I offer three specific recommendations:
• Paperless DRE voting machines should be immediately
phased out from US elections in favor of systems, such
as precinct-counted optical scan ballots, that leave a
direct artifact of the voter’s choice.
• Statistical “risk limiting audits” should be used after
every election to detect software failures and attacks.
• Additional resources, infrastructure, and training
should be made available to state and local voting
officials to help them more effectively defend their
systems against increasingly sophisticated adversaries.
Where paper ballots are transparent and accountable, electronic voting machines have closed source and unaudited software. They go against the core tenets of transparency and fairness that make democracy work.
I think it's more persuasive to focus on the transparency/auditability/fairness argument. Perhaps as an extension, an emphasis on the ability of the average participant/voter to understand the mechanisms behind how the system works?
No. Doing that badly might have that effect, but there is no axiom which states that accurate counting must be slow or manual. Have electronic voting with instant tallying, with a parallel optical-scanning verification of the generated paper ballot. Then have manual spot checking of the automated counting process, with whatever sample rate you choose. This is a solved problem (ask the USPS if you want details).
Instant results which are "the ballots got wet" proof and have a totally auditable record.
No, but there is an axiom that says the more expensive an attack is, the less likely it will be carried out. Hacking manual counting requires so absurd amounts of coordination between so many individuals, that you can pretty much discount the possibility. High technology is a vehicle of multiplying the power of individuals. The same process that makes electronic counting more efficient, makes it also much cheaper to attack.
> This is a solved problem (ask the USPS if you want details).
TBH, postal services screw up in that department regularly, but nobody cares, as the impact is very small.
Leaving aside other countries and their transition times, in the U.S. at least, there is always more than enough time to have a recount before the winner takes office. There is also enough time to do the same for things like ballot initiatives and referenda, which don't go into effect immediately, but some reasonable amount of time after the vote.
With reference to the 2000 election, the legal fight over the process to perform manual recounts in Florida took far longer than the actual recounts would have taken, dragging it out to December 12. Interestingly enough, while I have heard some still claim that "Bush stole the election," when the press actually finished a manual recount, the conclusion was that Bush had, in fact, won the vote. But people will believe what they want to believe about the fairness of elections when it doesn't go their way, as has been amply demonstrated recently.
With paper, that's a laborious process, requiring physically adding up millions of pieces of information. And many other things - like horses, sailboats, and slavery existed for hundreds of years but have been phased out for superior technology. An electronic voting machine or computer would, in theory, be able to take votes and output a result without this effort. Electronic voting machines are, at first pass, a good idea.
The presence or lack of transparency, accountability, and auditability are implementation details, not principles of electronic voting machines. In the absence of bad decision making and the presence of properly aligned incentives, the issues current voting machines suffer from could be worked around with a different implementation.
Before computers were an option, paper was not chosen because of these properties it's now lauded to have.
There are middle grounds. Paper doesn't have to be manually tabulated.
Punch-hole ballots can be mechanically tabulated, fill-in-the-bubble ballots can be read with minimal software. Results can be aggregated by software and communicated over networks because the results can be audited with the paper trail (both cheap sampling/statistical auditing and an expensive total manual tabulation).
If chads and improperly filled ballots cause problems, create a machine to fill in the paper ballot for people - but give the voter the ballot, let them verify, then walk over and drop it in a ballot box.
If the NSA can't lock down their espionage weapons, we can't trust some second-rate politically-connected software vendors to run our elections. We need auditing, we need paper.
I'd argue that this isn't a huge deal since the amount of labor available scales essentially linearly with the amount of votes cast.
The core feature of a car is to go places fast, but it's also crucial it doesn't kill its occupants. Similarly, the essential aspects of a voting system are things like perception of fairness (otherwise we're back to killing each other for the seat at the table) and protecting individuals from being bribed or coerced into voting in a particular way. Electronic voting systems fail to provide those features in a reliable way.
