Besides the issues with what software the machine is actually running, most people cannot comprehend or understand that software - even if it is open source. That is not acceptable for an open democratic society, or to sustaining it.
In this particular situation it should not be necessary to rely on an expert to explain whether the vote counting mechanism is reliable. This only adds to the problem of unreliable or scheming officials - it doesn't improve anything in terms of transparency.
On the other hand, with direct democracy, the stakes are lower for each vote. So there is less incentive to manipulate the vote. So it makes sense to use e-voting for direct democracy.
In the end the voting mechanism in democracy is not really about precision, it's more about getting an acceptable outcome for all the parties
It's like an ecosystem. The more homogeneous the system then the more vulnerable we are to a single virus (or hacker) we become.
So why to bother with secrecy in the first place?
If they want to sell their vote - it is their choice. I'd only say that the right of citizens to secede from such a society must be respected too.
That's illegal, and (somewhat contradictorily) not non-repudiable. You can take a picture of yourself with "ballot marked for candidate I'm paid/coerced to vote for" and then step right out and say "oops, I messed up my ballot, give me another one" and then submit that.
Also, California allows for absentee voting with no particular reason. I've voted in every election I've ever been eligible to vote in and I have never once set foot in a physical polling place.
Yes, it does, it just scales less well than electronic/internet voting. Each voting method (and arguably, voting system) have their + and - but paper voting has the most important benefit. Specifically, the most important one is that whilst counting we have the benefit of many eyes watching over (one of the things NSA improved post-Snowden). I know this first hand as I have participated as vote counter in the 2017 Dutch election on March 15 (can recommend volunteering for the educational experience and ability to observe alone, plus it can be seen as a civil duty). Our team consisted of approx 8 or 9 volunteers. How many people audit the source code? The patches? The build process? The hardware? Are those random people? Are computer experts biased? You don't need to be intelligent or even familiar with computers to count paper votes. You do have to be a computer expert  to audit the software or hardware.
> You can't make people vote everyday for example, which is required if you'd like to implement direct democracy.
I'd rather have authentic results for a few elections than have many elections with a higher potential of being bogus.
We should also not neglect that a direct democracy can be dangerously manipulated in times of fake news. The same is true with 2 or 3 elections every 4 years, but the vulnerable choke points are higher in a direct democracy.
Finally, a disadvantage is that you got so many elections that people are tired of elections. I don't know the scientific name for this phenomenon but I know an analogy: visit a supermarket and have a look at all the brands for product X where X can be peanut butter, ice cream, or beer. Result: brand loyalty. So people are gonna vote e.g. 'peanut butter' (I don't wanna name a realistic example to avoid reader assuming I'm partisan) in each of those direct democracy elections w/o looking further. Do not want!
There's an adagium in computerland "if it ain't broken, don't fix it". Paper voting isn't broken, it has a proven track record.
PS: For anyone who is interested in the history of voting security and the risks of electronic & internet voting I can recommend the course "Securing Digital Democracy" by J. Alex Halderman (one of the researchers in the Diebold affair some 15 years ago) on Coursera .
 Not sure on a better term here. Computer expert is an inaccurate global term; what is required is a rather specific skillset. Perhaps programmer or hardware hacker is more accurate. But even then programmer doesn't tell us about which programming languages are mastered, and hardware hacker is equally vague. You get the gist.
You can throw cryptographic verification on top of that if you like.
Paper doesn't matter if it isn't being counted. Spotting irregularity in voting results might be possible with statistical methods but how often were votes really recounted?
If the actual votes are printed, how do you make sure no one can prove their vote to third parties and so be paid for it?
Having a merkle tree and voting from your device instead of a polling station is not just more convenient - it's more secure too. Everyone can verify their vote was counted!!
And right now? Right now we have a government database of who voted for what. That's crazy.
With electronic voting, I can't be sure my vote got counted, and even less sure others weren't tampered with.
And now do both things _publicly_! For money (or others things you own) you will need a Torrens-like title system with a replicated database among your fellow-citizens. For voting - it will be a database replicated on DVDs (or something that can be read, say, by a microscope:)
You may be astonished how secure that will be.
Have they told you about it?
I'm not sure what the choice of media has to do with anything.
Who has told me what about what now?
Biometrics are only a one-time proof when eg you are issued a token. They can be replayed later and can't be used anywhere except where there's a physical security guard preventing tampering. And even then you trust the security guard.
Obviously you use your device, and you can lock it with a password. You can use two factor authentication.
It's straightforward, really. You sound like identity has never been solved electronically.
