Decertifying the worst voting machine in the US (freedom-to-tinker.com)
296 points by germinalphrase on Aug 18, 2015 | 201 comments

I'm having a hard time understanding the way voting machines are created these days. Why are they complete operating systems? Why do they have ports? Why do they look like they're overengineered in so many ways?

What's stopping the companies from producing a closed box with SoC+board connected to: N buttons, display, card reader/scanner, printer, wifi/ethernet. All you need is to take cards, register the result, add it to some continuously hashing database, print vote proofs, periodically upload data (again, public-key encrypted). If they need to be updated, allow only signed code. (ARM SoCs have secure-boot-like capabilities)

Am I missing something? Why do we get multiple iterations of machines with exposed ports, running XP, having hardcoded passwords, allowing admin access, having physical locks which can be opened without a key, etc. How can these things be created without at least one person saying "this shit is unacceptable"?
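One way to make the "continuously hashing database" from the comment above concrete, as an added example that is not from the original post or from any real voting product: an append-only, hash-chained vote log whose chain head doubles as the printed receipt. The verifier shows what such a chain does and does not catch: an in-place edit to a stored record breaks a link, but a tamperer who rebuilds the whole chain is only exposed by a head hash held outside the machine (the printed proofs or the uploaded copy). Record layout, field names and the `VoteLog` class are assumptions for illustration.

```python
import hashlib
import json
from typing import Dict, List, Optional

# Constructed example: an anonymous, append-only vote log in which each record's
# hash covers the previous record's hash, the sequence number and the choice.
# Illustrative only; no real machine's format is implied.

GENESIS = "0" * 64


def _hash_record(prev_hash: str, seq: int, choice: str) -> str:
    """SHA-256 over a canonical encoding of one record, bound to its predecessor."""
    payload = json.dumps({"prev": prev_hash, "seq": seq, "choice": choice},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class VoteLog:
    """Hypothetical tally store: records carry no voter identity, only a choice."""

    def __init__(self) -> None:
        self.records: List[dict] = []

    def head(self) -> str:
        return self.records[-1]["hash"] if self.records else GENESIS

    def cast(self, choice: str) -> str:
        """Append one vote; the returned chain head is what a printer would emit."""
        seq = len(self.records)
        h = _hash_record(self.head(), seq, choice)
        self.records.append({"seq": seq, "choice": choice, "hash": h})
        return h

    def tally(self) -> Dict[str, int]:
        counts: Dict[str, int] = {}
        for r in self.records:
            counts[r["choice"]] = counts.get(r["choice"], 0) + 1
        return counts


def verify_chain(records: List[dict], expected_head: Optional[str] = None) -> Optional[int]:
    """Recompute every link. Returns None if consistent; otherwise the index of
    the first broken record, or len(records) when the chain is internally
    consistent but its head disagrees with an externally held expected_head."""
    prev = GENESIS
    for i, r in enumerate(records):
        if r["seq"] != i or _hash_record(prev, i, r["choice"]) != r["hash"]:
            return i
        prev = r["hash"]
    if expected_head is not None and prev != expected_head:
        return len(records)
    return None


def demo_tamper_detection() -> dict:
    """Cast constructed votes, then try three tampering patterns against the log."""
    log = VoteLog()
    receipts = [log.cast(c) for c in ["A", "B", "A", "C", "A"]]
    published_head = receipts[-1]  # committed outside the machine (receipts, upload)
    clean = verify_chain(log.records, published_head)

    # 1. Edit one stored vote in place: the link at that record no longer matches.
    flipped = json.loads(json.dumps(log.records))
    flipped[1]["choice"] = "A"
    flip_detected_at = verify_chain(flipped, published_head)

    # 2. Rebuild the whole chain over the edited votes: internally consistent,
    #    so only the externally committed head reveals the substitution.
    rebuilt = VoteLog()
    for r in flipped:
        rebuilt.cast(r["choice"])
    rebuilt_internal = verify_chain(rebuilt.records)
    rebuilt_vs_published = verify_chain(rebuilt.records, published_head)

    # 3. Drop the last vote: the shortened chain ends at the wrong head.
    trunc_detected_at = verify_chain(log.records[:-1], published_head)

    return {
        "tally": log.tally(),
        "clean": clean,
        "flip_detected_at": flip_detected_at,
        "rebuilt_internal": rebuilt_internal,
        "rebuilt_vs_published": rebuilt_vs_published,
        "trunc_detected_at": trunc_detected_at,
    }


if __name__ == "__main__":
    for k, v in demo_tamper_detection().items():
        print(f"{k}: {v}")
```

The chain by itself proves only internal consistency; the audit value comes from the head hash that voters and officials hold on paper or on a separate system the machine cannot rewrite.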

Electronic voting machines used in Indian elections are custom built for the purpose, and cost about $100.

All it has is N buttons, accumulators to store presses of each button in non-volatile memory, and a seven-segment LED display to indicate status (ready-to-vote, vote cast, etc.). Vote counting is done offline by connecting to a controller. No wifi or any other remote-access capability.

All that really needs to be done to create a paper trail is to add a printer.

Not implying that they're completely secure, but any breach at least needs physical access to the box. And physical security of the machines is on the same level as those provided for traditional ballot boxes.

Edit 1: The balloting unit does not even have a 7-segment display - just individual LEDs next to their buttons to provide feedback that the button has been pressed.

Edit 2: More details on the internals of the EVM: https://jhalderm.com/pub/papers/evm-ccs10.pdf

Indian EVMs are not as secure as ballot boxes. It is dead simple to "inspect" a ballot box once received for any backdoor that might be there, but not the same for Indian EVMs. In fact, there is an attack where the attacker can change a single IC and make the machine remotely editable, or "distribute" votes, and that can be turned on and off. https://www.youtube.com/watch?v=apkSkb6Ak3I

How would you "inspect" a ballot box from which real votes have been discarded and which has been stuffed with fake votes? Once you have sufficient access to open a voting machine (electronic or otherwise) and change components, all bets are off.

I was talking about inspection once it reaches the election agency. After that, until counting, both are the same; however, the fact that they can be tampered with during manufacturing is what bothers me. Essentially the ballot boxes only require one trustable entity, the election agency; the EVM requires two trustable entities, the EVM manufacturer and the election agency.

The next generation of EVMs apparently come with an additional printer unit (VVPAT) that doubles up as a ballot box. The voter can verify that what got printed was the vote he/she cast, and the papers collected in the printer unit's "ballot box" can be manually counted and used to cross-verify an EVM's result.

Digital signatures and tamper-resistant ICs?

If a malicious actor swaps the IC, the new one won't have the secret material that the original contained (and which the IC will only disclose upon receiving a court-signed audit order, permanently burning a fuse at the same time). And if they try to tamper with the IC, they'll need to spend a significant amount of time with it.

This isn't even remotely perfect, but can be used as one of the measures. Throw in some more redundant systems with different approaches, ensure their integrity at the end and you'll have some proof that the results are authentic enough to a certain extent (measured in the amount of effort needed to perform a successful attack).

That's security through obscurity. You want any citizen to be able to audit the security of the device, if you have to trust the government or some institution then what's the point?

There are better ways to make sure your vote got registered properly, for instance http://www.nytimes.com/2004/03/02/science/did-your-vote-coun...

> After voting, each voter would receive a receipt -- a record of his choices that would be encrypted, or put into code, and could be deciphered only by a collaboration of all the election trustees. After polls closed, all receipts would be posted on the Internet. Each voter could use his serial number to find the image of his receipt, and make sure it matched the one he carried.

Not foolproof but still better than what we have now.

What you are missing is that the technical part is not the hard part. The hard part is all the rest of it.

For example, here [0] is a link to the 200-page "volume 1" of the federal standards, merely one of a complex web of certifications that these things go through.

One random paragraph is illustrative:

> Vote scanning and counting equipment for paper-based systems, and all DRE equipment, shall be able to withstand, without disruption of normal operation or loss of data, electrical fast transients of:
> a. +2 kV and −2 kV on External Power lines (both AC and DC)
> b. +1 kV and −1 kV on Input/Output lines (signal, data, and control lines) longer than 3 meters
> c. Repetition Rate for all transient pulses will be 100 kHz

Now I am a software engineer, and quite frankly I have no idea whether these are large tolerances which would require specialized equipment to withstand or whether e.g. my laptop would sail through this kind of event. Nor do I have any idea how I would demonstrate compliance with these requirements to the satisfaction of a federal examiner.

And that is what voting machines are. They are checkboxes on a specification. That means that you can buy them with confidence that somebody else's ass will be on the line when they turn out to be awful. The fact that they actually record votes is ancillary at best, the primary feature and the reason for buying them is that they tick the checkboxes.

As to why they seem overpriced, the reason is that it costs a lot of money to have an engineer hook the thing up to his fancy oscillator and write you a report that yes, this machine complies with requirement, over and over again.

[0] http://www.eac.gov/assets/1/Documents/VVSG.1.1.VOL.1.FINAL.p...

I used to consult for a company that made WiMax base station equipment in India. Typically, the way government would work is that they'd send out a request for information to multiple vendors. Then, they'd take the list of parameters that they got from each vendor, create a master list of parameters, and pick the "best" under each parameter as a requirement. Then, they'd send out a request for quotes to all vendors with a list of requirements that would be impossible to meet simultaneously.

What happens then? How did they pick the most appropriate? Or maybe they wait for one of the vendors (the fastest) to produce a product up to the specs?

I really don't know. I wasn't there long enough and didn't have full insight into the workings. But my guess is that they eventually settled on a solution that met most of the specs at a reasonable cost.

However, what that opens up, is a way for corrupt officials to favor a vendor and use the others-did-not-meet-this-particular-spec as a justification.

Just my 2c. I really have no idea if it actually was ever used in this way.

Actually, those requirements are par for the course when designing mains-powered devices. You'd be surprised at the kind of transient voltage spikes AC motors generate when starting, and I'd assume all devices sold in the US satisfy the same or similar standards.

Having engineers design and test electronics against these kinds of safety standards is good practice. You don't want a failed USB power supply to fail in a way that sends mains voltage to the USB, for example.

> Vote scanning and counting equipment for paper-based systems, and all DRE equipment, shall be able to withstand, without disruption of normal operation or loss of data, electrical fast transients of:
> a. +2 kV and −2 kV on External Power lines (both AC and DC)
> b. +1 kV and −1 kV on Input/Output lines (signal, data, and control lines) longer than 3 meters
> c. Repetition Rate for all transient pulses will be 100 kHz

That kind of testing is par for the course for electronics manufacturing at scale, though it does seem these requirements are quite stringent. The 100 kHz repetition rate sounds odd though, and some of the other specs aren't completely clear. But regulatory testing of electronics is, in general, a solved problem, as are the mitigations for voltage surges.

> Vote scanning and counting equipment for paper-based systems, and all DRE equipment, shall be able to withstand, without disruption of normal operation or loss of data, electrical fast transients of:
> a. +2 kV and −2 kV on External Power lines (both AC and DC)
> b. +1 kV and −1 kV on Input/Output lines (signal, data, and control lines) longer than 3 meters
> c. Repetition Rate for all transient pulses will be 100 kHz

The real question seems to be, they apparently have all these stringent electrical engineering requirements set up in the standards, ones that seem to be made with detailed input from a professional electrical engineer, ones that can only be properly understood and tested by someone with electrical engineering knowledge.

So why did all these requirements on electrical engineering get into the standards, but requirements on software security did not?

Not to mention how hard it is to sell to the government. It can take months to get into the system then you need to wait for the RFP process to have a request that matches your capabilities. Then procurement. It's a huge barrier to entry for startups.

For most of the technology governments use, they are reliant on off-the-shelf hardware and software. Only the military has the budget to design solutions from scratch. Police equipment has traditionally been either ancient or repurposed military hardware; only recently have budgets blown up to where it's profitable for companies to design products specifically for police departments.

The private sector literally doesn't have any use, at all, for voting machines. The problem they solve never arises in modern life. So there's no commercial solution available to repurpose. Add that to the fact that election boards are always hideously underfunded and understaffed, there's no one out there to hold the contractors' feet to the fire.

Really, state and local election boards need to just go back to the older systems, but there's nobody making them do it, and you will sound like a Negative Nancy trying to take away all their fancy new kit.

What really needs to happen is for POTUS to make it an issue. With one swipe of his pen he could issue an executive order to throw federal money at a new department whose job is to maintain a body of standards for electronic voting machines and mandate that all new machines have to adopt them on a certain timetable. They probably won't be secure, but it'll be the department's job to respond to reported vulnerabilities and ensure that they get fixed.

How much would it cost to produce a decent secure voting machine design? No more than a few tens of millions, right?

Maybe a few of the tech billionaires that read HN could pass around a hat and get this done?

"Saved American democracy" would be a good legacy for anyone!

Congratulations you've rediscovered taxes and their purpose.

What has paid for the devices under consideration in TFA? Why have those taxes not resulted in the usable machine described by GP?

Same reason a few billionaires passing around a hat wouldn't result in a secure device. Those billionaires are either already running the government or lobbying the poop out of it. Our system is kinda messed up right now.

Since the outcome of the process facilitated by these machines determines the authority to levy and spend taxes, doesn't it make sense - for this one particular expenditure - to have a wall of independence, both political and financial?

A single million would get you a good solution. You'd need to set aside the remaining tens for lobbying to get it adopted.

Governments didn't make this device. They hired a contractor and/or purchased from a vendor (which likely specifically set up its business to profit from government contracts for voting machines). The vendor is almost exclusively interested in getting paid money from the contract, not with actually delivering a highly secure device that a democracy can depend on.

Commercial viability of a solution is a non-issue. A device is either highly secure or it isn't.

Absolutely this.

Federal and State governments should stop using contractors altogether for software projects. Instead, hire a very large shared bank of highly-qualified engineers and pay competitive salaries. Even if those engineers sit around doing nothing most of the time (unlikely), they would still be extraordinarily cost-effective compared to pissing away hundreds of millions on projects that should only cost a few million.

IMO it's impossible to take deficit hawks seriously if they don't back a blanket policy of starving out leeching contractors.

There is a strong current of blind faith right now that private services/products are automatically the most efficient choice. Really there's a lot of market conditions that need to be in place before that's likely for a specific product or service, but careful consideration gets overrun in the bigger meme of gov't bad/companies good.

> Only the military has the budget to design solutions from scratch.

Define from scratch. It's perfectly reasonable and economically feasible to develop a SoM or SoC based hardware platform.

Because the important thing is getting it through the procurement process, which is largely a political wining-and-dining process. The procuring governments have no way of assessing their requirements or whether they're getting a good product.

The solution you describe is the cryptographer's one, the result of taking security seriously. The contract goes to those who take the politics of procurement seriously (and, frankly, pushing unsuitable and unnecessary solutions to non-problems). It's still questionable whether electronic voting is necessary at all.

A lot of the early bad ones were from Diebold, who make ATMs. The ATMs also run WinXP, but are much more physically protected.

>Am I missing something?

Probably - corruption involving the contracts, outsourced or incompetent engineers (chances are, the best and the brightest are working on things that actually turn a profit), and neither party really having a strong interest in a system they couldn't subvert if they wanted to.

I sort of chalk it up to the sort of stuff you get with hucksters that sell stuff to municipalities.

The business is a little different than when some random person buys a phone, because while they are technically inept, there is a layer of brokers/buyers between the manufacturers and the stores. Those guys are smart and know their markets well. If you ever sold something into that market you need to produce a few thousand units, for those guys to beat on. And they have to be perfect, or they won't place orders.

This doesn't exist for something like a voting machine.

So think 'stuff thrown together as quickly and cheaply as possible' in order to land the contract. Quality will vary a lot.

Hurray Capitalism?

Why put in all that cost/effort when you can sell laptops with MS Access voting apps for the same price?

Can you? When we're talking about N machines per each voting point, even volume pricing of MS Access may be larger than a dedicated box. Of course the price of designing a dedicated box is non-zero. But if you can reduce the dedicated box spec to <=$100 and reduce the scope of any review (you're not reviewing the whole OS anymore), I'm not sure laptops would be cheaper.

For small production runs - and it's hard to sell more than a couple hundred voting machines locally - developing the product (NRE) typically dominates costs.

Imagine that you have one developer who can do enough hardware, software, and documentation in a single man-year, and whose fully-loaded cost is $100 000 per year. Then just paying that developer will cost $1000 per box on a 100-box production run; paying a team of three such developers for two years would still cost nearly $700 per box on a 1000-box production run.

(And those would need to be very productive developers; I'd expect a team of 10-20 people if you want to do the above in a year, once you include sales, staff, and specialists doing projects/consulting work for your company.)

Kinda ancillary to your point, but if you think the developers who write stuff like this make $100k/year, you've lived in Silicon Valley or NYC for too long. These kinds of projects are typically done by someone making half that somewhere in middle America.

Kinda ancillary to your point, but if you don't know what "fully loaded cost" is, it might behoove you to look it up before assuming it means "salary".

I've never hired a $50k/a engineer, so I don't know what the multiplier is, but I've heard people throw around "2x" as a rough estimate. So you and JoachimSchipper are assuming the same salary, more or less.

As someone who's done consulting electronics product development, I agree with your numbers.

Fully-loaded employee cost of 100k is probably 60k in salary, maybe 70 tops. But point taken.

> Then just paying that developer will cost $1000 per box on a 100-box production run; paying a team of three such developers for two years would still cost nearly $700 per box on a 1000-box production run.

That's not correct. Development is a fixed cost -- you don't rewrite all the software and re-design the hardware every time you run a new production run.

Furthermore, this isn't even necessary for hardware stuff where production run size actually does affect cost. If the machines are developed in house and you know you'll be using them for the next 15 years across the whole US, you can do a few medium-sized production runs.

Which is exactly why federal and state governments should have a permanent bank of software engineers and EEs for routine software projects like this. Then they can do what makes sense for the taxpayers, instead of having to play fiddle to the profit motives of an incompetent money grubbing contracting firm.

But that's general cost, not cost compared to current solutions. Hardware, software, documentation also had to be produced for any solution using XP embedded. (Probably shouldn't have continued using "laptops" idea from the parent post, since that's not really what's happening.)

What I don't get is why use Access. If it's just to keep count of the number of buttons pressed, even a text file is good enough.

Which is secure?

A simple but elegant product is unlikely to wow the politician making the purchasing decision.

If it's complicated and over-engineered, it'll probably be expensive too. Both factors are in favour for a politician, as if it's expensive it's a safe bet.

If it's a boring little eight-segment display and a pair of buttons, the voters will go "we spent $10m on this cheap looking crap?!".

So you go for the one with the shiny gui, the crazy price tag, and you've chosen sensibly - or as sensibly as one can in our batshit insane system of the world.

Because those things are decided on basis of what's cheapest, not what's the best. I'm 100% certain that designing your own box with custom buttons is more expensive than buying cheap laptops with XP already pre-installed.

"How can these things be created without at least one person saying "this shit is unacceptable"?"

Because the people who decide what the money is getting spent on have absolutely no idea what is acceptable and what isn't.

I think the main party to blame here is Microsoft. They're pushing this "one-size fits all" solution into everything - from embedded systems to super-computers. To them it doesn't matter if Windows is "over-engineered" for a voting machine - it's just another license sold.

If it were up to me no embedded system would ever use the same operating system that's on a billion PCs. That's just asking for trouble.

Define "embedded system" here: a ban on kiosk PCs? Could you apply the same logic to Linux, which is on hundreds of millions of PCs and also embedded routers? Is the problem just proprietary software?

Linux is not an OS, it's a kernel. There are hundreds of different distros (the actual operating systems) with various degrees of security from being worse than Windows to having ultra-hardened kernels and user-spaces.

So from this point of view, I think it's okay for "Linux" to be in multiple things at once, because it's really pretty far from a "single thing". The embedded versions of Windows seem to be more like 90% of the desktop version of Windows, and with the "unification" strategy of Windows 10 that's probably more true than ever.

It's debatable whether a kiosk PC that handles purchases should run Windows or not. What's the worst that can happen there? The owner loses his records and possibly all of his money. It only affects him so he can choose whatever he likes. If he wants a less secure OS and he's fine with the risk, that's okay.

A voting machine (which is duplicated across a city or state or country) that's not secure affects millions of people. Seems to me that it shouldn't be using "mainstream" solutions that are the target of thousands of hackers.

I've said it before many times, but the government's operating procedures are (accidentally (sort of)) tailored to explicitly filter out all the things that make for good hackers/programmers. This is an old essay I wrote on this subject that I usually post in response to comments like this: http://wademeredith.com/2011/05/why-the-dmv-website-sucks/

Most of your questions can be answered "Because it is cheaper" and "Because certifying boards are useless"

Grandfathered in lucrative government contracts.

It's very much worth reading the comments on this one, in which a Virginia elections official who was involved with these machines repeatedly defends them in a delightfully earnest but disturbingly clueless manner.

One of the points he's stuck on is that WiFi is short-range and unreliable from outside a building. Thus hacking these things from the parking lot would be impractical because you couldn't get access. Apparently the very concept of directional antennas is completely unfamiliar to this person.

Another strange point is that these defects weren't known when Virginia chose these machines. To him, that seems to mean "therefore it was a reasonable decision." To me, it raises the question: why didn't anyone look into their security as the choice was being made? Apparently the process by which Virginia chooses its voting machines, or at least the process it used at the time, involves no third-party security evaluation. What the hell?

> Apparently the very concept of directional antennas is completely unfamiliar to this person.

IMO that was not the disturbing part. I don't expect elections officials to know anything about RF.

What's disturbing to me is that several experts explain in very plain terms why his assumptions are wrong, and he persists in his misunderstanding.

I certainly wouldn't expect advanced RF knowledge, but satellite dishes are a common sight in this country, so I would hope that passing familiarity with the basic concept of directional antennas (even if they don't know what to call them) would exist.

Even barring that, I would at least expect an official to know the depths of their own ignorance. If you don't know anything about WiFi, fine, but then don't try to make arguments about it.

And yes, persisting in making those arguments, not only being ignorant of the subject but after being corrected by people who know, is a special kind of ridiculous.

>>Apparently the process by which Virginia chooses its voting machines, or at least the process it used at the time, involves no third-party security evaluation. What the hell?

Government RFPs pretty much never have a third-party evaluation process. Those cost money, which is almost certainly not in the budget.

Also, the vast majority of the time the government already has a preferred vendor, and the RFP is simply a legally-required formality.

They should sit every government official down and make them watch Mr. Robot to scare the crap out of them on cybersecurity.

Voting machines are a very hard problem from a security standpoint to solve. So even a well designed and audited voting machine might still not be safe enough to use when compared with manual voting (which is not perfectly secure, but at least is more generally understood).

This, however, is stuff out of a Dilbert cartoon: "The wireless connection uses WEP (which we knew). What we didn’t know is that a few minutes of wireless monitoring showed that the encryption key is “abcde”, and that key is unchangeable"

In fairness, at this point I don't think "abcde" is any less secure of a WEP password than something like "dahslkgjhalgihao". WEP is really broken at this point.

Yeah, it just highlights the fact that they didn't even seemingly try to make it secure.

Don't forget the hard-wired Administrator password: "admin"... and no logging to let someone know that someone may have remoted into the machine and replaced the Access database holding the votes.

Are ATMs also a hard problem from a security standpoint? Because we have relied on them to exchange currency around the world, 24 hours a day, 7 days a week, for decades. And they are basically identical in function to a voting machine, except of course for having more functionality.

Why don't we just use ATMs as voting machines?

ATMs are actually a pretty fruitful point of comparison since people have a good idea of how ATMs work in their heads already. Some differences in the threat model come to mind:

- ATMs and their backend systems invest heavily into making complete transaction records, voting systems must be anonymous.

- ATM transactions can be undone.

- ATM operators can better afford to take a reactive approach, monitoring fraud levels and first taking a liability hit, until they can fix the systems or must do a temporary network shutdown to stop the losses.

- ATMs get by with fewer controls for insider fraud due to the above controls

- ATMs don't worry about nation state level adversaries

- Amount of damage from ATM compromise is clearly bounded, unlike legislation/election

You're missing the most crucial point: ATMs provide instant tangible demonstrable feedback to the user that it has done exactly what it said it would do. The machine spits out money, and the money is not only the result of the interaction, but also the perfect witness.

With voting machines, so far, there has been absolutely no provable feedback whatsoever that allows you to assure your vote has been counted. Even worse, there is no system that allows you to verify no votes have been counted that did not exist. I'm not saying these problems can't be solved with cryptography, all I'm saying is that so far, they haven't been solved/implemented yet.

Voting ballots don't have the same problem.

> Voting ballots don't have the same problem.

How so? How do you know if your vote was really counted? How do you know someone didn't slip in a bunch of votes while you weren't looking? How do you know numbers aren't doctored as they're aggregated?

> while you weren't looking

Well then you don't, and another requirement is that the voting stations may be accessed by the public from start till end. In that case each individual can verify for themselves that ballot boxes are empty at the start, that no one tampers with the ballot boxes during the day, and at night when the boxes are opened and the votes are being tallied.

With optical scanning at least, ballot stubs are linked directly to the signature book (once the stubs are separated from the ballot, matching the ballot back to the stub is extremely difficult if at all possible--perhaps by looking at fiber patterns at the perforation).

At the end of the election day each site's poll workers manually count the number of signatures, the number of stubs, the number of ballots within the scanner's tub, the number of soiled or defaced ballots, the number of provisional ballots, etc., and the numbers reported by the scanner. (Whenever actual ballots are handled, at least one Democrat and one Republican poll worker must be present.) Tracking the number of ballots read in this situation doesn't concern me much. We also sign and post the end-of-day tapes printed by the scanner on the doors for the public to see.

The biggest question left really is whether the optical scanner actually reports the tally correctly. The board of elections also rescans all the ballots centrally with different machines in the weeks after the election before it is certified. I don't know the procedures for evaluating the scanners, but in theory the scanner can't tell the difference between real ballots and control ballots, so some sort of randomized batch testing where the real ballots are run with control batches should be pretty straightforward.

It's also true with the electronic voting booths that you can match the number of tallied votes at the end of the day against the number of signatures on the books. But I don't think there's any mechanism I'm aware of for performing an actual recount. (Yes, you can re-sum the individual machine totals, but that doesn't go back to raw responses).

I personally don't trust the purely electronic voting at all yet because there's no way I know of to verify or test the accuracy of the machine. I recently moved to a different State and don't do election work anymore. Here we vote using some bullshit touchscreen using some PCMCIA card that the poll worker hands me and that I stick into the computer. Not even a paper receipt is printed. WTF. No, thanks. I think I'll just vote absentee.

Devil you know? I'm sure I'm completely wrong for some reason, but I think it's in the same line as self-driving cars and their detractors.

All of these questions can be answered by "you have to trust the election officials, and the election officials have to do their due diligence."

Which is true of paper voting as well.

Doesn't have to be.

You can have a system with multiple levels of verification. For example in Canada, each party is allowed to appoint an on-site representative for each ballot box to observe the voting process, the count (and ensure it matches the number of voters and ballot stubs) and the paperwork (a copy of which is sealed in the ballot box which can be unsealed in the event of a judicial recount).

Trusting election officials doesn't have to be a passive process like it would be in an electronic voting system.

The US also has this; we call them poll watchers.

My point was just that at some point, you have to trust that someone is paying attention. Paper doesn't magically solve that problem.

Excellent points. A few more things:

1. Voting machines are subject to the fairly unique design objective that, ideally, votes have to be verifiable while still preventing voters from proving who they voted for in order to avoid vote-buying. An ATM can just give you a receipt showing a record of the transaction. But a voting machine can't do anything so straightforward.

2. Using an ATM is part of an ongoing course of dealings between a customer and a bank, where verification is straightforward (and largely inevitable). This allows the customer to evaluate the performance and integrity of the system over time. Voting, on the other hand, tends to be an isolated event where there is no opportunity to evaluate the voting system over the long-term.

Some of the companies building these horribly insecure voting machines are originally ATM companies, so I do not think we have any reason to think that ATMs are secure. There have also been incidents where ATMs have been hacked.

ATMs are also an easier problem since they do not care about anonymity, part of the cryptography is done on the card, and they do not have to work without a network connection.

There's cryptography in a magnetic strip? That's news to me. And sure, some ATMs have been hacked, but in general there's a financial incentive for companies to keep them more secure than not, because, well... it gives you money.

And anonymity? The card itself just has a very long string of numbers to identify someone; information about the human it belongs to is optional. Whatever human that is currently verifying if you are allowed to vote can deal with giving you a card to cast your vote; it doesn't actually have to have anything other than a unique number.

ATMs only need a network connection to authorize a transaction. All the other aspects of it are offline, and it creates a paper trail, and saves records in memory. They could very easily be reconfigured to display voting options (and instructions!) and record the tallies both in memory and printed, both internally and externally, and OPTIONALLY connect to a remote server to log the transaction - securely, I might add.

AIUI most ATMs will still give you money up to a couple hundred bucks with their network connection down, in case of legitimate "storm took out the phone lines but people need cash to buy candles and blankets" situations. This is not as sketchy as it sounds because the financial clearing system is only eventually consistent anyway.

But obviously this attack surface has been exploited quite a lot by ATM crackers.

I do not think many, if any, ATMs in my country accept cards with only the magnetic strip anymore. It was over 10 years ago my ATM card was replaced by a debit card when the banks phased out ATM cards.

And anonymity of votes has more aspects than just protecting against the guy by the machine. You also need to protect against the guy issuing the numbers (which you don't for ATMs, it is ok if the bank knows how much money you withdrew :)) and also the anonymity should make it hard to sell votes which disqualifies some cryptographic solutions suggested by other commenters (those where you get a cryptographic receipt which you can use to look up afterwards to see what you voted).

And some voting machines work exactly like you describe, and they are not regarded as secure.

There is cryptography in the chip.

Maybe, note that XP still lives in the form of POSReady partly because of ATMs. But banks really put effort into logging transactions (why voting isn't a similar transaction is beyond me though), also I don't think you can find ATMs with unnecessarily exposed ports.

Here is a guy playing angry birds on an ATM:


Votes are supposed to be anonymous to prevent retaliation or coercion from strong-arming elections. Logging each vote in a robust way is difficult to impossible to do without breaking the anonymity. If you have a time or sequence number on the vote, outside monitoring could match votes to people.

Also ATMs are easier to secure physically because they don't have to be particularly portable. Most units are built into buildings and those that are not are placed once and not moved for years. Compare this to EVMs that have to be moved into place and removed again over a day or two because most voting places are used for that day only then revert to some other purpose.

Follow the money.

People who buy ATMs have a strong vested interest in their security, both physical and virtual. If the machines can be broken into or hacked, the people who buy the machines lose real actual cash. If the machines merely malfunction, it upsets their customers, which then costs the machine owners.

Ultimately, you can run the numbers on security to see how much money it's worth, how much it costs, and find the ideal tradeoff.

Voting machines have completely different incentives. The buyers have no vested interest in their security whatsoever. I would actually argue that they have a bit of a vested interest in insecurity, because a successful voting machine hack would probably cost people their jobs if it came to light, and if a machine is so insecure that you can't even detect hacks then this risk goes away. And if the machines malfunction, users often can't even tell. Even if they can tell, their unhappiness typically won't financially impact the people who buy the machines.

And thus we can see why, for example, Diebold builds good ATMs but craptastic voting machines.

E-voting, at least to me, looks completely idiotic. Why would we trust our most important civic duty, voting, to a collection of hardware that's known to be extremely vulnerable to attacks in every other job we give it?

Having said that, I think you could make it work with a paper audit trail that contained both the current vote tally and the current vote -- and was distributed to the person voting at the time they voted. (Then do random audits) (And of course that information would be obscured in some way, perhaps using encryption)

Why is there the need to use these machines in the first place? IMHO the overengineering started when using a tech solution for a non tech problem.

Voting on paper seems to work for most democratic countries and it's definitely harder to rig than the electronics. I just don't see any significant advantage in using technology here (and no, a few $/€ saved every other year is not significant in my honest opinion)

German Constitutional Court agrees with you, having ruled e-voting unconstitutional in 2009:

> While in a conventional election with ballot papers, manipulations or acts of electoral fraud are … only possible with considerable effort and with a very high risk of detection, which has a preventive effect, programming errors in the software or deliberate electoral fraud committed by manipulating the software of electronic voting machines can be recognised only with difficulty. … The voters themselves must be able to understand without detailed knowledge of computer technology whether their votes cast are recorded in an unadulterated manner as the basis of vote counting, or at any rate as the basis of a later recount.



I'm not sure if they've been ruled constitutional in the Netherlands, but in 2009 the government decided not to use them anymore after pressure from an organization called "Wij vertrouwen stemcomputers niet" ("We don't trust voting computers"), led by hacker and pioneering ISP founder Rop Gonggrijp.

I'm actually still kind of impressed that a protest from the hacker community was so successful in convincing the government.

It was successful because they were able to detect if someone voted CDA (ChristenDemocratisch Appèl) because the "è" sent out a different radio wave that was detectable from a distance and broke voting secrecy. The main point, that electronics are orders of magnitude harder to secure because they are inherently more complex and less transparent than simple solutions like ballot boxes and voting on paper, is still not well understood in society and not even in the hacker community, as you can read in most of the comments here.

Manual vote counting takes significant time and effort, and a properly implemented electronic system would have advantages in tamper-proofness. It also could have advantages in being interactive so users can't fill things out incorrectly, can be guided through the process, etc, which is especially important for people with disabilities.

Unfortunately, all the advantages rely on implementing a good system, so I doubt we'll be seeing them any time soon.

Electronic voting machine implementation, testing and deployment also takes significant time and effort. Tamper-proofness obviously has original and natural physical implementations that do not require first choosing two large prime numbers: tape and sign the damn box! Though you didn't raise the point, some argue that the time it takes to manually count is a problem, as if people seriously can't wait an extra half-day. Just WAIT. It's important.

The clear advantage of paper voting is everyone--the entire electorate-- can see and understand the process. The legitimacy of the outcome depends on this understanding and trust.

Electronic systems introduce single-points-of-failure into the voting process - figure out a way to compromise the machines / vote collection process, and you can steal the election. Doing the same thing with a manual system requires cheating on a massive scale, which is pretty much impossible to do discreetly, making it much safer.

I agree with your conclusion. Some remarks though.

I don't think the voting process itself gets sped up a lot just because you tap a screen instead of crossing a field.

The tamper-proofness is certainly attractive, however what we have on the market today is so far from that goal that one has to consider it less secure than paper by several orders of magnitude.

Slightly off-topic: I just found out how embarrassingly little I knew about accessibility processes in elections. Therefore thank you for mentioning that ;)

Can they really be tamper proof? How do you know they're tamper proof? The only way to really be sure is if anyone can check the correct functioning of the machine. If it's only in the hands of a company and a few officials, there's no way for us to check. There has to be a verifiable paper trail that can be checked to verify everything happened correctly.

As convenient as it might be, I fear electronic voting will always remain vulnerable.

So it's easier to rig elections. Honestly, can't think of another reason.

Another reason is if you have some buddies who are ATM manufacturers who you want to give some lucrative government contracts.

I'd be curious to get HN's opinion on crypto/blockchain voting ideas such as http://www.bitcongress.org.

It seems many of the disadvantages of traditional e-voting machines and the speed/counting effort of paper-based voting are done away with.

So this machine has now been decertified. Fine. What I'd like to know: How could it ever get certified? What does certified even mean if not accountability of a certifier in case a system doesn't do what it's certified to do? Or is the certification process flawed? In that case I guess that should be fixed next.

The certification was done by the Election Assistance Commission, created in the wake of the Florida 2000 punchcard ballot debacle. The EAC hastily certified the first batch of electronic voting machines, issued grants to the states to buy them before the ink on the certifications was dry, and then was promptly forgotten about. (There was a 3-year period when the EAC was unable to do business because all the seats on its board were vacant.)

Why didn't they just fall back to paper and pencil, and manual counting? We've been doing that in the Netherlands since election machines were discredited after a successful campaign by hackers. Haven't had any real problems with it.

Why would an agency create a reliable system for counting votes, when it was created by an administration which came to power because of problems with counting votes?

A commission apparently tasked with ensuring that the hijinks observed in Florida and Ohio are permitted to continue and proliferate.

It likely speaks to my ignorance, but my gut reaction to using electronic voting machines has always been that they are inherently insecure and can't/shouldn't be trusted to provide an accurate tally. There is so much money (available) and motive to cheat an election count that I have a hard time believing large and significant races haven't already been victims of tampering in the US (even if we haven't seen hard evidence of such).

Is this cynicism misplaced?

I am from Brazil, our machines are made by Diebold and a Venezuelan company.

I personally think that the 2014 elections were faked, also the machines had been proven to be easy to cheat with, and there is evidence that cheating did happen. (example: in one state election here, the number of votes was higher than the number of voters, one of the candidates complained, and got fined for complaining...)

There is even a video on youtube showing how to cheat elections in an "impossible to trace" manner using Diebold machines.

Also the Dutch banned voting machines that don't print a paper copy of the vote (that you then use to put on a normal ballot).

Could you please provide some links?

About the Dutch campaign in 2006: http://wijvertrouwenstemcomputersniet.nl/English

And about a follow up campaign in India with some of the same people: https://indiaevm.org/

Also see some recent research done with the Estonian e-voting system: https://www.youtube.com/watch?v=JY_pHvhE4os

It entirely depends if it's using cryptography or not [1]. For example, using zero knowledge proofs you can be given a receipt that lets you verify your vote was included in the total (without allowing you to prove to an attacker which party you voted for).

Using the computers as glorified counters is a security nightmare. Using them for what they're good at (crypto) would be a security boon, with the main downside being how hard it would be for non-computer-scientists to understand the nature of the security.

1: https://www.youtube.com/watch?v=ZDnShu5V99s

I don't think the non-expert voters not understanding the security is that big of a concern. Assuming that the security is undisputed amongst experts, the media could convey this to the general population (absent some well supported opposition like climate science faces). At this point, the security points that need to be conveyed to the voters are relatively simple:

1) The receipt you are given may be used to confirm that your vote was correctly counted. Here is a list of websites/programs that you can use to verify your receipt.

2) It is impossible to use your receipt to prove to a third party how you voted.

If we could get major news sources (New York Times, CNN, Fox News, etc) to publish their own tools for (1), then I suspect that should give a fair amount of credibility for the general public.

The problem I see is that any technical system of plausible deniability I can think of, would require that a voter is able to forge a receipt that would correctly validate as the incorrect vote. Otherwise, if an attacker wanted to verify that Alice voted Democrat, he could assume she voted Republican and attempt to verify the receipt.

How could it prove to you that your vote was included in the correct total without also being able to transfer that knowledge to a third party that is right there with you?

Say A and B were the options. Anywhere you take the receipt to verify it has to then display if it counted towards A or towards B. Someone there with you could then see which it confirms.

Inside the voting booth you pick an identified ballot and are given a zero knowledge proof that it corresponds to the candidate you want. The fact that it's a zero knowledge proof prevents you from using it to convince other people.

The video I linked has a good example where you get 1000 envelopes all claiming to contain "Obama", so you open and verify 999 of them at random and use that as evidence that the one you didn't unseal is good. You can't then use that to convince a third party, because they didn't get to pick the envelope to not open. The video also addresses lots of other security issues; you should watch it.
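The envelope analogy in this comment (and the zero-knowledge receipt idea raised a few comments up) is a cut-and-choose argument, so here is an added worked example of it. This is constructed demo code, not the scheme from the linked video and not any commenter's code: it assumes hash commitments as the "sealed envelopes", a machine that may cheat by placing the wrong candidate in one envelope, a voter who picks which envelope to keep sealed only after all commitments exist, and a record that retains only the kept commitment.

```python
"""Cut-and-choose check of a committed ballot (constructed demo; it models
only the envelope analogy, not a full voting protocol)."""
import hashlib
import secrets

N_ENVELOPES = 1000  # the thread's "1000 envelopes"


def commit(candidate: str, nonce: bytes) -> str:
    """Hash commitment: binds the machine to `candidate` while hiding it
    until `nonce` is revealed (the sealed envelope)."""
    return hashlib.sha256(nonce + candidate.encode()).hexdigest()


def machine_prepare(claimed, actual=None, n=N_ENVELOPES):
    """Prepare n sealed envelopes that all claim to hold `claimed`.
    An honest machine passes actual=None. The assumed cheating machine
    slips `actual` into one envelope and hopes the voter keeps exactly
    that one sealed."""
    contents = [claimed] * n
    if actual is not None and actual != claimed:
        contents[secrets.randbelow(n)] = actual
    nonces = [secrets.token_bytes(16) for _ in range(n)]
    commitments = [commit(c, r) for c, r in zip(contents, nonces)]
    return contents, nonces, commitments


def voter_check(claimed, contents, nonces, commitments, keep):
    """Open every envelope except index `keep`: each must match its
    commitment and contain `claimed`. Only the kept one becomes the ballot."""
    for i, (c, r, h) in enumerate(zip(contents, nonces, commitments)):
        if i == keep:
            continue
        if c != claimed or commit(c, r) != h:
            return False
    return True


def booth_session(claimed, actual=None, n=N_ENVELOPES):
    """One in-booth exchange. The voter picks `keep` only after all
    commitments exist, so the machine cannot adapt to the choice.
    Returns (checks_passed, kept_commitment, kept_contents)."""
    contents, nonces, commitments = machine_prepare(claimed, actual, n)
    keep = secrets.randbelow(n)
    ok = voter_check(claimed, contents, nonces, commitments, keep)
    return ok, commitments[keep], contents[keep]


def cheat_success_rate(trials=200, n=100):
    """Fraction of sessions in which a one-bad-envelope cheat both passes
    the check and gets its wrong vote kept: about 1/n."""
    survived = 0
    for _ in range(trials):
        ok, _, kept = booth_session("A", actual="B", n=n)
        if ok and kept == "B":
            survived += 1
    return survived / trials


def forge_opened_envelopes(claimed, n=N_ENVELOPES):
    """Anyone can fabricate, after the fact, a set of opened envelopes that
    passes voter_check for any candidate. Because only the kept commitment
    is recorded, the opened ones prove nothing to a coercer who did not pick
    `keep` themselves: that is the non-transferability the comment describes."""
    contents, nonces, commitments = machine_prepare(claimed, None, n)
    return voter_check(claimed, contents, nonces, commitments, keep=0)
```

The two properties to take from it: a machine that cheats in one envelope survives an honest voter's check with probability roughly 1/n, and an opened-envelope transcript is worthless as evidence to anyone who did not choose `keep`, since `forge_opened_envelopes` produces one for any candidate.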

My concern would be in proving that the envelope you didn't open is the same one that made it into the final count. If you have no more connection with it after you leave the booth, you can not verify that the letter wasn't tampered with (and also no one can coerce you into showing who you voted for). Any way that lets you verify that the last envelope wasn't tampered with would also let some third party see who you voted for.

Anything the machine electronically presents you with can be modified on a compromised machine, while a physical printout that can be used later to verify will either be unable to prove that your vote wasn't switched (though it can prove that your vote was counted) or it will be able to prove you did vote for who you chose, the latter case meaning that a third party can then use this to know who you voted for.

You're attacking the parts of the analogy that don't apply to the actual cryptography. Best way to see how they get around the issue you're talking about is to watch the video.

At the very minimum, I would expect a voting machine to create two paper receipts after each vote: one provided to the voter and another stored internally. These would hopefully be on something more durable than thermal paper, though that might suffice. The receipt would contain the machine ID, timestamp and vote recorded.

Administrators could get a quick count from the machine memory, then perform a verification by pulling a sample of votes from the printed receipt and comparing them to the electronic values with the same timestamp. And any voter can compare their receipt with publicly-available voting records.

Of course, then you have to worry about exploits that can cause the machine to print votes on demand, because those would appear legitimate, especially if the voter's receipt printout can be suppressed - there'd be no incriminating receipt trail hanging out of an unattended machine.

You can't print out a person's vote on a receipt an admin could see; that's not a secret ballot. And, using that receipt, the voter can do little to verify his vote was counted.

Edit: the timestamp gives the voter away

No identifying info needs to be printed. Just a GUID. Use a dot matrix printer with triplicate ("biplicate"?), let the voter take their receipt, and keep the other one on the spool.

Yeah, there still might be some issue with external coercion on the voter to produce their receipt and prove they voted the way they were paid to. I suppose that could be solved by making the voter's copy an XOR of the audit tape, and by only having both copies together, can the vote be verified. Presumably the forces doing the coercion wouldn't have access to the audit tape. If they did, then we're already screwed no matter what system we implement.

Just a thought. Not sure if there's some fundamental contradiction between secrecy in voting and voter-auditability.
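The XOR idea in this comment is a two-share one-time pad, and it is worth seeing concretely what each share does and does not reveal. The following is an added, constructed example, not the commenter's design or any real machine's code; it assumes fixed-width candidate labels, a random receipt share generated per ballot, and an audit tape that is stored in shuffled order.

```python
"""XOR-split vote record (constructed demo). The voter's receipt and the
machine's audit entry are two one-time-pad shares: each alone is uniformly
random, together they reveal the vote."""
import random
import secrets

BALLOT_LEN = 16  # fixed width, so share length reveals nothing about the choice


def encode_vote(choice: str) -> bytes:
    """Pad the candidate label to a fixed width; reject labels that don't fit."""
    data = choice.encode()
    if len(data) > BALLOT_LEN:
        raise ValueError("candidate label too long for fixed-width ballot")
    return data.ljust(BALLOT_LEN, b"\0")


def split_vote(choice: str):
    """Return (voter_receipt, audit_entry). The receipt is a fresh random pad;
    the audit entry is the vote XOR that pad."""
    plain = encode_vote(choice)
    receipt = secrets.token_bytes(BALLOT_LEN)
    audit = bytes(p ^ r for p, r in zip(plain, receipt))
    return receipt, audit


def combine(receipt: bytes, audit: bytes) -> str:
    """Only someone holding both shares can recover the choice."""
    return bytes(a ^ r for a, r in zip(audit, receipt)).rstrip(b"\0").decode()


def explain_share(share: bytes, choice: str) -> bytes:
    """Given ONE share, compute the counterpart that would decode to `choice`.
    This works for every candidate, so a coercer who sees only the voter's
    receipt learns nothing, and the voter can claim any vote."""
    plain = encode_vote(choice)
    return bytes(p ^ s for p, s in zip(plain, share))


def seal_audit_tape(entries):
    """Store audit entries in random order so the tape cannot be lined up
    with the sign-in sheet by time or sequence."""
    tape = list(entries)
    random.SystemRandom().shuffle(tape)
    return tape
```

The caveat a practitioner should note: because neither share alone carries any information, the audit tape by itself cannot be recounted. A recount needs both halves of every ballot, so this split protects the voter's receipt from a coercer but does not replace a countable record such as a paper ballot.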

The machine may not print a log in order.

i.e. the attack scenario is a small town, where you record each person as they come in. Then later you can look at the vote in order and know who voted what.

> Presumably the forces doing the coercion wouldn't have access to the audit tape.

That is not a valid assumption. Your machine must be resistant even to that attack.

> If they did, then we're already screwed no matter what system we implement.

No. The audit must not be able to be correlated with the person, the order, or the time.

So basically the response to my last sentence:

> Not sure if there's some fundamental contradiction between secrecy in voting and voter-auditability.

Is, "yes, there is"? By "voter-auditability" I mean the ability for any single person to verify that their ballot was cast the same way they intended.

"zero knowledge proofs" is a textbook solved problem. Your local college library has books that explain how to do secure voting. It is how AWS and HTTPS works.

> biplicate

We just say 'duplicate'.

I..., uh, this is embarrassing. :)

Why not print out N copies of the receipt, where N = number of parties (usually 2 in the US, Republicans and Democrats). Then, each receipt is placed in a box dedicated to each party. Then, representatives from each party get a box, and count receipts. All counts should match (or be within a certain margin), right?

That might work in the US, but elsewhere it's not uncommon for 10+ parties to contest an election.

You give the voter a paper ballot that they can visually confirm and deposit, themselves, in a ballot box, that can then be consulted to verify the electronic tallies in the event of a challenge. Honestly though, as an Oregon resident, I don't see why all states don't have vote by mail like we do.

Or you could just use a pencil and a piece of paper.

We use this here in Australia and I think it's worth the $197m[0] each Federal election costs. In some State elections, the upper house ballot paper is 100cm wide,[1] and if someone numbers all the boxes, their preferential vote has to be tallied manually.

[0]http://www.aec.gov.au/Elections/australian_electoral_history... [1]http://www.northerndailyleader.com.au/story/2970592/upper-ho...

> Is this cynicism misplaced?

I'd call it caution rather than cynicism, and I'd say it's entirely justified.

Your cynicism can be easily mistaken for just being a Luddite, but it doesn't seem too off the mark.

I'm not suggesting we go back to voting with shards in a pot; I am just skeptical that voting machine have been/are secure from tampering. Seems like the kind of question that matters a lot.

so the real question is where is the startup with the solution of $35 tablet "voting machines" on $10 stands and a $30 SBC "voting server" in a $15 lockbox that can deliver 4 "deluxe voting terminals" with a "server" for $2,000? (89% profit)

The references of the current players in the industry I see talk upwards of $3,000 per terminal! The industry standard pricing for this would be $12,000. $12,000 for buggy, insecure, closed-source, non-updateable, unverifiable, crappity crap. Awesomes.

How about this ... a voter walks into the polling station and can either use a terminal or their own smart-phone - connect to the open wireless "voting hotspot" where they can enter in an anonymous token at something that we use as the "hot spot sign-in page" that they are given by the people who volunteer the polling station that they can use to cast their ballot without waiting in line.

It's not like secure voting is an open problem. There just needs to be some crotchety capitalist company with people in suits selling it. Open source, anonymous, verifiable voting machines on open hardware with an optional paper trail (cups + network printer). We can do this making comfortable profits and at at least a 60% savings to the tax payer.

The best part is that if the company goes out of business, everything is open source and documented, so we don't put communities at risk of the security issues with code rot.

So ... who wants to make some money? email me: kristopolous (at) gmail

How about this: A voter takes a paper ballot. The voter marks the ballot with a felt pen and deposits it in a bin. Polling place staff mark the voter's thumb with indelible ink.

Electronic voting is a problem looking for a problem. You need voter verifiable ballots with a high degree of tamper resistance. As far as trustworthiness goes it's hard to compete with ballot boxes and adversarial observers.

The attack on paper voting is not flipping votes, it is invalidating votes. In Chicago, election officers counting the votes used to hide a small piece of pencil lead under their fingernail. If there were too many Republican votes, they would start putting an extra mark on some of them, thus invalidating the vote because of stray marks.

I think the solution is to crowd-source verifying the vote. If every ballot were given a unique number or code, and when the ballot was counted each ballot with who it was counted for was available for download on the web, third parties could verify that the numbers were counted correctly. And each voter now has an anonymous number that he can use to look at how the vote was counted and verify that it was counted correctly. If it wasn't, he complains. The political parties would be happy to urge their loyal constituents to check that their vote was correctly counted and to sue should they have a sufficient number of members claim theirs was wrong.

In the UK the count is done under the supervision of:

* The candidates themselves

* Journalists

* TV cameras

* Party representatives

* Electoral officials

* Anybody else who has a good reason to be there

The volunteers doing the counting are not going to risk a long stretch in prison with such a high chance of being caught.

In NZ we use GIANT orange felt pens to mark our ballots, good luck hiding one anywhere.

I've heard that pencils are sometimes used to prevent an attacker from substituting pens at the polling booth, with modified pens containing disappearing ink, but that seems like a problem better controlled by using new, easily identifiable pens each election.

As for serialising the ballot-sheets, that enables a third party to check that a person they coerced into voting a certain way actually did as instructed, which undermines the value of a secret ballot.

Wouldn't this allow a bad actor to coerce a voter into disclosing their anonymous number and revealing how they voted?

That is the weakness.

It wouldn't just be that their vote would be revealed, though, it would be that then the bad actor could contest the vote, claiming that they were the voter and their vote was counted wrong.

But if people were in the habit of destroying their unique code immediately after the results are posted, then they at least have plausible deniability. "No, I burned that piece of paper yesterday. Can't remember what the numbers were."

If you can trace a vote to a person, through force or otherwise, then you can coerce said person to vote however you like.

"Vote for this guy or you're fired" type stuff

You are right. I failed to thoroughly think it through.

But I think I would rather have a system where you need to intimidate and coerce people en masse in order to change the vote than a system where you just need to coerce the handful of people who are responsible for counting the vote.

Exactly that. The argument you get against this is that you could say sell your vote and verify to a 3rd party you voted as asked. But frankly I think that is not nearly as bad as hidden vote tampering. Not even close.

Worse than selling votes is coercing votes. Being fired because you didn't vote the way the boss likes? Terrible. Verifying votes this way turns a secret ballot into an open ballot, with all the attendant problems.

Hidden vote tampering of the pencil-under-the-fingernail variety is a solved problem here in Australia. Each vote count is done by an employee of the electoral commission. They're watched by volunteer scrutineers (plural), provided by the major parties, with each scrutineer looking to maximise their own party's response and distrusting all other parties. You effectively have two opposing meatspace inspectors willing to challenge anything that looks shady.

Paper voting isn't perfect, but it's far, far better than any electronic voting system that the general public can use.

EDIT: to clarify, with any electronic medium, the only way to confirm that your vote was counted as cast is to cryptographically sign it in some way with a key that's under your control. Even us techies have problems doing that, and the general public could never be expected to do it, especially the socially disadvantaged members. Not even security conference attendees keep up to speed with their cryptographic signing, so how can we expect mere mortals to do it?

With paper votes, you confirm that your vote goes into the box as you've marked it. You can then opt to be a scrutineer and watch that box travel to the counting area, and confirm the votes are counted correctly. And has the benefit of having the record independently verified if required.

Any form of voting which has a "just trust us on this" stage is not good enough.

I think the best way would be to augment paper ballots with an on site machine vision system that permits votes to be reviewed by the voter and then prints a matrix code on the ballot for future auditing.

Modern paper voting involves thick black markers, OCR computers, and election monitors from both parties. The 1880s are long ago history.

Not in the UK it doesn't. All pencil and human counting here.

All paper and pencil in The Netherlands after some techies realized black box voting is a dangerous thing. http://wijvertrouwenstemcomputersniet.nl/English

Although some people really want to get the electronics back so it's an ongoing battle of educating people (even most hackers and others in the security industry that did not think a lot about voting in particular).

Not in Sweden. Here it involves paper, pencils and manual counting. Nothing which could not have been done in the 1880s and we still get a preliminary result a few hours after the elections close.

In the couple of jurisdictions where I've done most of my voting, the ballot box for the paper ballots has been an electronic tabulator.

I don't see much downside to this sort of system, there is a paper ballot for any checks that are needed or desired, and the vote tally is readily available when the election ends.

I don't see how your proposal can prevent double voting. Voting happens over a period of several days not to mention absentee voting.

Plus, it seems to me the process is not particularly tamper resistant during the ballot tallying phase, when compared with what is possible using cryptographic techniques.

Paper voting works in Australia. You don't even need your ID (edit: and by "don't need", I mean "they aren't allowed to ask for it") - you rock up at a polling station in your electorate, give your name, they mark it off on a sheet. You give verbal confirmation that you haven't already voted. They give you a voting paper, you fill it in at a booth, then drop it in the box on the way out.

(If you're so inclined, you can also just get your name marked off and walk out if you want to donkey vote, which is the equivalent to a protest/blank vote. Or draw penises on the voting paper).

If you don't vote, you get a nice letter in a few months from the Australian Electoral Commission with a fine of about $100 or so for not voting. Voting is also on a Saturday so most have the day off, and there are early polling stations open for a while prior to the day so if you can't make it on the day you can do it then.

There is also online voting. At least in the most recent NSW state election there was. I was overseas during the election and attempted to vote via this method. Unfortunately my hotel's WIFI kept timing out and I gave up in frustration. I returned to Australia and there was a $57 fine waiting for me for failing to vote.

I think our voting system is good but it has flaws. I recall reading an article a few years ago about somebody who showed up to vote (i.e. got his name marked off) at multiple polling stations on election day just because he could. He received a fine for doing it but all of his votes were counted.

Edit - googled it apparently you can be charged with fraud for multiple voting or for voting under a false name (up to six months prison - so slightly more than a slap on the wrist and a fine).

Hmm I wasn't aware that anywhere in Aus was doing online voting! My only experiences have been either Federal elections or Victoria State Elections, which both follow pretty much the same process.

Yes Australia has quite a good system - we just need to get preferential voting above the line for the upper houses. At the last state election I had to number all the candidates from 1 to 410 if I didn't want to give my vote to the faceless back room political operators.

I should mention that a donkey vote is not equivalent to a blank vote. A donkey vote is when you number the candidates from 1 to x from top to bottom. You actually give your vote to whoever happens to be at the top.

Qld state election required ID. Each voter was sent a registration slip and they had to provide it at the ballot box.

The loss of the senate ballots and subsequent post-election re-run of the entire state - which had a different outcome - was a massive failure of Australian electoral process.

How would one go about tampering when, as is traditional, representatives from all parties are in the room when the votes are counted?

I appreciate the consumer advocacy, but if the machines are going to exist (and they are), they should be done well.

Cost of customer acquisition. States have to be bagged one-by-one, each with an insanely long sales cycle, your profits have to cover those nice salespeople's salaries, while leaving you with sufficient profit to cashflow expansion. This is not a dev problem; the sort of orgs which are prepared, and can cashflow these sort of sales simply don't have (nor are they incentivized to have) any dev culture whatsoever.

First, that margins are pretty standard on accounting for sales and overhead.

but even if they aren't enough here then you sell the machines to those people to flip them to the states at a higher cost. Don't be in THAT sales game. Otherwise, sure, you can add 30% to the cost ... it's not going to be another 600% just to sell the thing.

And even if it was, I'm sure I can personally, in my spare time, produce a far better product than the one outlined in the article.

>where they can enter in an anonymous token that they are given by the people who work the station

That doesn't seem very anonymous. In fact, it seems like a possible way of deanonymizing votes, since in many places you have to sign a ledger or provide identification before voting.

Well, it could happen like this:

- Walk in, present some form of ID

- You sign the slip or give a thumbprint so they record that you've voted

- Random token is generated and given to you

- You enter the token in order to vote

- You keep the token as one way to verify your vote was cast

It'd be hard to match the voter to the token if they don't write down the token and associate it with your name.

That might work, as long as no one (including the voting machine) was recording the time you arrived or the time you voted.

Storing the timestamps is a design decision which can be intentionally omitted.

There is also no law of computing which states that the ordinal of the voting record is determined by the chronology of the votes. That is to say that you don't have to keep things ordered by time - or at all; it's not like an 8AM vote should be treated different than a 5PM one.

Well, couldn't _only_ the voting machine record the time the token was used as long as the token is random? (They could just generate N tokens -- one for each registered voter -- and pull one from the pool each time.)

If they recorded the time you took your token and the time the token was used then they'd have a small enough pool of people to work with. I know in my state if a precinct has a small enough pool of registered voters it doesn't show the vote totals from the precinct because of privacy issues.

You don't have to couple the two.

You don't have to, but unless it's illegal, they'll tend to be coupled just for the sake of convenience.
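As an added example (not from the thread), a small Python simulation of the token scheme above using constructed check-in and ballot data: it shows how retained timestamps let the poll-worker ledger and the machine's record be joined back to individual voters, and that dropping timestamps and shuffling the record leaves nothing to join on. The names, times and the two-minute window are assumptions.

```python
import random

# Constructed sample data: the poll-worker ledger of check-ins as
# (name, minute since polls opened). It never stores the token.
CHECKIN_LOG = [("Alice", 1), ("Bob", 4), ("Carol", 9), ("Dave", 10), ("Erin", 15)]

# Constructed ground truth: who voted for what, and when the token was used.
# Only the machine sees these; the simulation uses them to build its record.
VOTES = [("Alice", "A", 2), ("Bob", "B", 5), ("Carol", "A", 11),
         ("Dave", "B", 12), ("Erin", "A", 16)]


def make_ballots(votes, keep_timestamps, seed=0):
    """Build the machine's ballot record from the constructed votes.

    Tokens are random and are never written next to a name, as in the
    thread's scheme. With keep_timestamps=False the record is also shuffled,
    so its ordering does not leak chronology either (the point made above).
    """
    rng = random.Random(seed)
    ballots = []
    for _name, choice, used_at in votes:
        token = "%016x" % rng.getrandbits(64)
        if keep_timestamps:
            ballots.append((token, choice, used_at))
        else:
            ballots.append((token, choice))
    if not keep_timestamps:
        rng.shuffle(ballots)
    return ballots


def link_votes(checkin_log, ballots, window=2):
    """Attempt to attribute each ballot to a voter using only the two logs.

    Returns {token: (choice, set_of_candidate_names)}. A set of size 1 is a
    full deanonymisation; a larger set is the "small enough pool" the thread
    warns about. Without timestamps there is no join key, so every set is
    empty.
    """
    links = {}
    for rec in ballots:
        token, choice = rec[0], rec[1]
        if len(rec) < 3:
            links[token] = (choice, set())
            continue
        used_at = rec[2]
        names = {name for name, t in checkin_log if 0 < used_at - t <= window}
        links[token] = (choice, names)
    return links


def deanonymised_fraction(checkin_log, ballots, window=2):
    """Fraction of ballots that the join pins to exactly one voter."""
    links = link_votes(checkin_log, ballots, window)
    unique = sum(1 for _choice, names in links.values() if len(names) == 1)
    return unique / len(ballots)
```

With the constructed data, keeping timestamps pins four of five ballots to a single named voter and narrows the fifth to two people; the timestamp-free, shuffled record pins none.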

Please do better than these folks who just won a bid for elections in Los Angeles, and previously held elections in South Dakota, New Jersey, Chicago, IL, Cook County, IL, Denver, CO, Oregon, New South Wales, El Paso, CO, Utah, West Virginia, Honolulu, HI, Franklin County, WA, Swindon Borough, UK: http://www.everyonecounts.com

  so the real question is where is the startup with the
  solution of $35 tablet "voting machines" on $10 stands and 
  a $30 SBC "voting server" in a $15 lockbox that can deliver 
  4 "deluxe voting terminals" with a "server" for $2,000? 
They appear to be using an iPad with their "SaaS voting app": http://www.everyonecounts.com/voting-unit/

I don't understand this race to the iPad ... the LAUSD (Los Angeles School District) had this bizarre iPad for every student program (http://www.scpr.org/news/2015/04/24/51241/lausd-developing-n...).

I say it's bizarre because I know you can get tablets in bulk for $30-$35 each while the lowest price iPad is $400.

After getting past "why does every student need a tablet computer" we get to "why from a single vendor with prices that are 1,333% higher than the cheapest competition?"

I'm not saying the Apple product isn't nice - it's just I don't see why so many tax dollars should be spent when there's other options.

Going back to the voting machine ... we'd not really care about some wonderful durability of the cheap tablet because the owner would only be using it a few days a year at the most; in ideal conditions, without moving it; the thing will survive fine.

> After getting past "why does every student need a tablet computer"

Speak for yourself. I'd rather people didn't get past that quite so easily.

There's a school here in Dublin where the kids were starting to get back trouble from the weight of all the books they had to lug around, so they gave them all iPads and books in digital format instead, which solved the problem; that's certainly a legitimate need.

The idea is to give less affluent students the same access to the "digital divide" as the more affluent ones. I think it's a valid concern ... but this is not a valid solution to the problem.

The cost of a single paper textbook averages anywhere from $150-$400.

Will a $30 voting machine be accessible by those with vision/motor disabilities?

Nope. You can have a special machine for them - just like you have a special porta-potty --- no need to increase the cost of every unit for that.

An accessible system would not increase costs. In fact, it could be more expensive because you'd have to spend a good amount of time testing both the regular voting system, and the accessible voting system. If your voting system requires a separate machine for simple disabilities like vision impairment, you've already given more of a potential of discounting an already marginalized portion of the population.

Thankfully, the guidelines to ensure things are accessible are fairly easy to find, and easy to implement as long as you keep accessibility as a requirement, and not a suggested feature. For example, the National Federation of the Blind has a list of features that cover the spectrum of visual impairment on their website for free [1]. Groups for people with other disabilities, like motor impairment, also have guidelines which aren't that difficult to follow. Smart phones with touch screens and the like are used by people with visual and motor disabilities too, so this isn't uncharted territory, it's just a matter of asking.

[1] https://nfb.org/purchasing-voting-machine

An interesting documentary is "Hacking Democracy" (2006) [0] that championed open voting machines and open election processes to help prevent election fraud. The documented fraud that occurred in the early 2000's really lifted some of my childhood innocence from my teenage brain.

When mistakes that happen are chalked up to "computer glitches", but it only takes such a few bugs in a few key locations to change the outcome of an election, the results can be game-changing.

The full documentary was pretty concerning, and I have carried very little faith in the voting process since.

[0] https://www.youtube.com/watch?v=5Qk95SVRdEo (Last minute contains the section where the grandmother "steals" proprietary Diebold Election Systems code off an open webpage)

[1] https://en.wikipedia.org/wiki/Hacking_Democracy

Why does America have a love affair with voting machines? What is wrong with paper and pencil?

The only reason I can think of is that the "paper+pencil+sealed cardboard box" solution isn't good at giving lucrative contracts to buddies of election officials. The "speed of counting" argument does not hold: in Canada we get the final results of elections just a few hours after the closing of the vote. Tallying is all manual, and the counting of each box is done under the supervision of members of antagonistic parties.

Because it is easy to see how in a single case a paper and pencil vote can be cheated. Switching votes, a bad counter, throwing away some votes from the guy you don't like... all of these are easy to imagine. In comparison, the types of attacks needed to take out a voting machine seem much more complicated. And so many people seem to assume that this means that voting machines are more secure.

In my own experience, most people who view it this way don't consider scaling. While pen and paper is an easier attack for a single voting station, it is far more difficult to scale. Every voting place brought in on the scheme has more people who could be caught or decide to go public, and that is assuming you are able to get in contact with those people in time to ensure they are able to intercept the voting. With voting machines, one good exploit, especially for wifi enabled machines, can easily infect larger numbers.

As to why other countries don't have people viewing it this same way... I don't think it is because they have better ability to consider scaling attempts to exploit a system.

Paper and pencil aren't a perfect solution either. This page shows a few examples of where things have gone wrong.


In the case of the Florida Presidential vote, they ran into the problem of "hanging chads" where parts of the page that were intended to be fully punched-out so a machine could detect the vote were still attached to the page, leading to further scrutiny over deciphering the true intent of the voter's ballot.

That was not a pencil but still a lot of technology/mechanics. But you're right, paper and pencil are not perfect, just the most secure we can practically achieve these days and probably for the upcoming decade. See this video of J. Alex Halderman on e-voting in Estonia and about electronic voting in general [0]. (Halderman is a professor also known from the cold boot attack and the more recent vulnerabilities in a lot of Diffie-Hellman implementations).


The chads were due to yet more voting machines, not pencil and paper.

I kind of feel like "worst voting machine in the US" is a meaningless standard without knowing how much better the "best" such machine is. Or, to restate, are there any of these electronic voting machines that aren't crap?

Without giving details, the author says Diebold machines are 100 times more secure.

No. Pencil and paper will always work better

I feel the need to share this video again:


This is unbelievable. How did they even get certified in the first place? What standards are there for voting machines in the US?

A couple of years ago, a Dutch group of hackers (led by Rop Gonggrijp) argued very strongly against the use of any kind of voting machine. Not because they're so easily hacked (I assume the Dutch voting machines were fairly secure), but simply because they're a black box and you simply have to trust that whatever comes out is correct, and there's no paper trail you can verify to check whether it actually is correct. If they've been tampered with, you most likely don't know, and even if you do know, there's no way to correct it.

The Netherlands has very specific voting laws to ensure that elections are reliable and verifiable, and when voting computers were introduced, an exemption was added to the law because voting computers couldn't possibly meet those rules.

The hackers successfully argued their case, so we're back to voting with pencils again. Cumbersome, but we know (and can verify) that it works.

It would be fascinating to see if there is a correlation between potential signal strength of an external attacker, and votes for a particular candidate. This seems like the only good way to see at this point if there was any tampering by a (somewhat limited) adversary. While this would only work to detect external wifi based attacks, those seem like the most likely.

Perhaps a "simple" first pass could be done by looking at building type (concrete vs. wood?) via aerial maps, and correlating that to local polling data. If anyone does do an analysis like this, I'd love to see the results!

Voting machines should be called voting computers. That is what they are, they "compute" a vote-count (with all problems and fallacies that word implies).

I'd say that for most people if you aren't hacked, or had your identity stolen, it's because no one has tried.

$50 Android tablets with USB tethered networking and WiFi physically removed (take out the antenna). The software solution has been described ad nauseam both in this thread and elsewhere. This would be at least as secure as the current state of affairs and you could actually get this up and running quickly.

Why do you need voting machines, when everyone has a smartphone, tablet or computer? http://estonia.eu/about-estonia/economy-a-it/e-voting.html

Estonia's Internet voting is worse, because it uses cryptography, so people assume it is safer.

See this video from last December at the CCC in Berlin, where a famous research professor presents his findings: https://www.youtube.com/watch?v=JY_pHvhE4os

They filmed the whole NOC because they wanted to be transparent, but then it became clear there were passwords stuck on paper on the wall :) Never forget or undermine operational security.

I'd read their report and about their work before, but hadn't seen the CCC talk, thanks for that! The way they presented the OpSec violations at CCC made things funnier :)

"If an election was held using the AVS WinVote, and it wasn’t hacked, it was only because no one tried."


It's going to be interesting to see who suddenly gets voted out, as soon as these are replaced.

Most voters aren't relevant anymore.

Princeton confirmed it in a study earlier this year. It's neatly summed up here: https://www.youtube.com/watch?v=5tu32CCA_Ig

I'm curious, what security measures are in place for human vote counters?

Humans are harder to compromise at scale. A single exploit can be replicated against hundreds of thousands of machines without heightening the risk of discovery by that much. Compromising hundreds of thousands of human vote counters without getting exposed due to a mistake is harder... although not impossible (it's in fact standard practice in plenty of countries)

One member from each party, minimum of two, involved in the count.

That's pretty much how they do it here in Canada. One member from each party plus an Elections Canada official. The ballot box is sealed in front of at least two voters, who determine that it is empty before sealing and then sign the seals. (I know this because I was so early to vote the last election I had to wait for another voter to show up).

I can only talk about Germany. Election helpers are sourced from the population of the community where the vote is held (you can be compelled to do it if there are not enough volunteers). At least two election helpers have to be with the urn at any time. Anybody is permitted to stay in the room from the moment it's checked that the ballot box is empty until the vote result is announced. The vote itself is made in a way that loudly announces each individual count.

Afterwards the result from every polling station is posted online. So if you want, you can make sure your vote is accounted for.

Now, I've been an election helper since 2009, and I've never seen anybody stick around for the vote. It's mainly the election helpers keeping each other in check.

Last time with the European Parliament elections in the Netherlands, there was a small uproar because the elections were held on Thursday (all other elections here are held on Wednesday), but the results could not be announced until Saturday or Sunday because most other European countries held their elections then. However, keeping the final result undercover for a few days is actually against Dutch election rules.

So, a critical web site organized a nationwide system where people could sign up for their polling station, to stay around during the counting and then report the results back to the web site. They got about 70% coverage I think; in the large cities it was near 100%. It was quite interesting. It was a close vote, and their result was slightly off, but close.

I am considering alternating each election between being an official election helper and an unofficial self-appointed monitor.

The European Elections provide some interesting challenges, my favorite being people who, apparently unaware that it's illegal, vote twice: http://www.reuters.com/article/2014/05/26/us-eu-election-ger...

Depends on the country; here in Denmark members of different parties are counting the votes. So they have every reason to keep an eye on the person next to them, who is from a different party. Also the votes are recounted by multiple different people.

Is this really America you are talking about? O.o