Consider that there are, and will always be, people on the losing side that argue the elections were rigged. In the paper version, the scenario is so implausible that it's not worth much attention. In an electronic system, where maybe 1% of the electorate can actually understand how it works, and only 0.1% of that 1% have enough access to actually verify it works the way it says it works, it will be much easier to argue that the other side rigged the election. For democracy to work, it's less important who is elected, and more important that everyone accepts the result of the process.
That is a feature of paper ballots, not a bug. We have plenty of volunteers to count ballots and there's no necessary equipment or domain knowledge to do so. The attack surface is thin and well-known with paper.
Of course properly implementing the civlservice reforms (of the 19th century) and not electing Judges and other positions that should be filled on merit by civil servants might help
In general, we'd have to close the loop over hardware the way we did with software.
In software, you can write open-source code that depends only on other open-source code, and you write and distribute it with open-source tools. Trusting-trust-style attacks aside, everything on the software layer can be inspectable by anyone, and in principle you could read through all of the code and understand what's doing.
With hardware though, there pretty much isn't any usable open-source hardware stack that's a) fully open-source at every level, and b) verifiable. The latter is particularly damning, because chips are made in commercial factories you can't inspect, and the actual process is secret. (1/2)
Until the day you can literally print your own circuits from sand, using an open-source designed and manufactured electronics printer, you can't trust hardware without trusting people who manufactured it.
Ultimately, I doubt we'll ever be able to have 100% trust in any human-created system. The one thing we can do, though, is to structure our systems to maximize cost of a successful attack, trying to push it so high that the results are not worth the effort.
 - http://vxer.org/lib/pdf/Reflections%20on%20Trusting%20Trust....
 - it's obviously not true in practice, due to complexity, bugs, and finite lifespan of humans.
 - or "nanolathe", as we called it in the late 90s; cheers Total Annihilation fans!
Once you've handed off your paper ballot, it's no longer "transparent". You have no signature (physical or digital) that verifies that your vote was counted in the final tally. You also have no proof that all other votes submitted in that election were legitimate votes from real, identified eligible voters. Ballot stuffing and mis-recording of votes are both forms of fraud that have been performed under the so-called "transparent" paper voting systems...
"Accountable" implies that you have adequate identification. Last time I checked (last presidential election), I only needed to provide a name and a birthday in order to vote, which are both things that are publicly available information. Without adequate identification of people (see: biometrics + smart cards, ideally), you don't have accountability or even the ability to reliably detect voter fraud. Why would you want to favor a paper system which relies on people (who can be paid off, blackmailed) when better solutions exist that get rid of some of the possibility of human error?
Personally, I'd rather have a public electronic voting system where all voting transactions are stored on a public blockchain. That way I can verify the vote tallies for myself and I can also verify that the vote that I submitted was actually recorded and included on the public blockchain. You add in the assumption that all voting machines must be closed source and un-audited - but that's not an inherent property of voting machines. Governments could just as easily use open source and publicly-audited voting machines.
Would this allow you to prove to someone else how you voted in the election? If so, that's not a desired property.
Currently there is no way for you to prove, to yourself or someone else, who you voted for in an election because nobody gets to see your ballot and you cannot take a photo. This makes vote buying and coercion much more difficult. I'd like our voting system to keep this feature.
You could have a blockchain-based system where everything is public (say, like Bitcoin), which from your perspective would be bad.
You could have a blockchain-based system where you need a "view key" in order to actually view the details of a particular transaction (say, like Monero), which from your perspective would also be bad.
In the latter system I'm describing, you could have a procedural control that you have a choice of receiving your "view key" or something along those lines to deter coercion and vote buying.
Other possibilities would be allowing voters to change their votes at a later date, or creating a system that allows voters to vote remotely such that they could do so in the comfort of their own home where they'd be (presumably) free from coercion and other influences.
The system needs to retain the current property of being able to lie about having voted a certain way with 0 chance that you will be discovered because getting proof is impossible.
Consider that it won't be "comfort of their own home" it'll be the comfort of their union bosses office so he can be sure they voted as directed.
Regardless, I said that it was dependent on the implementation. If I am able to change my votes at a later date, then who cares if my union boss can pull me into his office and force me to vote a certain way? I'll just go in that evening and issue a corrective vote and be issued a new "view key" associated with that transaction and my boss would be none the wiser.