If anything, holding a physical paper id document is far less secure than a personal device with your private keys in the Secure Enclave.
Imagine bitcoin but with votes instead of transactions. Boom.
The bad part about that is that if I can validate my vote after the fact, someone else can also demand to see what I voted for, and that opens the door for vote buying, intimidation etc.
As for rubber hose crypanalysis, that is possible now.
Buying votes is already done.
I'm not sure why you would do it in a non-corrupt country though.
We have a secure, provable, relatively cheap method right now: Paper ballots and public observers at elections. Compared to the stakes the cost is peanuts.
The fact that virtually anyone both capable and eligible to vote is also capable of understanding the voting process, as well as what kinds of physical acts are signs of fraud means that many more people can evaluate the process, and determine - even just by looking - whether something fishy is going on at their voting station.
Your average voter will be easily convinced that he "doesn't know enough to judge" whether something is fishy with his voting machine, even if something seems to be clearly malfunctioning; "oh don't worry sir, the print out might be wrong, but your vote was definitely counted correctly internally".
The rise of any form of electronic voting is really troubling - and don't even get started on anonymity concerns...
It's basically a login that's tied to a piece of paper containing a hash table of numbers you use for two factoring.
It's the safest citizen verification system we've ever had and it's basically used for any for of identification in the digital world from banking to using our public sector.
Our government as an example used it to send digital mail to everyone in a secure mailbox called "eBoks" saving us billions in not sending paper (and bankrupting our postal service as a side effect).
We still use paper ballots for elections but it's frankly easier to fake an identity using those than if you were to sign in with "nemId". Today all you need to be allowed to vote is the paper you received and the right sex/age range. So basically I could vote for my brother if I obtained his ballot. With NemId I'd need his username/password as well as his keycard.
Obviously you'd have to anonymize it, but some digital systems being broken doesn't mean they all are or that our current system is that great.
I've observed elections in the balkans, and they sure aren't safe or democratic despite being done they way you prefer, because it's so easy to exploit if you manipulate the paper trail.
1. I take someone's ID, I look them up on the voter list. If they are not on the voter list I take their proof or the sworn testimony of someone that does live in the district that they live where they say they live. Either way, observers can record their name and supposed address.
2. I hand them a folded ballot and they go, with assistance from a family member if necessary, to behind a security wall to mark their ballot.
3. They place the ballot in the slit of the box, folded so their vote is secret, but visible to all observers so that they couldn't not have snuck in a second ballot.
4. The ballot box never leaves public view. In the event of an emergency I take the ballot box and hold it high so that everyone can see it, especially the observers, until we get outside.
5. Anyone in line by the time the polls close is allowed to vote and number of voting locations are determined by a public service (not politicians) so we don't disenfranchise voters or unduly burden voters.
6. In full view of my assistant poll clerk and all observers we count every ballot. As DRO I have final say over questionable ballots. If I make an obviously unfair call observers can alert my superiors at Elections Canada. I only had to make one decision on one ballot out of around 500.
7. We compare the count of people, the count of the ballots we gave out, and the count of the ballots in the box. These all must match. If they do not match we count again. It's harder than you'd think because people accidentally fuck up ballots or someone can have the same name but be a different person. This can even happen at the same address! Usually a son being named after a father.
8. I fill out the vote totals and give one copy to Elections Canada, one copy to each party observer, and I keep one copy for myself. We then put security tape around a tamper evident bag with the original ballots for them to be counted again by Elections Canada HQ.
Now tell me, how are you going to fraud that system? We wrote down everyone's name, at most you might be able to get someone to vote on behalf of their brother here or there. Or the people voting by mail might have their ballots disregarded or changed, but most people vote on election day and Elections Canada is trustworthy and explainable to anyone.
I could never fully trust your NemId system because you could never prove to me that everyone that supposedly voted existed. In Canada's system we can literally count the people walking through the door and we can literally count the individual ballots.
Aside from that it's literally impossible to obtain a nemid if you don't exist, and, once you cease existing so does your id.
False nemids can be created. Prove me wrong.
See the problem? Even if what you are saying is true it is very hard to prove the inverse and just the ability for foreign propaganda to delegitimise a voting process is enough reason to move to a voting system that is impervious to this type of attack.
What you are asking me to do is impossible because there is no way I can convince you when you've turned your back on facts.
Aside from that, the system you've described which works pefectly fine in Canada is extremely similar to the voting system in Iraq, Russia and Serbia, places where telling on liars obviously isn't hindering elections from being manipulated.
