieee.org/telecom/internet/online-voting-isnt-as-flawed-as-you-thinkjust-ask-estonia
======
tyre
(We work with local governments.)

This isn't why we don't have online ballots. The issue is specifically that
you aren't in a voting booth, which means there is no control over voter
influence.

Imagine a husband and wife plus a ballot initiative on outlawing flowers. The
husband is strongly pro-flowers while the wife is strongly anti-flowers.

With online voting, the husband or wife can force the other to vote in front
of them. There is no plausible deniability, so individuals are easily
pressured into voting one way or another. Groups can say, "you need to vote in
front of another group member" to pressure everyone to do what they want.

Voting booths prevent this, to a large extent.

Another issue is electioneering. By current law, one cannot campaign within
100ft of a polling station. This gives a "safe-space" where people can think
about their options and make up their own mind. If I can vote on my phone, a
random volunteer can get me all hyped up on the street and I can impulse-vote
on the spot. Not a great way to run a nation.

(I'm not saying the current system is perfect, or anywhere close to it.)

~~~
nixos
It does. The article says that you can always cancel your vote later.

So vote pro-flowers in front of husband, and then change your vote on your
cellphone or in the library

~~~
tyre
Same problem. There has to be some deadline, so if you want to ensure
compliance then you wait until the last minute and watch them until
expiration.

~~~
nixos
You can also vote in advance (in person), which overrides the e-vote

------
xorcist
I'm sure the director of the self described "leading provider of voting
technologies" thinks this all makes sense. But the premise here, that the US
has a low voter turnout and e-voting somehow makes it all better, is wrong.
Countries with e-voting don't generally have better voter turnout than
comparable countries. The countries with the best voter turnout don't have
any electronic voting systems at all! What they generally have are "boring"
things including well functioning free media and high education.

But funny he should mention Estonia's e-voting scheme specifically. There was
a very interesting look at Estonia's e-voting system at a previous CCC. Here
is a video of the talk:
[https://youtu.be/JY_pHvhE4os](https://youtu.be/JY_pHvhE4os)

(Spoiler: Opsec fails begin at 42 min. But watch the whole thing, it's
interesting.)

And the system in Estonia is not an especially bad example. E-voting is
hard even in theory, with issues like transparency and voting secrecy, but the
systems in actual use haven't even nailed the engineering problems yet.

~~~
TazeTSchnitzel
From what I gather, Estonia's is one of the better systems deployed, and it
seems to have had a lot of thought put into its design. Nonetheless, it's
insecure, if only because of the poor operational security of the people
running it.

------
TazeTSchnitzel
Estonia's e-voting system has well-known flaws:
[http://estoniaevoting.org/](http://estoniaevoting.org/)

Voting requires authentication, verifiability and anonymity.

Online electronic voting only allows you to pick two.

They may be lo-fi, but paper ballots work very well here, and engineering a
secure Internet voting system which maintains these attributes is a difficult
problem.

The people who understand computer security and voting systems well will never
design an Internet voting system, because they know it can't be safe.
Unfortunately, that means we're left with systems deployed by those who don't
understand these well.

~~~
lazaroclapp
Well, you can pick: full verifiability, full authentication, and anonymity-as-
long-as-you-dont-share-your-vote-receipt, which might work in some settings
where the social norm against something like vote buying is strong enough that
the party that tried this would end up with more of its own voters deflecting
than opposing voters selling their vote to them.

But there is one more problem: most verifiable voting protocols are fiendishly
complex for the average voter to validate, especially if they need to keep in
mind how to verify things in a way that is robust to their devices being
compromised. If you were holding an election where only people with a crypto
or security systems Ph.D. voted and where they would rather punch you in the
face than sell you a vote for 1 million USD, then you could have very secure
online voting. The real world is a little bit more complex than that... one of
the main advantages of paper ballots is that the technology involved is quite
widely understood.

~~~
marcosdumay
You jumped from "hard to verify" into "hard to vote" with no explanation
there.

There's little problem in an election where only people with knowledge of
cryptography can verify the official results.

~~~
lazaroclapp
Not quite. Ok, I might be exaggerating with the CS Ph.D. requirement for the
average voter, but there are two steps:

1) Verify that my vote was correctly encoded and cast as intended. Every voter
must verify this. It can be as "easy" as: printing a hash produced by a voting
terminal/device you trust (which doesn't need to be government provided),
submitting the resulting encoded vote into an (untrusted) government website
where you authenticate with a smartcard, and then later comparing your
original hash against a hash published in a newspaper... This exceeds the
level of sophistication/care of most voters in any large country.

2) Some organization must check a large trail of signatures, zero-knowledge
proofs of correctness, re-encryption mixnets, etc, etc. This can be done well
enough as long as every political party and election watchdog has one or two
crypto professionals in their employ.

I am not really worried about #2, even though it is harder, I am worried about
#1. The important part is that all the checking of the world regarding #2 is
useless without at least a representative subset of voters performing #1 (~1%
would be enough, but only if distributed uniformly at random, otherwise you
can flip votes from the population(s) least likely to check).

~~~
marcosdumay
Yes, #1 is a bit too hard for everybody to do it. Yet, you can help some
random set of your friends, while I help some random set of my friends, we add
some neighbors at random, and much quicker than you thought, there will be a
representative set of verified votes.

~~~
lazaroclapp
No, you won't. You will get a representative set of "votes for voters who have
at least one friend who went to college or had the resources to be a computer
geek growing up". Then if I want to manipulate the election, I will just flip
votes from elderly lower income voters in rural communities and likely not get
caught at all.

For an analogy: I grew up in Mexico during the 70-year PRI rule, and I can
tell you in my city, in my polling station, with watchers from all major
parties and a few NGOs, it is actually very unlikely that anyone stuffed the
ballot. But in a rural area, where Spanish is not the primary language and the
poll watchers were all from one party or few enough to be for sale... well...
My point being that a similar scheme is quite possible when the barrier is
"computer literacy" instead of "rights literacy" or plain old literacy (in the
country's majority language, I mean). Either way, the smaller the group of
people who understand how the election works, the easier it is to
disenfranchise people.
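
An added illustration, not part of any comment in the thread: a small model of the sampling argument in the exchange above, comparing a 1% receipt-check rate spread uniformly with the same overall rate concentrated in one group. The strata names, electorate sizes and the figure of 500 altered ballots are constructed, and the model assumes voters check independently and that a check always exposes an altered ballot.

```python
import math

# Constructed electorate: stratum -> (voters, share of them who check their receipt).
# Both scenarios have the same 1% overall check rate (10,000 of 1,000,000 voters).
UNIFORM = {"frequent_checkers": (700_000, 0.01),
           "rare_checkers": (300_000, 0.01)}
SKEWED = {"frequent_checkers": (700_000, 9_970 / 700_000),
          "rare_checkers": (300_000, 30 / 300_000)}


def overall_rate(strata):
    """Share of the whole electorate that checks its receipt."""
    voters = sum(size for size, _ in strata.values())
    return sum(size * rate for size, rate in strata.values()) / voters


def detection_probability(strata, altered):
    """P(at least one altered ballot belongs to a voter who checks).

    altered maps stratum -> number of altered ballots in that stratum.
    """
    log_miss = 0.0
    for name, count in altered.items():
        size, rate = strata[name]
        if count > size:
            raise ValueError(f"{name}: more altered ballots than voters")
        if count == 0:
            continue
        if rate >= 1.0:
            return 1.0
        log_miss += count * math.log1p(-rate)  # log of P(all go unchecked)
    return 1.0 - math.exp(log_miss)


def worst_case_detection(strata, altered_total):
    """Detection probability if every alteration lands in the least-checked stratum."""
    weakest = min(strata, key=lambda name: strata[name][1])
    return detection_probability(strata, {weakest: altered_total})


def required_rate(altered_total, confidence):
    """Check rate a stratum needs to catch altered_total changes with this confidence."""
    return 1.0 - (1.0 - confidence) ** (1.0 / altered_total)


if __name__ == "__main__":
    for label, strata in (("uniform", UNIFORM), ("skewed", SKEWED)):
        print(label, f"overall={overall_rate(strata):.4f}",
              f"worst-case detection={worst_case_detection(strata, 500):.4f}")
    print(f"rate needed in every stratum for 99%: {required_rate(500, 0.99):.4%}")
```

An audit designed from this model would set a minimum check rate per stratum rather than a single electorate-wide target.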

------
djrogers
And when the next Mirai botnet is turned against the online voting
infrastructure, what happens then? Or perhaps ISP hubs in specific areas are
targeted to suppress entire groups of voters?

Not to mention, the ability to 'undo' a vote is only marginally helpful in
preventing voter coercion or vote buying - it only changes the way it's done a
bit.

------
adventured
I've followed Estonia's efforts in online voting for quite a while and it
always reminds me of the premise about platforms of the greatest scale
acquiring the most attention by bad actors (and typically leading to more
exploits accordingly).

How would Estonia's online voting hold up to the kind of global assault that a
US system would inevitably draw for example? If Russia, China and the US all
went to work on trying to influence (or damage) the outcome by attacking
Estonia's voting system, what would happen? All online voting systems will not
all receive the same level of assault or garner the same kind of attention
toward that end. The best technology companies in the world find it difficult
to create an atmosphere of extremely high level security around information,
transactions, etc. Outside of very large monetary theft, could there be a
juicier target than being the group or hacker that collapses the US online
voting system? It would make the front page of every newspaper on earth and
would cause as much or more immediate financial damage than 9/11 did. The US
stock market would at least temporarily shed hundreds of billions of dollars
the next open day.

There is a very strong argument to be made that one size will never and could
never fit all when it comes to online voting.

------
sluggg
"One remaining problem is that the personal devices that voters use to cast
their ballots can become infected with malware that reads their passwords and
PIN codes from their keystrokes or that allows hackers to remotely control
their desktops."

"The Estonia National Electoral Committee responded to their criticisms
shortly after by saying that the theoretical attacks they described were not
feasible."

But why wouldn't those attacks be feasible?

------
phs318u
> Casting a vote online can be secure and convenient

I don't recall convenience being a fundamental attribute of maintaining
democracy.

Having said that, some countries' current voting systems are a mish-mash of
different methods, approaches, technologies and even rules (I'm looking at you
USA), that make paper-ballot voting less "convenient" than it could be.
There's no reason why paper-ballot voting needs to be inconsistent across
electoral boundaries, difficult to execute, or difficult to validate (cf:
Australia's system).

~~~
nitrogen
_I don't recall convenience being a fundamental attribute of maintaining
democracy._

Convenience is important to ensure a representative sample of the population
is heard, and not just those who have enough free time to wait in line to
vote. Mail-in ballots are a good example of convenience allowing greater
participation.

~~~
phs318u
Absolutely agree, but convenience does not trump security, verifiability etc.
In the example you gave, mail-in ballots were primarily introduced as an
exception to the rule, in order to increase participation. They are not a
wholesale replacement for ballot-box voting.

~~~
jbkly7
In Washington, Oregon, and Colorado, voting is entirely by mail.

~~~
phs318u
Really? You Americans and your strange ways :-)

I can see then, why for some, the argument that "e-voting can enable use of
standover tactics" falls on deaf ears - because the risk is no different than
what is currently the case.

~~~
jbkly7
It's true. I can see the risk here, since I could easily pressure my wife into
voting a certain way or even fill out her ballot and forge her signature (if I
ignored the warnings that it's a felony to do so). I think we have to weigh
that risk against the benefits of greater participation/accessibility that
vote by mail provides.

------
ebalit
This doesn't explain how you prevent against paying or pressuring people for
their vote. If someone can potentially watch you as you vote, this is not an
anonymous voting scheme anymore.

~~~
nixos
It does. One can drop by the next day and vote for someone else (and the last
vote wins over earlier, and physical voting overrides e-voting).

However, it still requires that people "undo" their vote. I can imagine that a
large percentage of people won't, so it will still be a net gain to coercion.

~~~
ebalit
I missed this part.

It seems like a good idea indeed but it could be countered. Force or pay a
person to vote the last day and then to give you their ID until the vote is
closed.

Of course, it's still a step in the right direction as it makes a large vote
buying scheme harder.

------
nixos
My fear is that:

1. _Right now_, I don't know how many nation states are trying to hack the
election in Estonia. I know of quite a few who would be more than happy to do
so in the US. And while it's true you can send spies... it's much easier and
safer to hack from a safe base than to go into foreign countries (and no
plausible-deniability).

2. You're _assuming_ no one's logging anything. There's no way to ensure
that.

------
awqrre
It can be "secure" but paper ballots are probably the most tamper-proof.