Or you could have a system where the blockchain isn't public, but rather it's only accessible by a few designated government machines. Then for auditing purposes if you want to verify your vote, you go into a facility (no electronics [besides your identification] allowed) with your "view key" and prove your identity (biometrics, smart card) and then you're able to then receive assurance that your vote was recorded as expected by viewing the transaction from one of the government machines.
Then your union boss doesn't have the ability to check your votes.
You know what I love though - people who make all discussions black and white and don't consider the large spectrum of possibilities.
Your threat model is nonsense.
Yes, people do commit fraud in elections, but they do it as insiders where they have the opportunity to covertly meddle with large numbers of votes.
They do not do it by walking into a precinct in plain sight and claiming to be someone else, risking everything for the chance to cast one vote, unless they are very, very dumb.
We can have sophisticated and safe electronic voting, but we have to introduce it gradually, with transparency and major, sustained investment.
We must also do something that doesn't come naturally: Critically review and audit progress to-date, and use this information to conservatively set direction for future effort. The aviation industry's approach to technology is the kind of model that is needed here, not that of startups or big corporate.
It was not my intent to suggest that the system itself would need to be greatly complex. Perhaps my use of the term was incorrect.
There are professional security people who disagree, at least in practice, with Mr. Schneier, and would make Rube Goldberg envious with the needless complexity of their constructions.
Given how obvious and easy to execute this is, it seems impossible to imagine any justification for the change that does not at least consider this an acceptable plausible consequence of the choice.
That said I believe that, absent major changes to regulations around voting machines, the labor cost is worth the security, transparency, and accountability benefits.
Automating the counting process must be done in a way that preserves the ability to manually verify the count - voting machines that do not produce a paper audit trail that can be verified by humans are fundamentally insecure.
Computers represent a single point of failure, one piece of malicious software could affect an election and nobody would even know. This problem is made even worse by the closed source machines in use right now.
Assuming perfect security and absence of software bugs, we'd be insane to prefer human counters to machine counters.
My point was just that there are obvious up-sides... so it's not like e-voting is some pointlessly insane thing.
I happen to think it's a bad idea even with dead tree audit trails, but I can respect the position that, with appropriate audit trails, it makes the voting process more robust.
Sometimes you gain a lot by having deliberate inefficiencies.
The reason for the existence of electronic machines is often something as mundane as the cousin of the governor owns a company which happens to make the machines.
That's not to dismiss the claims of cost (projected to be cheaper than armies of manual counters) and speed (instant results on election night!) that also likely spurred this decision. In hindsight though we are learning of the other issues we have created while trying to solve the originals.
Hence electronic paperless voting with no tamper proof audit trail.
It's techno-philia from the techno-ignorant.
We just had our municipal elections. Plenty of regular people saw the slowness and the expense of paper ballots. Some asked about switching to electronic voting, because even to a layman it's obvious how computers could potentially make tallying votes faster and cheaper.
The part that's not obvious is security and making results auditable. That's much harder for electronic voting, but it's not as obvious to a layman.
If most of those people is chosen randomly between the population, as it happens in my country, the system is pretty robust. As this is HN: It's a distributed system, every node making its own checks.
So, the answer to the complains is that the slowness and the expense are a feature, not a bug.
It's insane anybody thought electronic baking was a good idea when paper money has worked for hundreds of years.
Electronic voting machines aren't problem.
Bad implementations are the potential problem.
The problem with voting is that trust doesn't really exist, you have large blocs that are historically willing to undermine the integrity of the process itself because the risks of getting caught the penalties associated with same are low and mild compared to the potential payoffs of success. I would argue that too much power is concenrtated in elective offices, such that the incentives for cheating so vastly outweight the downside risks that shenanigans become inevitable.
The American approach to this has been to distribute power across as many elective offices as possible. This may have been a mistake, and furthermore it makes voting enormously elaborate and complex. American ballots are huge. That's better than the paternalism that obtains in parliamentarian systems, where you get to vote for a small number representatives once every few years and on a referendum maybe once a decade, which makes it easy to do all the ballot-counting by hand.
