[dupe] To Protect Voting, Use Open-Source Software (nytimes.com)
228 points by bleakgadfly on Aug 9, 2017 | 229 comments

No. To protect voting, don't use software. Everyone needs to be able to _understand_ as well as be able to verify that they successfully voted.

Besides the issues with what software the machine is actually running, most people cannot comprehend or understand that software - even if it is open source. That is not acceptable for an open democratic society, or to sustaining it.

In this particular situation it should not be necessary to rely on an expert to explain whether the vote counting mechanism is reliable. This only adds to the problem of unreliable or scheming officials - it doesn't improve anything in terms of transparency.

Just have the electronic system return a clearly labeled ballot to the voter, which would be verified and turned in before leaving. A physical count can be used to confirm the electronic count or vice-versa (physical counting has vulnerabilities too).

New York uses the reverse of that. You fill out a paper ballot, which then gets fed into a machine for counting. A random sample (of sufficient size) of the paper ballots are then counted to verify the electronic results.

Voting with paper does not scale. You can't make people vote everyday for example, which is required if you'd like to implement direct democracy.

On the other hand, with direct democracy, the stakes are lower for each vote. So there is less incentive to manipulate the vote. So it makes sense to use e-voting for direct democracy.

In the end the voting mechanism in democracy is not really about precision, it's more about getting an acceptable outcome for all the parties.

The fact that it doesn't scale is exactly why we should stick with it. We want voting to be hard, distributed, and diverse. That prevents a single county or state from destabilizing the rest of the country. It should prioritize accuracy over speed and all else.

It's like an ecosystem. The more homogeneous the system, the more vulnerable we become to a single virus (or hacker).

Wait, why do we want voting to be hard? If voting is hard, that means it takes more time to vote, and not everyone is equally able to take extra time to vote. A disproportionate percentage of the voters will end up being people with more time and/or more flexible schedules.

They mean vote counting should be hard.

Neither do the attacks, which is the point.

Public - i.e. everyone knows how others have voted - voting can be both precise and secure. Public voting can be done electronically, say, via encrypted SMS.

So why bother with secrecy in the first place?

Secret ballots protect voters from intimidation and blackmail. That particular bit of secrecy is absolutely essential in a democracy.

So you can't pay people to vote for a particular candidate.

Do you know how people take photos of themselves voting at "secret-keeping" poll stations? How about politicians who publicly give lucrative promises to their particular electorate?

If they want to sell their vote - it is their choice. I'd only say that the right of citizens to secede from such a society must be respected too.

>Do you know how people take photos of themselves voting at "secret-keeping" poll-stations?

That's illegal, and (somewhat contradictorily) not non-repudiable. You can take a picture of yourself with "ballot marked for candidate I'm paid/coerced to vote for" and then step right out and say "oops, I messed up my ballot, give me another one" and then submit that.

Didn't SCOTUS recently uphold people's right to take selfies in the ballot box? Seems that ship has already sailed in the US.

Also, California allows for absentee voting with no particular reason. I've voted in every election I've ever been eligible to vote in and I have never once set foot in a physical polling place.

> Voting with paper does not scale.

Yes, it does, it just scales less well than electronic/internet voting. Each voting method (and arguably, voting system) has its + and -, but paper voting has the most important benefit. Specifically, the most important one is that whilst counting we have the benefit of many eyes watching over (one of the things NSA improved post-Snowden). I know this first hand as I have participated as a vote counter in the 2017 Dutch election on March 15 (can recommend volunteering for the educational experience and ability to observe alone, plus it can be seen as a civil duty). Our team consisted of approx 8 or 9 volunteers. How many people audit the source code? The patches? The build process? The hardware? Are those random people? Are computer experts biased? You don't need to be intelligent or even familiar with computers to count paper votes. You do have to be a computer expert [2] to audit the software or hardware.

> You can't make people vote everyday for example, which is required if you'd like to implement direct democracy.

I'd rather have authentic results for a few elections than have many elections with a higher potential of being bogus.

We should also not neglect that a direct democracy can be dangerously manipulated in times of fake news. The same is true with 2 or 3 elections every 4 years, but the vulnerable choke points are higher in a direct democracy.

Finally, a disadvantage is that you got so many elections that people are tired of elections. I don't know the scientific name for this phenomenon but I know an analogy: visit a supermarket and have a look at all the brands for product X where X can be peanut butter, ice cream, or beer. Result: brand loyalty. So people are gonna vote e.g. 'peanut butter' (I don't wanna name a realistic example to avoid reader assuming I'm partisan) in each of those direct democracy elections w/o looking further. Do not want!

There's an adage in computerland: "if it ain't broken, don't fix it". Paper voting isn't broken, it has a proven track record.

PS: For anyone who is interested in the history of voting security and the risks of electronic & internet voting I can recommend the course "Securing Digital Democracy" by J. Alex Halderman (one of the researchers in the Diebold affair some 15 years ago) on Coursera [1].

[1] https://www.coursera.org/learn/digital-democracy

[2] Not sure on a better term here. Computer expert is an inaccurate global term; what is required is a rather specific skillset. Perhaps programmer or hardware hacker is more accurate. But even then programmer doesn't tell us about which programming languages are mastered, and hardware hacker is equally vague. You get the gist.

I like the model where you vote electronically and you can see (through a clear material) that the machine prints out a copy of your votes and drops them into a bin.

You can throw cryptographic verification on top of that if you like.

That's one very expensive pen.

Paper doesn't matter if it isn't being counted. Spotting irregularity in voting results might be possible with statistical methods but how often were votes really recounted?

How do you check that your votes were actually taken into account? Even if you can do that, how do you check that no votes were added on top of legit votes?

If the actual votes are printed, how do you make sure no one can prove their vote to third parties and so be paid for it?

That's silly. Do you need to use paper and pencil to do banking? If we as a society and individually can trust our money to technology then why not voting?

Having a Merkle tree and voting from your device instead of a polling station is not just more convenient - it's more secure too. Everyone can verify their vote was counted!!

And right now? Right now we have a government database of who voted for what. That's crazy.

With electronic banking I can verify that my money is where it should be.

With electronic voting, I can't be sure my vote got counted, and even less sure others weren't tampered with.

That's right.

And now do both things _publicly_! For money (or other things you own) you will need a Torrens-like title system with a replicated database among your fellow citizens. For voting - it will be a database replicated on DVDs (or something that can be read, say, by a microscope:)

You may be astonished how secure that will be.

How do you verify the entities that are registered on the chain are who they are supposed to be? It may show a commit log of Citizen X voted in a certain way, but how do you verify it was Citizen X that actually voted or that they even exist?

The same way as you supposed (not:) to check it under a paper-ballots voting system. By the Citizens Database - when every citizen's biometric data (photos, eye or ear scans, body measurements, etc.) and contact data is published on holographic discs, magnetic tapes (IBM has one with 330 TB storage). It will allow anyone to verify there are no fake identities there. One may store just a hash table for all entries, if he can't afford those storage mediums.

Have they told you about it?

I'm sorry but I'm having difficulty understanding what you're trying to say. You still need a body to oversee adding entries, otherwise anyone could add anything? How do you verify exactly? You've just got a bunch of data, which may or may not be legitimate. It still boils down to this: the best way to protect voting isn't the more exotic systems whereby fudging can be done at scale. It's by making the exploits not scale and keeping anonymity by having another process for voter registration.

I'm not sure what the choice of media has to do with anything.

Who has told me what about what now?

No one requires these biometrics to make bank transactions. The bank can give you a simple security device, but with smartphones even that is optional now.

Biometrics, seriously?

Biometrics are only a one-time proof when eg you are issued a token. They can be replayed later and can't be used anywhere except where there's a physical security guard preventing tampering. And even then you trust the security guard.

The same way you verify that the person using the banking app is the one they are supposed to be. Or any other service.

Obviously you use your device, and you can lock it with a password. You can use two factor authentication.

It's straightforward, really. You sound like identity has never been solved electronically.

If anything, holding a physical paper id document is far less secure than a personal device with your private keys in the Secure Enclave.

It's not been solved though, at least here in the UK where people are against mandatory ID cards.

That's a separate issue. Why would you want to allow voting without any ID?

It's definitely not a separate issue, it's fundamentally linked. Voter registration is separate and not tied to any electronic ID, so you saying it's a solved problem isn't true.

Sure you can. If you signed your vote and all votes got included in a Merkle tree then you can for sure verify that your vote is counted.

Imagine bitcoin but with votes instead of transactions. Boom.
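The "put every vote in a Merkle tree and let the voter check it" idea in the comment above, as an added example (not code from this thread or from any voting project): each ballot is committed as a hash of a random nonce plus the choice, the commitments become the leaves of a Merkle tree whose root is published, and a voter holding their commitment, its index and the sibling path can check inclusion against the root without the commitment itself revealing the choice. The function names, the leaf/node domain-separation bytes and the sample ballots are this example's own assumptions. It demonstrates only the "was my ballot included, and has the set been altered" check; it does not address the concern other commenters raise that a receipt can be shown to a third party.

```python
import hashlib
from typing import List, Tuple

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(commitment: bytes) -> bytes:
    # Domain-separate leaves from internal nodes (assumed prefix bytes) so an
    # internal node can never be passed off as a leaf in a proof.
    return sha256(b"\x00" + commitment)

def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)

def commit_ballot(choice: str, nonce: bytes) -> bytes:
    """The voter's receipt: a commitment that hides the choice behind a random nonce."""
    return sha256(nonce + choice.encode())

def build_tree(commitments: List[bytes]) -> List[List[bytes]]:
    """Return every level, level 0 = leaf hashes, last level = [root].
    A level with an odd number of nodes duplicates its last node when pairing."""
    levels = [[leaf_hash(c) for c in commitments]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2 == 1:
            cur = cur + [cur[-1]]
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def root(levels: List[List[bytes]]) -> bytes:
    return levels[-1][0]

def inclusion_proof(levels: List[List[bytes]], index: int) -> List[Tuple[bytes, str]]:
    """Sibling hashes from leaf to root; "L"/"R" says which side the sibling sits on."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2 == 1:
            level = level + [level[-1]]  # same padding rule as build_tree
        sibling = index ^ 1
        side = "L" if sibling < index else "R"
        proof.append((level[sibling], side))
        index //= 2
    return proof

def verify_inclusion(commitment: bytes, proof: List[Tuple[bytes, str]], expected_root: bytes) -> bool:
    """What a voter runs: recompute the path from their receipt and compare to the published root."""
    h = leaf_hash(commitment)
    for sibling, side in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == expected_root

def demo() -> Tuple[bool, bool, bool]:
    """Constructed ballots: all proofs verify, and changing one ballot changes the root
    so the original receipt no longer verifies against the altered tree."""
    choices = ["alice", "bob", "alice", "carol", "bob"]          # constructed sample
    nonces = [b"constructed-nonce-%d" % i for i in range(len(choices))]
    commitments = [commit_ballot(c, n) for c, n in zip(choices, nonces)]
    levels = build_tree(commitments)
    published_root = root(levels)
    all_ok = all(
        verify_inclusion(commitments[i], inclusion_proof(levels, i), published_root)
        for i in range(len(commitments))
    )
    altered = list(commitments)
    altered[3] = commit_ballot("bob", nonces[3])               # ballot 3 silently changed
    altered_root = root(build_tree(altered))
    still_verifies = verify_inclusion(commitments[3], inclusion_proof(levels, 3), altered_root)
    return all_ok, published_root != altered_root, still_verifies

if __name__ == "__main__":
    print(demo())  # expected (True, True, False)
```

In a real deployment the voter would keep the nonce private and only the commitment, index and proof would be in the receipt; the proof is O(log n) hashes, so checking inclusion stays cheap even for millions of ballots.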

I don't know the technology, but I assume that system could be built.

The bad part about that is that if I can validate my vote after the fact, someone else can also demand to see what I voted for, and that opens the door for vote buying, intimidation etc.

No, not at all. You can vote anonymously and verify your vote but no one else can map that back to your identity.

As for rubber hose cryptanalysis, that is possible now.

Buying votes is already done.

You can buy the promise of a vote now, but it can't be verified on the individual level. On the precinct level you can, and that happens.

I think you could do some secure voting software if all your citizens had a secure two factor signature and you used block chain.

I'm not sure why you would do it in a non-corrupt country though.

And how do you prove that all of those citizens exist?

We have a secure, provable, relatively cheap method right now: Paper ballots and public observers at elections. Compared to the stakes the cost is peanuts.

Exactly, and the simple, physically decentralized, distributed, and somewhat resource/time intensive aspects of paper-based balloting are all great checks against easy attacks.

The fact that virtually anyone both capable and eligible to vote is also capable of understanding the voting process, as well as what kinds of physical acts are signs of fraud means that many more people can evaluate the process, and determine - even just by looking - whether something fishy is going on at their voting station.

Your average voter will be easily convinced that he "doesn't know enough to judge" whether something is fishy with his voting machine, even if something seems to be clearly malfunctioning; "oh don't worry sir, the print out might be wrong, but your vote was definitely counted correctly internally".

The rise of any form of electronic voting is really troubling - and don't even get started on anonymity concerns...

I live in Denmark, every citizen has a social security number and we all have access to a digital identification method called "nemID".

It's basically a login that's tied to a piece of paper containing a hash table of numbers you use for two factoring.

It's the safest citizen verification system we've ever had and it's basically used for any form of identification in the digital world, from banking to using our public sector.

Our government as an example used it to send digital mail to everyone in a secure mailbox called "eBoks" saving us billions in not sending paper (and bankrupting our postal service as a side effect).

We still use paper ballots for elections but it's frankly easier to fake an identity using those than if you were to sign in with "nemId". Today all you need to be allowed to vote is the paper you received and the right sex/age range. So basically I could vote for my brother if I obtained his ballot. With NemId I'd need his username/password as well as his keycard.

Obviously you'd have to anonymize it, but some digital systems being broken doesn't mean they all are or that our current system is that great.

I've observed elections in the Balkans, and they sure aren't safe or democratic despite being done the way you prefer, because it's so easy to exploit if you manipulate the paper trail.

I've worked as a DRO in the Canadian election. There is no way to steal an election in Canada. Whatever the Balkans have, that isn't what I'm talking about because the way it works in Canada is like this:

1. I take someone's ID, I look them up on the voter list. If they are not on the voter list I take their proof or the sworn testimony of someone that does live in the district that they live where they say they live. Either way, observers can record their name and supposed address.

2. I hand them a folded ballot and they go, with assistance from a family member if necessary, to behind a security wall to mark their ballot.

3. They place the ballot in the slit of the box, folded so their vote is secret, but visible to all observers so that they couldn't have snuck in a second ballot.

4. The ballot box never leaves public view. In the event of an emergency I take the ballot box and hold it high so that everyone can see it, especially the observers, until we get outside.

5. Anyone in line by the time the polls close is allowed to vote, and the number of voting locations is determined by a public service (not politicians) so we don't disenfranchise voters or unduly burden voters.

6. In full view of my assistant poll clerk and all observers we count every ballot. As DRO I have final say over questionable ballots. If I make an obviously unfair call observers can alert my superiors at Elections Canada. I only had to make one decision on one ballot out of around 500.

7. We compare the count of people, the count of the ballots we gave out, and the count of the ballots in the box. These all must match. If they do not match we count again. It's harder than you'd think because people accidentally fuck up ballots or someone can have the same name but be a different person. This can even happen at the same address! Usually a son being named after a father.

8. I fill out the vote totals and give one copy to Elections Canada, one copy to each party observer, and I keep one copy for myself. We then put security tape around a tamper evident bag with the original ballots for them to be counted again by Elections Canada HQ.

Now tell me, how are you going to defraud that system? We wrote down everyone's name; at most you might be able to get someone to vote on behalf of their brother here or there. Or the people voting by mail might have their ballots disregarded or changed, but most people vote on election day and Elections Canada is trustworthy and explainable to anyone.

I could never fully trust your NemId system because you could never prove to me that everyone that supposedly voted existed. In Canada's system we can literally count the people walking through the door and we can literally count the individual ballots.

Your system requires the people involved with counting not to lie. Works great in Canada, not so well in Serbia.

Aside from that it's literally impossible to obtain a nemid if you don't exist, and, once you cease existing so does your id.

No it doesn't, we have observers from every party. If I lie the press finds out.

False nemids can be created. Prove me wrong.

See the problem? Even if what you are saying is true it is very hard to prove the inverse and just the ability for foreign propaganda to delegitimise a voting process is enough reason to move to a voting system that is impervious to this type of attack.

This isn't how empirical evidence works. It's a system you know nothing about that has never been compromised, unlike a faked passport. It's impossible to prove you wrong because the burden of evidence is on your table.

What you are asking me to do is impossible because there is no way I can convince you when you've turned your back on facts.

Aside from that, the system you've described which works perfectly fine in Canada is extremely similar to the voting system in Iraq, Russia and Serbia, places where telling on liars obviously isn't hindering elections from being manipulated.

You may be safe right now, but you're protected by the people running your system, not the system itself.

Why do something simple, when we can do something complicated instead?

Well if your country is doing digital elections without citizen signatures and block chain, then chances are you live in a corrupt country. :p

The point is to do pen&paper elections instead. It's the ultimate "open source" solution since everybody who can hold a crayon in the right direction can participate in the verification of the process.

The problem with pen and paper elections is that they rely on honest counting.

It's true that it's easier to manipulate a terrible digital system but that doesn't mean pen and paper is safe.

Block chain technology would offer an open record that couldn't be manipulated, something paper does not.

I mean, I live in Denmark, one of the least corrupt countries in the world and we've had politicians caught changing votes with a pencil and an eraser during the count.

In Minnesota, honest counting is enforced by process. Any ballot handling, whether marked or unmarked, requires the presence of members of at least two different parties. At no point is a single person (or group from just one party) ever left alone with ballots.

We've had two full-on hand recounts at the state level in the past decade or so, and the final results were within a few hundred of the original count in each case, with three million votes cast. Good process solves a lot of problems.

No, you can't. Elections are completely unlike any other scenario that you might be trying to secure. Two-factor auth is of no use for elections.

I live in Denmark where we have a digital identity called "nemID". It's the safest form of citizen identification we've ever had and it would be immensely more safe for elections than our current system of sending out paper cards to be traded in for a vote.

On top of that the block chain could offer us a record that couldn't be manipulated.

Sure we don't have a lot of problems with voter fraud in our current system, but that doesn't mean it's not extremely vulnerable because it relies on honest counting.

There is no such thing as "safest form" of anything. You have to consider what threats you are trying to defend against. The threats that you have to defend elections against are completely different than anything else. In particular, elections have to defend against a government that tries to stay in power. A centralized form of identification can be the most dangerous thing for an election ever.

There is no such thing as a non-corrupt country.

Electronic voting is a bad idea and I'd be suspicious on anyone trying to promote it.

How can you know that even if the source code for the voting machine is open, the voting machine is running the exact same source code? How can you know nobody has tampered the code the instance is running?

I'm glad my country is still running on paper ballots and glad we require voter ID.

Came here to say that.

Transparent voting boxes, ballots in envelopes, manual redundant counting done by people, usually voters who were nicely asked if they can come back and help in the evening. That's what we use in France; you get the official result a few hours after the closing of the voting stations.

The whole process is watchable, from the sealing of the box the morning to the count in the end and parties send observers in random stations to check nothing fishy happens. An official log book is open for anyone to notice if they feel something fishy happened (you were not allowed to vote, the counting was unfair, etc...)

Oh, and make voting day a holiday, or just put it on Sundays.

I used to wonder how the US could not even get that last part right, but then I understood that a whole party thinks it is in its interest to have fewer voters.

About the author of the article: R. James Woolsey is a former director of the Central Intelligence Agency.

Sums it up.

> Oh, and make voting day a holiday, or just put it on Sundays.

> I used to wonder how the US could not even get that last part right, but then I understood that a whole party thinks it is in its interest to have fewer voters.

Historical reasons: http://www.whytuesday.org/answer/

Same in Germany.

The funniest thing is who is even eligible to be a candidate (not to mention his chances to win). And how the chosen legislation, which is the result of those elections, is far from the most fair - one approved by score voting in direct democracy.

Or make voting last multiple days instead of just one.

That makes it harder to keep an eye on the voting process from A to Z, which people do in the current process. If the box containing the ballots stays alone, trust is lowered.

Seriously, is it harder to make a daily holiday and a transparent process than landing a man on the moon with tech from the 60s?

The vote processing chain is lengthy, it is inevitable that a computer system will be inserted somewhere in that chain. Right now the push is to have these systems right at the front, facing the voter, but that isn't the only time the votes are processed electronically.

In my district we vote by coloring in little circles with a #2 pencil, we then feed that directly into an electronic machine that tallies the results for my district. While the paper I handled is stored in the machine, I am sure that the results are transmitted to the next link in the chain through some computer system.

With so many links in the chain, it's my opinion that it's unreasonable to expect them all to be processed by people. It won't scale and I'm not convinced that it's that much safer anyway. It would be my preference that the pieces of the system that perform this processing are backed with open source software.

At the very least, if there is a case where tampering is suspected, officials of the court can compare the software on the machine with the software in the repository. This would prove in a clear and straightforward manner that tampering has occurred.

As painful as it is, I think we all need to trust the state, to some degree, to do the jobs that are the responsibility of the state. Once the votes have been tallied for a district, isn't it possible to tamper with them as they are transmitted up the chain to the next link in the processing? Or when regions of the state send their votes up to whatever the next link might be? I think that is possible, the best we can hope for is to push for as much transparency as possible and hope that, if it comes to it, we have enough data to detect such tampering.

> With so many links in the chain, it's my opinion that it's unreasonable to expect them all to be processed by people. It won't scale and I'm not convinced that it's that much safer anyway.

I think the main argument for physical voting is that it's much safer precisely because it doesn't scale well - and so attacks against it don't scale well either. The manpower requirements buy you security.

> As painful as it is, I think we all need to trust the state, to some degree, to do the jobs that are the responsibility of the state.

I agree, but I think it does not apply to elections - simply because it's the one place where both the ruling party and competing groups have very strong incentives to mess with the process.

> Once the votes have been tallied for a district, isn't it possible to tamper with them as they are transmitted up the chain to the next link in the processing?

Yes, but again, the argument goes, the less scalable and more manpower-intensive the whole process is, the more difficult it is to hack.

> I think that is possible, the best we can hope for is to push for as much transparency as possible and hope that, if it comes to it, we have enough data to detect such tampering.

I agree with the call for transparency, but I also agree with the people who point out that inserting electronic systems destroys that transparency (too easy to hack, too complex for general population to inspect).

> I also agree with the people who point out that inserting electronic systems destroys that transparency (too easy to hack, too complex for general population to inspect).

Spot on. Democratic process means "owned by people". So the voting system must be able to be run in the hands of the people. Hence the necessity to have it in the form of a simple technology such as pen/paper.

Moreover, having the votes counted in some hours instead of a night doesn't make a big difference, considering the time that is needed for example, to form a government once the vote is closed.

I love computers, but they're not the right tool for this job. It's not much different from free software: the problem here is political rather than technical.

> having the votes counted in some hours instead of a night doesn't make a big difference, considering the time that is needed for example, to form a government

Yeah, in the US it takes 2 months to get the new President actually in the White House, no matter how quick votes are counted. They can easily spare a day or two to count everything three times over, the country will not go to the dogs in the meanwhile.

Ironically, timings are much more imperative in Europe, where electronic voting is less popular. Maybe because multi-party governments often require weeks of haggling, so a few extra hours counting votes are not particularly important.

And we didn't know the result of the 2000 election until December (when Bush v Gore was decided) so the country isn't going to descend into anarchy if counting takes an orderly couple of days.

Your entire premise is based on there being a long complicated chain, which I think is a bit of a red herring. Voting happens in districts. The totals for those districts are already posted publicly. There's no need to validate the entire chain when the lowest level is already open and free to be audited by anyone. Additionally, for the districts I'm familiar with, polls are staffed by volunteers and anyone is free to stand around and watch the whole process.

A paper ballot system where local volunteers from the district count the votes at the polls in a manner that can be observed would absolutely work for the US. It would be pretty easy to just write down what the volunteers counted and then check later whether that matched up with the nationally posted numbers. No long chain to decipher, no obscure software to worry about. And, as a bonus, there are places where this is already done this way, so really nothing needs to change policy wise (other than eliminating the other methods).

Electronics isn't a problem. The problem is electronics that you cannot personally verify. Every step can be electronic and things be just fine. However if someone decides to cast doubt on any point in the chain it needs to be possible to verify that link actually was done correctly.

With your system I can cast doubt on the entire chain, and there is no problem because you can remove all doubt by taking those paper ballots and counting them all by hand. With several hundred million ballots to count it is obviously expensive (in man-hours), but you can see how to verify that count. Note that the above verification is something your average idiot with no knowledge of computers can understand and trust.

There exist systems that are all electronic: the voter pushes a button (on a touch screen) and from there on we only have the count. As a programmer I can think of many ways I can make the voting system change a few votes and there is no way to know that the machine's count is wrong.

Part of what makes this hard is that anonymous votes are important. There are cases in history where someone was forced (with a gun) to vote for someone they probably wouldn't have voted for otherwise. We have solved this problem by having watchers at the polls (from all sides) ensure that nothing funny happens at the polls, and once you leave the booth nobody has any way to know who you voted for.

The above is why I think absentee voting needs to be restricted to those who physically cannot get to the polls on voting day (I'm fine with a voting week or month).

> While the paper I handled is stored in the machine, I am sure that the results are transmitted to the next link in the chain through some computer system

I've worked with the New York City Board of Elections [1]. We have what I consider to be best in class: electronically-scanned paper ballots.

When a voter walks in, their name is checked against the rolls and the stub number on the blank ballot they're given is recorded. The voter marks the ballot in confidence and then inserts it, themselves, into an optical scanner. The scanner increments a "public count" by one and drops the ballot into a locked box.

At the end of the day, the public count is compared to the count at the beginning of the day. (These counts are publicly recorded for each machine and do not increment down over the life of the machine.) The aggregate votes to each candidate are then printed to a tape and posted publicly.

The machine also uploads these data to a USB drive, which is taken to a computer at the poll site for electronic transmission to the Board. Before transmission, anyone may compare those numbers to the tape or public count. (The scanner workers have to certify the electronic transmission before it's sent.) The NYPD then collects the machines, paper ballots and tapes.

Throughout the day, anyone may see the public count at each scanner. At the end of the day, anyone may review the publicly-posted tapes. Stub numbers for the paper ballots issued and public counts recorded are reconciled, with multiple poll workers certifying the reconciliation.

It's a messy system, but it's robust. The public count means you'd have to compromise everybody at a poll site to add or destroy ballots. (Or, you'd have to predict who won't vote and manually commit fraud.) To tamper with the votes, you'd have to compromise machines before they print their tapes. You'd then have to hope the Board's random audits don't attempt to reconcile the paper ballots with the compromised tapes.

[1] http://www.vote.nyc.ny.us/html/home/home.shtml
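The reconciliation described in the comment above (stub numbers recorded at check-in, a per-scanner public count that only goes up, a results tape per scanner) boils down to a handful of invariants that poll workers check by hand. The following is an added example, not code from the NYC Board of Elections, that runs those checks over constructed sample records for one hypothetical poll site; the record layout, the single-race tape and the assumption that spoiled ballots are not tracked are all assumptions made for the example.

```python
"""Reconciliation checks for an electronically-scanned paper-ballot poll site.

Added example with constructed data; it is not the Board's own software.
Assumptions: one race per tape, no spoiled-ballot log, stub numbers are
recorded for every ballot handed out.
"""
from dataclasses import dataclass


@dataclass
class ScannerRecord:
    scanner_id: str
    public_count_open: int        # counter reading when the polls opened
    public_count_close: int       # counter reading when the polls closed
    tape_totals: dict             # candidate -> votes as printed on the tape


@dataclass
class PollSite:
    stubs_issued: list            # stub numbers logged at the check-in table
    scanners: list                # ScannerRecord per scanner at the site


def reconcile(site: PollSite) -> list:
    """Return human-readable discrepancies; an empty list means the site reconciles."""
    problems = []

    # Invariant 1: a stub number identifies one blank ballot, so a repeat in the
    # check-in log means a ballot was issued twice (or the log was edited).
    if len(set(site.stubs_issued)) != len(site.stubs_issued):
        problems.append("duplicate stub numbers in the check-in log")

    ballots_scanned = 0
    for s in site.scanners:
        # Invariant 2: the public count never decrements over the machine's life.
        if s.public_count_close < s.public_count_open:
            problems.append(f"{s.scanner_id}: public count went down")
            continue
        scanned = s.public_count_close - s.public_count_open
        ballots_scanned += scanned

        # Invariant 3: a tape cannot report more votes than ballots scanned.
        # Fewer is normal (undervotes / blank ballots), more means the tape or
        # the machine that printed it is wrong.
        tape_votes = sum(s.tape_totals.values())
        if tape_votes > scanned:
            problems.append(
                f"{s.scanner_id}: tape shows {tape_votes} votes "
                f"but only {scanned} ballots scanned")

    # Invariant 4: every ballot issued went into a scanner and nothing extra did.
    issued = len(set(site.stubs_issued))
    if ballots_scanned != issued:
        problems.append(f"{issued} ballots issued but {ballots_scanned} scanned")
    return problems


def clean_site() -> PollSite:
    """Constructed sample: 50 ballots issued, two scanners, totals consistent."""
    return PollSite(
        stubs_issued=list(range(1001, 1051)),
        scanners=[
            ScannerRecord("scanner-A", 120, 150, {"X": 18, "Y": 10}),  # 2 undervotes
            ScannerRecord("scanner-B", 300, 320, {"X": 9, "Y": 11}),
        ],
    )


def tampered_site() -> PollSite:
    """Constructed sample: a repeated stub and a tape with more votes than ballots."""
    stubs = list(range(1001, 1050)) + [1001]  # 50 entries, only 49 distinct
    return PollSite(
        stubs_issued=stubs,
        scanners=[
            ScannerRecord("scanner-A", 120, 150, {"X": 18, "Y": 10}),
            ScannerRecord("scanner-B", 300, 320, {"X": 15, "Y": 11}),  # 26 > 20
        ],
    )


if __name__ == "__main__":
    print("clean:", reconcile(clean_site()) or "reconciles")
    for p in reconcile(tampered_site()):
        print("tampered:", p)
```

None of these checks needs the scanner's cooperation: the public count, the stub log and the printed tape are all things an observer can read, which is what makes the comment's "you'd have to compromise everybody at a poll site" argument hold.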

> While the paper I handled is stored in the machine, I am sure that the results are transmitted to the next link in the chain through some computer system.

How can you be sure about that?

> With so many links in the chain, it's my opinion that it's unreasonable to expect them all to be processed by people. It won't scale and I'm not convinced that it's that much safer anyway.

The point is that if you are not convinced, you can go and observe the process. The point is to remove as much trust as possible. The point is not to just have some human in the loop, but to make sure that people who distrust each other can personally make sure that the correct procedure is being followed.

> It would be my preference that the pieces of the system that perform this processing are backed with open source software.

The problem is that you have no way to verify that what is actually processing your vote is the open source software that you hope it is.

See also Ken Thompson's classic "reflections on trusting trust":


> At the very least, if there is a case where tampering is suspected, officials of the court can compare the software on the machine with the software in the repository.

No, they can't. The only way to check what software is running on the computer is to use software that is running on the computer, which is thus also suspect. That is, short of decapping each and every chip in the one computer that you are trying to check and extracting all the circuitry and all storage bits in it.

> As painful as it is, I think we all need to trust the state, to some degree, to do the jobs that are the responsibility of the state.

But ensuring trustworthiness of elections is not one of those. Elections are the anchor that all the other trust that we put into democratically elected governments is anchored at, it's the one lever that we have to remove governments that turn out to not be trustworthy. You cannot trust the government to remove itself in case you want to have it replaced.

> Once the votes have been tallied for a district, isn't it possible to tamper with them as they are transmitted up the chain to the next link in the processing?

If the election is run properly: No.

Representatives from each party will be observing the election process at every polling station, and the general public can usually also observe if they wish to, from opening until the votes are counted. Also, election results should generally be published broken down by polling station, so each of the observers can check that what they observed at their polling station actually matched what went into the total.

There is absolutely no place for trust in elections.

Where is the good old Anonymous when we need them?

We need a high-profile hack of some local elections to drive that point home. Something done completely for teh lulz, leading to a result so absurd the elections would have to be redone.

If all that was at risk was a night in police jail and a slap on the wrist, it would be done, but reading the sentences one faces for election tampering is really chilling.

I would not risk it for a million, I will certainly not risk it for the lulz. Plus, in most cases, it involves (laughably weak) physical security. I am less confident on how to hide my tracks there and I suppose many would-be hackers feel the same.

It doesn't matter what gets done, it matters how it's portrayed. Such a hack would just be used by the media to vilify their target-of-the-week, and politicians to institute ever-more-prominent centralized electronic controls that don't grant any related protection, but allow them to expand their personal influence and institutional surveillance surfaces (see also: TSA).

In fact, the media is already trying to CYA, and the state is already trying to expand control, by claiming that such a hack was perpetrated by a nation-state in the 2016 election, and that that's why they were so egregiously wrong in everything they said about Clinton/Trump in the preceding 18 months.

At defcon this year they had a bunch of the popular electronic voting booths set up, and they were all hacked within 6 hours. A big problem is having physical access to the booth. All of the hacks involve picking a lock.

Given that the voting computers sit in some warehouse between elections, that's not really a big hurdle.

Yep, here's the post from Science Friday: https://www.sciencefriday.com/segments/hacking-the-vote-how-...

Unfortunately it would need to be a hack that purposefully gets itself caught in order to drive any point home. I can imagine the risk vs reward on something like that would be very undesirable.

> the voting machine is running the exact same source code?

Or that the processor is trustworthy? Many voting machines are using old processors, such as the 68000, and it would not be too hard to emulate a rogue processor that will have a different behavior, whatever the source code is.

You can also change the behavior of the voting machine at a certain time, or in certain conditions (such as detecting that a voting session has started).

The problem is not that voting machines are vulnerable to one or two attacks. There are thousands of ways of compromising them.

The only answer to this is that cryptography specialists do not have any answer for secure electronic voting not involving a physical element (a bulletin, a receipt, etc.). This means that there is no THEORETICAL solution.

There are attempts to create end-to-end auditable voting systems, where you don't have to trust the organizers or machinery not to trick you, and you can validate that your vote was counted correctly.


Sadly, as far as I know, none is without issues (older systems were found to have various problems, and newer stuff is still bleeding edge that wasn't yet reviewed thoroughly).

The trick is that you don't just have to convince somebody (a security expert) that the system is trustworthy, you have to convince everyone (voters) that the system is trustworthy. Anything more complicated than paper ballots counted in public will leave room for doubt.

There are systems that are essentially paper ballot and by no means remove the "classic" experience, but have extra properties that allow audit, e.g. https://en.wikipedia.org/wiki/Punchscan

Paper ballots leave a lot of room for doubt in my mind. How can you recount the ballots and come up with a different number? This shouldn't be possible, but it happens all the time: https://en.m.wikipedia.org/wiki/Election_recount

Thinking out loud here, how about a blockchain based solution? Each user gets a new address, and that address is printed on a receipt after you vote. This way you can verify your vote at anytime, and the votes can be counted in public.

The entire point of a recount is that when the votes are close enough to swing the balance of an election, they're recounted, potentially repeatedly until we can be sure they're correct. They're essentially never more than a few votes off either way. If it's not close enough to swing the balance of the election, it doesn't really matter that a dozen votes were miscounted - we'd prefer that not to be the case, obviously, but not by breaking the other properties of the system.

Short of some very very clever cryptography, you really, really don't want to be able to verify your individual vote, because that means you can verify it to others - the entire point of this process is to avoid coercion, or else there's much simpler solutions. (Pull everyone into the polling station at once and have a show of hands, for example.) You want to verify that one ballot was given to each person registered to vote, and that all votes were counted correctly, but you don't want to verify that an individual person's vote was counted correctly.

If you're concerned with inaccurate recounts, you should be more concerned with systems for which recounts are not possible at all. Like the US's closed-source black-box voting computers that are currently in use.

Putting aside theoretical possibilities, at this point in time approximately nobody is going to trust a blockchain system. Between "Isn't that the stuff you use to buy drugs online?" ignorance and the all-too-real history of everything that has happened with Ethereum to date, that just won't fly.

A ballot design that is prone to getting different results when recounted (hanging chads, etc) is a bad ballot design. Fix your ballot design first.

>Each user gets a new address, and that address is printed on a receipt after you vote. This way you can verify your vote at anytime, and the votes can be counted in public.

Voting receipts like this are bad. They enable people in power (bosses, spouses, etc) to intimidate you into voting the way they want to see and to threaten to punish you if you don't, because they can force you to prove the way you voted. It also allows vote buying.

Good question. Volunteer to help with your local elections. Learn how it's done.

As for blockchains: Voters sign in before they cast their ballot. If the order in the pollbook matches the order the ballots are recorded, no more secret ballot.

Any crypto- blocko- based system that both protects the secret ballot and ensures the public vote count (aka Australian Ballot) has to create a digital equivalent to the physical secure one-way hash (shuffle) of dropping a ballot into a box.

The wikipedia link mainly mentions crypto-methods...how exactly is a non-engineer supposed to end to end verify this? If you use paper ballots you can simply sit down and count...heck not even that basic math if you get creative with sorting

I agree with you entirely. There is no absolute way that we know of to truly know the code running is the exact code on GitHub. You can fake that it is in many ways, I don't see people running shell commands on the software before and after they vote to make sure it's the correct software. Even IF that software remains uncompromised, who owns the database? Who stops them from-

Way too many factors...

On top of this, we all know that if it was implemented as well as physically possible, there would still be vectors for attack. However, if current voting machine trials are anything to go by, it's usually implemented extremely poorly.

> I don't see people running shell commands on the software before and after they vote to make sure it's the correct software.

How would you know the shell itself, running on the machine you're trying to verify, isn't lying to you?

> and I'd be suspicious on anyone trying to promote it.

It's just a former CIA Director signing the op-ed. It's not like they have a collection of zero-days and other exploits, is it?

Not just the software we should be concerned about, hardware too.

Why use a voting machine at all? Isn't the main point of having a polling location simply so you can verify your identity? If we could come up with a system that allowed one's identity to be verified online, or by postal service, then do we really need thousands of machines collecting the votes? Couldn't it be centralized to a handful of more easily audited systems?

No, the point of a polling station is so that there's provably no coercion. You fill out your ballot in secret, you're not permitted to take a photograph of it, and you place it in the ballot box without telling anybody what you've voted for.

The more you allow people to vote from their homes, the more likely it is that people can be coerced into voting the way their partner, employer, or otherwise, want them to.

You missed one important criterion. After you vote there is no way for you to prove who you voted for. If you could verify it after the fact then it opens up potential for coercion or incentives.

>You fill out your ballot in secret, you're not permitted to take a photograph of it, and you place it in the ballot box without telling anybody what you've voted for.

In the US, only one of those is guaranteed [0]. In California, where I can get an absentee ballot just by asking for it, none of those is guaranteed.

[0] https://www.bloomberg.com/news/articles/2017-04-03/ballot-se...

Yes, well, the US also broadly thinks electronic vote recording is a good idea. Let's not pretend it's any good at designing voting systems.

There's some challenging requirements around this. You need to positively identify someone as having the right and ability to vote (no dead people voting like in Illinois). You need to make sure they vote only once (no ballot box stuffing). You need to make sure their vote wasn't coerced (as far as you can). You need to make sure their vote is anonymous (to protect the voters from retaliation). And it needs to be easy enough so that your 80 year old grandmother can do it.

Well, could you turn on the web cam and attach a picture of the person voting while they are voting?

My country doesn't require voter ID at all, other than confirming a few details, and most studies here have shown that requiring ID didn't cut down on fraud.

For me it's important that the barrier to voting is as low as possible, and we don't have a government issued ID that is free.

That should be solved by issuing a free government ID, not by compromising and creating a giant loophole when potentially citizens of other countries can vote in your election and there is no way to verify that.

Not as easy as it sounds. I was in a Government office for some tax related reason and was in line behind some guys trying to apply for their 'electrical card' (sic, electoral). This is in N. Ireland, which unlike the rest of the UK requires ID to vote.

They were having to be talked through filling in the form only to hit a roadblock when it came to proof of address. After expressing their voluble disbelief at some length that the handwritten doctor's note they had would not suffice, they eventually left empty-handed. (Incidentally, they were only looking for the card to use it as ID for flying; they had no interest in voting.)

Now these guys were obviously jokers, but it shows you will need a certain degree of application and time to get even the most rudimentary of verifiable ID. Even the conscientious may find themselves not getting around to getting the ID before election and losing their vote.

That's an implementation problem, not an argument against making sure only eligible citizens can vote.

Why not have a national ID like in some European countries? Issue it at the age of 15; you can go to a government office with your parents when you are 15 and get your ID.

You can pass sensible legislation for this. Have a grace period of 2 election cycles to allow all the people who want to vote enough time to get their ID (10 years is more than enough time to prove your address).

Why do you need to have an address? What is wrong with being homeless?

I was reacting to the parent comment. For some reason, in the Northern Ireland example cited there, proof of address was required.

Government can issue IDs without proof of address. This is a matter of implementation. For a national election at least you shouldn't need it. For local elections it should be required.

Governments can and do issue ID using whatever criteria they see fit. But the lesser the criteria, the weaker the proof. I mean, you need a photo at least, right? And presumably some means of proving that photo is you (for passports in the UK you have to get a doctor or similar person of authority to sign a declaration). So it's not such a simple matter.

In my country, where everybody has a national ID, you go to the police station when you turn 15 to pick it up. You don't have proof of address when you are 15 because you live with your parents. So they send a letter to the address of the parents.

Like I said, studies have shown that having an ID didn't change much. Plus, they already can! Commonwealth citizens can vote in UK elections pretty much as soon as they arrive.

I question the results of these studies. I think it's very difficult to measure empirically how many people are cheating if it is not required to have voter ID / some sort of proof of your identity when voting.

Have you read the unnamed studies?

Presumably at least a few of them anticipate the easy problems and design a methodology appropriate to dealing with them.

For instance, if voter ID is highly effective, you'd expect much higher rates of double votes under a given registration in places that don't require it (unless the cheaters are masters of anticipating registrants that aren't going to vote).

If you're primarily worried about attacks which can modify the result of elections, your threat model is broken.

What should you be primarily worried about? It's like serving your e-commerce website over HTTP because there have been very few security breaches. Why not get a certificate and use HTTPS? It's a massive improvement in security for a very small cost.

Not analogous, because attacks relying on coordinating large numbers of people (with a high rate of detection) simply don't scale. We should be worried about electronic attacks on voting infrastructure, political attacks on districts, political attacks on the registration process etc.

I'd rather say it's a good idea but it also is a technical problem that is not yet convincingly solved. It is clear though that open source by itself is not a solution, for the very reason you mention (how can one be sure about what code is running on a machine one doesn't own?).

That being said, from time to time articles show up about someone who claims to have invented a viable solution. So we should not diss the idea, and should keep an open mind. Eventually someone will find a solution.

"Eventually someone will find a solution."

First define the problem.

I demand the Australian Ballot: private voting, public counting.

After studying this extensively, I believe there is no way to digitize elections and preserve the Australian Ballot. Because there is no digital equivalent of the physical secure one-way hash (shuffle) of dropping ballots into a box.

Any crypto- blocko- based system has to design for the whole election. Not just the voting. Including pollbooks, which record when ballots are issued to voters. Including precinct-based election counts, because every single precinct gets a different ballot (say 500 voters).

Maybe someone will prove me wrong. Cool. Then show me. The burden of proof is on them, not me. Otherwise, stop wasting everyone's time with technophilia sideshows. We've got real democracy with real work to do.


Alternately, any proposal has to replace the Australian Ballot with something new. Some ideas which would simplify the problem space:

- replace winner takes all with Approval Voting;

- issue separate ballots for federal, state, county, and local elections;

- decide that time-boxed privacy, where the secret ballot is preserved until an election is certified and then made public, is sufficient

- supplant our current loose voter ID regime with some kind of U2F futuretech.

pvote.org seems like a decent solution, it's <500 lines of code that needs to be audited.

That doesn't handle auditing the machines themselves, but as the 2016 US presidential election recount found in Wisconsin, the tamper-evident machines showed evidence of tampering, so maybe we're closer to knowing whether the trusted systems we use to count votes are trustworthy.

Of course, the current machines are still Diebold ("Premier Election Solutions"), so who knows. Ken Blackwell will make sure only the right folks vote, anyway, just like he did in 2008.

> pvote.org seems like a decent solution, it's <500 lines of code that needs to be audited.

Quoting from the website:

"Pvote is small. The current version is 460 lines of Python. It uses Pygame for graphics and audio."

So, add to that 130000 lines of pygame, 1.5 million lines of cpython, 14 million lines for gcc, 20 million for the linux kernel, ... and you haven't even begun to list all the stuff you would need to audit?

There's a lot more to elections than tabulation.

Mapping, voter files, candidate filings, canvassing reports, ballot artwork, translations, ballot tracking, etc.

All of it should be open source. The way it used to be. Before the vendors smelled blood. (Especially after HAVA.)

I traveled my state advocating "citizen owned software". Everyone gets that phrasing. Overwhelming support.

I agree, you'd need a way to verify every machine is running the open source software. The risks are too great that you'll fail, and the rewards for anyone that can hack the machines too great.

To say a machine hasn't been hacked is trying to prove a negative.

Every time we vote, there is more talk about the burned ballots, unopened chests, uncounted votes and fraud concerning votes being collected from neighboring countries posing as people from my nation.

So yeah. Doesn't really matter whether it's electronic or not.

So you mean it doesn't really matter whether we even know about the fraud happening?

Most fraud, other than the most primitive attempts by idiots, goes unnoticed. If voter ID is not required, it is not possible to prevent people who don't have the right to vote from voting.

> Most fraud other than most primitive attempts by idiots goes unnoticed.

You know this how, exactly?

It is my personal opinion. I think it's logical that it is easier to fraudulently vote if you don't need a voter ID.

It is also logical that voter fraud isn't necessarily an outcome of having no voter ID.

I'd like to reference Tom Scott's video[0] here. There is no need for an electronic voting system, paper ballots work perfectly.

[0] https://www.youtube.com/watch?v=w3_0x6oaDmI

Depends on what your need is. If you need to alter votes, it's an extremely good system!

This video is absolutely an amazing summary. Thanks for linking it!

Until you want to scale due to using rapid direct democracy. Paper ballots will still WORK perfectly, but the workload will be massive.

Which is something you can justify IMO for a direct, just, free, equal and confidential election.

The gold standard is paper ballots cast at a precinct, counted the moment the polls close.

In the USA, average precincts are 500 voters. Totally doable. In fact, that's how many jurisdictions did it.

This is plain bullshit. Opensource gives no guarantee that the vote won't be altered by whoever runs the machine.

What we need is a zero-knowledge proof: we need the entire voting dataset to be publicly downloadable and some kind of checksumming so that, while maintaining anonymity, I can 1) check that my vote is the same, 2) run the whole count in a blink on my PC.

This gives much better guarantees of no tampering.

One other requirement too.

3) Users should not be able to prove to another person who they voted for

This is to prevent people from using threats of violence or promise of reward to coerce others into voting a certain way.

Unfortunately, this requirement is very hard to fulfil while also fulfilling requirement 1.

4. Check that all votes in the tally belong to actual, eligible voters.

Verifying your vote is in the sum, and tallied, is not good enough if the result is swamped with, or more craftily, the balance just tipped by fake votes.

I have no idea how you would implement that.
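Requirements 1 and 2 above (find your own vote in the published data, recount it yourself) are easy to get with a plain hash commitment; the thread's point is that the very receipt which satisfies requirement 1 is what breaks requirement 3, and that none of it addresses requirement 4. The following is an added toy example, not a scheme from the thread or any real voting project, that makes that tension concrete: each voter keeps a random nonce as a receipt, the bulletin board publishes (tag, choice) pairs, and the same lookup that lets the voter verify lets a coercer verify. The board layout, the nonce format and the function names are assumptions made for the example.

```python
"""Toy hash-commitment bulletin board, added as an illustration only.

Shows why "verify my own vote" (req. 1) and "count it myself" (req. 2) are
cheap, while "cannot prove my vote to anyone" (req. 3) fails as soon as a
receipt exists, and "only eligible voters counted" (req. 4) is not addressed.
Constructed data; not a real voting protocol.
"""
import hashlib
import secrets
from collections import Counter


def _tag(nonce: str, choice: str) -> str:
    """Commitment tag published next to the choice on the board."""
    return hashlib.sha256(f"{nonce}:{choice}".encode()).hexdigest()


def cast(board: list, choice: str) -> str:
    """Append a vote to the public board; return the voter's receipt (nonce).

    Anyone can append, so eligibility (requirement 4) is not enforced here.
    """
    nonce = secrets.token_hex(16)          # receipt the voter walks away with
    board.append((_tag(nonce, choice), choice))
    return nonce


def verify_own_vote(board: list, nonce: str, choice: str) -> bool:
    """Requirement 1: a voter with the receipt finds their exact entry."""
    return (_tag(nonce, choice), choice) in board


def tally(board: list) -> Counter:
    """Requirement 2: the whole count runs locally over the public data."""
    return Counter(choice for _, choice in board)


def coercer_can_confirm(board: list, nonce: str, demanded: str) -> bool:
    """Requirement 3 fails: whoever obtains the receipt runs the same check
    the voter does, so the receipt doubles as proof of how the vote was cast."""
    return verify_own_vote(board, nonce, demanded)


def simulate() -> dict:
    """Constructed election: 3 votes for X, 2 for Y, plus one forged entry."""
    board = []
    receipts = [cast(board, c) for c in ("X", "X", "Y", "X", "Y")]
    cast(board, "Y")                        # nobody checked this voter's eligibility
    return {
        "board": board,
        "receipts": receipts,
        "first_voter_verifies": verify_own_vote(board, receipts[0], "X"),
        "first_voter_cannot_fake": verify_own_vote(board, receipts[0], "Y"),
        "coercer_confirms": coercer_can_confirm(board, receipts[0], "X"),
        "tally": tally(board),
    }


if __name__ == "__main__":
    r = simulate()
    print("tally:", dict(r["tally"]))
    print("voter verifies own vote:", r["first_voter_verifies"])
    print("coercer holding the receipt confirms it too:", r["coercer_confirms"])
```

Without the nonce the tag reveals nothing, so the board itself does not deanonymize anyone; the leak is entirely through the receipt, which is why the thread's conclusion is that a system satisfying 1 and 2 needs a deliberate mechanism that makes receipts unconvincing to third parties.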

I think this makes a lot of sense. I'm not sure a checksumming method that can indicate tampering can be devised, but my hope would be that by making the data publicly available for every stage of the processing pipeline, auditors or interested parties might be able to detect fraud.

But the data is worthless if you cannot trust the way it has been acquired.

I'm not sure there's a way that a skeptical person can ever trust that data, short of physically handling each piece of paper and manually summing up the totals. People are as much of a black box as any software.

I suppose the only benefit of people is that they are more difficult to coordinate.

The point is not using people in place of machines as trust anchors. The point is that you remove the trust anchor (or move it to the public at large, really).

In a properly run paper election, there is no individual that you have to trust. In principle, anyone can go and watch, and usually there are representatives of many/all parties in every polling place, watching every step of the process. It's not just that people are more difficult to coordinate or control in general, it's that if someone distrusts you, they can come and watch for themselves.

This does not ensure the data itself isn't wrong.

First and foremost, use paper ballots. Before anything else. The paper ballots are the System of Record. If ever in doubt about downstream results, paper ballots can be hand-counted. (Additionally, use paper voter rolls. Mark registered voters when they vote, and track any same-day registrations on paper. The exact number of ballots cast can be extracted from the voter rolls.)

Second, never allow paper ballots to be handled by just one person, or by only members of one party - whether blank or used. Require that members of at least two political parties be present any time the ballots are physically touched.

Third, if using machines to read the ballots (ScanTron, etc), conduct spot counts of random machines, to make sure the machine results match the paper ballots. Conduct spot counts of entire polling stations randomly to make sure result totals match voter roll totals. Although this isn't 100% certain, it doesn't take a lot of spot checks to detect any sort of large-scale fraud effort.

Do these things, and it's exceedingly difficult to do statistically meaningful vote fraud, because we have a high degree of trust in the paper ballots and their surrounding process. From there, you can use automatic ballot reading and tallying to get fast results - the vote counting/tallying automation is derived data, not the System of Record.
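The "it doesn't take a lot of spot checks to detect any sort of large-scale fraud effort" claim in the third step above is a sampling statement, and it can be made exact: if `tampered` of `total` machines (or polling stations) have tapes that disagree with their paper ballots, a uniform random spot check of `sampled` units catches at least one with a probability given by the hypergeometric distribution. The following is an added example, not from the comment's author, that computes that probability and the smallest sample that reaches a target confidence; the function names and the sample numbers are assumptions made for the example, and it generalizes the comment's point by also showing that small-scale tampering needs a near-full count to catch.

```python
"""Detection power of random hand-count spot checks (added example).

Model: `total` units (scanners or polling stations), `tampered` of which have
a tape that does not match their paper ballots. A spot check hand-counts
`sampled` units chosen uniformly without replacement and flags any mismatch.
"""
from math import comb


def detection_probability(total: int, tampered: int, sampled: int) -> float:
    """P(at least one tampered unit lands in the sample)."""
    if tampered <= 0 or sampled <= 0:
        return 0.0
    if sampled > total - tampered:
        return 1.0                        # pigeonhole: cannot miss them all
    # Probability the whole sample is drawn from the untouched units.
    p_miss = comb(total - tampered, sampled) / comb(total, sampled)
    return 1.0 - p_miss


def sample_size_for(total: int, tampered: int, confidence: float = 0.95) -> int:
    """Smallest spot-check size that detects `tampered` units w.p. >= confidence."""
    for n in range(1, total + 1):
        if detection_probability(total, tampered, n) >= confidence:
            return n
    return total


def audit_plan(total: int, fractions=(0.01, 0.05, 0.10), confidence: float = 0.95) -> dict:
    """Sample sizes needed for several assumed tampering fractions."""
    return {f: sample_size_for(total, max(1, int(total * f)), confidence)
            for f in fractions}


if __name__ == "__main__":
    # Constructed scenario: a county with 1000 scanners.
    print("5% tampered, 60 checked:",
          round(detection_probability(1000, 50, 60), 3))
    for frac, n in audit_plan(1000).items():
        print(f"{int(frac*100):>3}% tampered -> check {n} of 1000 for 95% detection")
```

Two things fall out of the numbers. Tampering that is large enough to matter (a few percent of units) is caught with a few dozen hand counts, which is the comment's point. Tampering confined to a single unit needs 95% of all units counted to reach the same confidence, which is why a fixed random sample is a deterrent against wholesale fraud rather than a guarantee against a single altered tape; catching the latter is what the full recount provision is for.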

A child can understand paper ballots and why they work.

There are probably less than a hundred people in the world who can understand an electronic voting system at every level down to and including the silicon.

Bingo. And those of us who've studied voting computers extensively have concluded they're to be avoided.

To protect voting don't use electronic voting.

Paper ballots (the kind with marks read optically, not the ridiculous punch cards at the center of the Florida 2000 debacle) are easy to use and understand with a very low error rate and keep a paper trail, being the actual ballots.

I don't understand why anyone other than the companies who sell e-voting machines actually want electronic voting.

You have to hang out with election administrators to grok that. Their motivations are not the same as the voters. Their election night prayer is "Please God, don't let this election be close."

They want certainty more than any thing else. For decades, computers were regarded as more accurate, impartial, certain than human tabulators.

Second factor is appropriations. Elections are big money. And like all industries, there's a revolving door between government and industry.

Admins also want control. Their impulse is to centralize, simplify. Think of the logistics of running 100s of voting sites, 1,000s of precincts. All the training, people, materials, gear that has to be stored, shuttled around, repaired, etc. Moving to voting computers, reducing head count, moving to central count seemed like a huge win. (But you and I, computer people, know they just traded problems.)

To protect voting, use paper ballots.

Valid ID should also be required.

With paper ballots how do we guarantee those with a right to vote who cannot travel to a secure voting location have the ability to do so?

ID is only necessary if you haven't already established the right to vote in a particular location. After that, you're on the list and it's remarkably difficult to get you off of it; as it should be.

ID requirements are frequently used in order to deny voting to people who are poor or otherwise find it difficult to get particular documents.

Paper ballots without voter ID requirement are ridiculous.

The UK seems to manage OK (ID is only required in Northern Ireland). 2015 saw 37 allegations of personation out of 51.4 million votes cast (https://www.ncpolitics.uk/2016/12/how-big-a-problem-is-votin...).

Yes. My point would be that allegations of personation are a meaningless number. Because if there is no voter ID you would not get many of these allegations either way.

Only if those perpetrating this kind of fraud somehow knew who wasn't going to bother voting, otherwise you'd have large numbers of people turning up to vote only to discover that someone had already voted in their name.

Works fine in the UK, voter fraud is tricky (although there have been cases with postal votes) when there's a piece of paper that can be physically counted again.

Very hard to defraud if you are in, purely for example, Russia.

Lots of EU nationals living in the UK have no right to vote. But they are physically in the UK. I think the vast majority of them would never think about fraudulently voting.

But think about it logically: if voter ID is not required then it is easier to fraudulently vote. That seems logical to me. Do you have a counter argument?

Voting still requires registration, which requires eligibility. At this point, you are also checked for uniqueness, so you can't just keep moving house to get more and more votes.

You can't just turn up at any polling station and say "give me a ballot paper", you turn up at the right polling station for your address and tell them your name and address.

They cross you off the list and if the same person tries to vote again, the voter is challenged, and a special (tendered) ballot paper is issued (which isn't counted in the vote). If a ward returns a significant number of tendered papers, then the returning officer can take action.

Polling places are small, and serve no more than 2500 voters.

So. In order for an individual to vote fraudulently, they must pretend to be an actual voter, they must know the name and address of the voter(s) they are pretending to be, they must do it early in the day, and they can't just keep going into the same polling station over and over, pretending to be someone new, otherwise they are likely to be recognised.

In order for a group to do this at a scale that matters, they must also be pretty sure that most of the real voters aren't actually going to turn up to vote.

Given all that, it is probably easier to engage in intimidation and/or bribery of actual voters, than to fraudulently complete ballot papers yourself. Voter ID doesn't protect against that.

Though, here in the UK, I've actually had more than one polling card show up at different addresses. Technically, I could have traveled to the other town and voted there as well. Not that that's legal mind.

Different locations do it differently. I know of one area where all you need is someone with an ID to vouch that you are a resident of that area, and you can register (under any name you want) and vote. Poll watchers have told me about cases where a bus shows up, one person vouches for everybody on the bus, and so they vote. They are sure it is fraud, but nothing can be done about it.

If it is true or not I don't know, but it is a real concern if so.

That sounds like a ludicrous system, designed specifically to encourage fraud.

> If it is true or not I don't know, but it is a real concern if so.

This is the most important part of your post. The same could be said of sea monsters and getting stuck if the wind changes when you're pulling a funny face.

I am really trying to figure out how not requiring an ID makes it easier to fraudulently vote.

Can you please walk me through a scenario for how someone could commit voting fraud in a way that would be stopped by a voter ID? The only one I can think of is saying you are someone else in your community, like your neighbor... but they are going to find that out right away when your actual neighbor goes to try to vote and finds out someone else has already voted in their name.

How would you commit your fraud?

As someone who is a firm supporter in free software as the best option in every area, this feels like a subversive attack.

Voting software is bound to fail, no bug bounty is big enough to offset the billions that could be made off of hacking an election. It is bound to fail spectacularly, and then for the rest of time people can point at the election and say "the ability to see the source code let this happen."

Geneva has made its e-voting software public: https://republique-et-canton-de-geneve.github.io/chvote-1-0/...

I'd much prefer electronic to paper. Last year I voted on 24 initiatives, and that is just the federal level. It also does not include elections.

Someone needs to start a campaign: "Say No To Electronic Voting"

Well, IMHO a good way to digitize voting would be to give out a USB-drive-like (NFC) device with an option to set a value and lock it in the read-only mode using voter ID.

How it will work: A person gets this device in the voting center, enters/gets his voter ID, does the voting (anonymously), presses the read-only lock and throws it into the bin. After all the voting, these devices are scanned and the voting data is retrieved. A voting database is populated in each center in a transparent way, to prevent tampering (several parties can be allowed to read this data separately and then all data variants can be compared against each other, just in case). After consensus on the voting data, each voting center sends the results for counting. And the voting is completed.

In the end, these devices are reset and the cycle continues.

Well, I'm sure that there must be some problems when voting the aforementioned way. But I guess it could work out, with some modifications.

EDIT: Grammar.

That sounds a whole lot like paper voting to me...except more expensive and more complicated. What's wrong with giving everyone a pencil and a ballot paper, at the polling station, in place of the NFC device?

The only winner in that scenario is the company manufacturing the NFC devices. That system is too complex.

Previous discussion (5 days ago): https://news.ycombinator.com/item?id=14920513

My first job was an ethnography of electronic voting in a wealthy region in northern Italy.

By our observations electronic voting added several layers of complexity that are difficult to justify.

Why can't you have everything set up so that when you vote, you get what amounts to a JSON Web Token to be able to later verify that you did in fact vote? You could use the government's publicly available key to verify that your vote reached the central service, and part of the JWT could contain your vote as well as your identifying information (SSN in USA).

Obviously everything could have fancy UIs created for end users so they don't see that really all they have is a JWT (maybe a QR code printed out when they vote? And all the info easily human readable?). Verification could be handled by a .gov address and also through manual use of the public key (so other services could be set up to verify votes as well). And internet connectivity wouldn't be a problem as they could just require T1 lines at polling locations (I assume if phones went out across the country the election would be delayed regardless). You could likely tell if someone had stolen the private key (the only way I can think of breaking this system): if you have a service to verify someone's vote, and it doesn't show up there, even though you have a signed JWT containing your vote, that would prove someone had stolen the private key, allowing for a makeup election.

Am I missing something basic about how this would be hackable? I'm one of those who finds it odd that many elections around the world are susceptible to simple human mistakes/purposeful malicious actions when it comes to counting ballots.

Why is it that electronic voting is so vehemently opposed here on HN and by many technologists in general when virtually every other existentially vital system they rely on is run electronically?

Because it doesn't work.

Does a system have to be 100% free of security concerns to "work"?

No, but it has to be free of devastating vulnerabilities.

The electronically run global financial system is not free of devastating vulnerabilities, and yet it "works"

So, what is your point? The financial system is actually going to collapse, and that's not a problem? Or the vulnerabilities aren't actually devastating, just bad? Or what?

That many technologists are being hypocritical by wanting to prohibit electronic voting because of "security concerns" while at the same time developing and using other institutional systems with equal or greater attack surfaces and consequences.

Well, OK, that makes sense. Though I get the sense that the overlap might be limited.

It's worse than not working. It's because nobody can ever be sure if it's working or not.

Granted what is publicly known, it not working is a very likely outcome, but nobody will ever be able to contest it.

How can any one person be sure that a completely paper based voting system is working fraud-free in a country with hundreds of millions of people?

How can you be sure the financial system you use is working?

>nobody will ever be able to contest it.

See blockchain. If everyone has a copy of the vote registry, then they can contest it if things don't match up.

The cost of disruption is extremely high for voting, for pretty much everyone.

For other systems, a disruption is just inconvenient for most people. Like if I can't use my credit card for a day, I don't care (of course this may be of more consequence for some people). Same thing with a power outage (and people that need it can have a backup for grid power; how do you have a backup for legitimate governance?).

>For other systems, a disruption is just inconvenient for most people. Like if I can't use my credit card for a day, I don't care

Would there not be far more immediate and direct inconvenience if no one could use their credit cards for a day, than if they couldn't vote for a day? (Assuming the following day both systems were back up and running.) What is so inconvenient about having to wait an extra day to cast a vote on who your senator will be for the coming years, versus being able to buy food or medicine?

Where I vote, if you couldn't vote that day, you don't get to vote. So, yeah, I'd prefer to be able to vote than eat for that particular day, given that the consequences can be so vastly different (someone manipulating the voting system to win, and then execute their damaging agenda vs being kind of uncomfortable for one evening).

Credit cards are a convenience, voting is both a privilege and (in most western countries) a right. They're not really comparable in their importance.

You also ignore the biggest problem: voter fraud. It's so much easier to mess with the vote with electronic voting than it is with paper ballots. Technical people don't like electronic voting, because they understand this. There's no way to be sure no-one's manipulating a voting machine. You'd need to physically interfere with each single person and their single paper ballot with paper voting. That's way harder to pull off.

So fraud seems to be the biggest reason why?

Hasn't blockchain technology shown itself to be more reliable at preventing fraud than the old fashioned way of simply trusting that someone is keeping the books in perfect order?

A disruption in voting brings the results into question.

So it isn't just a matter of voting the next day, it's a matter of determining whether you have to redo the entire election, and whether you have to do that with different procedures or equipment, and whether other jurisdictions have to redo their elections, and whether past elections are legitimate, and on and on.

>it's a matter of determining whether you have to redo the entire election, and whether you have to do that with different procedures or equipment, and whether other jurisdictions have to redo their elections, and whether past elections are legitimate, and on and on.

Are you implying that these aren't already pre-existing problems that we haven't witnessed in recent decades?

“R. James Woolsey […] former director of [CIA]. Brian J. Fox, […] develop open-source voting systems” — even if I had no opinion on the matter, it'd seem to me that there's a clear conflict of interest there.

To protect voting, do NOT use software. At all. Open-source software is no more trustable than paper, and is orders of magnitude more complex to set up and audit. If you can't explain to a 5-year-old how it works, your voting approach is not trustable.

First, you have to understand the problem:

1. You don't need to commit widespread election fraud to throw an election if you can predict where a small fraud will matter.

2. Not all election fraud is a miscount of ballots. Throwing out minorities' registrations is also election fraud, and you can't fight that with more-reliable ballots.

3. The best solution might not be a technology solution. Paper ballots make it hard to scale fraud. But that's not enough, since fraud doesn't always need to scale.

4. Early voting and absentee voting need to be taken into consideration and are a growing part of voting in the US.

5. If software systems are used in voting, tallying, or anything connected to election results, the systems should be open to inspection and to pen testing.

To protect voting, use paper ballots and count them in public (OK, and voter ids if you insist).

Security may not ever be 100% with e-voting systems, but it can be secured enough to where the probability of any hack attempt would have minimal impact on the overall outcome. I can think of several ways a secure, verified registration could work just off the top of my head. I think the issue is more, where's the incentive for the government to make this happen?

This past election has shown that it's not just the voting software, but the software/systems that control who is permitted to vote.

Why not blockchain voting? Everyone receives 1 voteCoin and transfers it to the correct wallet address of the person he or she votes for.

1. Because it lacks anonymity?

2. Because the average voter cannot possibly understand and verify the security properties of that setup.

and it could even help with vote counting per city, if they originate from a "city" wallet, that came out of a "region" wallet and so on..

There's got to be some way to put votes on a blockchain. More important than voting electronically is being able to verify your own vote was not tampered with, and that all the votes add up as reported.

To protect voting, use this or something similar:


Related comment to a related thread


A lot of talk about securing voting machines/verifying that they run the correct software. Why do we have to have physical machines? If it's electronic, surely a website would do if you have the correct means of ID?

NB: this is not an indication of which side I fall on the debate, it is an observation.

[EDIT] Also, I'm aware similar issues exist with a website, but it seems a lot of focus goes on the actual machine.

In case anyone can't see why this is a whole heap more terrible on top of the terribleness of electronic ballots...

Verifying actual real identity over the internet is impossible. Even if you did webcam-based biometric authentication of identity - these are fooled by a photograph. Going to a polling station and verifying your identity to a human being is much harder to fake, and almost impossible to scale.

The web is an untrustworthy delivery mechanism. What if a nation state wants to disrupt your election and starts DDoSing the hell out of it all? Protecting against such attacks at that scale would be extremely difficult.

Also on the topic of state-level disruption, it is well known that orgs such as GCHQ, the NSA etc. hoard zero-days. How do you know your extensively tested system isn't vulnerable to a zero-day that another state has and you don't?

Last time I voted I took a driving licence. All they did was check my face matched my card, and the name and address matched my registration; no real check on whether or not the card was genuine.

When I created my government account I provided passport and driving licence numbers on top of the above.

I feel this invalidates your veracity point, and probably the scaling point too?

The second and third points seem more viable and are potential issues. Especially the third, this would be the main concern IMO. Though I'm sure there are protections against this too (thinking virtually distributed).

All that, in addition to the problems that would arise from voter coercion and threats to vote a certain way.

For me the biggest issue with voting that is not a "paper ballot cast in a sealed secure room" is that there is no way to guarantee that the person is voting for the party they like. This is because somebody could break into your home and coerce you to vote for some party, and they will also be able to verify that you have voted as they instructed you. With a secure room they can maybe pressure you to vote one way or the other, but in the end they cannot verify it, unless they can hack the electronic system and reverse the ID->vote link. This problem disappears with paper ballots (if it is reasonably secured; in my country at some point you received a ballot for every party and only cast the one you liked, so the third party could ask you to bring them all the other ballots as proof).

Also, whether it is actually possible with an electronic system or not: It is really important that the (below) average voter actually understands that it is impossible for anyone to figure out who they voted for.

I wonder about biometrics though. How expensive would it be to connect the national fingerprint database with a ballot scanner of some sort?

Paper ballots are handled by multiple people, not just the voter. Even if you manage to filter out all the volunteers, getting access to the actual ballots might prove difficult, as they're handled quite publicly.

Filtering the volunteers should be quite easy, as they will be the only people who have prints on more than one ballot. Depending on what happens to ballots afterwards, one could grab them once they are no longer under heavy public scrutiny.

Because then you need to secure the computer used to access the website. Good luck with that.

The amount of anti-free-software FUD in this thread is staggering. Did Microsoft buy off all of you?

Wait, what? I haven't seen a single anti-free-software comment in this thread; most people are against electronic voting entirely, whether it is open or closed source. Why would Microsoft be anti-electronic voting?

To protect voting use paper.

Why did anyone ever think computerising voting was a good or useful idea?

To what extent is voting fraud an issue in the developed world and why is Nytimes upset about it?

This story has been posted four times now. Click the 'past' link at the top.

Use open source software that prints a paper ballot then count the paper ballot.

Retire voting in favor of sortition.

"The blockchain is an undeniably ingenious invention – the brainchild of a person or group of people known by the pseudonym, Satoshi Nakamoto."

It isn't even definitively known who invented blockchain, it is behind the pyramid scheme known as bitcoin and no, no way should that ever be used in voting system computers.

We detached this subthread from https://news.ycombinator.com/item?id=14969875 and marked it off-topic.

The block chain is best known for bitcoin, but it's actually a really awesome tool for keeping public records safe.

Things like land ownership are vulnerable to manipulation. We don't think about it much in the west because our governments don't change the name of the owner of your house for money, but it's a real problem in corrupt countries.

It's also a major problem in shipping, where ownership of containers is handled with paper forms that, because of corruption, carry a higher cost of shipping than the actual container itself, and containers still get claimed with faked forms.

Know what Mærsk did to secure the container contracts? They used the block chain.

Much like container forms or land contracts, paper votes are only safe if your system isn't corrupt. With the block chain you could remove the need to rely on the system being honest, because everyone would be able to read the record.

Right now you rely on independent observers, and I hate to tell you this, but we've been unable to influence elections in corrupt countries so far.

When Putin wins with 900% of the votes in regions that hate him you can say that it seems unlikely, if they'd used block chain you would be able to see that it was a lie.

If you consider Bitcoin a pyramid scheme I would love to hear your treatise on fiat currency, fractional reserve banking, and capitalism in general.

I'll bite. What's the failure mode for a paper-money based fractional banking system with deposit insurance that makes it a pyramid scheme?

I don't think you know what a pyramid scheme is.

How about learning the definition of the words you use before throwing them around?

Personal attacks will get you banned on HN, regardless of how wrong someone else is, so please don't post like this again.

Personal attacks and incivility will get you banned on HN, regardless of how wrong someone else is, so please don't post like this again.

One word: blockchain

To protect voting, audit your software/system extensively. OpenSSH is open-source and we all know the story...

But how can I (a voter), audit it in the voting booth? How can I verify that the extensively audited software is actually running on the machine in front of me?

You can't. And even if the software is open source, it doesn't guarantee that state or election officials will set aside budgets to deploy such patches swiftly, or even care to deploy them.

You can't. Especially at scale (every person validating the software before voting). Paper ballots with an anonymised ledger of votes placed is, in my opinion, the best method.

You can audit your ballot in some systems. For example https://nvotes.com (open source software here https://github.com/agoravoting/).

You could even create your ballot offline, even by hand.

Paper doesn't scale well, attacks on paper are extremely difficult to scale well, which is why paper is a good system for voting.

It scales "well enough", in that we currently do it, and pay for people to verify the results.

In Australia a lot of this work is done by volunteers from the major parties.

Edit: I agree, it's difficult to scale an attack on paper :)

Do you think these questions are addressed by open-source software? I mean, if you only have a few buttons in front of you, how can you verify/audit the software it's running?

plus, I might add, you can create secure software, that can't be penetrated from outside, but what about the hardware? Unless you write this (software) too, how can you trust the underlying hardware? e.g.: broadpwn. Yes, open source makes it easier to audit/collaborate/patch but it's not enough.

I'm not a crypto fanboy or anything, but I feel like voting is a great application of blockchain technology. It seems like the system could be made to be both anonymous and publicly verifiable, and the vote count would return more or less immediately.

Uh. Blockchain is just a doubly-linked list with hashes. And a set of rules how the peers validate blocks and come to a consensus. Not some magic crypto pixie dust that brings anonymity or prevents fraud.

It could come in useful, e.g., for keeping census data to avoid some forms of fraud, e.g. preventing rogue organizers from loading elections with "dead souls" voters (Gogol-style). But I don't see any immediate use for elections themselves.

Say, the blocks would store anonymized votes (nothing about blockchain itself implements the anonymization). One immediate issue I see is that blockchain only verifies integrity of the blocks after they're in there and out to the public, so it could be verified. Sending them too early would skew election results (observers would be able to see the intermediate results and bias their votes accordingly), and sending them too late would probably make blockchain mostly pointless.
