There are plenty of sound arguments for electronic voting. The perfect system would be way more trustworthy than backroom hand counting by party insiders where the only metric to try to avoid corruption is to have two parties counting at the same time.
Just black box stand alone machines that are networked together with no outside scrutiny while popping out a magical final number is completely unreasonable.
> The perfect system would be way more trustworthy than backroom hand counting by party insiders where the only metric to try to avoid corruption is to have two parties counting at the same time.
I studied cryptography, and it's hard for me to imagine a cryptographic proof I'd trust more than that system; it's almost impossible for me to imagine an implementation that I'd trust as much.
Most people have never studied cryptography, and will never trust a cryptographic proof at all.
You don't need crypto. You just need a machine that prints out a human readable receipt that the voter can see but not alter, which then drops into a secure holding area on the machine.
At the end of the day, you randomly select say 1% of all the machines and hand count all the ballots inside, making sure the counts and votes match. If they do, then you can be reasonably sure it wasn't tampered with, and if they don't match, then you can hand count all the paper ballots using the old system to verify the computer.
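The spot-check audit proposed above, as an added illustration that is not code from any commenter: the hypergeometric detection probability of sampling a fixed share of machines, the sample size needed for a chosen confidence, and a hand-count comparison run over constructed machine records (the audit rules and the data are assumptions, not a description of any real procedure).

```python
"""Random hand-count audit of voting machines that keep paper receipts."""
import math
import random
from collections import Counter
from math import comb

CANDIDATES = ("A", "B", "C")  # constructed ballot choices


def detection_probability(total_machines: int, tampered: int, sampled: int) -> float:
    """Chance that a uniformly random sample of `sampled` machines (drawn
    without replacement) contains at least one of `tampered` altered machines.
    Before settling on "1%" this is the number to look at: with 10 of 1000
    machines altered, a 10-machine sample catches one only ~9.6% of the time."""
    if not 0 <= tampered <= total_machines or not 0 <= sampled <= total_machines:
        raise ValueError("tampered and sampled must lie within total_machines")
    clean = total_machines - tampered
    # P(no altered machine in sample) = C(clean, n) / C(total, n); comb() is 0 when n > clean
    return 1.0 - comb(clean, sampled) / comb(total_machines, sampled)


def sample_size_for(total_machines: int, tampered: int, target: float) -> int:
    """Smallest sample that detects at least one of `tampered` altered
    machines with probability >= target (brute force over sample sizes)."""
    for n in range(1, total_machines + 1):
        if detection_probability(total_machines, tampered, n) >= target:
            return n
    return total_machines


def hand_count(paper_ballots) -> Counter:
    """Tally the paper receipts held in one machine's sealed bin."""
    return Counter(paper_ballots)


def audit(machines: dict, fraction: float, rng: random.Random) -> list:
    """Pick ceil(fraction * N) machines at random, hand count their receipts
    and return the ids whose electronic tally disagrees with the paper.
    `machines` maps id -> (electronic_tally: dict, paper_ballots: list)."""
    ids = sorted(machines)
    n = max(1, math.ceil(fraction * len(ids)))
    mismatched = []
    for mid in rng.sample(ids, n):
        electronic, paper = machines[mid]
        if Counter(electronic) != hand_count(paper):
            mismatched.append(mid)
    return sorted(mismatched)


def build_sample_machines() -> dict:
    """Constructed data: 20 machines with ~400 receipts each. Machine M07's
    electronic tally has 5 votes moved from B to A that its paper does not
    support, the kind of discrepancy the spot check is meant to surface."""
    rng = random.Random(1)
    machines = {}
    for i in range(20):
        paper = [rng.choice(CANDIDATES) for _ in range(400)]
        machines[f"M{i:02d}"] = (dict(Counter(paper)), paper)
    tally, _ = machines["M07"]
    tally["A"] += 5
    tally["B"] -= 5
    return machines


if __name__ == "__main__":
    print("P(detect 10 altered of 1000, sample 10):", detection_probability(1000, 10, 10))
    print("sample size for 95% with 10 altered:", sample_size_for(1000, 10, 0.95))
    print("mismatches at 5% sample:", audit(build_sample_machines(), 0.05, random.Random(0)))
    print("mismatches at 100% sample:", audit(build_sample_machines(), 1.0, random.Random(0)))
```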
> At the end of the day, you randomly select say 1% of all the machines and hand count all the ballots inside, making sure the counts and votes match. If they do, then you can be reasonably sure it wasn't tampered with, and if they don't match, then you can hand count all the paper ballots using the old system to verify the computer.
If you're working on the assumption that there's a possibility that the machines may have been tampered with, does it not stand to follow that the procedures for redress may also have been?
Not really. We all know it's easy to tamper with an electronic system, which is why we don't trust them.
It's a lot harder to tamper with a paper and pen system where many people are involved. Too many people to rat you out, too many people to have to all do the right thing at the right time, etc.
"...it's almost impossible for me to imagine an implementation that I'd trust as much."
Further, who would provide that implementation? A vendor.
Our election administration is increasingly outsourced (privatized). Using crypto would be the final nail in the coffin of public, citizen administered elections.
I studied a few of the crypto voting systems a while back. TLDR: For real world elections, they leak information. Meaning they don't protect the secret ballot.
Each system I studied relies on a hash collision to hide your ballot in the herd of ballots. Alas, our precincts are too small and our ballots too complex (too many choices, meaning too many combinations, meaning too much information) so the trick doesn't work.
Heck, it often doesn't now with mail ballot processing.
For comparison, when using paper ballots, dropping the ballot into the ballot box is the secure one-way hash that separates you from your ballot. Because it's physical, poll-site-based voting can also ensure the chain of custody, which is also not possible with electronic voting or tabulating.
Who builds the boxes? Who sets up and configures them? How are the parts sourced? What software do they run? Who has physical access to the machines while they are running?
Given active malevolent actors and the stakes at hand, the "perfect system" sounds very difficult indeed. Just take a look at how much Google's search algorithm is gamed/tweaked to see the arms race involved.
Give me pen&paper, and a transparent, well understood process over some unicorn-rainbow perfect system.
> backroom hand counting by party insiders where the only metric to try to avoid corruption is to have two parties counting at the same time.
The reason this builds trust is that it is adversarial. Each party has huge incentive to find fraud or mistakes by the other. If they both agree that a result is valid, we can trust it's valid, because neither side gains anything by lying about that.
This is the same reason our system of criminal justice is adversarial.
A computer cannot replicate that, no matter how good the code. And it seems impossible to build a computer system that is completely trusted; for one thing the halting problem seems to imply that we can never fully predict all outputs of a given piece of code; for another:
Here in Canada we still use paper ballots and put them in a cardboard box. The polls close at 9:00 PM and we usually have the projected results by 10:30.
I must admit however that the voting system is much simpler than in the US, we check one single circle.
We (the USA) could do that too. Simply separate our complicated ballot into federal, state, county, and local portions. Could be perforated and torn apart.
Counting the presidential race per precinct (~400 ballots) is trivial. Manual counting using sort and stack.
The other ballots (races and issues) can be done at leisure.
Texas is bigger than California by area, but Alaska is bigger than either by area. So a well informed reader would look at the statement: "You're the biggest state in the country" and make the correct assumption that the speaker was talking about population and not area.
MS Access database, password 'shoup' (company that made the machine)
The machine I used was a Hart eSlate with comic sans fonts, microsoft clipart graphics, and exposed ports. What happens when I plug in a rubber ducky that presses shift 5 times?
If you Google the secretary of state election results sites (where everyone scrapes the information from), you see html tables straight out of the 90s, and some of the servers run Windows Server 2003. https://www.google.com/search?q=secretary+of+state+election+...
And the unacknowledged problem is, we don't really know if it's already happened.
To quote from the article: 'Electronic voting machines can be hacked, and those machines that do not include a paper ballot that can verify each voter's choice can be hacked undetectably. Voting rolls are also vulnerable; they are all computerized databases whose entries can be deleted or changed.'
It doesn't need visible chaos or detection on voting day.
Also, even the machines that generate paper trails are never actually recounted unless there's a problem. If you don't test your restore procedure then the value of a backup is effectively zero.
A lot of the paper trails aren't necessarily even in machine-readable form. We are drastically unprepared for a large-scale recount (anything more than a county is going to take weeks+).
Also, the backup is effectively the checksum here too - unless you actually look for an error, how would you ever know if one occurred? We need x% of counties to be randomly recounted from the paper trail to validate the tabulations.
"...we don't really know if it's already happened."
What measure of proof do you require?
Voter Action proved in a court of law that Kerry won New Mexico. No votes cast on Spanish language were recorded. Hacking? Bad code? Bad set up? Either way, what's the difference? Regardless of intent, outcome is the same.
Voter Action chose NM because its electoral votes wouldn't change the outcome (less controversy) and they had ample evidence.
This is not a unique story. In fact, it's depressingly common.
My thoughts exactly. A successful hack job or covert operation is one that you don't hear about. Non-detection is one of the goals and one of the criteria for defining success. So the ones that are found out, should be assumed to be the low end of the competency/success scale.
Edit: Sort of a form of survivorship bias going on. The ones that "survive" (i.e. get found out) can't be used to draw conclusions about the others.
The FEC should be in charge of the entire voting process. What is worse: a custom designed U.S. government voting machine for all federal elections made by the FEC, or tens of different companies, selling their closed source machines to state governments for profit.
I see issues in both systems, and in fact I'll take the current set up because my proposal requires me trusting the government more than I do now.
"What is worse: a custom designed U.S. government voting machine for all federal elections made by the FEC, or tens of different companies, selling their closed source machines to state governments for profit."
Um, I see what you're getting at, but the government would definitely create a monoculture and may create a single point of failure. The choice is less obvious than you may think, based on your phrasing.
To which I'd say the solution is less about getting the FEC to do it, and more about the process. This needs to be an open and very public affair. It doesn't help us to have the FEC do it if they do it behind closed doors and create a closed-source computer-based system that requires all voting machines to be hooked over insecure networks to a central closed-source insecure server or something.
> It doesn't help us to have the FEC do it if they do it behind closed doors and create a closed-source computer-based system that requires all voting machines to be hooked over insecure networks to a central closed-source insecure server or something.
I did say the FEC isn't a good option now and I didn't really want to enumerate all my reasons, but you are covering a good number of them.
Part of the problem is voting is run at the local level. I'm not sure the federal government even has the authority to tell states and counties that they must use a particular voting machine.
So you make it so the states and counties and cities and voting districts that want to use a different process for their elections don't have to use the federal machines for anything but federal votes, but you still allow the federal machines to be used for down-ballot processes.
You're still assuming that the federal government has the authority to dictate the voting process used for federal elections. IANAL and I don't actually know what the legality here is, but my assumption is the federal government doesn't have that authority, given that if it did, it probably would have exercised it by now.
The incumbent government is somehow more of a threat of hacking the elections than the private corporations now?
I can understand your opposition to the government as is, it's a closed off and opaque system with little interest in citizen affairs. How about you come up with some ways that we can make the government better and suggest those instead of just stopping the conversation with a big flat "no"?
There are ways of providing receipts that prove you voted and can be used to prove your vote was included in the final tally without revealing (by choice or otherwise) who you voted for. See Punchscan[0] or Scantegrity[1] for examples.
Pretty interesting stuff from a comp sci point of view.
It's interesting thinking about the threat models of the way the U.S. is designed.
For example, when I voted in MA I didn't have to show ID or anything, just said my name and confirmed my address; I think the idea here is we're protecting from disenfranchising citizens who don't have IDs?
And there's no national ID because I think the founders didn't want there to be a single record of all citizens at the federal level? Or was it just a logistical reason? I know that was part of the reason the SSN system is so brittle and crappy - there was great pushback against a national database, but it still ended up as one, kind of, but it's a shitty one because it wasn't designed for it.
Another example is you don't really have a way to verify your vote was counted / tallied. Imagine if when you voted you got a UUID, and all votes were made public and searchable at the end of the election: UUID, Voting District, Vote.
This system would let everyone verify that their vote was counted and correct, and statistics could be done per voting district to try to make sure no extra votes were included. However, it's susceptible to vote-buying, which is a major part of the current election system's threat model.
But is that really still a concern? I feel like catching and prosecuting vote buying in my scenario is a lot easier than identifying large-scale vote fraud, hacking, or errors, in the current scenario. Or maybe there's a solution that fixes both?
There are known methods of vote verification and auditing that prevent the actual vote from being disclosed, voluntarily or otherwise. See Punchscan or Scantegrity for examples.
Pretty interesting stuff from a comp sci point of view.
> However, it's susceptible to vote-buying, which is a major part of the current election system's threat model.
Hmm, there is extensive evidence of suppression of thousands of votes, but no evidence of large-scale vote buying in recent years. I think the impracticality of pulling it off at a scale that can influence results without getting caught is prohibitive. Manipulation of who is allowed into the ballot box, when, and where is the main threat model you should be worried about.
> However, it's susceptible to vote-buying, which is a major part of the current election system's threat model.
This isn't the only issue with making votes public. There's an issue of political discrimination as well. For instance, a Hillary supporter could be found and attacked, or an employer could fire all of his employees for voting for Trump.
Hacking individual voting machines is possible but not on scale one at a time. Far more likely is hacking at the place where the votes go later, in the end they are just a few numbers. As Stalin said, it doesn't matter who votes, it matters who counts the votes.
People are spending 10's of $ per vote in some areas, flipping a few per machine would easily be worth it. Just the presidential race can spend up to $40 per vote, add in senators and local officials and votes are worth quite a bit.
Remember some polling places have 10,000+ votes. If you change 500 votes that's both hard to detect and frankly likely to tip many local elections. Now, different people doing this to a few different locations and well it adds up.
Not all voting systems are easy to compromise or standardized across states. Simply crashing the machines to create long lines in some areas is enough to tip a close election.
I wonder what the odds are that the voting machines are hacked vs. abuse of absentee ballots? It seems to me that any solution that requires a person to physically appear at scattered polling places and tamper with hundreds of machines in a single day is probably not a huge problem.
If you can mass mail fake ballots to the registrar then that could be more of a problem. I would presume that most absentee ballot systems have some sort of check that they're not receiving a ballot back from someone who did not request one, but I also know that this sort of thing could fall through the cracks if there aren't proper safeguards in place.
At least in Washington there is a 1:1 mapping between your registered address and the envelope you send your ballot in (I don't believe it's to the ballot itself but I could be wrong). Once you send in your ballot you can verify on the county voting site that your ballot has been counted. I'm guessing this is the main way they check that fraudulent ballots aren't being submitted as you would then have > 1:1 mapping in many cases.
And that's the problem with US elections - I would love to see a public showing (instead of the incessant back and forth) after the election of a good old review/audit of the election process.
Even if it's only a few who participate/watch, knowing the process is audited would make me a lot more invested in it.
American election(s) have been hacked. This may or may not have changed the outcomes, but looking at various machines that were used at various times the odds that nobody hacked any of them, ever, is very low.
If it's not (and I think it isn't) the code used in the voting machines needs to be open source and publicly available in a government repo. That would be a start. There's still the issue of ensuring that that code is the code that is running on the actual machines, and that the compiler used to compile that code hasn't been compromised, and that the source for the compiler is available and on and on....
I'm not a security expert, but what would be a good way to publicly verify all this?
I'm not a security expert either, but my very first thought was that if we've successfully maintained a public ledger of financial transactions (blockchain via bitcoin), then that technology seems useful for large scale voting which is nothing more than another series of transactions.
Maybe someone more educated about blockchain could illustrate some of the pros/cons about using it in this manner?
There's no reason to use the blockchain for this. There are existing methods that allow people to be able to confirm their vote is included in the final tally without revealing (by choice or otherwise) what their vote is.
An immediate huge problem is the fact that the blockchain works because the signer can prove their ability to sign, but voting is supposed to be anonymous. If every vote was a transaction then every vote would be public knowledge, but anonymity of voting is one of the cornerstones of our voting process.
It's actually much much worse than that. Votes not only have to be anonymous but not verifiable by the voter (i.e. they should have no way to prove who they voted for after their ballot is submitted). You don't want to live in a world where rioters could target anyone who couldn't prove they voted for their candidate or domestic violence for the same reason. Also, if votes are verifiable then it becomes easy for a person to buy votes or for companies to offer 'incentives' to vote for a particular candidate.
Probably solvable. Here's one solution that would only require registration of write-ins (which many states already do).
Issue everyone a secret key (the digital equivalent of a ballot). They publish hash($key, $name). There are only N values for $name so that can be solved in O(N) time, but without knowledge of $key you couldn't determine whom someone voted for. For the sake of the user you could even pre-compute the hash values so it literally becomes "publish this string to vote for X".
You could authenticate the user by having them give their pubkey at their secretary of state. The pubkey signs the hash like a standard blockchain transaction.
Here's the problem. Anyone who has $key could determine who they voted for. Not only would the average person not know how to sufficiently protect this key but it makes votes trivially verifiable by the voter which is equally as bad.
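The hash($key, $name) scheme sketched two comments up and the objection just made to it, as an added Python illustration that is not code from any commenter. Assumptions: HMAC-SHA256 stands in for the unspecified hash, the candidate list is the public write-in register, and a polling place rather than the voter holds each key; names and keys are constructed sample data.

```python
"""Vote commitments of the form hash(key, name): what the key lets you do."""
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Optional

CANDIDATES = ("Alice", "Bob", "Carol", "Dave")  # constructed write-in register


def commit(key: bytes, name: str) -> str:
    """Publishable commitment to one vote: HMAC-SHA256(key, name), hex encoded.
    A keyed hash is used instead of sha256(key + name) so the key/name boundary
    is unambiguous and SHA-256 length extension does not apply."""
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()


def open_with_key(commitment: str, key: bytes, candidates) -> Optional[str]:
    """Recover the vote behind a commitment given its key by trying the N
    registered names (the O(N) step the proposal mentions). This is what makes
    the scheme voter-verifiable and, by the same token, what turns the key into
    a receipt a coercer or vote buyer can demand. Returns None if the key does
    not open the commitment."""
    for name in candidates:
        if hmac.compare_digest(commit(key, name), commitment):
            return name
    return None


def cast_ballots(votes):
    """Polling-place side of the in-person variant: a fresh 16-byte random key
    per ballot, kept on site; the voter leaves with only the commitment."""
    keys, receipts = [], []
    for name in votes:
        key = secrets.token_bytes(16)
        keys.append(key)
        receipts.append(commit(key, name))
    return keys, receipts


def tally(keys, receipts, candidates) -> Counter:
    """Count by opening each published commitment with its on-site key.
    A receipt no key opens is counted as INVALID rather than silently dropped,
    so a mismatch between the key store and the published list is visible."""
    if len(keys) != len(receipts):
        raise ValueError("one key per receipt expected")
    counts: Counter = Counter()
    for key, receipt in zip(keys, receipts):
        name = open_with_key(receipt, key, candidates)
        counts[name if name is not None else "INVALID"] += 1
    return counts


def receipt_is_included(receipt: str, published) -> bool:
    """What a voter without the key can still check: that the commitment they
    were handed appears in the published list, without learning or revealing
    which name it commits to."""
    return receipt in set(published)


if __name__ == "__main__":
    keys, receipts = cast_ballots(["Alice", "Bob", "Alice", "Dave"])
    print("tally:", tally(keys, receipts, CANDIDATES))
    print("receipt published:", receipt_is_included(receipts[1], receipts))
    # With the key, anyone (voter, buyer, coercer) recovers the choice:
    print("opened with key:", open_with_key(receipts[1], keys[1], CANDIDATES))
    print("opened without key:", open_with_key(receipts[1], b"guess", CANDIDATES))
```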
Well, I disagree that having keys be trivially verifiable by the voter is a problem. That's a selling point - you can be sure that your vote wasn't altered in-transit. In fact that's largely the point of the system.
This is a general problem with absentee/mail voting, though, and it's a strong argument. If your boss/spouse/etc is being an asshole there's little to stop them from coercing you to show your paper absentee ballot, marking it in for you, etc. Yes, it's illegal, but what are you going to do about it after your at-will employment is terminated without cause next month? In the privacy of a voting booth, you can vote however you want and nobody will ever know. It's real easy.
I think you can still keep votes secret if you have in-person voting. Just have the secret key never leave the polling place, it's equivalent to collecting the ballot after tabulation (we have paper ballots that are run through a ScanTron machine, we don't get to keep the ballots). You get a printout of the hash values you selected (but not the key) and can validate that the hash exists on the blockchain afterwards (signed by the polling place's private key), but there's no proof as to what the particular hash values actually indicated.
Really though you have to trust that people will treat their electronic ballot with just as much import as their paper ballot. I don't think an electronic system works without some kind of secret key/token.
A cabal of miners can censor transactions. If those transactions are ballots, then all it takes is a cabal of 3-4 people (who run the mining pools) to decide the result of the election.
My notion was ballot tabulators (of the opscan variety) would boot off a CD-ROM. The only code on the machines would be the bootstrap. Then it'd be comparatively easy to guard the physical chain of custody.
You need a public blockchain voting record. Citizens would need to independently verify the results of their votes cast and contest faulty ones.
There are a lot of problems with that system to be answered:
* Can individuals who catch fraudulent votes revoke them? How would that mechanism work? We know we can fairly easily give users private revocation keys for something on a blockchain like that, but in such a protocol a compromised vote would make it impossible to receive or produce a valid credential like that. The alternative is you use traditional legal systems to contest and investigate fraudulence.
* Alternatively, you tie voter id to the revocation key, but then you have the problem of lost or stolen revocation tokens, plus...
* Anonymity. The easiest way to make a blockchain voting system both anonymous and verifiable is to generate a random transaction id for voters to follow for their vote. But because any given id does not provably correlate a person to their vote (you would want to print it on generic paper or even better just send it as an NFC token to a handheld device as a generic string) then the actual voter can be confident in the correlation, but manipulators cannot. This does have its own problem of the machines potentially just emitting false ids, again promoting the idea you might need both a personal and session key combined to be able to verify authenticity of the machine itself.
* There are ways to mitigate compromised endpoints - having voters sign off on their votes' success independently of the voting machine will eliminate the ability to produce false ids of someone else's vote, for example.
Note this would not be anything like a cryptocurrency blockchain. Participation would be limited to a collective network of state computers providing consensus with no outsider participation. The chain would not be active year round, it would only generate blocks per election. The actual blocks would contain metadata beyond just the votes, and in the best implementation would provide a searchable database of voter heuristics.
Additionally, a lot of the privacy requirements are a bit overblown. Almost all US states presently support mail in ballots, which have dramatically more vectors for compromise than any electronic system because it cannot be anonymous and authorized simultaneously the way algorithms can be. You could relax the anonymity to just public anonymity - the state itself knows your voter id, you know it, but the public does not. You can share your results because you always know your id, and while it does leave you open to intimidation, it already happens now. Friends force friends to take photos of their ballots, and write ins are implicitly compromisable. It depends on the voters themselves to go to authorities when their votes are being coerced.
But fundamentally the blockchain consensus model of voting makes sense. It eliminates the ability for bad actor endpoints ruining the integrity of the whole. It makes the whole process transparent, where the only way to rig the election is to compromise a majority of participating "miners" in the state. In traditional elections, that is still achievable - if you control the count, you can produce whatever results you want.
Any kind of audit log records the order of the ballots cast. Which (mostly) corresponds to the order ballots were issued.
Meaning blockchain voting would eliminate the secret ballot.
I don't think it's possible to have electronic tabulation which safeguards either the secret ballot or the public vote count. But I try to be open minded about it. Some of my besties are nuts for the blockchain stuff, so they keep me in the loop about each new notion.
Except blockchains aren't timestamped, and you can introduce mechanisms to randomize block acceptance.
With a bitcoin transaction you cannot know the order confirmations were requested, just when the transaction was finalized, and there is no correlation between the two in finalized blocks.
Given that such a blockchain would only be active one day (or up to a week) of the year and see ~120m+ transactions in 20 hours or so, there would be no way to predict what transaction any one individual's vote was.
So the secure one-way hash (protecting the secret ballot) is smudging the timestamp. Hmmm. I'll ponder this.
I really do consider these ideas. Both to see if there's a way to make them work within existing election administration laws, rules, and procedures, as well as to see if there's some future perfect system that might work (even if we have to change how we run elections).
We need to have voter registration and vote tally databases that have the characteristics of Git repositories. Because every piece in a Git repo has a SHA1 hash, you can verify that each and every piece is what it says it is and has the correct relationships to each and every other piece. You can verify that copy A is exactly the same as copy B and has not been tampered with. All modifications are recorded; you may not know exactly who made each change (author info can be falsified) but you can at least know exactly what changes were made.
I wouldn't mind seeing electronic machines that print paper ballots. They could even record the count into a database somewhere for ease of use. And it's important for the voter to see the paper ballot that gets printed, before he drops it in.
That way, we can all find out who won in real-time, while the counties recount the paper ballots by hand over the next week to confirm. When you count the ballots, record a video and allow independent citizen auditors to view the video.
Also note that because American elections tend to hinge on a handful of swing states (and then, often only on particular counties in those states) you do not need to commit fraud on a wide scale to commandeer the election. It should be possible to measurably influence the election by hacking a handful of influential counties, actually.
The Oregon/Washington/Colorado vote by mail system is very convenient. We get paper ballots by mail which can be returned by mail or dropped in official boxes and the results are scanned. This leaves a paper trail that is possible to recount if necessary.
Voters in a little over half of US states can vote at home[0], but they need to explicitly request ballots.
The ability to vote at home does seem to increase voting percentages. It is hard to compare before/after since all states that have so far switched entirely to vote by mail had a popular option for a while before, but all three states seem to do fairly well in national rankings, maybe particularly so in non-presidential election years. I found a site that collects such data [1] (relative to voting eligible population not registered voters) and in 2014 Colorado was 4th highest, Oregon #5, and Washington #21. For this election it looks like Colorado was #6, Oregon #13, and Washington #16. So voting percentages might not go way up if everyone did this, but seem likely to go up some at least.
The possibility of voting fraud will make a blip in the news and then be forgotten, just as it was in the much more contentious election of Bush v Gore.
"Voting fraud"? That wasn't an issue in 2000 (or ever in the US, as far as I know). There were famously problems with Florida's ballot. I don't know what Florida did, if anything, but there was federal legislation in 2002. This is how everyone got the money to buy electronic voting machines.
"It'll take a while to find out how the election went in California because we don't use computers"
"You're the biggest state in the country and you don't use freakin computers?!" <-Texas resident
"You work in IT, you of all people should know why we don't use computers"