Paper ballots can't be counted by hand in the US. I mean, yeah, it's theoretically possible, but when ballot papers in a general election can have 40 ro 50 candidates and referendum items, counting has to be automated (eg by scanning) and recounts are limited to specific races in specific precincts. To be frank, it would be very easy for a determined attacker to throw an entire election into doubt by subverting just a few key points. All I need to do is force votes close enough to trigger the recount threshold in multiple (>=3) disparate races in multiple (>=3) busy precincts and then have a few Outraged Citizens show up to protest the injustice simultaneously. To be honest you could probably do that with ad buys and not even use knowing operatives. The amplifying effect of the media will do the rest. On top of the commercial impulses that drive the media to seek spectacle first and substance alter, the wide availability of camera and communications technology is a double-edged sword; on one level it provides an economic and cultural stimulus which is great, but that also means that it's extremely subject to manipulation as the capacity for media production outstrips that of critical consumption - that is to say, our capacity to create rumors often exceeds our capacity to filter them out, and leveraging this at a critical time like an election makes it easy to provoke political instability.
Sp, while paper ballots seem to have greater integrity than electronic voting, they're really not that much harder to undermine and require the acceptance of all kinds of practical problems that come with fetishizing tradition.
Could we not instead have voting machines with open source and audited software, or better yet voting software that we could all have on our phones that met the same standards? That'd be the ideal, but it hasn't happened until now because procurement and the political process itself are deeply corrupted, and in addition to the basic corruption of two sides spending vast sums of money to struggle over power, there's the bigger issue that if you could gain popular acceptance for a solid verifiable open-source voting mechanism we wouldn't need much of our political infrastructure; that is to say, instantaneous, reliable, and credible electronic voting is a threat to the existence of the political class, and by extension to the buyers of said political class's services.
They just take their coupon/candidate of choice and deposit it into a box.
There are no pencils needed, no ambiguity. Ballots are hand-counted and totals are reached rapidly. A far less-hackable alternative to what exists in the US IMHO.
Problem back then was that people would literally beat you up on the way to the poll if they disagreed with your choice. It was an entirely different culture around voting, secret polls were not a thing.
I live in Oregon State and we are one of the few states that does all of our voting entirely by mail. I think it is the best way to do things. No need to go to the polls and you can do research while you fill out your ballot. We have polling offices available if you forget to fill it out on time.
I wasn't implying that voting coupons would still have the issue of people bullying you, just why we don't use that system anymore. And honestly coupons seem a little archaic to me, not to mention easy to manipulate.
I could argue that a system such as that is easier to have fraud simply because all of the tickets for a particular voter look exactly the same and there is noting unique on each ticket (the way it is marked) that can differentiate in a way to make fraud less likely.
The electronic machine has a nice UI. Clear. Offered in multiple languages. Maybe even show pictures of the candidates. Touch screen. It's all great.
It MUST produce a paper ballot that clearly shows what my vote is. I put it in a cardboard sandwith for privacy. I drop the ballot from the cardboard into ANOTHER machine that instantly counts my vote. A readout on the top of the machine shows the total number of ballots counted today. I can see that number increment as my ballot is scanned and dropped into a basket within the machine's guts. That gives me a feeling of assurance that my vote was counted and scanned. What the machine scans is the same exact thing on the ballot that my eyeball scans. That way the "human readable" part of the ballot cannot differ from the "machine readable" part of the ballot since they are one and the same.
Now at various points during the day, the election officials could obtain the number of votes to each candidate in order to update the press on how it is going.
A statistical audit for anomalies can be done -- even on the paper ballots.
If needed, a laborious manual recount could be done using the paper ballots.
You get the reliability of paper ballots and recounts. And the convenience of modern UIs and rapid counting.
Congratulations, you've invented a very expensive pencil.
> ANOTHER machine that instantly counts my vote. A readout on the top of the machine shows the total number of ballots counted today.