You may be safe right now, but you're protected by the people running your system, not the system itself.
It's true that it's easier to manipulate a terrible digital system but that doesn't mean pen and paper is safe.
Block chain technology would offer an open record that couldn't be manipulated, something paper does not.
I mean, I live in Denmark, one of the least corrupt countries in the world and we've had politicians caught changing votes with a pencil and an eraser during the count.
We've had two full-on hand recounts at the state level in the past decade or so, and the final results where within a few hundred from the original count in each case, with three million votes cast. Good process solves a lot of problems.
On top of that the block chain could offer us a record that couldn't be manipulated.
Sure we don't have a lot of problems with voter fraud in our current system, but that doesn't mean it's not extremely vulnerable because it relies on honest counting.
How can you know that even if the source code for the voting machine is open, the voting machine is running the exact same source code? How can you know nobody has tampered the code the instance is running?
I'm glad my country is still running on paper ballots and glad we require voter ID.
Transparent voting boxes, ballots in envelopes, manual redundant counting done by people, usually voter who were nicely asked if they can come help back in the evening. That's what we use in France, you get the official result a few hours after the closing of the voting stations.
The whole process is watchable, from the sealing of the box the morning to the count in the end and parties send observers in random stations to check nothing fishy happens.
An official log book is open for anyone to notice if they feel something fishy happened (you were not allowed to vote, the counting was unfair, etc...)
Oh, and make voting day a holiday, or just put it on Sundays.
I used to wonder how US could not even get that last part right, but then I understood that a whole party thinks it is in its interest to have less voters.
Sums it up.
Historical reasons: http://www.whytuesday.org/answer/
Seriously, is it harder to make a daily holiday and a transparent process than landing a man on the moon with tech from the 60s?
In my district we vote by coloring in little circles with a #2 pencil, we then feed that directly into an electronic machine that tallies the results for my district. While the paper I handled is stored in the machine, I am sure that the results are transmitted to the next link in the chain through some computer system.
With so many links in the chain, it's my opinion that it's unreasonable to expect them all to be processed by people. It won't scale and I'm not convinced that it's that much safer anyway. It would be my preference that the pieces of the system that perform this processing are backed with open source software.
At the very least, if there is a case where tampering is suspected, officials of the court can compare the software on the machine with the software in the repository. This would prove in a clear and straightforward manner that tampering has occurred.
As painful as it is, I think we all need to trust the state, to some degree, to do the jobs that are the responsibility of the state. Once the votes have been tallied for a district, isn't it possible to tamper with them as they are transmitted up the chain to the next link in the processing? Or when regions of the state send their votes up to whatever the next link might be? I think that is possible, the best we can hope for is to push for as much transparency as possible and hope that, if it comes to it, we have enough data to detect such tampering.
I think the main argument for physical voting is that it's much safer precisely because it doesn't scale well - and so attacks against it don't scale well either. The manpower requirements buy you security.
> As painful as it is, I think we all need to trust the state, to some degree, to do the jobs that are the responsibility of the state.
I agree, but I think it does not apply to elections - simply because it's the one place where both the ruling party and competing groups have very strong incentives to mess with the process.
> Once the votes have been tallied for a district, isn't it possible to tamper with them as they are transmitted up the chain to the next link in the processing?
Yes, but again, the argument goes, the less scalable and more manpower-intensive the whole process is, the more difficult is to hack it.
> I think that is possible, the best we can hope for is to push for as much transparency as possible and hope that, if it comes to it, we have enough data to detect such tampering.
I agree with the call for transparency, but I also agree with the people who point out that inserting electronic systems destroys that transparency (too easy to hack, too complex for general population to inspect).
Spot on. Democratic process means "owned by people". So the voting system must be able to be run in the hands of the people. Hence the necessity to have it in the form of a simple technology such as pen/paper.
Moreover, having the votes counted in some hours instead of a night doesn't make a big difference, considering the time that is needed for example, to form a government once the vote is closed.
I love computers, but it's not the right tool for this job. It's not much different than free software : the problem here is political rather than technical.
Yeah, in the US it takes 2 months to get the new President actually in the White House, no matter how quick votes are counted. They can easily spare a day or two to count everything three times over, the country will not go to the dogs in the meanwhile.
Ironically, timings are much more imperative in Europe, where electronic voting is less popular. Maybe because multi-party governments often require weeks of haggling, so a few extra hours counting votes are not particularly important.
