Edward Snowden Demonstrates How Easy It Is to Hack a Voting Machine (ijr.com)
268 points by ColinCochrane on Nov 24, 2016 | 200 comments



Looks like we're about to have the same voting/election discussion we've had at least 5 times over the past month or so. If anyone's interested in reading what's already been discussed, here are links to the previous threads:

"American Elections Will Be Hacked" https://news.ycombinator.com/item?id=12921967

"Maryland will audit all votes cast in general election" https://news.ycombinator.com/item?id=12885396

"Cylance Discloses Voting Machine Vulnerability" https://news.ycombinator.com/item?id=12883356

"In Pennsylvania, Claims of a Rigged Election May Be Impossible to Disprove" https://news.ycombinator.com/item?id=12790247

"Votes could be counted as fractions instead of as whole numbers" https://news.ycombinator.com/item?id=12841178


This has come up in many of the related threads -

"Demographics, Not Hacking, Explain The Election Results"

http://fivethirtyeight.com/features/demographics-not-hacking...

That aside, we should, of course, work on securing the vote.


Oh, definitely. I don't mean to imply anything about hacking wrt this election. (Did I?) Frankly I generally don't go down those rabbit holes too far because securing the vote is motivated by ensuring a trusted process, rather than any particular rumor or incident. I'm happy to leave the investigations for incidents to others. They're important as well, I just don't have skin thick enough to handle the partisanship.

I added these links here because the same points get hashed and rehashed in every thread, rather than building on the work that's already been done and figuring out what the next steps should be. (I admit that rehashing is a pet peeve of mine.)

As you note, securing the vote is important. A secure vote and trust in the election process is very important to a democracy, and something that continues to come up for a variety of reasons, and something that can easily be supported by anyone interested in democracy, regardless of party affiliation or political persuasion.


I remember the discussions of Bush rigging the 2004 elections (not on HN).


Secure voting came to my attention after the 2000 Bush-Gore election and recount. There's been a lot of really interesting work since then. If you're interested in what can be done to improve voting security, I encourage you to see https://www.verifiedvoting.org


Diebold, how people hacked their voting machines, and their campaign against said hackers was mentioned on Slashdot practically weekly back then. I think http://blackboxvoting.org/ was started as a direct result.


Why do Americans use voting machines exactly? I mean, it just prints out their choice at the end right? What benefit do they actually gain from having pressed buttons instead of using a pen? It just seems to fuel the hacking conspiracy every time a president is elected.

In the UK we turn up, go into the booth with the paper slip, and tick our choice with a pen. Then we fold it and post it into a container which later gets shipped off to the counting room. I just can't understand why you guys have to physically turn up if you are just going to select your answer on a computer anyway.


Hi Hacker_9. In Texas, where I vote, the machines don't even print paper. We just have to trust that the machine correctly recorded our vote. The reasons for the machines are, 1. cost cutting over manual counts, 2. profiteering by well connected companies, 3. And potentially making sure only the "right" votes count, although that part isn't proven.

In California we were able to vote at home with a mail-in, paper ballot and I much prefer that.


If we have to use machines why wouldn't we just source two machines from rival vendors? One machine takes the vote from the voter through whatever method, records the vote and prints a receipt that clearly states that voter's choices. Machine two reads the receipt in front of the voter and keeps a second tally of votes. The two tallies are then compared at the end of the night.


For starters, cost. Now you have to buy two machines for every single machine you buy. It also means taking up more room. Now, instead of fitting 10 machines in a single space, you can only fit 5, creating even longer lines. This also increases the chances of failures. A single machine failing means both machines in the pair fail. So, you've gone from 10 machines to 5 pairs of machines for twice the cost. You go from a single machine putting you down to 90% original capacity (assuming 10 machines) whereas a single machine brings you down to 80% capacity (40% of original capacity).

Not to mention the additional level of confusion and potential for errors. All of this so you can buy two machines from two different vendors who might, in the end, still have ties via investors.


All good points, maybe there could be one testing machine per area or zipcode instead of one per room. People wouldn't know which voting booth would be tested. If the tests pass, potential false positives are still there, but you at least have a quantifiable bit of error catching and restricted scoping. Cost still up for sure, but maybe people wouldn't mind paying a bit more instead of 100% for trust in the system. Would probably even motivate some to vote.


I don't think we can prevent fraud, the best we can do is source voting machines according to a spec from multiple vendors, and source software from multiple vendors as well, and do independent inspections of both by multiple 3rd parties. It would be a significant undertaking to compromise everything.

With a paper vote, you place trust in those who collect, store, and count, and you can always recount if needed. With electronic voting you place that trust in those that produce the hardware and software.


Trust it is. But the system has to try to reduce it to a minimum.


Some suggest each party should have a set of machines, so that the interest tension would cancel errors a lot.


Make the number of machines inversely proportional to the number of votes in the last election. Suddenly the next president is from the green party.


Where I voted (Massachusetts) you voted with a paper ballot, then watched a poll worker feed it into a machine which recorded it.


Same in VA but the machine in no way indicates that it read it correctly.


Too logical ;)


this with some crypto-sauce would be mixnet voting :)


>> In Texas, where I vote, the machines don't even print paper. We just have to trust that the machine correctly recorded our vote.

This system just begs for being manipulated.


>> This system just begs for being manipulated.

Paper ballots are not immune from such concerns. The concept of votes being added or removed from a count isn't a new phenomenon. So the standard should be whether or not the electronic means are better, rather than them being a perfect counting method.


Yes but that is not the point. You can also add votes to electronic voting by just allowing someone to cast more votes at it. But the difference is that with paper voting, you as a single actor can only influence one voting booth, while as a hacker, you can manipulate thousands of voting machines. So the influence of a single actor could be much bigger. Furthermore, while you can manipulate a paper ballot, you can only do so as long as an investigator is not looking. If he keeps the booth in view the whole time, you cannot add anything or change votes or whatever. A computer cannot be surveyed that way because I do not see what happens inside as long as it's not open source code and hardware which is signed etc.


>> ...with paper voting, you as a single actor can only influence one voting booth, while as a hacker, you can manipulate thousands of voting machines.

That depends where the person is. The people managing the process, those doing the counting, have plenty of opportunity for large manipulations. There are safeguards, but the possibility remains and must be accounted for.


As I know it, you have 2-3 persons that count together one urn. That's not one person doing it. And you can do recounts. And adding large numbers of ballot papers is not easy because it's marked how many there are in a ballot. (What is more effective is declaring a number of ballots invalid if they are not the right candidate but still, we are speaking about in extreme cases 100 votes, not possibly millions as would be possible in hacking an electronic voting machine.)


One fake vote can be enough if winner takes all.


Sure, but that is a problem of "winner takes all" and not any voting method.


Using paper ballots you can at least re-count the votes and validate the results of the election. With the electronic system like this you can not validate the results. Does it use an open source firmware? How can you make sure that there is no

IF vote = Clinton AND random <= small error limit not making cheating obvious THEN vote = Trump;

line in the code?


Yep, you can recount fake paper votes, but how will you distinguish fake votes from real ones? Remember, votes are anonymous, so you cannot track a vote back to a living being to ask. And even if you were able to do so, the living being can lie to you about his vote, to protect himself, or just to not look dumb in the eyes of others.


>>> ... but how will you distinguish fake votes from real ones?

Easy. Serial numbers. Like any other anonymous system (paper money, raffle tickets etc) you assign a number to every valid ballot. Should the same number appear twice, or not appear, then you know something fishy is happening. Any extra fake ballots should be discovered, so long as the originals are not removed from the systems. Throw the numbers around randomly and creating undetectable fakes becomes very difficult.


The order has to be random or you can trace votes to individuals if you keep the order in which they voted.


In some voting systems (eg, the UK's), this is a feature, not a bug. Ballot serials are recorded against electoral register entries, and the courts have de-anonymized ballots in a few cases.


This is a very serious bug, even if courts want to exploit it.


Most systems seem to have two lines so it's not clear the order people voted in. Excluding hidden cameras which also work with voting machines.


> Yep, you can recount fake paper votes, but how will you distinguish fake votes from real ones?

You already have a log of who showed up to vote. Compare the number of shows S with the number of ballots V which must be <= S due to poorly marked/unreadable ballots. Simple.

Edit: and this all statistically correlates with exit polls. It's very, very hard to fake all three of these in order to rig an election.
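
The serial-number check and the sign-in comparison (V <= S) suggested in the comments above, combined into one reconciliation pass. This is an added example, not code from any commenter; the record layout, finding names and all precinct data are constructed assumptions, and serials are assumed to be handed out in random order.

```python
"""Precinct reconciliation: ballot serial numbers plus poll-book turnout.

All precinct data below is constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Precinct:
    name: str
    issued: frozenset   # serials printed for and delivered to this precinct
    spoiled: frozenset  # serials voided at the desk and replaced
    unused: frozenset   # blank ballots left over at close of polls
    sign_ins: int       # S: voters marked in the poll book
    box: tuple          # serials read from ballots in the box (V = len(box))


def reconcile(p):
    """Return a list of (finding, detail); an empty list means the books agree."""
    findings = []
    seen = Counter(p.box)
    in_box = set(seen)

    # The same serial twice means at least one copy is not an original ballot.
    duplicates = sorted(s for s, n in seen.items() if n > 1)
    if duplicates:
        findings.append(("DUPLICATE_SERIAL", duplicates))

    # A serial that was never delivered to this precinct.
    unissued = sorted(in_box - p.issued)
    if unissued:
        findings.append(("UNISSUED_SERIAL", unissued))

    # A ballot logged as spoiled or unused cannot also be in the box.
    voided = sorted(in_box & (p.spoiled | p.unused))
    if voided:
        findings.append(("VOIDED_SERIAL_IN_BOX", voided))

    # The turnout check: ballots counted must not exceed sign-ins.
    if len(p.box) > p.sign_ins:
        findings.append(("BALLOTS_EXCEED_SIGN_INS", len(p.box) - p.sign_ins))

    # Issued, but neither cast, spoiled nor left over: the ballot left the
    # polling place. The turnout check alone does not see this.
    missing = sorted(p.issued - in_box - p.spoiled - p.unused)
    if missing:
        findings.append(("UNACCOUNTED_SERIAL", missing))
    return findings


# Constructed sample precincts.
CLEAN = Precinct(
    name="clean",
    issued=frozenset(range(1000, 1010)),
    spoiled=frozenset({1003}),
    unused=frozenset({1008, 1009}),
    sign_ins=7,
    box=(1005, 1000, 1007, 1002, 1001, 1006, 1004),
)
STUFFED = Precinct(
    name="stuffed",
    issued=frozenset(range(2000, 2010)),
    spoiled=frozenset(),
    unused=frozenset({2007, 2008, 2009}),
    sign_ins=7,
    box=(2000, 2001, 2002, 2003, 2004, 2005, 2006, 2003, 9999),
)
CARRIED_OUT = Precinct(
    name="carried_out",
    issued=frozenset(range(3000, 3005)),
    spoiled=frozenset(),
    unused=frozenset({3004}),
    sign_ins=4,
    box=(3000, 3002, 3003),
)


def audit(precincts):
    """Map each precinct name to its reconciliation findings."""
    return {p.name: reconcile(p) for p in precincts}


if __name__ == "__main__":
    for name, findings in audit([CLEAN, STUFFED, CARRIED_OUT]).items():
        print(name, findings or "OK")
```

The third precinct passes the V <= S comparison (3 ballots, 4 sign-ins) and is flagged only because every issued serial has to end up cast, spoiled or left over.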


So yes, you have a log, you have votes. How to distinguish real votes from fake ones? The state can start the election again from scratch when it finds a problem, but people will vote very differently at this next election, because the whole story will affect their minds and votes. Brave fakers can raise the stakes and win.


It's not necessary for a subsequent vote to have the same outcome as the first. The issue is whether the election is secure and people have trust in the system.



So the first goal of fakers is to ruin that. It's even written as one of the main goals in Russian trolls' goal books. Find a copy of such a book and read it: you will learn a lot.


Once there's no longer trust in the system, you're right, secure voting is no longer a problem.

Which is why it's important to fix this earlier rather than later.

If it's your goal to cast more FUD on the issue, that's your choice. I can't even ask you to be honest about it because that wouldn't be congruent with spreading FUD.


Just trust your leaders and FUD will not work.


Explain "fake paper votes". I'm not sure that this is a real problem with normal auditing -- record all voters that come into a precinct, what time they appear, and compare to the number of received ballots. Comparing signatures of voters to the file signature is common for absentee voting. It's just far harder and riskier to mess around with compromising paper ballots than a mistake (or "mistake") in a line of code.


You cannot force voters to come in and confirm that they sold their votes in exchange for money. They will lie. You must catch fakers, which is tricky when they have a chance to win the election and punish you, like Stalin did.


As is frequently attributed to Stalin:

What counts is not who votes, but who counts the votes.


"You know, comrades," says Stalin, "that I think in regard to this: I consider it completely unimportant who in the party will vote, or how; but what is extraordinarily important is this — who will count the votes, and how."

Original in Russian, translated:

Kamenev, trying to come down to Stalin's level, says: "And what about the question of how to win a majority in the party?" - "You know, comrades," says Stalin, "what I think about this: I consider it completely unimportant who in the party will vote, or how; but what is extraordinarily important is who will count the votes, and how." Even Kamenev, who should already know Stalin, clears his throat pointedly.

The next day Stalin summons Nazaretyan to his office and confers with him for a long time. Nazaretyan leaves the office looking rather sour. But he is an obedient man. That same day, by a resolution of the Orgburo, he is appointed head of the party department of "Pravda" and sets to work.

"Pravda" receives reports on the meetings of party organizations and the results of votes, especially from Moscow. Nazaretyan's work is very simple. At the meeting of such-and-such a cell, say, 300 people voted for the Central Committee and 600 against; Nazaretyan alters it: for the Central Committee, 600; against, 300. That is how it is printed in "Pravda". And so on for all the organizations. Of course, the cell, having read in "Pravda" the false report of the results of its vote, protests, telephones "Pravda", and gets through to the party life department. Nazaretyan answers politely and promises to check immediately. On checking it turns out "that you are completely right, an annoying mistake occurred, they mixed things up at the printing house; you know, they are very overloaded; the editors of 'Pravda' offer you their apologies; a correction will be printed." Each cell assumes that this is an isolated mistake that happened only to it, and does not guess that the same is happening across most of the cells. Meanwhile a general picture gradually forms that the Central Committee is beginning to win along the whole line. The provinces become more cautious and begin to follow Moscow, that is, the Central Committee.

(Stalin faked the election by printing reverted votes in «Pravda».)


Paper ballots at least leave a paper-trail.


How do you distinguish between a real ballot and a fake ballot?

How do you know if someone decided to throw away some of them?

(While also ensuring voters remain anonymous and allowing voters to verify their votes.)


Scrutineers : https://en.wikipedia.org/wiki/Scrutineer

You have a number of differently affiliated persons watching the proceedings, and having at the end a rough idea of the number of votes that were returned per polling station. Then (with some coordination that should be trivial for the smallest of political parties) those results can be independently reckoned and compared back to the official totals. Any irregularities should be quite obvious. Recounts are probably the Achilles heel of paper ballots, as you need a way to verify that they were not tampered with in the meantime.


Scrutineers also have the advantage of being understood by anyone with a pulse. "Votes go in here, mutually opposing interests watch them like a hawk until they get to the counting center, then the count is watched by those mutually opposing interests. You can be a scrutineer yourself if you're concerned. The record can also be re-tallied if there's a concern".

Compare to voting machines: "Just trust us. You need to have deep domain knowledge in several fields before you can even start to evaluate our trustworthiness (software, hardware, security, etc)... so just trust us. No, you can't examine the machines."


> In California we were able to vote at home with a mail-in, paper ballot and I much prefer that.

I guess you trust the mail service and the people on the receiving end to properly record your vote.

I prefer the day of (also in CA), where you get to put it into the counting machine yourself—at least then I know it was counted at my polling place.


"At least then I know that I put it in a machine physically, which gave me psychological comfort, but no actual verification that my vote was counted."

^-- Fixed that for you.

But seriously, at some point, unless everyone sticks around to watch everyone else's votes being counted, there has to be some level of trust with the system. The only thing we can do better is to make vote counting machines' code open sourced and have the code signed with a trusted Public Key Infrastructure of some sort.


In my country some people stick around in the voting place to watch how the votes are counted. As long as somebody from your preferred political party stays, you don't have to stick around.

The paper system is very open source already. So open that even non-developers can understand it.


When you do mail-in voting, your ballot has a tab you pull off with a number on it. You can check on a government website whether or not your ballot was counted using this number (though it won't show how you voted).


In the U.K. the ballot staff are volunteers and cheap/free venues are used (schools, church halls, etc.)


(I'm not defending the method you describe from Texas where there's no physical proof to audit against)

I was listening to something specifically talking about California counting mail-in ballots. They said California took longer than most states because it's big, it has liberal laws about eligibility (counting provisional ballots) and citizens are pretty sloppy about filling in mail-in ballots. They described coffee and spaghetti stains obscuring the choice. They will fill out "clean" ballots in pairs with their best guess. I'm sure that's a small number of ballots.

When I've voted in person they deliberately have me feed my ballot into a machine to confirm it was valid.


Mail-in ballots are the devil, they allow vote-buying. It happens with regularity that elections are annulled in ethnic enclaves in the UK over that. Elections don't have to be convenient, first of all they have to be safe.


I find it curious that you don't think this also happens in middle-England Tory stronghold constituencies, or certain middle-class London Labour ones for that matter.


Which elections were annulled?


There was a fairly well publicised incident in Tower Hamlets (part of London) where a local mayoral election was declared void for reasons including "Voting fraud: ballots were double-cast or cast from false addresses" [1]

[1] http://www.bbc.co.uk/news/uk-england-london-32428648

Was this guy https://en.wikipedia.org/wiki/Lutfur_Rahman_(politician)#Fal...


The one I was thinking about was probably this one from Bradford: https://www.theguardian.com/politics/2010/sep/06/men-jailed-...


The whole Lutfur Rahman BS is (I think) more to do with the fact that he's a totally dodgy c&nt (as are quite possibly some of his close associates - juicy 'gossip' in Private Eye), not his ethnic or religious background. The long line of DodgyC&nts™ at TH has yet to be broken, even going back to "The-Good-Old-Days".


Haha, keeping with tradition then. The conservative choice: a Dodgy C&nt. :)


In America we prefer the Clinton "walking around money" type of vote buying?


> In America we prefer the Clinton "walking around money" type of vote buying?

Is it just me or does this sentence not make sense?


It kind of makes sense to me, I think the poster is trying to say Clinton buys votes but in a way we prefer/tolerate.

That way being "walking around money" in the sense of mingling with wealthy people at expensive events funded by other wealthy people in an attempt to gain favor (and votes) from the people who can afford those events.

I think it's being purposely dramatic, but the English (kind of) adds up.


That's not walking around money.


Walking amongst money?


It doesn't, it sounds like something that a Markov chain would say. It sounds vaguely critical of Clinton, but doesn't quite parse as English and is devoid of actual information or analysis. I fear that Markov chains aren't just a way to replicate things that people might say, but might actually model human cognitive processes in some way. :(


It is legal and common in the US [1]. It's typically done by the democrats because in general more people voting is good for democrats and bad for republicans.

[1] https://en.wikipedia.org/wiki/Street_money


>Why do Americans use voting machines exactly?

It was a knee jerk reaction by Congress to the 2000 presidential election recounts in Florida. They passed a bill that funded the purchase of new voting machines called the Help America Vote Act[1]. It provided a fat pile of federal funds to states for the purpose of replacing voting equipment. Of course, throw a mountain of money in front of federal contractors, and several will rush out poorly designed systems quickly to claim the prize. Secure voting was the last thing on their minds. Diebold actually sued the state of Massachusetts for "wrongful purchase" of competitor systems.[2] Slashdot covered the fiasco generated by HAVA for years. Just search for Diebold or Sequoia in relation to their domain.[3]

[1] https://en.wikipedia.org/wiki/Help_America_Vote_Act

[2] https://yro.slashdot.org/story/07/03/26/1431258/diebold-sues...

[3] https://duckduckgo.com/html/?q=diebold%20site%3Aslashdot.org


A former co-worker of mine wrote software for voting machines in Brazil. He described to me a few reasons why electronic voting machines are important. To be honest I forget the majority, but one story that stuck with me:

One common scheme electronic voting machines help prevent is forced votes. A bad guy gets their hand on a single empty ballot and writes the name of the candidate he wants to win on it. He then comes to you and threatens you and your family. Says hand in this pre-filled ballot and bring me back your empty ballot, or else... You comply, he fills out the empty ballot again, and repeats.

The electronic voting machines protect your identity. They allow you to vote anonymously. They provide data integrity that is harder to spoof than paper voting methods. I explicitly asked why they don't just vote on paper ballots like they do in Canada (or the UK as you describe). His response was that we take for granted the inherent trust our societies have to allow us to vote in such a fashion without it being tampered with.


Voter coercion is something to be concerned about but the scenario you describe won't keep me up at night. The number one problem is it's hard to scale up to a level that would actually sway an election. It only takes one hero to call the police while they're at the polling station or after their family is released and the sequence is broken. There's no need for the victim to actually submit the pre-filled ballot, they can throw it out or do something to it to make it invalid then come back with the blank one. The ballots where I vote are on a heavier stock paper that are not trivial to conceal bringing in and taking out; most could do it but one victim slips up and the scheme could fail.

Where I vote, my paper ballot in no way identifies me. I identify myself upon entering the polling station, they find my name on the list of registered voters and mark it. When I'm turning in my completed ballot, I again identify myself and my name is marked on a separate list. So there's a record that I voted but not for whom I voted. How would an electronic voting machine improve upon this?

BTW, where I vote, the paper ballots are the bubble scan kind and the voter feeds it to the machine themselves. This provides very fast tabulations with a paper record for security and recounts.


> How would an electronic voting machine improve upon this?

I am just theorizing here: Someone now takes the box of paper votes and runs it through the scanner machine. And passes this number along to someone. What is stopping them from tampering at this step? I think this is precisely what my co-worker was describing. There is an inherent trust that your paper ballot is scanned and recorded in a fashion that matches your vote.

An electronic voting machine could potentially communicate votes in real time over a secure connection. Or in the case of Brazil's machines, I believe stores it locally, encrypted, with a verifiable cryptographic signature of some sort.

I'm sure we all know the multitude of other attack vectors this introduces. I guess I am just not convinced that paper makes things more secure.


I worked on the 2002 model. It stored the signed voting data on a removable CF card which was under a tamper proof seal. After installation the machines were kept physically secure and, during the election they are never under the supervision of a single person. After the election the machines are returned to local elections authorities (if they are too late, they are invalidated) where the memory card is read and totalized.

We designed a vote printer that would allow the voter to see a paper copy before storing it, but it was never used.


There are many steps along the chain that have to be secured in both electronic voting (which has a variety of meanings) and paper ballots. Paper ballots enable auditability, which is a separate issue that's also important for voting.

Given the number of comments you've made on this thread, it seems this is an area of interest to you. I encourage you to look through the previous HN discussions on this topic. Here's a list of some of those from the past month or so:

https://news.ycombinator.com/item?id=13032743


Thanks!


Depends, different places have different problems. Consider: it only takes one hero to call the police, get beaten to a pulp by the responding LEO, for the chain to continue. Depends who is friends with who and how "civilized" the corruption is.


While I fully agree with your take:

Doesn't scale is a concept that only developers and entrepreneurs understand. Sadly, that makes it an invalid argument for the other 98% of the population.


Color me unsurprised that a person who wrote software for voting machines also finds them useful.

The problem I have with this particular scenario is that it imagines a reality in which someone can afford to collect votes one by one with impunity but can't force these same bunch of people (and one or two simply aren't enough to matter) at the voting station itself.



In Canada, after you fill out your ballot in secret, you fold it up and hand it to the poll worker, who tears off a stub and then hands the ballot back to you, and then you insert it into the ballot box yourself in plain view.

I don't know if this is the current case (or perhaps your scenario is one of the reasons for the current procedure), but they can just put a serial number on the stub so that the poll worker can verify that the ballot that was handed out was the one just filled out.


This is a good low-tech solution!


I am not sure how you vote but in my country, you could not pre-fill the ballot because you only get it at the voting booth. You have a voting registration that you bring to the booth, there you exchange it for the ballot which you fill out in a closed cabin and then pass right into an urn. (Which is basically like a voting machine, you only fill out your vote at the place you are voting). Honestly, not a very good reason for voting machines, only maybe against mail voting.


In the UK, you could just go to the desk and ask for a blank ballot in exchange for your "mistake".


|A bad guy gets their hand on a single empty ballot and writes the...

I am sure there are many reasons to prefer electronic voting, but that just seems logistically impossible when you are talking about millions of people. No way that wouldn't go unreported or undetected.

Whereas voting machines, if compromised, have much more reach and would be difficult to detect.


Bad guy is easily defeated. "I'm sorry, I've accidentally spoiled my ballot and marked the wrong candidate, may I have a new one to fill?" Bad guy's ballot goes in the trash, you fill the spare new one, you still have the original blank one to hand back to him. Bad guy wasted his time.


Bad guy's friends are likely to be in there watching as the voter does what you suggest.


Don't shoot the messenger! I am just passing along the one story I remembered / found interesting.

I'm not saying this scenario is plausible for swaying the outcome of a presidential election (which is what I am sure is on many of your minds right now). But for locally elected officials? Seems at least plausible to me.

At the end of the day I imagine electronic voting is all about speed. A quick wiki search brings up the following anecdote:

> The voting system has been widely accepted, due in great part to the fact that it speeds up the vote count tremendously. In the 1989 presidential election between Fernando Collor de Mello and Luiz Inácio Lula da Silva, the vote count required nine days. In the 2002 general election, the count required less than 12 hours. In some smaller towns the election results are known minutes after the closing of the ballots.


Each polling place can provide free "stump the chump" ballots that you can give back. So you throw the one they gave you away, fill out and submit your own, then hand them back a dummy ballot that won't get counted.

Or, alternatively, spend tons of money on electronic voting machines that allow the bad guy to game the system on a more massive scale without having to threaten as many people.


> One common scheme electronic voting machines help prevent is forced votes. A bad guy gets their hand on a single empty ballot and writes the name of the candidate he wants to win on it. He then comes to you and threatens you and your family.

I'd be willing to bet money that this scenario has never, ever happened.


This technique is called the "Bulgarian train" and is alleged to have happened throughout the Balkans.

https://insajder.net/en/site/tema/794/

http://www.novinite.com/articles/120632/Bosnians+Name+Vote-B...


He could just force him to make a video of him voting the way he wants with his smart phone (for both, paper ballot and electronic voting machine).


Which is a reason why in some locations it's illegal to photograph or video record voting. Where I vote, you do it in a curtained area so it would be easy to get away with but with setups like where Trump and family voted in New York, you're mostly out in the open with a short partition.


Every state in America (and even different counties within states) votes differently.

I voted on paper and it was put in a box to be counted in a central location. This takes forever and they just now are finishing up counting.

Electronic voting is a lot quicker and cheaper to count. I'd argue that the best system is one in which you vote on paper but it's counted electronically at the polling booth. That way there's a paper trail that can be audited and also quick counting.


In the UK we use paper ballots and manage the count overnight after the election (some seats come back the day after, but the overall parliamentary majority is usually clear by then.)

Our population is only 1/6th yours, IIRC, and you subdivide more heavily into states already.


But why not scan-tron? It seems like that is the best of both worlds. Start with a simple physical paper that everyone can understand and audit as the primary record, but then have each voter feed their own directly into a scan machine that can tally and send counts in quickly?

That's how we do it around me, and it seems like a strictly superior approach. What am I missing?


Scantrons are a big improvement over electronic-only counting, but they can struggle with imperfectly-filled-in ballots... another good alternative, which avoids that particular problem, is to have a machine where you make your selections by button-press - but it prints them onto a physical card, lets you verify the printout through a window, then drops it into a built-in ballotbox.

The machine itself can keep count, or the cards could be designed for scantron-esque machine counting - regardless, in case of a disputed result, the cards can be counted the traditional way (by hand, with observers from each party present, etc).

Not my idea, BTW, but I don't recall where I read it - nor whether it was a description of something actually in use or merely a proposal.


Or just some kind of simple mechanical stamping or cutting machine that assures that each vote is registered in the same way but in an easily understandable and transparent format.


> cutting machine

Do you remember "hanging chads"?

But yeah, that's the crux of the idea: have a machine take the voter's choices, to effectively eliminate accidentally-spoiled ballots (the design of the "hanging chads" machines was sorely lacking on this point); but then have it produce a physical record, visually checked by the voter, to enable auditing & recounts.

Counting the hard copies would be the definitive source of truth, just like traditional paper ballots - any automated score-keeping would just be a bonus for early result reporting (although might also stand in for the manual count in "safe seats" where no-one cares to dispute the expected result).


The key to the system you describe is having the vote-punching machine right next to the vote-checking machine. That way if there's a hanging-chads issue you can catch it before it spoils more than a single vote. And the person just slides the vote down the 'discard' chute and gets a fresh one until they're happy with the results.

Have the checker mark the holes it detects with red ink or something, to make it clear to the user that the system detects their votes properly, and to provide a fallback. In the event another machine fails to count it, the user's intent is double-marked.

And then have the same style of vote-counting, where people manually scrutinize the votes, and have each party's representatives slide the votes into their counting machine. If the machines lose sync, you stop and figure it out at the point of the specific vote that fails to scan.


The scantron machines are expensive and it's not really feasible to have at every polling location. Lots of polling locations are at churches and such anyways. Additionally, scantrons can be fairly slow depending on the machine.


They do in some counties. I'm a pollworker in Alameda County and every precinct uses an optical scanner (made by Sequoia). At the end of the night the memory pack is removed and taken back to a return center to be counted. The paper ballots are boxed and sealed in case there are any problems with the electronic tally.

Speed-wise, it only takes the machine about 1 second per ballot card.


Just to be clear, you are arguing that scantron machines are expensive and not feasible at every polling location so instead we should provide dozens of more expensive electronic voting machines at each polling location?


That's how it worked where I voted. We made our selections on a touch screen and it printed a ballot for us to check.


That does sound better, and I left out the rapid counting. Good point.


The UK system wouldn't stop conspiracy theorists because it's not strictly anonymous.

https://www.theguardian.com/notesandqueries/query/0,,-1051,0...


Thanks for posting this, really interesting/terrifying and I hadn't seen it before.


There's a bunch of reasons, probably starting with the voting there being so much more complicated - there are a lot more positions being elected than in the UK. It's hard to say if the machines are really cheaper, but there seems to also be a lack of willingness to adequately fund the process, judging by the queues in many places.

Which is a shame, because it's a fairly effective way to push money back into the economy, at least when a manual system is used.


So there's a couple things to unravel here. First, each county in the US runs their elections separately so within a single state you might see a couple different systems. Some places like my area in North Carolina use a system like what you describe except the ballots are scanned through an optical scanner then stored in case there's the need to do a recount. There's no central board above the county level that the ballots would be sent to for counting.

Second, electronic machines are popular because they speed the election counting and are cheaper to run because the election board doesn't have to print tens to hundreds of thousands of ballots. A good electronic voting machine reports the vote 2 ways: digitally to some vote tabulator local to that voting place, and with a paper record that can be audited. The paper printout they're having printed in this video is the end of the night tally that'll be reported to the county/state board of elections to be combined with the rest of the results.

Third, doing it on a centrally located machine instead of over the internet adds a lot of security to the process. Trying to properly secure single purpose hardware like a voting machine that can be kept in a monitored location is a much simpler task than trying to find a way to ensure that Joe/Jane Voter's computer isn't compromised when sending the data to their county's board of elections. Not to mention that by accepting votes over the internet you're opening yourself up to everyone being able to remotely attempt to exploit the system. At least with a voting machine only connected to other election hardware, attacks are limited to someone that's physically at the voting location. It's also tricky to prevent double voting while maintaining complete anonymity.


This reminds me about the Russian pencil hoax.


You are still using a voting machine, but you've just introduced a shitty paper input that needs to be scanned into the machine. The counting machine is a voting machine. It can be hacked.

The only benefit is that you have a paper record that can be corroborated if there is evidence of hacking later. But we could do a printout paper record on voting machines too.

You'd be surprised how many of those paper ballots don't get recognized when they are counted. Because the checkmarks don't fill up the box enough or because of optical/scantron error.


> You'd be surprised how many of those paper ballots don't get recognized when they are counted. Because the checkmarks don't fill up the box enough or because of optical/scantron error.

In the UK's 2014 elections for the European Parliament, a Scottish voter wrote against the four parties/candidates listed: "wank"; "wank"; "good guy"; "wank".

The vote was deemed valid as the voter had expressed a clear preference.

(Source: https://twitter.com/JamieRoss7/status/473068708441894912/pho...)


There was another case where the voter drew a penis next to the conservative candidate and it counted as a vote:

http://www.itv.com/news/wales/update/2015-05-08/angry-voter-...


Ballots are counted by hand in the UK.

There are pictures and a description here: http://www.bbc.com/news/election-2015-england-32533064


Yikes that is even worse. Hand counts have been shown to be off by 1-2%.


Actually in the UK votes are counted manually by people in big halls under watch by accredited observers. No voting machine in the process at all.


Sure that happens to a small portion, if the result is close enough though you can go back over them by hand.

The difference is that the voting machine makes it possible to hack the paper trail.


Please post a source or more of an explanation before spreading FUD like this...


This is missing the point though.

The American voting system is actually very secure.

It's highly decentralized, machines are not connected to the internet, implemented in many different ways, which means that they would have to do many attacks many different places without being discovered to even have an effect.

75% of them have paper trails which would require an even bigger achievement to change enough of as it's again highly distributed and decentralized, and it would require mostly physical presence to do it. And that's just a few of the things that make this more or less impossible.

A bigger concern is access to the actual voter databases, but what they can do there is mostly creating chaos, which would obviously be horrible but have no effect on voting.

The biggest problem is actually when examples like these spread without the above consideration as that can trigger the population to lose faith in a system that is probably as safe as it has ever been.

P.S. I am highly supportive of whistleblowers like Snowden but this is missing the point.


The election was decided in its totality by 107k votes in WI, MI, and PA (the sum total margin of victory in those three states).

You don't have to manipulate many votes to have an election-deciding effect.


I forget the statistical term but after the fact, you can't go back and say "look at this, only 107K votes determined the outcome" because you can always find such explanations post hoc. I tried to search but couldn't find the discussion but one example is how couples use this type of fallacy to "prove" their love was fated. Typically on the day the fated couple met there were a number of unusual events or circumstances (a missed bus, sick grandma, a power outage, etc.) that played a key role in their meeting and the probability of all these coincidences occurring together must mean they were fated to meet.

Moreover, you have to ask; How could the Simon Bar Sinister have known prior to the election that these three states (and probably one or two counties in each state) would be the decisive counties to hack to manipulate votes and win the election? He can't.


So perhaps one can only practicably rig close elections.


Indeed, but the real fix would be a voting method that has defenses against it, as opposed to the electoral college, which is a lot easier to affect than more advanced systems that have been developed in more recent years.


You would still have to know where it was close.


A lot of online companies classify millions of people by lots of variables each day. You can pay for this information.


That's not what we are talking about at all. You need access to these machines somehow. It's not about classifying people, it's about getting access to the ballot machines and altering them or their results. Quite a different task.


I think your parent was implying that some sort of classification would be used to predict where the vote would likely be close, so you would know which precincts to target. As I'm not the poster, this is just speculation of course, and can be worth the electrons used to transmit the comment :)


Yep, that was the idea.


I mean, the swing states were known beforehand. A concerted effort to fix the elections there would decide the election, surely?


> WI, MI, and PA

Wisconsin was not considered to be a battleground state. HRC didn't even campaign in the state after the convention.


I'm not an expert of swing/fling states, but FiveThirtyEight listed 22 states as potentially competitive; Trump also won 194 of the 207 counties that voted for Obama either in 2008 or 2012; and finally I count 8 states that shifted to Trump after voting Obama [1]. Therefore all hands are required to win an election, even for the first 49.9%, even if a few fling states make the difference at the end.

Of course, although it's not possible to earn an election purely by fraud, it could still alter it.

[1] http://www.nytimes.com/interactive/2016/11/09/us/elections/s...


You would have to know where and it's still quite a big decentralized system even if you knew for certain it would be those 3 states. It's simply not that easy.


Beyond the actual security of the voting machines, the other challenge in any hack is making it match the demographic make up of a state. People talk about "red" and "blue" states but the reality is that states are not homogeneous. It would stand out if a traditionally red county suddenly went blue and vice versa.


You would never flip a county. You would increase the percentage your candidate wins by or the percentage of the population that voted. It's raw votes that matter in states, and it's much safer to set up in your home turf.


> It's highly decentralized, machines are not connected to the internet, implemented in many different ways, which means that they would have to do many attacks many different places without being discovered to even have an effect.

Or modify the program loaded on the machines before they're distributed. It's probably easier than you think.


No, 'cause they don't even use the same.


Statewide tampering is still a tempting target.


Even on the state level there is no clear consensus on what, how, when etc. plus again 75% have paper trails.


Relevant video:

Was YOUR vote counted? (feat. homomorphic encryption) - Numberphile : https://m.youtube.com/watch?v=BYRTvoZ3Rho


It's interesting to view recent events in the US as a crisis of measurement. The news media measured the voting public with polling samples, we then measured the voting public with a vast government apparatus. Clearly, the measurements did not agree. Logically there are three possibilities: the media was right, the polls were right, or neither were right.

It's actually quite a good thing that we start to speak openly about threat-models against all voter sentiment measuring tools, especially the official ones.


The last polls before the election put Trump at a 30% win chance. Trump winning is a completely normal outcome in that situation and doesn't signal polling problems.


There are two different types of polls we're talking about here. One are polls conducted during the campaign to capture potential voter sentiment and perhaps predict the outcome. The second are exit polls attempting to measure the election outcome based on what voters say they cast. (Nearly?) all complaints about polls I've seen have been about the former.

There are different sets of issues with both categories of polls. If anything, I believe the issue is not a measurement issue as much as it is educating the public about what the different types of polls are, their limitations, and their usefulness.


The idea that an electoral poll incorporates a random error (and maybe a systematic one too) is alien to the discussion about recounts etc.


Yes, this was one of my questions. What is the accuracy and error margin of the voting system itself (and each state seems to have different methods so it's not even uniform). Of roughly 126 million votes cast, 1% accuracy would be 1.26 million votes which would be of the same order of magnitude of Clinton's "win" of the popular vote. I have no idea if 1% accuracy is close or wildly too high or too low but we can't have a meaningful discussion without it.

Correction: Actual total was 126M votes for the presidential election not 160M votes as I stated. But the question remains.


Don't hold your breath.

Consider the case, in the technology of proportional representation, of the Hagenbach-Bischoff quota: https://en.wikipedia.org/wiki/Hagenbach-Bischoff_quota

It's (it seems to me) obviously arithmetically unfit for purpose compared to the Droop quota. In some cases more candidates can meet the quota than seats are available. Yet it remains in use/part of the credible discussion.


This headline massively misconstrues Snowden's role and technical capacity in any such voting machine hack. Snowden merely said that it could be done, and pointed to a video published by Cylance.


[deleted]


Should this be classified as "fake news" and banned from Facebook, Reddit, HN, Hufpo, etc?


Well, that depends: did Krugman actually say those things? That's the objectively measurable fact that matters in this case, because the "news" being reported is the fact that a well-known person said something newsworthy.


Yep. This also demonstrates the way of thinking in Russia. Their lies are one step ahead of the common Joe (no more, no less). Russians even have a special word for this kind of lie.


Have you checked out Krugman's Twitter recently? The man has lost the plot after the election. And now he's pushing even more bullshit conspiracy theories. Sad.


I just checked it out. It seems like he was concerned about the possibility of vote tampering, and has since backed off. Not sad.


Why exactly would Putin prefer Trump? Honest question as both Hillary (as SoS) and Bill Clinton have been rather soft on Russia - Trump favoring domestic oil production, etc seems would be less preferred. Look how aggressive Russia has become in the past 8 years.


There are many, many reasons. Trump promised to be extra soft on Russia re:NATO, re:Ukraine, etc. His single contribution to the GOP platform was to soften the GOP's position on Ukraine. Some of his staff were also Russian clients. He's also expressed open admiration of Putin and Putin's style of governance, and emphasized that he wants the US to get along with Russia. His son secretly met with Russian reps before the election to discuss US policy in Syria and elsewhere. A Trump win would give Russia tremendously greater influence over Europe. Given Putin's open assistance to Trump in the election Trump would owe Putin favors, and it's likely one of the favors Russia would pursue would be lightening the massive sanctions Clinton imposed on Trump. Trump's also incredibly easily manipulated which certainly serves Russia's interests.


I'm not sure how the US can be any softer on Russia and the Ukraine than they already have been. Trump has also publicly stated he wants to shoot down Russian warplanes that approach US assets. I think Putin just likes to see one of his rivals in a time of uncertainty.


I don't think most people understand how bad relations between the US and Russia have gotten in the last year and how badly they would have spiraled out of control if Hillary won.

Hillary's favored no fly zone policy in Syria would have unavoidably led to armed conflict between the US and Russia/Syria.

It remains to be seen what will actually happen, but Trump's rhetoric is mostly about working with Russia to take down ISIS. Putin might be a thug, but he's not insane and doesn't want to go to war with the US. He can work with somebody like Trump who wants to talk and take down a common enemy.


Mr Putin knows a certain way of performing politics and excels in this environment. It involves oligarchy, control of the media, nationalism and intrigue over political opponents.

Mr Trump offers that environment on a platter. Mrs Clinton maintains a different style of politics, involving red tape, careful processes, observance of laws. Mr Putin does not work that way.


> Mrs Clinton maintains a different style of politics, involving red tape, careful processes, observance of laws.

This is a joke right?


I think the suggestion usually is that Putin would prefer a disrupted, uncertain, inward-looking U.S.


I think you're missing the point. Putin and Russia already benefited from the results of this election. A more divided Europe, check? A United States that is looking to lessen its global role, check. A contentious, divisive circus of an election where a significant number of people have some doubts on the results, check. A splintering EU, check. A less unified NATO alliance with a weaker US role, under even more threat with surging populist movements rising, check. All this without one single bullet fired and probably not that much money spent. Putin may be a lot of things, but I can't help but respect how he operates. He's a bad man.

This election has been cyber warfare's coming out party. Even the greatest military and economic force in the world is susceptible to major attacks and that will not change for a while. Recruiting hackers or obtaining assets otherwise must be a more cost-effective diplomatic tool than some over budget multi billion dollar weapons system. I guess that's progress that we have one more tool to use before going to a hot war, but its asymmetrical nature gives regimes like NK a more level playing field.

The rhetoric bloviated by Trumpf has already caused a great amount of concern and uncertainty. What kind of asshole just casually mentions that yeah, we might not honor treaties that were signed in good faith? With Trump in office, you also have a United States much more likely to make a deal in Syria and accept Assad and also accept a new reality in Crimea/Ukraine. IMO, the US is too fixated on Assad leaving. So fucking stupid. How many more times do we need to see what happens when you remove a strong man from that area of the world. Getting rid of Saddam and Qaddafi for "moderate" rebels sure worked out great /s.


Trump hasn't even taken office yet so no blame can really be tied to him just yet. He's said quite a few silly things so far, but hasn't yet done any real damage. Most of the hysteria is being generated by the 24 cable news channels. I can't turn on CNN without another Trump-o-phobia headline on the screen.

To be fair NATO/Europe have been having issues during the Obama administration. Brexit is just a symptom of a long running problem in the EU regarding national sovereignty and bail outs of poor nations (Greece/Spain). Obama has struggled finding partners in the Middle East to provide support to fight terrorism, but even NATO allies like Turkey have refused to even let the US use their airspace.

I personally think that Trump is picking his battles. He can fight a Mexico trade/immigration battle and get an easy win. Fighting Russia over Syria has no winners. As for Assad, it's hard to see how a person responsible for the deaths of over 300K of his own people could ever really hold on to power with or without foreign support. The US has experience in supporting an unpopular foreign leader (south Vietnam) and it didn't go that well.

I think in the long run, Trump will be more of a 'domestic' president. Someone that really spends more time focusing on domestic issues rather than foreign ones. Hillary I think would have been the opposite. In some ways this may be better for foreign countries, because it means that we are more likely to stay out of their business.


For a guy that says "quite a few silly things" and "hasn't done any real damage yet" that sounds like quite a bit of confidence in skills and intelligence that has not been demonstrated. Picking battles?

How about: continue to expect silly things, and ultimately some real damage to become the new norm?


> As for Assad, it's hard to see how a person responsible for the deaths of over 300K of his own people could ever really hold on to power with or without foreign support. The US has experience in supporting an unpopular foreign leader (south Vietnam) and it didn't go that well.

As I say this with a gut-wrenching knot in my stomach, I prefer him vs the alternative due to recent history. As it is right on the doorstep of Russia and Iran, let them deal with the consequences if they want him in office that badly.


> I personally think that Trump is picking his battles.

I think we should all do ourselves a favor and not try to divine what Trump is thinking. The guy is a total wild-card


Putin prefers Clinton, because they will continue Obama's course, which allowed Russia to begin two wars. But if Putin says "I like Clinton, vote for her", it will cause the opposite effect, so he said "I like Trump, vote for him" to have the desired effect.


Opposed to Bush's course, which only let Russia start one war. Plus, saying Russia started the Syrian war is a huge stretch, the US had already been involved for years.


War in Georgia was pretty fast, wasn't it?

On the other hand, Ukraine has USA guarantees[1], which were absolute guarantees before Obama, but now they are useless.

[1] https://en.wikipedia.org/wiki/Budapest_Memorandum_on_Securit...


The guarantees aren't useless due to Obama, the US followed the memorandum and sought UN Security Council intervention. Russia broke the deal, what do you think the US should do about it?


USA should play in kindergarten, because Ukraine is able to stop Russia with almost no army, while USA cannot.


Why hasn't some state used a hash to allow trustworthy online voting? They could add a unique ID on the back of your driver's license and then allow you to use your unique ID to generate anonymous/one-time-use IDs. They could then have a publicly accessible server that at all times displays a column with anonymous ID, vote and every person can verify that their personal vote is correctly displayed.


In general, any process that allows an individual to verify their vote after the fact will enable coercion over voting. For example, in your proposal, an unscrupulous boss could make a demand before the election: "You must tell me the one-time ID you're voting with. If you choose not to, or if that ID doesn't show up in the registry having cast a vote for <candidate>, you're fired." I think that, no matter what the process is, if I can check how I voted I can also be made to check how I voted while someone watches over my shoulder and threatens consequences.


One solution is to make blackmailing people's votes illegal. Then the risk of someone recording him with a phone or hidden recorder would discourage your boss from blackmailing you. You could also make it illegal to reveal your vote to anyone else, to make it easier to spot coercion.

In extremely dishonest countries where the local courts, police, and election officials are all corrupt, a large mafia-style presence could coerce a lot of people into voting a certain way. But if any of these are at all trustworthy, it seems difficult to coerce anyone. And even then, the mafia abusing too many people(>5%) would cause them to riot.


@jjuhl answered that question somewhere else in the thread with homomorphic encryption (Numberphile : https://m.youtube.com/watch?v=BYRTvoZ3Rho ): The hash out of the machine doesn't tell who you voted for, but the sum of the hashes does tally properly. It's still unclear for me, but it's sure that there are mathematical solutions.
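The tallying property described in the comment above, as an added example that is not part of the thread or of any deployed voting system. It assumes Paillier as the additively homomorphic scheme (the comment names none), a constructed toy key, and hypothetical function names; each posted value is a randomized ciphertext rather than a hash.

```python
"""Toy additively homomorphic tally (Paillier). Added illustration only."""
import math
import secrets

# Constructed demo key: two Mersenne primes. Far too small for real use.
P = 2**31 - 1
Q = 2**61 - 1


def keygen(p=P, q=Q):
    """Return (n, (lam, mu)): public modulus and private decryption key."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # valid because the generator is g = n + 1
    return n, (lam, mu)


def encrypt(n, m, r=None):
    """Encrypt integer m as (1 + n)^m * r^n mod n^2.

    r is fresh randomness; pass it explicitly only to reproduce a ciphertext.
    """
    n2 = n * n
    if r is None:
        while True:
            r = secrets.randbelow(n - 1) + 1
            if math.gcd(r, n) == 1:
                break
    # (1 + n)^m is congruent to 1 + m*n modulo n^2 (binomial expansion).
    return (1 + m * n) % n2 * pow(r, n, n2) % n2


def decrypt(n, priv, c):
    """Recover m from c using L(x) = (x - 1) // n."""
    lam, mu = priv
    u = pow(c, lam, n * n)
    return (u - 1) // n * mu % n


def tally(n, board):
    """Multiply all posted ciphertexts; the product encrypts the SUM of votes.

    Anyone can recompute this from the public board without the private key.
    """
    acc = 1
    for c in board:
        acc = acc * c % (n * n)
    return acc


def receipt_opens_to(n, c, m, r):
    """True if (m, r) reproduces ciphertext c.

    A voter who learns r can use this to prove how they voted, which is the
    coercion concern raised in the thread; receipt-free designs must keep r
    away from the voter.
    """
    return encrypt(n, m, r) == c


if __name__ == "__main__":
    n, priv = keygen()
    # Constructed ballots for one candidate: 1 = vote for, 0 = vote against.
    votes = [1, 0, 1, 1, 0, 1]
    board = [encrypt(n, v) for v in votes]  # public bulletin board

    # Each voter can check that their own ciphertext appears on the board.
    assert board[2] in board

    # Only the combined ciphertext is ever decrypted, never a single ballot.
    print("votes for candidate:", decrypt(n, priv, tally(n, board)))

    # Note: nothing here stops a ballot from encrypting 5 instead of 0 or 1.
    # Real schemes attach a zero-knowledge proof of validity to each ballot.
```

Two encryptions of the same vote differ, so a ciphertext on the board shows inclusion without showing the choice, provided the voter never holds the randomness `r`.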


Potentially, a canary id, "show this one and it'll claim you voted for ____ and also alert the state election board that it was accessed"


That solves the boss problem. What about the government?


Vote manipulation by a foreign government is solved by having a verifiable ID/token in the first place.

Vote manipulation by the government the election is happening for isn't really something you can solve because in that case the election isn't the problem.


What if an ID was generated and printed just before voting with an option to print an arbitrary number of additional IDs of already voted people? The boss never knows what ID(s) he'd receive.


So you come into work on Monday thinking that everything will be peachy-keen, and get an all-hands email telling you that any employee that can not prove that they voted for the "correct" candidate will be forced to resign.

Any system that can be abused, will be.


Verifiable vote technology generally does not reveal who the vote was cast for, only that the vote was cast and included in the tally. This makes issues of coercion or vote selling moot.


Your scheme seems vulnerable to vote buying, e.g., $20 to vote for my candidate, but you have to show me your number so I can check.


But vote buying is already rampant. Politicians already buy votes - promising benefits to key voting demographics, promising more or higher paying jobs for civil servants or the military, or promising lobby groups favourable laws/taxes/aid. Democracies are practically based around vote buying already. So your concern seems strange.


Making promises that might be implemented isn't "buying" a vote. As you said, that is an intended part of democracy. Promises are not guarantees. Instead, vote buying is giving an explicit quid pro quo such as paying $10 for every "correct" vote receipt.

Yes, this doesn't fix every problem, but it does fix some problems that used to be common.

> So your concern seems strange.

Then I strongly suggest reading more about the history of voting methods and technology. (the talk in my other post has a nice overview)

We no longer have problems like offering whisky for votes or employers that threaten to fire anybody that doesn't vote a certain way (although occasionally they still try).


What a strange straw man argument you make. You feel that any time the government does something that benefits someone it is "vote buying". We're discussing the physical mechanism of voting here and you've redefined basic terms to make some kind of off-topic political point.


Because regularly people don't trust computer scientists...or math (if it's too complex, and hashes definitely are).


And they trust the current blackbox more?

The reality is, people have no choice.


> trustworthy online voting

That doesn't exist. See this[1] talk by Andrew Appel (CS Prof. at Princeton) for a very nice overview of the technology in the traditional pre-printed secret ballot and why electronic/internet voting cannot be secured from all of the known threats.

TL;DR - Adding anything that can be used as an identifier enables vote buying or coercion. Adding computers introduces "Trusting Trust"-style problems where you never know what is actually running (hashing/verification only pushes the problem around).

[1] https://www.youtube.com/watch?v=abQCqIbBBeM


That's not a valid argument. Nothing is secure from all known threats.

The question is how (in)secure is the system. In this case, the voting protocol doesn't provide a means of verification.

Secure voting protocols have been around for quite a few years. jjuhl left this comment above https://news.ycombinator.com/item?id=13032602

Dan Boneh's Crypto 2 coursera course (https://www.coursera.org/learn/crypto2#) covers the concept.

There are voting protocols that use the same foundations as public-key crypto to allow for vote verifiability - you can validate that your vote has been taken into account in the tally without sacrificing the privacy of your vote. There are solutions for voter fraud too.


> Nothing is secure from all known threats.

Of course. That's why it's important to reduce the attack surface. Adding electronics (or worse, software) adds a huge amount of attack surface. The attack could be at any point from the CPU-internals to the software.

> the voting protocol doesn't provide a means of verification

Yes. That's a feature. Any new system cannot re-enable voter coercion.

> Homomorphic encryption

I already mentioned[1] that video yesterday. It's an interesting idea, but even Prof. Rivest in the video isn't claiming it's ready for use.

More importantly, the reply by marten-de-vries[2] brings up a very good counter argument to any voting system based on fancy math: the general population won't accept it. The voting process doesn't work unless the population considers it legitimate, and it will be hard to convince them if they first have to learn enough math to understand homomorphic (or public-key) encryption.

This is still interesting research that may evolve into a new type of voting protocol in the future.

[1] https://news.ycombinator.com/item?id=13020917

[2] https://news.ycombinator.com/item?id=13021517


> Adding electronics (or worse, software) adds a huge amount of attack surface. The attack could be at any point from the CPU-internals to the software.

You're missing the point. The voting protocol is built in such a way that you can verify that your vote was cast as intended, and that your vote was counted in the tally. Once everyone agrees on the voting protocol you don't need to trust someone else's electronics, you can do it on your own device, and use open source software.

> the voting protocol doesn't provide a means of verification Yes. That's a feature. Any new system cannot re-enable voter coercion.

You can have vote verification without enabling coercion. If you have a vote receipt it does not imply you can prove or disprove how you voted, but it does allow you to verify that your vote was included in the tally.

> More importantly, the reply by marten-de-vries[2] brings up a very good counter argument to any voting system based on fancy math: the general population won't accept it. The voting process doesn't work unless the population considers it legitimate, and it will be hard to convince them if they first have to learn enough math to understand homomorphic (or public-key) encryption.

I disagree. The general population doesn't know how RSA or AES work but we have HTTPS and the green-lock-thingy. You don't need to know how or why something works in order to reap its benefits.
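Added illustration (not part of any comment in this thread, and not code from any real voting system): a toy additively homomorphic tally using Paillier encryption, showing the two properties argued over above, namely that a voter can check their encrypted ballot is on the public board and that anyone can recompute the encrypted total while only the aggregate is decrypted. The key size, the 0/1 ballot encoding and all function names are assumptions chosen for the example.

```python
import hashlib
import math
import secrets

# Constructed toy key: two Mersenne primes. Real systems use >= 2048-bit
# moduli and split the private key among several trustees.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # private: lcm(p-1, q-1)
MU = pow(LAM, -1, N)                               # private: valid for g = N + 1

def encrypt(vote):
    """Encrypt a 0/1 vote; fresh randomness makes equal votes look unrelated."""
    r = secrets.randbelow(N - 1) + 1
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1
    return (pow(N + 1, vote, N2) * pow(r, N, N2)) % N2

def decrypt(c):
    """Private-key operation; in a real protocol only the aggregate is decrypted."""
    return ((pow(c, LAM, N2) - 1) // N * MU) % N

def receipt(c):
    """Receipt = SHA-256 of the ciphertext as posted on the public board."""
    return hashlib.sha256(str(c).encode()).hexdigest()

def included(rcpt, board):
    """Voter-side check: is my encrypted ballot on the published board?"""
    return any(receipt(c) == rcpt for c in board)

def encrypted_tally(board):
    """Anyone can recompute this: multiplying ciphertexts adds the plaintexts."""
    acc = 1
    for c in board:
        acc = (acc * c) % N2
    return acc

def run_election(votes):
    board = [encrypt(v) for v in votes]        # public bulletin board
    receipts = [receipt(c) for c in board]     # one per voter
    return board, receipts, decrypt(encrypted_tally(board))

if __name__ == "__main__":
    board, receipts, total = run_election([1, 0, 1, 1, 0])  # constructed ballots
    print("yes votes:", total, "| all receipts on board:",
          all(included(r, board) for r in receipts))
```

The toy omits the zero-knowledge proofs that each ballot encrypts 0 or 1 and that the trustees decrypted the total honestly, which end-to-end verifiable schemes require.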


> You're missing the point. The voting protocol is built in such a way that you can verify that your vote was cast as intended

No, you're missing the point. You don't know that the crypto was calculated properly, because you are not going to be calculating the crypto by hand. Prove - in the voting booth - that someone hasn't changed the software to give you the wrong crypto token.

> If you have a vote receipt it does not imply you can prove or disprove how you voted, but it does allow you to verify that your vote was included in the tally.

Do you not see that this is a contradiction? Someone coercing you simply demands that verification.

"Bring your verification receipt if you want to keep your job."

> HTTPS and the green-lock-thingy

TLS doesn't rely on the public understanding it for legitimacy. The public doesn't care about how it works; they care about if it's a reliable security feature. Legitimacy is lost if there are too many public failures.

Voting requires an understanding of how the winner was decided. Your proposal will never be accepted if it is, in the eyes of the general public, a black box you submit your vote into that is only interpreted by a priesthood that they have to trust to interpret the votes. Adding up votes is understandable, but homomorphic encryption might as well be black magic.

This understanding is more important than ever, because we are currently experiencing a revolt against technocracy. Brexit and Trump are aspects of this revolt. If you think you can get the population to accept a voting protocol they don't understand, then you haven't been paying attention to the current political climate.


Check out the many threads about this on HN about why electronic voting is not going to be secure enough


If everyone can verify their votes, then they can sell their votes. E.g. A knows A's hash, and A can show X that A's hash voted for X, so that X will give A $20.


More and more I think our election system is ripe for foreign manipulation. I'd love to be proved wrong in an audit.


E-Voting can be easily solved with ID cards combined with something similar to the blockchain so that you can verify your vote if you need to.

The technology is there but I don't think there is any incentive to make it happen.

The only problem that I can see is that we cannot be certain that any e-voting technology will survive future information security research and as a result the design needs to factor continuous upgrades.


The problem is that if you can verify your vote you can be coerced into voting in a certain way. There would need to be some sort of plausible deniability built in.


Only you will be able to verify your vote. All votes are anonymous. You should be able to verify the very first vote as well and as a result of that verify the entire chain up to your vote. The last vote should also be verifiable to ensure that the chain is complete.


That doesn't solve the problem of verifiable votes. If you are able to verify your vote you can be coerced to verify it in the presence of someone else.


Wouldn't a voting system that let people confirm that their vote is taken into account be trivial to implement?

I can't believe we still rely on trust for this kind of thing.


> Wouldn't a voting system that let people confirm that their vote is taken into account be trivial to implement?

How do you verify that your vote is actually "taken into account?"

You may be shown that your vote matches what you intended, but then it can be manipulated or discarded somewhere else in the process, beyond your ability to verify. It's like reading open source code without validating the operating system or physical machine it runs in - the entire environment contains the potential for hostility, and it's too complex for one person to comprehend in its entirety.

Also, any such system, assuming it works as intended, may also give interested third parties a way to spy on someone's voting habits. Historically, knowledge of a person's vote has been used by governments and employers to coerce votes and to retaliate against political opponents or supporters of unpopular causes.


Let's start with a simple example. A spreadsheet with your name and your vote. You can be sure that your vote is taken into account by the SUM function.


If this is an area of interest to you, I encourage you to take the time to review the work that's already been done in this area. The example you provide doesn't even address the concerns in your parent, much less others that have been identified by those working in the domain.

As a starting point, you can review Rivest's slides for an overview.

Ron Rivest, "Auditability and Verifiability of Elections", March 2016. https://people.csail.mit.edu/rivest/pubs/Riv16x.pdf

Edit to add: I see I've already suggested this to you earlier today.


Here are some links I've found useful:

Wikipedia page on End-to-End Auditable Voting Systems https://en.wikipedia.org/wiki/End-to-end_auditable_voting_sy....

Ron Rivest slide deck from March 2016. Auditability and Verifiability of Elections https://people.csail.mit.edu/rivest/pubs/Riv16x.pdf