Which can be hacked to show you the correct count, but not report the correct count later on. At which points obviously the paper ballots can be emptied out and verified, but then which part of this isn't paper voting except with complex machines needlessly inserted?
Paper votes can be counted quickly by machine if so desired, but the counting machines will have to be monitored and watched carefully to make sure they tally correctly. Essentially they cannot be placed in a public area where just anyone has access.
We had a huge incentive to get it right. Counting ballots should be just as verifiable and accurate.
How would you attack those with a blockchain?
If someone steals the hardware token, you could get it revoked and have a new one re-issued; just as you'd do if you lost your Passport of Drivers License.
The hardware token (as well as some form of biometric identification) could be your assurance of one-man-one-vote. The hardware token would do all of the key management needed to submit votes to the blockchain. The blockchain by itself would not be the full solution - only part of it.
Good luck getting anything like you suggested passed in states like California or New York.
You could set up some decentralized system like the Certificate Authority system that we have for the internet perhaps to verify & issue tokens. That would be fairly difficult, however, as there would also have to be assurance that a single person has not been issued multiple tokens. There would likely require there to be a central registry somewhere.
You can't just "PGP it" in this scenario, as it needs to be one token per voter - and that has to be provable. In a "PGP"-like system - while you can receive higher assurance of identity through other people signing your public key, it provides no assurance against tokens being associated with fake identities, or people owning multiple tokens.
Regardless - identification is just one aspect of voting.
You also need some way to store the votes that have been cast (while maintaining integrity, verifiability, confidentiality) as well as a way to tally the votes (while maintaining integrity, verifiability, confidentiality). That's the component that the blockchain would serve to fill.
That being said, if there is a buck to be made, people will swallow all kinds mess to make it.
I used to be in favor of electronic voting, but after slowly learning more and more about how difficult it is to create secure system, I think voting is one place where we are not yet ready to digitise(if we ever will be).
It's an IT problem that many at HN should understand. Secure this system against potential nation state attackers who are highly motivated:
* System is distributed across locations in every county in the nation
* System is actually a variety of different systems, not built to any standard or spec (AFAIK).
* Software and hardware are not audited or known to be secure. Much of it is well past it's designed lifetime. Level of maintenance varies, but is probably low on average.
* System is operated by amateurs, often volunteers, a different group of them in every location. Operators have a variety of training, but often very little and often minimal security training. Operators are not vetted.
* Physical security is minimal. Also, up to 180 million users are given private, physical access to the system.
Obviously, it's an absurdly impossible task. To any degree that it is possible, the expense would be so high that paper would be the obvious choice.
Sure they are. Attacks against the counting are not, but you can easily attack the voters int heir heads by microtargeting of advertising, both electronic and in more traditional forms like paper mailers or street displays. You can't easily produce a particular outcome across a large population, but you don't need to; all you have to do is throw the integrity of the election into sufficient doubt that the political consensus breaks down and it's off to the races. And that is very very easy to do, as we have seen over and over again.
On the other hand, you know a lot about the general integrity of electronic transactions because you probably use a credit or debit card frequently and in many different places and contexts and it works predictably. So even though that system isn't that secure, enough people believe in it through repetition and general utility that it remains in place. Voting is infrequent and thus easier to get up conspiracy theories about.
We can have immediate results and reduced errors from electronic voting while simultaneously having a perfect, affirmative paper record.
> In September 2016, prior to the 2016 elections, the IT Subcommittee held a hearing entitled “Cybersecurity of Voting Machines”.
> In January 2017, Department of Homeland Security (DHS) Secretary Jeh Johnson designated election infrastructure as “critical infrastructure” with the intent of offering assistance to state and local election officials.
On September 22, 2017, DHS notified 21 states of Russian government hackers’ attempt to breach state systems during the 2016 election. Two weeks later, DHS announced the creation of an election security task force to enhance coordination with state and local election officials.
> On September 8, 2017, the Commonwealth of Virginia’s election supervisors directed counties to end the use of touchscreen voting machines before November’s elections, citing the devices posed unacceptable digital risks.
There's a higher level concept document here: https://github.com/republique-et-canton-de-geneve/chvote-pro...