A paper ballot system where local volunteers from the district count the votes at the polls in a manner that can be observed would absolutely work for the US. It would be pretty easy to just write down what the volunteers counted and then check later whether that matched up with the nationally posted numbers. No long chain to decipher, no obscure software to worry about. And, as a bonus, there are places where this is already done this way, so really nothing needs to change policy wise (other than eliminating the other methods).
With your system I can cast doubt on the entire chain, and there is no problem because you can remove all doubt by taking those paper ballots and counting them all by hand. With several hundred million ballots to count it is obviously expensive (in man-hours), but you can see how to verify that counts. Note that the above verification is something your average idiot with no knowledge of computers can understand and trust.
There exist systems that are all electronic: the voter pushes a button (on a touch screen) and from there on we only have the count. As a programmer I can think of many ways I can make the voting system change a few votes and there is no way to know that the machine's count is wrong.
Part of what make this hard is anonymous votes are important. There are cases in history where someone was forced (with a gun) to vote for someone they probably wouldn't have voted for otherwise. We have solved this problem by having watchers at the polls (from all sides) ensure that nothing funny happens at the polls, and once you leave the booth nobody has any way to know who you voted for.
The above is why I think absentee voting needs to be restricted to those who physically cannot get to the polls on voting day (I'm fine with a voting week or month)
I've worked with the New York City Board of Elections . We have what I consider to be best in class: electronically-scanned paper ballots.
When a voter walks in, their name is checked against the rolls and the stub number on the blank ballot they're given is recorded. The voter marks the ballot in confidence and then inserts it, themselves, into an optical scanner. The scanner increments a "public count" by one and drops the ballot into a locked box.
At the end of the day, the public count is compared to the count at the beginning of the day. (These counts are publicly recorded for each machine and do not increment down over the life of the machine.) The aggregate votes to each candidate are then printed to a tape and posted publicly.
The machine also uploads these data to a USB drive, which is taken to a computer at the poll site for electronic transmission to the Board. Before transmission, anyone may compare those numbers to the tape or pubic count. (The scanner workers have to certify the electronic transmission before it's sent.) The NYPD then collects the machines, paper ballots and tapes.
Throughout the day, anyone may see the public count at each scanner. At the end of the day, anyone may review the publicly-posted tapes. Stub numbers for the paper ballots issued and public counts recorded are reconciled, with multiple poll workers certifying the reconciliation.
It's a messy system, but it's robust. The public count means you'd have to compromise everybody at a poll site to add or destroy ballots. (Or, you'd have to predict who won't vote and manually commit fraud.) To tamper with the votes, you'd have to compromise machines before they print their tapes. You'd then have to hope the Board's random audits don't attempt to reconcile the paper ballots with the compromised tapes.
How can you be sure about that?
> With so many links in the chain, it's my opinion that it's unreasonable to expect them all to be processed by people. It won't scale and I'm not convinced that it's that much safer anyway.
The point is that if you are not convinced, you can go and observe the process. The point is to remove as much trust as possible. The point is not to just have some human in the loop, but to make sure that people who distrust each other can personally make sure that the correct procedure is being followed.
> It would be my preference that the pieces of the system that perform this processing are backed with open source software.
The problem is that you have no way to verify that what is actually processing your vote is the open source software that you hope it is.
See also Ken Thompson's classic "reflections on trusting trust":
> At the very least, if there is a case where tampering is suspected, officials of the court can compare the software on the machine with the software in the repository.
No, they can't. The only way to check what software is running on the computer is to use software that is running on the computer, which is thus also suspect. That is, short of decapping each and every chip in the one computer that you are trying to check and extracting all the circuitry and all storage bits in it.
But ensuring trustworthiness of elections is not one of those. Elections are the anchor that all the other trust that we put into democratically elected governments is anchored at, it's the one lever that we have to remove governments that turn out to not be trustworthy. You cannot trust the government to remove itself in case you want to have it replaced.
If the election is run properly: No.
Represenatives from each party will be observing the election process at every polling station, and the general public can usually also observe if they wish to, from opening until the votes are counted. Also, election results should generally be published broken down by polling station, so each of the observers can check that what they observed at their polling station actually matched what went into the total.
There is absolutely no place for trust in elections.
We need a high-profile hack of some local elections to drive that point home. Something done completely for teh lulz, leading to a result so absurd the elections would have to be redone.
I would not risk it for a million, I will certainly not risk it for the lulz. Plus, in most cases, it involves (laughably weak) physical security. I am less confident on how to hide my tracks there and I suppose many would-be hackers feel the same.
