What's stopping the companies from producing a closed box with SoC+board connected to: N buttons, display, card reader/scanner, printer, wifi/ethernet. All you need is to take cards, register the result, add it to some continuously hashing database, print vote proofs, periodically upload data (again, public-key encrypted). If they need to be updated, allow only signed code. (ARM SoCs have secure-boot-like capabilities)
Am I missing something? Why do we get multiple iterations of machines with exposed ports, running XP, having hardcoded passwords, allowing admin access, having physical locks which can be opened without a key, etc. How can these things be created without at least one person saying "this shit is unacceptable"?
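One concrete piece of the box sketched above is the "continuously hashing database": an append-only log where each recorded vote is hashed together with the previous entry, and the head hash plus entry count is published (printed or uploaded) as a checkpoint. The following is an added example written for this thread, not code from the original post or from any vendor; the class and function names, the JSON entry layout and the sample votes are all constructed for illustration.

```python
import copy
import hashlib
import json

# Added example (not from the original thread): an append-only, hash-chained
# vote log with an externally published checkpoint. All names are assumptions.

GENESIS = "0" * 64  # value the first entry chains to


def entry_hash(prev_hash: str, seq: int, choice: str) -> str:
    """Hash of one log entry; binds the entry to every entry before it."""
    payload = json.dumps({"prev": prev_hash, "seq": seq, "choice": choice},
                         sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class VoteLog:
    """Append-only log kept inside the (hypothetical) sealed box."""

    def __init__(self):
        self.entries = []

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def record(self, choice: str) -> str:
        prev, seq = self.head(), len(self.entries)
        h = entry_hash(prev, seq, choice)
        self.entries.append({"prev": prev, "seq": seq, "choice": choice, "hash": h})
        return h

    def checkpoint(self) -> dict:
        """What the box would periodically print or upload: count and head hash."""
        return {"count": len(self.entries), "head": self.head()}


def verify(entries: list, checkpoint: dict):
    """Recompute the chain from GENESIS and compare it with the published
    checkpoint. Returns (True, tally) on success or (False, reason)."""
    prev, tally = GENESIS, {}
    for seq, e in enumerate(entries):
        if e["prev"] != prev or e["seq"] != seq:
            return False, "chain break at entry %d" % seq
        if entry_hash(prev, seq, e["choice"]) != e["hash"]:
            return False, "entry %d does not match its hash" % seq
        prev = e["hash"]
        tally[e["choice"]] = tally.get(e["choice"], 0) + 1
    if len(entries) != checkpoint["count"] or prev != checkpoint["head"]:
        return False, "log does not match published checkpoint"
    return True, tally


def demo():
    """Constructed run: three honest votes, then two kinds of tampering."""
    log = VoteLog()
    for choice in ["A", "B", "A"]:
        log.record(choice)
    cp = log.checkpoint()

    honest = verify(log.entries, cp)

    # Flip one stored vote without touching the hashes: the per-entry check catches it.
    flipped = copy.deepcopy(log.entries)
    flipped[1]["choice"] = "A"
    flipped_result = verify(flipped, cp)

    # Rewrite the whole chain consistently: only the external checkpoint catches it.
    rewritten = VoteLog()
    for choice in ["A", "A", "A"]:
        rewritten.record(choice)
    rewritten_result = verify(rewritten.entries, cp)

    return honest, flipped_result, rewritten_result


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second tampering case is the one worth noticing: a hash chain by itself only detects edits by someone who cannot recompute the hashes. Anyone with write access to the box can regenerate a perfectly consistent chain, so the integrity guarantee comes from the checkpoint that left the box (signed and uploaded, or printed on the sealed tape), not from the hashing alone.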
All it has is N buttons, accumulators to store presses of each button in non-volatile memory, and a seven-segment LED display to indicate status (ready-to-vote, vote cast, etc.). Vote counting is done offline by connecting to a controller. No wifi or any other remote-access capability.
All that really needs to be done to create a paper trail is to add a printer.
Not implying that they're completely secure, but any breach at least needs physical access to the box. And physical security of the machines is on the same level as those provided for traditional ballot boxes.
Edit 1: The balloting unit does not even have a 7-segment display - just individual LEDs next to their buttons to provide feedback that the button has been pressed.
Edit 2: More details on the internals of the EVM: https://jhalderm.com/pub/papers/evm-ccs10.pdf
If a malicious actor swaps the IC, the new one won't have the secret material that the original contained (and which the IC will only disclose upon receiving a court-signed audit order, permanently burning a fuse at the same time). And if they try to tamper with the IC, they'll need to spend a significant amount of time with it.
This isn't even remotely perfect, but it can be used as one of the measures. Throw in some more redundant systems with different approaches, ensure their integrity at the end, and you'll have some proof that the results are authentic enough to a certain extent (measured in the amount of effort needed to perform a successful attack).
There are better ways to make sure your vote got registered properly, for instance http://www.nytimes.com/2004/03/02/science/did-your-vote-coun...
After voting, each voter would receive a receipt -- a record of his choices that would be encrypted, or put into code, and could be deciphered only by a collaboration of all the election trustees. After polls closed, all receipts would be posted on the Internet. Each voter could use his serial number to find the image of his receipt, and make sure it matched the one he carried.
Not foolproof but still better than what we have now.
For example, here  is a link to the 200-page "volume 1" of the federal standards, merely one of a complex web of certifications that these things go through.
One random paragraph is illustrative:
Vote scanning and counting equipment for paper-based systems, and all DRE equipment, shall be able to withstand, without disruption of normal operation or loss of data, electrical fast transients of:
a. +2 kV and −2 kV on External Power lines (both AC and DC)
b. +1 kV and −1 kV on Input/Output lines (signal, data, and control lines) longer than 3 meters
c. Repetition Rate for all transient pulses will be 100 kHz
Now I am a software engineer, and quite frankly I have no idea whether these are large tolerances which would require specialized equipment to withstand or whether e.g. my laptop would sail through this kind of event. Nor do I have any idea how I would demonstrate compliance with these requirements to the satisfaction of a federal examiner.
And that is what voting machines are. They are checkboxes on a specification. That means that you can buy them with confidence that somebody else's ass will be on the line when they turn out to be awful. The fact that they actually record votes is ancillary at best, the primary feature and the reason for buying them is that they tick the checkboxes.
As to why they seem overpriced, the reason is that it costs a lot of money to have an engineer hook the thing up to his fancy oscillator and write you a report that yes, this machine complies with requirement 18.104.22.168.c, over and over again.
However, what that opens up, is a way for corrupt officials to favor a vendor and use the others-did-not-meet-this-particular-spec as a justification.
Just my 2c. I really have no idea if it actually was ever used in this way.
Having engineers design and test electronics with such kind of safety standards is good practice. You don't want a failed USB power supply to fail in a way that sends mains voltage to the USB for example.
That kind of testing is par for the course for electronics manufacturing at scale, though it does seem these requirements are quite stringent. The 100kHz repetition rate sounds odd though, and some of the other specs aren't completely clear. But regulatory testing of electronics is, in general, a solved problem, as are the mitigations for voltage surges.
The real question seems to be, they apparently have all these stringent electrical engineering requirements set up in the standards, ones that seem to be made with detailed input from a professional electrical engineer, ones that can only be properly understood and tested by someone with electrical engineering knowledge.
So why did all these requirements on electrical engineering get into the standards, but requirements on software security did not?
The private sector literally doesn't have any use, at all, for voting machines. The problem they solve never arises in modern life. So there's no commercial solution available to repurpose. Add to that the fact that election boards are always hideously underfunded and understaffed, and there's no one out there to hold the contractors' feet to the fire.
Really, state and local election boards need to just go back to the older systems, but there's nobody making them do it, and you will sound like a Negative Nancy trying to take away all their fancy new kit.
What really needs to happen is for POTUS to make it an issue. With one swipe of his pen he could issue an executive order to throw federal money at a new department whose job is to maintain a body of standards for electronic voting machines and mandate that all new machines have to adopt them on a certain timetable. They probably won't be secure, but it'll be the department's job to respond to reported vulnerabilities and ensure that they get fixed.
Maybe a few of the tech billionaires that read HN could pass around a hat and get this done?
"Saved American democracy" would be a good legacy for anyone!
Commercial viability of a solution is a non-issue. A device is either highly secure or it isn't.
Federal and State governments should stop using contractors altogether for software projects. Instead, hire a very large shared bank of highly-qualified engineers and pay competitive salaries. Even if those engineers sit around doing nothing most of the time (unlikely), they would still be extraordinarily cost-effective compared to pissing away hundreds of millions on projects that should only cost a few million.
IMO it's impossible to take deficit hawks seriously if they don't back a blanket policy of starving out leeching contractors.
Define from scratch. It's perfectly reasonable and economically feasible to develop a SoM or SoC based hardware platform.
The solution you describe is the cryptographer's one, the result of taking security seriously. The contract goes to those who take the politics of procurement seriously (and, frankly, pushing unsuitable and unnecessary solutions to non-problems). It's still questionable whether electronic voting is necessary at all.
A lot of the early bad ones were from Diebold, who make ATMs. The ATMs also run WinXP, but are much more physically protected.
Probably - corruption involving the contracts, outsourced or incompetent engineers (chances are, the best and the brightest are working on things that actually turn a profit), and neither party really having a strong interest in a system they couldn't subvert if they wanted to.
The business is a little different than when some random person buys a phone, because while they are technically inept, there is a layer of brokers/buyers between the manufacturers and the stores. Those guys are smart and know their markets well. If you ever sold something into that market you need to produce a few thousand units, for those guys to beat on. And they have to be perfect, or they won't place orders.
This doesn't exist for something like a voting machine.
So think 'stuff thrown together as quickly and cheaply as possible' in order to land the contract. Quality will vary a lot.
Imagine that you have one developer who can do enough hardware, software, and documentation in a single man-year, and whose fully-loaded cost is $100 000 per year. Then just paying that developer will cost $1000 per box on a 100-box production run; paying a team of three such developers for two years would still cost nearly $700 per box on a 1000-box production run.
(And those would need to be very productive developers; I'd expect a team of 10-20 people if you want to do the above in a year, once you include sales, staff, and specialists doing projects/consulting work for your company.)
I've never hired a $50k/a engineer, so I don't know what the multiplier is, but I've heard people throw around "2x" as a rough estimate. So you and JoachimSchipper are assuming the same salary, more or less.
That's not correct. Development is a fixed cost -- you don't rewrite all the software and re-design the hardware every time you run a new production run.
Furthermore, this isn't even necessary for hardware stuff where production run size actually does affect cost. If the machines are developed in house and you know you'll be using them for the next 15 years across the whole US, you can do a few medium-sized production runs.
Which is exactly why federal and state governments should have a permanent bank of software engineers and EEs for routine software projects like this. Then they can do what makes sense for the taxpayers, instead of having to play second fiddle to the profit motives of an incompetent, money-grubbing contracting firm.
If it's complicated and over engineered, it'll probably be expensive too. Both factors in favour for a politician, as if it's expensive it's a safe bet.
If it's a boring little eight-segment display and a pair of buttons, the voters will go "we spent $10m on this cheap looking crap?!".
So you go for the one with the shiny gui, the crazy price tag, and you've chosen sensibly - or as sensibly as one can in our batshit insane system of the world.
"How can these things be created without at least one person saying "this shit is unacceptable"?"
Because the people who decide what the money is getting spent on have absolutely no idea what is acceptable and what isn't.
If it were up to me no embedded system would ever use the same operating system that's on a billion PCs. That's just asking for trouble.
So from this point of view, I think it's okay for "Linux" to be in multiple things at once, because it's really pretty far from a "single thing". The embedded versions of Windows seem to be more like 90% of the desktop version of Windows, and with the "unification" strategy of Windows 10 that's probably more true than ever.
It's debatable whether a kiosk PC that handles purchases should run Windows or not. What's the worst that can happen there? The owner loses his records and possibly all of his money. It only affects him so he can choose whatever he likes. If he wants a less secure OS and he's fine with the risk, that's okay.
A voting machine (which is duplicated across a city or state or country) that's not secure affects millions of people. Seems to me that it shouldn't be using "mainstream" solutions that are the target of thousands of hackers.
One of the points he's stuck on is that WiFi is short-range and unreliable from outside a building. Thus hacking these things from the parking lot would be impractical because you couldn't get access. Apparently the very concept of directional antennas is completely unfamiliar to this person.
Another strange point is that these defects weren't known when Virginia chose these machines. To him, that seems to mean "therefore it was a reasonable decision." To me, it raises the question: why didn't anyone look into their security as the choice was being made? Apparently the process by which Virginia chooses its voting machines, or at least the process it used at the time, involves no third-party security evaluation. What the hell?
IMO that was not the disturbing part. I don't expect elections officials to know anything about RF.
What's disturbing to me is that several experts explain in very plain terms why his assumptions are wrong, and he persists in his misunderstanding.
Even barring that, I would at least expect an official to know the depths of their own ignorance. If you don't know anything about WiFi, fine, but then don't try to make arguments about it.
And yes, persisting in making those arguments, not only being ignorant of the subject but after being corrected by people who know, is a special kind of ridiculous.
Government RFPs pretty much never have a third-party evaluation process. Those cost money, which is almost certainly not in the budget.
Also, the vast majority of the time the government already has a preferred vendor, and the RFP is simply a legally-required formality.
This, however, is stuff out of a Dilbert cartoon: "The wireless connection uses WEP (which we knew). What we didn’t know is that a few minutes of wireless monitoring showed that the encryption key is “abcde”, and that key is unchangeable"
Why don't we just use ATMs as voting machines?
- ATMs and their backend systems invest heavily into making complete transaction records, voting systems must be anonymous.
- ATM transactions can be undone.
- ATM operators can better afford to take a reactive approach, monitoring fraud levels and first taking a liability hit, until they can fix the systems or must do a temporary network shutdown to stop the losses.
- ATMs get by with fewer controls for insider fraud due to the above controls
- ATMs don't worry about nation state level adversaries
- Amount of damage from ATM compromise is clearly bounded, unlike legislation/election
With voting machines, so far, there has been absolutely no provable feedback whatsoever that allows you to assure your vote has been counted. Even worse, there is no system that allows you to verify no votes have been counted that did not exist. I'm not saying these problems can't be solved with cryptography, all I'm saying is that so far, they haven't been solved/implemented yet.
Voting ballots don't have the same problem.
How so? How do you know if your vote was really counted? How do you know someone didn't slip in a bunch of votes while you weren't looking? How do you know numbers aren't doctored as they're aggregated?
Well then you don't, and another requirement is that the voting stations may be accessed by the public from start to end. In that case each individual can verify for themselves that the ballot boxes are empty at the start, that no one tampers with the ballot boxes during the day, and at night when the boxes are opened and the votes are being tallied.
At the end of the election day each site's poll workers manually count the number of signatures, the number of stubs, the number of ballots within the scanner's tub, the number of soiled or defaced ballots, the number of provisional ballots etc. and the numbers reported by the scanner. (Whenever actual ballots are handled, at least one Democrat and one Republican poll worker must be present.) Tracking the number of ballots read in this situation doesn't concern me much. We also sign and post the end-of-day tapes printed by the scanner on the doors for the public to see.
The biggest question left really is whether the optical scanner actually reports the tally correctly. The board of elections also rescans all the ballots centrally with different machines in the weeks after the election before it is certified. I don't know the procedures for evaluating the scanners, but in theory the scanner can't tell the difference between real ballots and control ballots, so some sort of randomized batch testing where the real ballots are run with control batches should be pretty straightforward.
It's also true with the electronic voting booths that you can match the number of tallied votes at the end of the day against the number of signatures on the books. But I don't think there's any mechanism I'm aware of for performing an actual recount. (Yes, you can re-sum the individual machine totals, but that doesn't go back to raw responses).
I personally don't trust the purely electronic voting at all yet because there's no way I know of to verify or test the accuracy of the machine. I recently moved to a different State and don't do election work anymore. Here we vote using some bullshit touchscreen using some PCMCIA card that the poll worker hands me and that I stick into the computer. Not even a paper receipt is printed. WTF. No, thanks. I think I'll just vote absentee.
Which is true of paper voting as well.
You can have a system with multiple levels of verification. For example in Canada, each party is allowed to appoint an on-site representative for each ballot box to observe the voting process, the count (and ensure it matches the number of voters and ballot stubs) and the paperwork (a copy of which is sealed in the ballot box which can be unsealed in the event of a judicial recount).
Trusting election officials doesn't have to be a passive process like it would be in an electronic voting system.
My point was just that at some point, you have to trust that someone is paying attention. Paper doesn't magically solve that problem.
1. Voting machines are subject to the fairly unique design objective that, ideally, votes have to be verifiable while still preventing voters from proving who they voted for in order to avoid vote-buying. An ATM can just give you a receipt showing a record of the transaction. But a voting machine can't do anything so straightforward.
2. Using an ATM is part of an ongoing course of dealings between a customer and a bank, where verification is straightforward (and largely inevitable). This allows the customer to evaluate the performance and integrity of the system over time. Voting, on the other hand, tends to be an isolated event where there is no opportunity to evaluate the voting system over the long-term.
ATMs are also an easier problem since they do not care about anonymity, part of the cryptography is done on the card, and they do not have to work without a network connection.
And anonymity? The card itself just has a very long string of numbers to identify someone; information about the human it belongs to is optional. Whatever human that is currently verifying if you are allowed to vote can deal with giving you a card to cast your vote; it doesn't actually have to have anything other than a unique number.
ATMs only need a network connection to authorize a transaction. All the other aspects of it are offline, and it creates a paper trail, and saves records in memory. They could very easily be reconfigured to display voting options (and instructions!) and record the tallies both in memory and printed, both internally and externally, and OPTIONALLY connect to a remote server to log the transaction - securely, I might add.
But obviously this attack surface has been exploited quite a lot by ATM crackers.
And anonymity of votes has more aspects than just protecting against the guy by the machine. You also need to protect against the guy issuing the numbers (which you don't for ATMs; it is ok if the bank knows how much money you withdrew :)) and also the anonymity should make it hard to sell votes, which disqualifies some cryptographic solutions suggested by other commenters (those where you get a cryptographic receipt which you can use to look up afterwards to see what you voted).
And some voting machines work exactly like you describe, and they are not regarded as secure.
Here is a guy playing angry birds on an ATM:
Also ATMs are easier to secure physically because they don't have to be particularly portable. Most units are built into buildings and those that are not are placed once and not moved for years. Compare this to EVMs that have to be moved into place and removed again over a day or two because most voting places are used for that day only then revert to some other purpose.
People who buy ATMs have a strong vested interest in their security, both physical and virtual. If the machines can be broken into or hacked, the people who buy the machines lose real actual cash. If the machines merely malfunction, it upsets their customers, which then costs the machine owners.
Ultimately, you can run the numbers on security to see how much money it's worth, how much it costs, and find the ideal tradeoff.
Voting machines have completely different incentives. The buyers have no vested interest in their security whatsoever. I would actually argue that they have a bit of a vested interest in insecurity, because a successful voting machine hack would probably cost people their jobs if it came to light, and if a machine is so insecure that you can't even detect hacks then this risk goes away. And if the machines malfunction, users often can't even tell. Even if they can tell, their unhappiness typically won't financially impact the people who buy the machines.
And thus we can see why, for example, Diebold builds good ATMs but craptastic voting machines.
Having said that, I think you could make it work with a paper audit trail that contained both the current vote tally and the current vote -- and was distributed to the person voting at the time they voted. (Then do random audits) (And of course that information would be obscured in some way, perhaps using encryption)
Voting on paper seems to work for most democratic countries and it's definitely harder to rig than the electronics. I just don't see any significant advantage in using technology here (and no, a few $/€ saved every other year is not significant in my honest opinion).
> While in a conventional election with ballot papers, manipulations or acts of electoral fraud are … only possible with considerable effort and with a very high risk of detection, which has a preventive effect, programming errors in the software or deliberate electoral fraud committed by manipulating the software of electronic voting machines can be recognised only with difficulty. … The voters themselves must be able to understand without detailed knowledge of computer technology whether their votes cast are recorded in an unadulterated manner as the basis of vote counting, or at any rate as the basis of a later recount.
I'm actually still kind of impressed that a protest from the hacker community was so successful in convincing the government.
Unfortunately, all the advantages rely on implementing a good system, so I doubt we'll be seeing them any time soon.
The clear advantage of paper voting is everyone--the entire electorate-- can see and understand the process. The legitimacy of the outcome depends on this understanding and trust.
I don't think the voting process itself gets sped up a lot just because you tap a screen instead of crossing a field.
The tamper-proofness is certainly attractive, however what we have on the market today is so far from that goal that one has to consider it less secure than paper by several orders of magnitude.
Slightly off-topic: I just found out how embarrassingly little I knew about accessibility processes in elections. Therefore thank you for mentioning that ;)
As convenient as it might be, I fear electronic voting will always remain vulnerable.
It seems many of the disadvantages of traditional e-voting machines and the speed/counting effort of paper-based voting are done away with.
Is this cynicism misplaced?
I personally think that the 2014 elections were faked; also the machines had been proven to be easy to cheat with, and there is evidence that cheating did happen. (Example: in one state election here, the number of votes was higher than the number of voters, one of the candidates complained, and got fined for complaining...)
There is even a video on YouTube showing how to cheat elections in an "impossible to trace" manner using Diebold machines.
Also the Dutch banned voting machines that don't print a paper copy of the vote (that you then use to put on a normal ballot).
And about a follow up campaign in India with some of the same people: https://indiaevm.org/
Also see some recent research done with the Estonian e-voting system: https://www.youtube.com/watch?v=JY_pHvhE4os
Using the computers as glorified counters is a security nightmare. Using them for what they're good at (crypto) would be a security boon, with the main downside being how hard it would be for non-computer-scientists to understand the nature of the security.
1) The receipt you are given may be used to confirm that your vote was correctly counted. Here is a list of websites/programs that you can use to verify your receipt.
2) It is impossible to use your receipt to prove to a third party how you voted.
If we could get major news sources (New York Times, CNN, Fox News, etc.) to publish their own tools for (1), then I suspect that should give a fair amount of credibility for the general public.
The problem I see is that any technical system of plausible deniability I can think of, would require that a voter is able to forge a receipt that would correctly validate as the incorrect vote. Otherwise, if an attacker wanted to verify that Alice voted Democrat, he could assume she voted Republican and attempt to verify the receipt.
Say A and B were the options. Anywhere you take the receipt to verify it has to then display if it counted towards A or towards B. Someone there with you could then see which it confirms.
The video I linked has a good example where you get 1000 envelopes all claiming to contain "Obama", so you open and verify 999 of them at random and use that as evidence that the one you didn't unseal is good. You can't then use that to convince a third party, because they didn't get to pick the envelope to not open. The video also addresses lots of other security issues; you should watch it.
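The envelope trick described above is a cut-and-choose audit over commitments, and it is easy to see why it convinces the voter but not a third party once it is written down. The following is an added example for this thread, not code from the original post or from the linked video; the commitment construction (SHA-256 over a random nonce and the name), the function names and the sample scenario are all constructed here.

```python
import hashlib
import os
import random

# Added example (not from the original thread): cut-and-choose over hash
# commitments. Function names and the scenario are constructed.


def commit(choice: str, nonce: bytes) -> str:
    """A sealed envelope: SHA-256 over nonce and contents. Without the nonce
    the hash reveals nothing; with it, only one set of contents matches."""
    return hashlib.sha256(nonce + b"|" + choice.encode("utf-8")).hexdigest()


def seal_envelopes(contents: list):
    """Machine side: one commitment per envelope, fresh nonce for each."""
    nonces = [os.urandom(16) for _ in contents]
    sealed = [commit(c, n) for c, n in zip(contents, nonces)]
    return sealed, nonces


def voter_audit(sealed, nonces, contents, keep: int, expected: str) -> bool:
    """Voter side: every envelope except `keep` is opened; each opening must
    match its seal and contain the expected name. `keep` is cast unopened."""
    for i, (s, n, c) in enumerate(zip(sealed, nonces, contents)):
        if i == keep:
            continue
        if commit(c, n) != s or c != expected:
            return False
    return True


def detection_probability(n_envelopes: int) -> float:
    """A single bad envelope survives only if the voter keeps exactly that one."""
    return 1.0 - 1.0 / n_envelopes


def simulate(n_envelopes: int, bad_index, keep: int, expected: str = "Obama") -> bool:
    """Constructed scenario: envelope `bad_index` (or none) holds the wrong name.
    Returns True when the audit passes (honest batch, or bad envelope kept)."""
    contents = [expected] * n_envelopes
    if bad_index is not None:
        contents[bad_index] = "someone else"
    sealed, nonces = seal_envelopes(contents)
    return voter_audit(sealed, nonces, contents, keep, expected)


def trial_rate(n_envelopes: int, trials: int, seed: int = 1) -> float:
    """Fraction of runs in which a randomly placed bad envelope is caught by a
    voter who keeps a uniformly random envelope (should approach 1 - 1/n)."""
    rng = random.Random(seed)
    caught = 0
    for _ in range(trials):
        bad = rng.randrange(n_envelopes)
        keep = rng.randrange(n_envelopes)
        if not simulate(n_envelopes, bad, keep):
            caught += 1
    return caught / trials


if __name__ == "__main__":
    print("honest batch passes:", simulate(1000, None, keep=7))
    print("bad envelope not kept:", simulate(1000, 3, keep=7))
    print("expected detection:", detection_probability(1000))
    print("simulated detection (n=10):", trial_rate(10, 2000))
```

Two things the code makes explicit. First, the voter never receives the nonce of the kept envelope, only its hash, so the receipt they walk out with cannot be opened for anyone else. Second, the 999 openings only mean something to the person who chose which envelope to keep; a third party shown the same openings afterwards has no way to know the voter did not keep the one envelope the machine got wrong.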
Anything the machine electronically presents you with can be modified on a compromised machine, while physical printout that can be used later to verify will either be unable to prove that your vote wasn't switched (though it can prove that your vote was counted) or it will be able to prove you did vote for who you choose, the latter case meaning that a third party can then use this to know who you voted for.
Administrators could get a quick count from the machine memory, then perform a verification by pulling a sample of votes from the printed receipt and comparing them to the electronic values with the same timestamp. And any voter can compare their receipt with publicly-available voting records.
Of course, then you have to worry about exploits that can cause the machine to print votes on demand, because those would appear legitimate, especially if the voter's receipt printout can be suppressed - there'd be no incriminating receipt trail hanging out of an unattended machine.
Edit: the timestamp gives the voter away
Yeah, there still might be some issue with external coercion on the voter to produce their receipt and prove they voted the way they were paid to. I suppose that could be solved by making the voter's copy an XOR of the audit tape, and only by having both copies together can the vote be verified. Presumably the forces doing the coercion wouldn't have access to the audit tape. If they did, then we're already screwed no matter what system we implement.
Just a thought. Not sure if there's some fundamental contradiction between secrecy in voting and voter-auditability.
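Both the "deciphered only by a collaboration of all the election trustees" receipt mentioned earlier and the XOR-of-the-audit-tape idea just above are instances of n-of-n secret sharing: a record is split into pieces such that all of them together reconstruct it and any subset reveals nothing. The following is an added example for this thread, not code from the original posts; the function names and the sample ballot record are constructed.

```python
import os

# Added example (not from the original thread): n-of-n XOR secret sharing.
# Function names and the sample record are constructed for illustration.


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split(secret: bytes, n: int) -> list:
    """Produce n shares: n-1 uniformly random, the last one fixed up so that
    the XOR of all n equals the secret. Every share alone is uniform."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [os.urandom(len(secret)) for _ in range(n - 1)]
    last = secret
    for s in shares:
        last = xor_bytes(last, s)
    shares.append(last)
    return shares


def combine(shares: list) -> bytes:
    """XOR all shares back together. Missing any one of them yields noise."""
    out = bytes(len(shares[0]))
    for s in shares:
        out = xor_bytes(out, s)
    return out


def complement_for(share: bytes, claimed: bytes) -> bytes:
    """Given one share, the other share that would 'open' to `claimed`.
    Its existence is why a single share cannot prove anything to a coercer."""
    return xor_bytes(share, claimed)


def demo():
    """Constructed: a ballot record split between voter receipt, audit tape
    and a trustee. Returns (full reconstruction ok, partial reconstruction ok)."""
    record = b"ballot 0042: A"
    receipt, audit_tape, trustee = split(record, 3)
    full_ok = combine([receipt, audit_tape, trustee]) == record
    partial_ok = combine([receipt, audit_tape]) == record
    return full_ok, partial_ok


if __name__ == "__main__":
    print(demo())
    receipt, tape = split(b"ballot 0042: A", 2)
    # The same receipt is equally consistent with a vote for B.
    print(combine([receipt, complement_for(receipt, b"ballot 0042: B")]))
```

The `complement_for` function is the deniability argument in one line: for any receipt and any candidate, there is a second share that opens to that candidate, so the receipt on its own is worthless to a coercer. The flip side, which the replies below also press on, is that the scheme only holds while the other shares stay out of the coercer's hands and cannot be matched to the voter by position or time; the splitting does nothing about that.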
i.e. the attack scenario is a small town, where you record each person as they come in. Then later you can look at the vote in order and know who voted what.
> Presumably the forces doing the coercion wouldn't have access to the audit tape.
That is not a valid assumption. Your machine must be resistant even to that attack.
> If they did, then we're already screwed no matter what system we implement.
No. The audit must not be able to be correlated with the person, the order, or the time.
> Not sure if there's some fundamental contradiction between secrecy in voting and voter-auditability.
Is, "yes, there is"? By "voter-auditability" I mean the ability for any single person to verify that their ballot was cast the same way they intended.
We just say 'duplicate'.
I'd call it caution rather than cynicism, and I'd say it's entirely justified.
The references of the current players in the industry I see talk upwards of $3,000 per terminal! The industry standard pricing for this would be $12,000. $12,000 for buggy, insecure, closed-source, non-updateable, unverifiable, crappity crap. Awesomes.
How about this ... a voter walks into the polling station and can either use a terminal or their own smart-phone - connect to the open wireless "voting hotspot" where they can enter in an anonymous token at something that we use as the "hot spot sign-in page" that they are given by the people who volunteer the polling station that they can use to cast their ballot without waiting in line.
It's not like secure voting is an open problem. There just needs to be some crotchety capitalist company with people in suits selling it. Open source, anonymous, verifiable voting machines on open hardware with an optional paper trail (cups + network printer). We can do this making comfortable profits and at at least a 60% savings to the tax payer.
The best part is that if the company goes out of business, everything is open source and documented, so we don't put communities at risk of the security issues with code rot.
So ... who wants to make some money? email me: kristopolous (at) gmail
Electronic voting is a problem looking for a problem. You need voter-verifiable ballots with a high degree of tamper resistance. As far as trustworthiness goes it's hard to compete with ballot boxes and adversarial observers.
I think the solution is to crowd-source verifying the vote. If every ballot were given a unique number or code, and when the ballot was counted each ballot with who it was counted for was available for download on the web, third parties could verify that the numbers were counted correctly. And each voter now has an anonymous number that he can use to look at how the vote was counted and verify that it was counted correctly. If it wasn't, he complains. The political parties would be happy to urge their loyal constituents to check that their vote was correctly counted and to sue should they have a sufficient number of members claiming theirs was wrong.
* The candidates themselves
* TV cameras
* Party representatives
* Electoral officials
* Anybody else who has a good reason to be there
The volunteers doing the counting are not going to risk a long stretch in prison with such a high chance of being caught.
I've heard that pencils are sometimes used to prevent an attacker from substituting pens at the polling booth, with modified pens containing disappearing ink, but that seems like a problem better controlled by using new, easily identifiable pens each election.
As for serialising the ballot-sheets, that enables a third party to check that a person they coerced into voting a certain way actually did as instructed, which undermines the value of a secret ballot.
It wouldn't just be that their vote would be revealed, though, it would be that then the bad actor could contest the vote, claiming that they were the voter and their vote was counted wrong.
But if people were in the habit of destroying their unique code immediately after the results are posted, then they at least have plausible deniability. "No, I burned that piece of paper yesterday. Can't remember what the numbers were."
"Vote for this guy or you're fired" type stuff
But I think I would rather have a system where you need to intimidate and coerce people en masse in order to change the vote than a system where you just need to coerce the handful of people who are responsible for counting the vote.
Hidden vote tampering of the pencil-under-the-fingernail variety is a solved problem here in Australia. Each vote count is done by an employee of the electoral commission. They're watched by volunteer scrutineers (plural), provided by the major parties, with each scrutineer looking to maximise their own party's response and distrusting all other parties. You effectively have two opposing meatspace inspectors willing to challenge anything that looks shady.
Paper voting isn't perfect, but it's far, far better than any electronic voting system that the general public can use.
EDIT: to clarify, with any electronic medium, the only way to confirm that your vote was counted as cast is to cryptographically sign it in some way with a key that's under your control. Even us techies have problems doing that, and the general public could never be expected to do it, especially the socially disadvantaged members. Not even security conference attendees keep up to speed with their cryptographic signing, so how can we expect mere mortals to do it?
With paper votes, you confirm that your vote goes into the box as you've marked it. You can then opt to be a scrutineer and watch that box travel to the counting area, and confirm the votes are counted correctly. And it has the benefit of having the record independently verified if required.
Any form of voting which has a "just trust us on this" stage is not good enough.
Although some people really want to get the electronics back so it's an ongoing battle of educating people (even most hackers and others in the security industry that did not think a lot about voting in particular).
I don't see much downside to this sort of system, there is a paper ballot for any checks that are needed or desired, and the vote tally is readily available when the election ends.
Plus, it seems to me the process is not particularly tamper resistant during the ballot tallying phase, when compared with what is possible using cryptographic techniques.
(If you're so inclined, you can also just get your name marked off and walk out if you want to donkey vote, which is the equivalent to a protest/blank vote. Or draw penises on the voting paper).
If you don't vote, you get a nice letter in a few months from the Australian Electoral Commission with a fine of about $100 or so for not voting. Voting is also on a Saturday so most have the day off, and there are early polling stations open for a while prior to the day so if you can't make it on the day you can do it then.
I think our voting system is good but it has flaws. I recall reading an article a few years ago about somebody who showed up to vote (i.e. got his name marked off) at multiple polling stations on election day just because he could. He received a fine for doing it but all of his votes were counted.
Edit - googled it; apparently you can be charged with fraud for multiple voting or for voting under a false name (up to six months prison - so slightly more than a slap on the wrist and a fine).
I should mention that a donkey vote is not equivalent to a blank vote. A donkey vote is when you number the candidates from 1 to x from top to bottom. You actually give your vote to whoever happens to be at the top.
The loss of the senate ballots and subsequent post-election re-run of the entire state - which had a different outcome - was a massive failure of Australian electoral process.
but even if they aren't enough here then you sell the machines to those people to flip them to the states at a higher cost. Don't be in THAT sales game. Otherwise, sure, you can add 30% to the cost ... it's not going to be another 600% just to sell the thing.
And even if it was, I'm sure I can personally, in my spare time, produce a far better product than the one outlined in the article.
That doesn't seem very anonymous. In fact, it seems like a possible way of deanonymizing votes, since in many places you have to sign a ledger or provide identification before voting.
- Walk in, present some form of ID
- You sign the slip or give a thumbprint so they record that you've voted
- Random token is generated and given to you
- You enter the token in order to vote
- You keep the token as one way to verify your vote was cast
It'd be hard to match the voter to the token if they don't write down the token and associate it with the voter's name.
There is also no law of computing which states that the ordinal of the voting record is determined by the chronology of the votes. That is to say that you don't have to keep things ordered by time - or at all; it's not like an 8AM vote should be treated different than a 5PM one.
If they recorded the time you took your token and the time the token was used then they'd have a small enough pool of people to work with. I know in my state if a precinct has a small enough pool of registered voters it doesn't show the vote totals from the precinct because of privacy issues.
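The check-in token procedure from the list above, together with the unordered published record suggested in the two replies after it (and the per-ballot code lookup proposed earlier in the thread), as an added example that is not any commenter's code. Token generation and the "bulletin board" are constructed stand-ins for a real check-in desk and a published count.

```python
import hashlib
import secrets
from collections import Counter


def issue_token() -> str:
    # Random token handed over at check-in; the voter keeps it and the
    # poll workers do not record it next to the voter's name.
    return secrets.token_hex(16)


def receipt_id(token: str) -> str:
    # Only a hash of the token is published, so the public list cannot be
    # turned back into valid tokens; a token holder can still look up its record.
    return hashlib.sha256(token.encode()).hexdigest()


class BulletinBoard:
    """Constructed stand-in for the published count: one record per token."""

    def __init__(self) -> None:
        self._records: dict[str, str] = {}

    def cast(self, token: str, choice: str) -> str:
        rid = receipt_id(token)
        if rid in self._records:
            raise ValueError("token already used")
        self._records[rid] = choice
        return rid

    def publish(self) -> list[tuple[str, str]]:
        # Sorted by receipt id, which is unrelated to the time of casting,
        # so the published order does not reveal who voted when.
        return sorted(self._records.items())


def verify(published: list[tuple[str, str]], token: str, expected: str) -> bool:
    # What a voter does at home: look up their own receipt id in the published list.
    return dict(published).get(receipt_id(token)) == expected


def tally(published: list[tuple[str, str]]) -> dict[str, int]:
    # What a third party does: recount the published list independently.
    return dict(Counter(choice for _, choice in published))


if __name__ == "__main__":
    board = BulletinBoard()
    mine = issue_token()
    board.cast(mine, "Candidate A")
    board.cast(issue_token(), "Candidate B")
    public = board.publish()
    print(verify(public, mine, "Candidate A"), tally(public))
```

Anyone holding the token can look up the choice, which is exactly the coercion concern raised earlier in the thread; the hash only stops the published list from being turned back into valid tokens.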
so the real question is where is the startup with the solution of $35 tablet "voting machines" on $10 stands and a $30 SBC "voting server" in a $15 lockbox that can deliver 4 "deluxe voting terminals" with a "server" for $2,000?
I say it's bizarre because I know you can get tablets in bulk for $30-$35 each while the lowest price iPad is $400.
After getting past "why does every student need a tablet computer" we get to "why from a single vendor with prices that are 1,333% higher than the cheapest competition?"
I'm not saying the Apple product isn't nice - it's just I don't see why so many tax dollars should be spent when there's other options.
Going back to the voting machine ... we'd not really care about some wonderful durability of the cheap tablet because the owner would only be using it a few days a year at the most; in ideal conditions, without moving it, the thing will survive fine.
Speak for yourself. I'd rather people didn't get past that quite so easily.
Thankfully, the guidelines to ensure things are accessible are fairly easy to find, and easy to implement as long as you keep accessibility as a requirement, and not a suggested feature. For example, the National Federation of the Blind has a list of features that cover the spectrum of visual impairment on their website for free. Groups for people with other disabilities, like motor impairment, also have guidelines which aren't that difficult to follow. Smart phones with touch screens and the like are used by people with visual and motor disabilities too, so this isn't uncharted territory, it's just a matter of asking.
When mistakes that happen are chalked up to "computer glitches", but it only takes a few bugs in a few key locations to change the outcome of an election, the results can be game-changing.
The full documentary was pretty concerning, and I have carried very little faith in the voting process since.
https://www.youtube.com/watch?v=5Qk95SVRdEo (Last minute contains the section where the grandmother "steals" proprietary Diebold Election Systems code off an open webpage)
In my own experience, most people who view it this way don't consider scaling. While pen and paper is an easier attack for a single voting station, it is far more difficult to scale. Every voting place brought in on the scheme has more people who could be caught or decide to go public, and that is assuming you are able to get in contact with those people in time to ensure they are able to intercept the voting. With voting machines, one good exploit, especially for wifi enabled machines, can easily infect larger numbers.
As to why other countries don't have people viewing it this same way... I don't think it is because they have better ability to consider scaling attempts to exploit a system.
In the case of the Florida Presidential vote, they ran into the problem of "hanging chads" where parts of the page that were intended to be fully punched-out so a machine could detect the vote were still attached to the page, leading to further scrutiny over deciphering the true intent of the voter's ballot.
A couple of years ago, a Dutch group of hackers (led by Rop Gongrijp) argued very strongly against the use of any kind of voting machine. Not because they're so easily hacked (I assume the Dutch voting machines were fairly secure), but simply because they're a black box and you simply have to trust that whatever comes out is correct, and there's no paper trail you can verify to check whether it actually is correct. If they've been tampered with, you most likely don't know, and even if you do know, there's no way to correct it.
The Netherlands has very specific voting laws to ensure that elections are reliable and verifiable, and when voting computers were introduced, an exemption was added to the law because voting computers couldn't possibly meet those rules.
The hackers successfully argued their case, so we're back to voting with pencils again. Cumbersome, but we know (and can verify) that it works.
Perhaps a "simple" first pass could be done by looking at building type (concrete vs. wood?) via aerial maps, and correlating that to local polling data. If anyone does do an analysis like this, I'd love to see the results!
They filmed the whole NOC because they wanted to be transparent, but then it became clear there were passwords stuck on paper on the wall :) Never forget or undermine operational security.
Princeton confirmed it in a study earlier this year. It's neatly summed up here:
Afterwards the result from every polling station is posted online. So if you want, you can make sure your vote is accounted for.
Now, I've been an election helper since 2009, and I've never seen anybody stick around for the vote. It's mainly the election helpers keeping each other in check.
So, a critical web site organized a nationwide system where people could sign up for their polling station, to stay around during the counting and then report the results back to the web site. They got about 70% coverage I think; in the large cities it was near 100%. It was quite interesting. It was a close vote, and their result was slightly off, but close.
I am considering alternating each election between being an official election helper and an unofficial self-appointed monitor.