I post this on every thread involving electronic voting and nobody has yet successfully responded.
Paper is secure by default.
Deniable voting — aka not being able to verify a single vote — is a feature of paper-based voting, not a drawback.
That's not the case. Imagine this system: upon receiving your ballot at the polling place, you find n candidates, each with random numbers from 1 to n associated with them. You pick candidate #i, submit that vote, and take home a receipt saying you voted for candidate #i. Then proof is later posted that your vote was counted for candidate #i (using some fancy crypto). Then you can verify that your vote was indeed counted for the correct candidate, but no one (not even you, were you to forget) can tell who that candidate is.
For more information on these sorts of voting systems, see https://www.usvotefoundation.org/sites/default/files/E2EVIV_.... It's intended as a review of remote voting systems, but a lot of it apply to other types of systems as well.
I've been reading this discussion off and on a lot today because I'm pretty fascinated that so many people feel so strongly against electronic voting and would rather have paper. On Hacker News of all places. Yes there are ways to manipulate any system, but being software developers we should all know that there are ways to fix these things and make it better.
That's what we're all here for, not for regression to old systems that seem great on paper (ha!), but for progression and new systems that work better.
I can understand non-technical people buying bullshit about so-called “secure” software, but anyone having an idea of what software looks like should know that there is no such thing and feel responsible for teaching people about it.
Plus, voting machines in use so far have been so blatantly insecure (eg. requirement to use a well known insecure old version of Java-in-the-browser for French people abroad at the French elections of 2012) that it's just impossible to trust people currently working on these matters.
It doesn't matter whether you actually mark the ballots or not if a sufficiently large number of people believe you might have done so. And considering how we're regularly reminded that laser printers leave tiny microdot patterns that allow the identification of which individual unit printed something, what makes you think voters could not be persuaded to believe the same thing about ballots, regardless of the fact that they're produced by offset lithography? Most people already live in a world where the technology is indistinguishable from magic. Rationalists often mistakenly believe that everyone or at least a substantial majority of the population are as rational and well-informed as they are. They're not.
That can't ever happen. It will create a market for buying/selling votes because it's possible to prove who you voted for. It will also create a system that allows for individuals to be threatened & coerced into voting a particular way.
For example, why do we select our representatives based on where we live, and then have them represent us on every possible issue? This leads to issue voting, where a voter may choose a representative based solely on their stance on a single issue (for example, abortion), even if that representatives does not reflect their stances on all other topics.
An issue-based representative system where you select several representatives, with each assigned a particular topic or subtopic of voter-selected granularity, would allow you to rank your interests and allow your overall political views to be better reflected by your elected representative(s).
For example, you might rank privacy very highly as one of your topics, and elect someone from the EFF to represent you on privacy-related issues (but nothing else, as the EFF knows nothing about these other topics). As a secondary priority, you also care about low taxes, so you choose a fiscal conservative to represent you on most economic and spending issues. However, you also want to ensure that your local community is represented, so you finally elect a local politician to represent you on all other issues.
For additional information on what such a system might look like, you may want to read this article. 
However, as such a system has many scalability problems (logistically) if based on paper-based voting, it is only possible to implement practically using an electronic/digital system. However, the transparency and fairness of such an electronic system are no less important in this case than they are under our existing political structure, and possible more so.
Hopefully this has illustrated some potential long-term benefits of electronic voting systems, even if it doesn't address the short-term problems generated by the closed-source, unaudited systems being deployed now.
Electronic voting machines are a solution in search of a problem.
People want it because it is faster to count.
Use something like a cryptocoin. You go to a voting office, get approved as a legit voter, and they send you a coin. You send it to some address for a candidate. Everyone can see the result.
Obviously you can and people do even though they're not supposed to.
Lack of understanding should not be a deterrent. If it's a public blockchain-based system, people can use open source clients that are coded by an entity they trust (like people use Firefox, Chrome, Edge, etc. for web browsing). If people don't trust the blockchain clients, it's likely a UI issue.
The rest of the posts you're alluding to are weak, media articles by non-experts.