In fact, the media is already trying to CYA, and the state is already trying to expand control, by claiming that such a hack was perpetrated by a nation-state in the 2016 election, and that that's why they were so egregiously wrong in everything they said about Clinton/Trump in the preceding 18 months.
Or the processor is trustworthy ? Many voting machines are using old processors, such as 68000, and it would not be too hard to emulate a a rogue processor that will have a different behavior, whatever the source code is.
You can also change the behavior of the voting machine at a certain time, or in certain conditions (such as detecting a voting session has started)
The problem is not that voting machines are vulnerable to one or two attacks. There are thousands of ways of compromising them.
The only answer to this is that cryptography specialists do not have any answer to a secure electronic voting not involving a physical element (a bulletin, a receipt, etc.). This means that there is no THEORETICAL solution.
Sadly, as far as I know, none is without issues (older systems were found to have various problems, and newer stuff is still bleeding edge that wasn't yet reviewed thoroughly).
Thinking out loud here, how about a blockchain based solution? Each user gets a new address, and that address is printed on a receipt after you vote. This way you can verify your vote at anytime, and the votes can be counted in public.
Short of some very very clever cryptography, you really, really don't want to be able to verify your individual vote, because that means you can verify it to others - the entire point of this process is to avoid coercion, or else there's much simpler solutions. (Pull everyone into the polling station at once and have a show of hands, for example.) You want to verify that one ballot was given to each person registered to vote, and that all votes were counted correctly, but you don't want to verify that an individual person's vote was counted correctly.
Putting aside theoretic possibilities, at this point in time approximately nobody is going to trust a blockchain system. Between "Isn't that the stuff you use to by drugs online?" ignorance and the all-too-real history of everything that has happened with Ethereum to date, that just won't fly.
>Each user gets a new address, and that address is printed on a receipt after you vote. This way you can verify your vote at anytime, and the votes can be counted in public.
Voting receipts like this are bad. They enable people in power (bosses, spouses, etc) to intimidate you into voting the way they want to see and threatening to punish you if you don't because they can force you to prove the way you voted. It also allows vote buying.
As for blockchains: Voters sign in before they cast their ballot. If the order in the pollbook matches the order the ballots are recorded, no more secret ballot.
Any crypto- blocko- based system that both protects the secret ballot and ensures the public vote count (aka Australian Ballot) has to create a digital equivalent to the physical secure one-way hash (shuffle) of dropping a ballot into a box.
Way too many factors...
How would you know the shell itself, running on the machine you're trying to verify, isn't lying to you?
It's just a former CIA Director signing the op-ed. It's not like they have a collection of zero-days and other exploits is it?
The more you allow people to vote from their homes, the more likely it is that people can be coerced into voting the way their partner, employer, or otherwise, want them to.
In the US, only one of those is guaranteed . In California, where I can get an absentee ballot just by asking for it, none of those is guaranteed.
For me it's important that the barrier to voting is as low as possible, and we don't have a governement issued ID that is free.
They were having to be talked through filling in the form only to hit a roadblock when it came to proof of address. After expressing their voluble disbelief at some length that the handwritten doctor's note they had would not suffice, they eventually left empty-handed. (Incidentally, they were only looking the card to use it for ID for flying, they had no interest in voting).
Now these guys were obviously jokers, but it shows you will need a certain degree of application and time to get even the most rudimentary of verifiable ID. Even the conscientious may find themselves not getting around to getting the ID before election and losing their vote.
Why not have a national ID like in some European countries? Issue it at age of 15, you can go to a government office with parents when you are 15 and get your ID.
You can pass a sensible legislation for this. Have a grace period of 2 election cycles to allow all the people who want to vote enough time to get their ID (10 years is more than enough time to prove your address).
Government can issue IDs without proof of address. This is matter of implementation. For national election at least you shouldn't need it. For local elections it should be required.
Presumably at least a few of them anticipate the easy problems and design a methodology appropriate to dealing with them.
For instance, if voter ID is highly effective, you'd expect much higher rates of double votes under a given registration in places that don't require it (unless the cheaters are masters of anticipating registrants that aren't going to vote).
That being said, from times to times articles show up about someone who claimed to have invented a viable solution. So we should not diss the idea and keep an open mind. Eventually someone will find a solution.
First define the problem.
I demand the Australian Ballot: private voting, public counting.
After studing this extensively, I believe there is no way to digitize elections and preserve the Austalian Ballot. Because there is no digital equivalent of the physical secure one-way hash (shuffle) of dropping ballots into a box.
Any crypto- blocko- based system has to design for the whole election. Not just the voting. Including pollbooks, which record when ballots are issued to voters. Including precinct-based election counts, because every single precinct gets a different ballot (say 500 voters).
Maybe someone will prove me wrong. Cool. Then show me. The burden of proof is one them, not me. Otherwise, stop wasting everyone's time with technophilia sideshows. We've got real democracy with real work to do.
Alternately, any proposal has to replace the Australian Ballot with something new. Some ideas which would simplify the problem space:
- replace winner takes all with Approval Voting;
- issue separate ballots for federal, state, county, and local elections;
- decide that time-boxed privacy, where the secret ballot is preserved until an election is certified and then made public, is sufficient
- supplant our current loose voter ID regiment some kinda of U2F futuretech.
That doesn't handle auditing the machines themselves, but as the 2016 US presidential election recount found in Wisconsin, the tamper-evident machines showed evidence of tampering, so maybe we're closer to knowing whether the trusted systems we use to count votes are trustworthy.
Of course, the current machines are still Diebold ("Premier Election Solutions"), so who knows. Ken Blackwell will make sure only the right folks vote, anyway, just like he did in 2008.
Quoting from the website:
"Pvote is small. The current version is 460 lines of Python. It uses Pygame for graphics and audio."
So, add to that 130000 lines of pygame, 1.5 million lines of cpython, 14 million lines for gcc, 20 million for the linux kernel, ... and you haven't even begun to list all the stuff you would need to audit?
Mapping, voter files, candidate filings, canvassing reports, ballot artwork, translations, ballot tracking, etc.
All of it should be open source. The way it used to be. Before the vendors smelled blood. (Especially after HAVA.)
I traveled my state advocating "citizen owned software". Everyone gets that phrasing. Overwhelming support.
To say a machine hasn't been hacked is trying to prove a negative.
So yeah. Doesn't really matter whether it's electronic or not.
You know this how, exactly?
In the USA, average precincts are 500 voters. Totally doable. In fact, that's how many jurisdictions did it.
What we need is a zero-knowledge proof: we need the entire voting dataset to be publicly downloadable and some kind of checksumming so that, while maintaining anonimity, I can 1)check that my vote is the same 2)run whole the counting in a blink on my PC.
This gives much better guarantees of no tampering
3) Users should not be able to prove to another person who they voted for
This is to prevent people from using threats of violence or promise of reward to coerce others into voting a certain way.
Unfortunately, this requirement is very hard to fulfil while also fulfilling requirement 1.
Verifying your vote is in the sum, and tallied, is not good enough if the result is swamped with, or more craftily, the balance just tipped by fake votes.
I have no idea how you would implement that.
I suppose the only benefit of people is that they are more difficult to coordinate.
In a properly run paper election, there is no individual that you have to trust. In principle, anyone can go and watch, and usually there are representatives of many/all parties in every polling place, watching every step of the process. It's not just that people are more difficult to coordinate or control in general, it's that if someone distrusts you, they can come and watch for themselves.
Second, never allow paper ballots to be handled by just one person, or by only members of one party - whether blank or used. Require that members of at least two political parties be present any time the ballots are physically touched.
Third, if using machines to read the ballots (ScanTron, etc), conduct spot counts of random machines, to make sure the machine results match the paper ballots. Conduct spot counts of entire polling stations randomly to make sure result totals match voter roll totals. Although this isn't 100% certain, it doesn't take a lot of spot checks to detect any sort of large-scale fraud effort.
Do these things, and it's exceedingly difficult to do statistically meaningful vote fraud, because we have a high degree of trust in the paper ballots and their surrounding process. From there, you can use automatic ballot reading and tallying to get fast results - the vote counting/tallying automation is derived data, not the System of Record.
There are probably less than a hundred people in the world who can understand an electronic voting system at every level down to and including the silicon.
Paper ballots (the kind with marks read optically, not the ridiculous punch cards at the center of the Florida 2000 debacle) are easy to use and understand with a very low error rate and keep a paper trail, being the actual ballots.
I don't understand why anyone other than the companies who sell e-voting machines actually want electronic voting.
They want certainty more than any thing else. For decades, computers were regarded as more accurate, impartial, certain than human tabulators.
Second factor is appropriations. Elections are big money. And like all industrires, there's a revolving door between government and industry.
Admin also want control. Their impulse is to centralize, simplify. Think of the logistics of running 100s of voting sites, 1,000s of precincts. All the training, people, materials, gear that has to be stored, shuttled around, repaired, etc. Moving to voting computers, reducing head count, moving to central count seemed like a huge win. (But you and I people computer people, we know they just traded problems.)
With paper ballots how do we guarantee those with a right to vote who cannot travel to a secure voting location have the ability to do so?
ID requirements are frequently used in order to deny voting to people who are poor or otherwise find it difficult to get particular documents.
Very hard to defraud if you are in, purely for example, Russia.
But think about it logically, if voter ID is not required than it is easier to fraudulently vote. That seems logical to me. Do you have counter argument?
You can't just turn up at any polling station and say "give me a ballot paper", you turn up at the right polling station for your address and tell them your name and address.
They cross you off the list and if the same person tries to vote again, the voter is challenged, and a special (tendered) ballot paper is issued (which isn't counted in the vote). If a ward returns a significant number of tendered papers, then the returning officer can take action.
Polling places are small, and serve no more than 2500 voters.
So. In order for an individual to vote fraudulently, they must pretend to be an actual voter, they must know the name and address of the voter(s) they are pretending to be, they must do it early in the day, and they can't just keep going into the same polling station over and over, pretending to be someone new, otherwise they are likely to be recognised.
In order for a group to do this at a scale that matters, they must also be pretty sure that most of the real voters aren't actually going to turn up to vote.
Given all that, it is probably easier to engage in intimidation and/or bribery of actual voters, than to fraudulently complete ballot papers yourself. Voter ID doesn't protect against that.
If it is true or not I don't know, but is a real concern if so.
> If it is true or not I don't know, but is a real concern if so.
This is the most important part of your post. The same could be said of sea monsters and getting stuck if the wind changes when you're pulling a funny face.
Can you please walk me through a scenario for how someone could commit voting fraud in a way that would be stopped by a voter ID? The only one I can think of is saying you are someone else in your community, like your neighbor... but they are going to find that out right away when your actual neighbor goes to try to vote and finds out someone else has already voted in their name.
How would you commit your fraud?
Voting software is bound to fail, no bug bounty is big enough to offset the billions that could be made off of hacking an election. It is bound to fail spectacularly, and then for the rest of time people can point at the election and say "the ability to see the source code let this happen."
I'd much prefer electronic to paper. Last year I voted on 24 initiatives, and that is just the federal level. It also does not include elections.
How it will work:
A person gets this device in the voting center enters/gets his voter ID, does the voting (anonymously), presses the read-only lock and throws it into the bin. After all the voting these device are scanned and voting data is retrieved. A voting database is populated in each center in a transparent way, to prevent tampering (several parties can be allowed to read this data separately and then all data variants can be compared against each other, just in case). After consensus on the voting data, each voting center sends the results for counting. And the voting is completed.
In the end, these devices are reset and the cycle continues.
Well, I'm sure that there must be some problems when voting the aforementioned way. But I guess it could work out, with some modifications.
By our observations electronic voting added several layers of complexity that are difficult to justify.
Obviously everything could have fancy UIs created for end users so they don't see that really all have is a JWT (maybe a QR code printed out when they vote? And all the info easily human readable?). Verification could be handled by a .gov address and also through manual use of the public key (so other services could be set up to verify votes as well). And internet connectivity wouldn't be a problem as they could just require T1 lines at polling locations (I assume if phones went out across the country the election would be delayed regardless). You could likely tell if someone had stolen the private key (the only way I can think of breaking this system), if you have a service to verify someone's vote, and it doesn't show up there, even though you have a signed JWT containing your vote. That would prove someone had stolen the private key, allowing for a makeup election.
Am I missing something basic of how this would be hackable? I'm one of those who finds it odd that many elections around the world are susceptible to simple human mistakes/purposeful malicious actions when it comes to counting ballots.
Granted what is publicly known, it not working is a very likely outcome, but nobody will ever be able to contest it.
How can you be sure the financial system you use is working?
>nobody will ever be able to contest it.
See blockchain. If everyone has a copy of the vote registry, then they can contest it if things don't match up.
For other systems, a disruption is just inconvenient for most people. Like if I can't use my credit card for a day, I don't care (of course this may be of more consequence for some people). Same thing with a power outage (and people that need it can have a backup for grid power; how do you have a backup for legitimate governance?).
Would there not be far more immediate and direct inconvenience if no one could use their credit cards for a day, than if they couldn't vote for a day? (Assuming the following day both systems were back up and running) What is so inconvenient about have to wait an extra day to cast a vote on who your senator will be for the coming years versus being able to buy food or medicine?
Credit cards are a convenience, voting is both a privilege and (in most western countries) a right. They're not really comparable in their importance.
You also ignore the biggest problem: voter fraud. It's so much easier to mess with the vote with electronic voting than it is with paper ballots. Technical people don't like electronic voting, because they understand this. There's no way to be sure no-one's manipulating a voting machine. You'd need to physically interfere with each single person and their single paper ballot with paper voting. That's way harder to pull off.
Hasn't blockchain technology shown itself to be more reliable at preventing fraud than the old fashioned way of simply trusting that someone is keeping the books in perfect order?
So it isn't just a matter of voting the next day, it's a matter of determining whether you have to redo the entire election, and whether you have to do that with different procedures or equipment and whether other jurisdictions have to redo their elections and whether past election are legitimate and on and on.
Are you implying that these aren't already pre-existing problems that we haven't witnessed in recent decades?
To protect voting, do NOT use software. At all. Open-Source software is no more trustable than paper, and is orders of magnitudes more complex to set up and audit. If you can't explain a 5 years old how it works, your voting approach is not trustable.
1. You don't need to commit widespread election fraud to throw an election if you can predict where a small fraud will matter.
2. Not all election fraud is a miscount of ballots. Throwing out minorities' registrations is also election fraud, and you can't fight that with more-reliable ballots.
3. The best solution might not be a technology solution. Paper ballots make it hard to scale fraud. But that's not enough, since fraud doesn't always need to scale.
4. Early voting and absentee voting need to be taken into considerations and are a growing part of voting in the US.
5. If software systems are used in voting, tallying, or anything connected to election results, the systems should be open to inspection and to pen testing.
2. Because the average voter cannot possibly understand and verify the security properties of that setup.
NB: this is not an indication of which side I fall on the debate, it is an observation.
[EDIT] Also, I'm aware similar issues exist with a website, but it seems a lot of focus goes on the actual machine.
Verifying actual real identity over the internet is impossible. Even if you did webcam-based biometric authentication of identity - these are fooled by a photograph. Going to a polling station and verifying your identity to a human being is much harder to fake, and almost impossible to scale.
The web is an untrustworthy delivery mechanism. What say if a nation state wants to disrupt your election, and starts DDoSing the hell out of it all. Protecting against such attacks at that scale would be extremely difficult.
Also on the topic of state-level disruption, it is well known that orgs such as GCHQ, the NSA etc. hoard zero-days. How do you know your extensively tested system isn't vulnerable to a zero-day that another state has and you don't?
When I created my government account I provided passport and driving licence numbers on top of the above.
I feel this invalidates your veracity point, and probably the scaling point too?
The second and third points seem more viable and are potential issues. Especially the third, this would be the main concern IMO. Though I'm sure there are protections against this too (thinking virtually distributed).
Why did anyone ever think computerising voting was a good or useful idea?
It isn't even definitively known who invented blockchain, it is behind the pyramid scheme known as bitcoin and no, no way should that ever be used in voting system computers.
Things like land ownership is vulnerable to manipulation. We don't think about it much in the west because our governments don't change the name of the owner of your house for money, but it's a real problem in corrupt countries.
It's also a major problem in shipping. Where ownership of containers is done with paper forms, that because of corruption have a higher cost of shipping than the actual container itself, and containers still get claimed with faked forms.
Know what Mærsk did to secure the container contracts? They used the block chain.
Much like container forms or land contracts, paper votes are only safe if your system isn't corrupt. With the block chain you could remove the need of relying on the system to be honest because everyone would be able to read the record.
Right now you rely on independent observers, and I hate to tell you this, but we've been unable to influence elections in corrupt countries so far.
When Putin wins with 900% of the votes in regions that hate him you can say that it seems unlikely, if they'd used block chain you would be able to see that it was a lie.
How about learning the definition of the words you use before throwing them around?
You could even create your ballot offline, even by hand.
In Australia a lot of this work is done by volunteers from the major parties.
Edit: I agree, its difficult to scale an attack on paper :)
It could come useful, e.g., for keeping census data to avoid some forms of fraud. E.g. prevent rouge organizers loading elections with "dead souls" voters (Gogol-style). But I don't see any immediate use for election themselves.
Say, the blocks would store anonymized votes (nothing about blockchain itself implements the anonymization). One immediate issue I see is that blockchain only verifies integrity of the blocks after they're in there and out to the public, so it could be verified. Sending them too early would skew election results (observers would be able to see the intermediate results and bias their votes accordingly), and sending them too late would probably make blockchain mostly pointless.