Hearing on Cybersecurity of Voting Machines: Testimony of Prof. Matt Blaze [pdf] (house.gov)
118 points by warrenm 10 months ago | 141 comments

The choice quote:

    I offer three specific recommendations:
    • Paperless DRE voting machines should be immediately
      phased out from US elections in favor of systems, such
      as precinct-counted optical scan ballots, that leave a 
      direct artifact of the voter’s choice.
    • Statistical “risk limiting audits” should be used after
      every election to detect software failures and attacks.
    • Additional resources, infrastructure, and training
      should be made available to state and local voting
      officials to help them more effectively defend their
      systems against increasingly sophisticated adversaries.

It's insane that anybody thought electronic voting machines were a good idea when paper ballots have worked for hundreds of years.

Where paper ballots are transparent and accountable, electronic voting machines have closed source and unaudited software. They go against the core tenets of transparency and fairness that make democracy work.

I don't disagree, but I also don't think that how long something has been done one way is indicative of that way's optimality. By such an argument, microwaves as a form of cooking and airplanes as a form of travel would both be bad ideas.

I think it's more persuasive to focus on the transparency/auditability/fairness argument. Perhaps as an extension, an emphasis on the ability of the average participant/voter to understand the mechanisms behind how the system works?

Fuck optimization. I want vote tallying to be slow, labour-intensive, and repeatable by independent parties with no special knowledge or equipment. Making the system more efficient opens attack vectors. We know how to count and paper ballots have been around so long that the attack vectors are known and can be planned around.

> Making the system more efficient opens attack vectors.

No. Doing that badly might have that effect, but there is no axiom which states that accurate counting must be slow or manual. Have electronic voting with instant tallying, with a parallel optical-scanning verification of the generated paper ballot. Then have manual spot checking of the automated counting process, with whatever sample rate you choose. This is a solved problem (ask the USPS if you want details).

Instant results which are "the ballots got wet" proof and have a totally auditable record.
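The testimony quoted at the top recommends statistical "risk limiting audits" after every election, and the comment above proposes manual spot checks of the automated count "with whatever sample rate you choose". The block below is an added example, not code from the thread or from the testimony: a ballot-polling risk-limiting audit in the style of BRAVO (Lindeman, Stark and Yates, 2012), where the sample size is not fixed in advance but grows until the paper ballots either support the machine-reported outcome at the chosen risk limit or the audit escalates to a full hand count. The candidate names, ballot counts and the seeded shuffle (standing in for a public random draw) are constructed for the demo.

```python
# Added example (not from the thread or the testimony): a ballot-polling
# risk-limiting audit in the style of BRAVO (Lindeman, Stark & Yates, 2012).
# Ballots, tallies and candidate names below are constructed for the demo.
import random
from collections import Counter


def bravo_audit(ballots, reported, winner, loser, risk_limit=0.05, seed=1):
    """Audit a two-candidate contest by inspecting paper ballots in random order.

    ballots    : the true votes on the paper ballots (what a hand inspection reads)
    reported   : the machine-reported tallies, e.g. {"A": 6000, "B": 4000}
    winner     : the reported winner; loser: the reported runner-up
    risk_limit : max probability that a wrong reported outcome escapes escalation
    Returns a dict describing how the audit ended.
    """
    share = reported[winner] / (reported[winner] + reported[loser])
    if share <= 0.5:
        raise ValueError("reported winner must hold a majority of the two-way vote")
    threshold = 1.0 / risk_limit          # confirm once the likelihood ratio exceeds this
    order = list(range(len(ballots)))
    random.Random(seed).shuffle(order)    # seed stands in for a public dice roll
    ratio = 1.0                           # likelihood ratio: reported margin vs. a tie
    for examined, i in enumerate(order, start=1):
        vote = ballots[i]
        if vote == winner:
            ratio *= share / 0.5          # evidence for the reported outcome
        elif vote == loser:
            ratio *= (1.0 - share) / 0.5  # evidence against it
        # ballots for other candidates or blanks leave the ratio unchanged
        if ratio >= threshold:
            return {"outcome": "confirmed", "ballots_examined": examined, "hand_count": None}
    # Sample exhausted without reaching the threshold: escalate to a full hand count,
    # which is what an RLA does when the paper does not support the reported result.
    counts = Counter(ballots)
    return {"outcome": "full_hand_count", "ballots_examined": len(ballots),
            "hand_count": dict(counts)}


def make_ballots(n, share_a, seed=7):
    """Constructed paper ballots: n ballots, fraction share_a for A, the rest for B."""
    rng = random.Random(seed)
    ballots = ["A"] * int(n * share_a) + ["B"] * (n - int(n * share_a))
    rng.shuffle(ballots)
    return ballots


def honest_scenario():
    """Machine tally agrees with the paper: A really received 60%."""
    ballots = make_ballots(10_000, 0.60)
    reported = dict(Counter(ballots))
    return bravo_audit(ballots, reported, "A", "B")


def compromised_scenario():
    """Machine announces A at 60%, but the paper ballots show A at only 35%."""
    ballots = make_ballots(10_000, 0.35)
    reported = {"A": 6000, "B": 4000}     # what the faulty or tampered software reported
    return bravo_audit(ballots, reported, "A", "B")


if __name__ == "__main__":
    print("honest:", honest_scenario())
    print("compromised:", compromised_scenario())
```

In the honest scenario the audit stops after a few hundred ballots at most, since a 60/40 reported margin is easy to confirm; in the compromised scenario the ratio never reaches 1/risk_limit, the audit examines every ballot, and the hand count exposes that the reported winner lost. The risk limit is the guarantee that matters: whatever the software did, a wrong reported outcome survives the audit with probability at most `risk_limit`.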

> Doing that badly might have that effect, but there is no axiom which states that accurate counting must be slow or manual.

No, but there is an axiom that says the more expensive an attack is, the less likely it will be carried out. Hacking manual counting requires such absurd amounts of coordination between so many individuals that you can pretty much discount the possibility. High technology is a vehicle for multiplying the power of individuals. The same process that makes electronic counting more efficient also makes it much cheaper to attack.

> This is a solved problem (ask the USPS if you want details).

TBH, postal services screw up in that department regularly, but nobody cares, as the impact is very small.

Hand counting is very likely less accurate than machine counting.

Doesn't have to be perfectly accurate - it only has to be in the ballpark of the correct amount and with low deviation. In voting, a method with consistent +/- 1% error is better than a method that generally has +/- 0.0000001% error but can be trivially hacked to produce +/- 50% error. Elections aren't usually decided on a single vote, and in those rare cases, you can recount a few more times to be sure.

with the notable exceptions of: software failures, adversarial exploits, malicious design, et al

OK, but voting is also a very short part of the democratic process. Voting needs to be reasonably fast so that the decisions are then enacted. If recounts cause the process to take months (which I believe was the case back in 2000), then it also makes the transition process take longer and seeds ever more doubt into the process. Just look at what happened in Kenya recently.

All of this used to be done by horse transit in the U.S. Also, the U.S. is by design merely a polyarchy (rather than a monarchy), and only potentially a democracy. Who specifically is elected is less important than the process being accountable. It's made more democratic through participation, and made more of an oligarchy or plutocracy through less participation.

> Voting needs to be reasonably fast so that the decisions are then enacted.

Leaving aside other countries and their transition times, in the U.S. at least, there is always more than enough time to have a recount before the winner takes office. There is also enough time to do the same for things like ballot initiatives and referenda, which don't go into effect immediately, but some reasonable amount of time after the vote.

With reference to the 2000 election, the legal fight over the process to perform manual recounts in Florida took far longer than the actual recounts would have taken, dragging it out to December 12. Interestingly enough, while I have heard some still claim that "Bush stole the election," when the press actually finished a manual recount, the conclusion was that Bush had, in fact, won the vote. But people will believe what they want to believe about the fairness of elections when it doesn't go their way, as has been amply demonstrated recently.

As several studies that looked at all the ballots cast in FL have concluded, Gore had slightly more votes than Bush. However, ironically, if the Supreme Court had ruled for Gore, the selective recount that Gore's lawyers were arguing for would have favored Bush.

If you vote on a decision directly, it makes sense for it to be fast. But for large elections, when you select future rulers that will hold their office for years, a few days of delay between the vote and the results makes pretty much zero difference - especially since you usually do the vote while the old politicians still have months to go.

Yes it's critical for democracy that the mechanism can be not only understood by a layman but verified by a layman. I'm sure we can make a system that experts believe is safe. But it's the voter that has to believe and it's unreasonable to ask them to be experts. If you lose the voter, democracy cannot function.

The core feature of a voting system is to determine who got more votes.

With paper, that's a laborious process, requiring physically adding up millions of pieces of information. And many other things - like horses, sailboats, and slavery existed for hundreds of years but have been phased out for superior technology. An electronic voting machine or computer would, in theory, be able to take votes and output a result without this effort. Electronic voting machines are, at first pass, a good idea.

The presence or lack of transparency, accountability, and auditability are implementation details, not principles of electronic voting machines. In the absence of bad decision making and the presence of properly aligned incentives, the issues current voting machines suffer from could be worked around with a different implementation.

Before computers were an option, paper was not chosen because of these properties it's now lauded to have.

The real risk is full digitization, which these voting machines provide. Our elections cannot be a black box.

There are middle grounds. Paper doesn't have to be manually tabulated.

Punch-hole ballots can be mechanically tabulated, fill-in-the-bubble ballots can be read with minimal software. Results can be aggregated by software and communicated over networks because the results can be audited with the paper trail (both cheap sampling/statistical auditing and an expensive total manual tabulation).

If chads and improperly filled ballots cause problems, create a machine to fill in the paper ballot for people - but give the voter the ballot, let them verify, then walk over and drop it in a ballot box.

If the NSA can't lock down their espionage weapons, we can't trust some second-rate politically-connected software vendors to run our elections. We need auditing, we need paper.

> With paper, that's a laborious process, requiring physically adding up millions of pieces of information.

I'd argue that this isn't a huge deal since the amount of labor available scales essentially linearly with the amount of votes cast.

Unless you follow Saudi Arabia's lead and start granting citizenship to robots. Then you can't use them as labor for counting paper ballots, as that would turn them into electronic voting machines.

Mimic humans: some robots will be lower class, without citizenship, and they can do the counting. Oh wait...

Doesn't change the fact that those non-core features are actually essential in practice.

The core feature of a car is to go places fast, but it's also crucial it doesn't kill its occupants. Similarly, the essential aspects of a voting system are things like perception of fairness (otherwise we're back to killing each other for the seat at the table) and protecting individuals from being bribed or coerced into voting in a particular way. Electronic voting systems fail to provide those features in a reliable way.

Transportation systems get people places. Cars get people places fast, and are so much more effective than the old methods (horses or walking) that their increased danger is worth it. They just need to be safe enough. Equivalently, it's so much easier to tabulate voting results with computers that we just need to make it reliable enough.

Yes. The point is, electronic voting systems are not good enough with respect to the trust general population will have in the system.

Consider that there are, and will always be, people on the losing side that argue the elections were rigged. In the paper version, the scenario is so implausible that it's not worth much attention. In an electronic system, where maybe 1% of the electorate can actually understand how it works, and only 0.1% of that 1% have enough access to actually verify it works the way it says it works, it will be much easier to argue that the other side rigged the election. For democracy to work, it's less important who is elected, and more important that everyone accepts the result of the process.

>With paper, that's a laborious process, requiring physically adding up millions of pieces of information

That is a feature of paper ballots, not a bug. We have plenty of volunteers to count ballots and there's no necessary equipment or domain knowledge to do so. The attack surface is thin and well-known with paper.

Doesn't seem to be a problem in the UK; the US population is only 5x.

Of course, properly implementing the civil service reforms (of the 19th century) and not electing judges and other positions that should be filled on merit by civil servants might help.

Do you think there is a world that we can safely and securely depend on electronic systems? Aka, enough open source and open hardware then anybody can ensure that the system is secure?

(NOTE: did HN just break? It's cutting my comment in half when I try to submit/edit it...)

In general, we'd have to close the loop over hardware the way we did with software.

In software, you can write open-source code that depends only on other open-source code, and you write and distribute it with open-source tools. Trusting-trust-style attacks aside[0], everything on the software layer can be inspectable by anyone, and in principle you could read through all of the code and understand what it's doing[1].

With hardware though, there pretty much isn't any usable open-source hardware stack that's a) fully open-source at every level, and b) verifiable. The latter is particularly damning, because chips are made in commercial factories you can't inspect, and the actual process is secret. (1/2)

(2/2; cut in half because HN is doing weird things tonight.)

Until the day you can literally print[2] your own circuits from sand, using an open-source designed and manufactured electronics printer, you can't trust hardware without trusting people who manufactured it.

Ultimately, I doubt we'll ever be able to have 100% trust in any human-created system. The one thing we can do, though, is to structure our systems to maximize cost of a successful attack, trying to push it so high that the results are not worth the effort.


[0] - http://vxer.org/lib/pdf/Reflections%20on%20Trusting%20Trust....

[1] - it's obviously not true in practice, due to complexity, bugs, and finite lifespan of humans.

[2] - or "nanolathe", as we called it in the late 90s; cheers Total Annihilation fans!

I'm confused how you can say paper ballots have any of those properties.

Once you've handed off your paper ballot, it's no longer "transparent". You have no signature (physical or digital) that verifies that your vote was counted in the final tally. You also have no proof that all other votes submitted in that election were legitimate votes from real, identified eligible voters. Ballot stuffing and mis-recording of votes are both forms of fraud that have been performed under the so-called "transparent" paper voting systems...

"Accountable" implies that you have adequate identification. Last time I checked (last presidential election), I only needed to provide a name and a birthday in order to vote, which are both things that are publicly available information. Without adequate identification of people (see: biometrics + smart cards, ideally), you don't have accountability or even the ability to reliably detect voter fraud. Why would you want to favor a paper system which relies on people (who can be paid off, blackmailed) when better solutions exist that get rid of some of the possibility of human error?

Personally, I'd rather have a public electronic voting system where all voting transactions are stored on a public blockchain. That way I can verify the vote tallies for myself and I can also verify that the vote that I submitted was actually recorded and included on the public blockchain. You add in the assumption that all voting machines must be closed source and un-audited - but that's not an inherent property of voting machines. Governments could just as easily use open source and publicly-audited voting machines.

>I can also verify that the vote that I submitted was actually recorded and included on the public blockchain.

Would this allow you to prove to someone else how you voted in the election? If so, that's not a desired property.

Currently there is no way for you to prove, to yourself or someone else, who you voted for in an election because nobody gets to see your ballot and you cannot take a photo. This makes vote buying and coercion much more difficult. I'd like our voting system to keep this feature.

I can see how that would be a concern, and I'd say to that - it really depends on the implementation.

You could have a blockchain-based system where everything is public (say, like Bitcoin), which from your perspective would be bad.

You could have a blockchain-based system where you need a "view key" in order to actually view the details of a particular transaction (say, like Monero), which from your perspective would also be bad.

In the latter system I'm describing, you could have a procedural control that you have a choice of receiving your "view key" or something along those lines to deter coercion and vote buying.

Other possibilities would be allowing voters to change their votes at a later date, or creating a system that allows voters to vote remotely such that they could do so in the comfort of their own home where they'd be (presumably) free from coercion and other influences.

If it's possible to get vote attestations (using view keys for instance) then coercion and vote buying will happen. Consider that if I can coerce/buy your vote I can coerce/buy your view key (no, a duress key doesn't help; if it exists I'll demand both).

The system needs to retain the current property of being able to lie about having voted a certain way with 0 chance that you will be discovered because getting proof is impossible.

Consider that it won't be "comfort of their own home", it'll be the comfort of their union boss's office so he can be sure they voted as directed.

First off, I hope you realize that in the current paper systems your "union boss" could literally walk down to the voting station themselves and give them your name & birthday and just submit votes on your behalf without needing to "coerce" or "buy" any votes.

Regardless, I said that it was dependent on the implementation. If I am able to change my votes at a later date, then who cares if my union boss can pull me into his office and force me to vote a certain way? I'll just go in that evening and issue a corrective vote and be issued a new "view key" associated with that transaction and my boss would be none the wiser.

Or you could have a system where the blockchain isn't public, but rather it's only accessible by a few designated government machines. Then for auditing purposes if you want to verify your vote, you go into a facility (no electronics [besides your identification] allowed) with your "view key" and prove your identity (biometrics, smart card) and then you're able to then receive assurance that your vote was recorded as expected by viewing the transaction from one of the government machines.

Then your union boss doesn't have the ability to check your votes.

You know what I love though - people who make all discussions black and white and don't consider the large spectrum of possibilities.

> First off, I hope you realize that in the current paper systems that your "union boss" could literally walk down to the voting station themselves and give them your name & birthday and just submit votes on your behalf without needing to "coerce" or "buy" any votes.

Your threat model is nonsense.

Yes, people do commit fraud in elections, but they do it as insiders where they have the opportunity to covertly meddle with large numbers of votes.

They do not do it by walking into a precinct in plain sight and claiming to be someone else, risking everything for the chance to cast one vote, unless they are very, very dumb.

In the UK with paper ballots, when you vote you're checked against the electoral register before you get the ballot.

Both sides of this particular debate seem to be stuck in this silly false dichotomy where you either have insecure electronic voting, or entirely revert to traditional paper ballots.

We can have sophisticated and safe electronic voting, but we have to introduce it gradually, with transparency and major, sustained investment.

We must also do something that doesn't come naturally: Critically review and audit progress to-date, and use this information to conservatively set direction for future effort. The aviation industry's approach to technology is the kind of model that is needed here, not that of startups or big corporate.

Schneier once wrote[0], "The worst enemy of security is complexity", and I'm inclined to agree with him. "Sophisticated and safe" is an almost guaranteed contradiction.

[0] https://www.schneier.com/essays/archives/1999/11/a_plea_for_...

Ah, my intent with the use of sophistication was more in the sense of being greatly worked on over time, and adapted based on real-world experience and the complexity of the environment in which it exists.

It was not my intent to suggest that the system itself would need to be greatly complex. Perhaps my use of the term was incorrect.

Don't feel embarrassed.

There are professional security people who disagree, at least in practice, with Mr. Schneier, and would make Rube Goldberg envious with the needless complexity of their constructions.

The suggestions mentioned in this testimony basically recommend doing just that. Paper ballots are used to keep a record of the vote in the case of a system outage or if a manual audit is triggered, but for the most part you would never do it that way. Statistical analysis is used to trigger alerts that there may be fraud happening at a particular polling station.

More importantly, what problems are electronic machines solving? Having to wait until the next day for results?

The existence of a reliable objective audit trail is a "problem" that is solved by electronic voting machines. Well, a problem for people who wish to rig elections. Perhaps the ability to untraceably modify millions of votes with the push of a button at an unaccountable private company's headquarters is a feature, not a bug?

Given how obvious and easy to execute this is, it seems impossible to imagine any justification for the change that does not at least consider this an acceptable plausible consequence of the choice.

Price. I guarantee that's the problem they were brought in because of.

Because classic counting was too expensive or too cheap?

Too expensive. Classic counting means counting by hand, which means a small army of people (or, for a federal election, a large army of people, literally the size of some armies).

That said I believe that, absent major changes to regulations around voting machines, the labor cost is worth the security, transparency, and accountability benefits.

Automating the counting process must be done in a way that preserves the ability to manually verify the count - voting machines that do not produce a paper audit trail that can be verified by humans are fundamentally insecure.

Classic counting being what? By hand? Does that sound like the most accurate or efficient way to go about this?

The manual mistakes will average out with scale. Software mistakes get multiplied.

I feel like software mistakes are easily identifiable and fixable where human mistakes are not on both accounts. Plus, even small mistakes could lead to elections being decided on just a few votes the wrong way.

The rare truly close race generally faces a recount anyway, so the same mistakes would need to happen multiple times. Unlikely for humans, plausible for machines.

Nobody expects humans to be accurate, and that's why there are checks and balances in place to make sure the counts are accurate and unbiased. It would take a huge conspiracy to swing an election.

Computers represent a single point of failure, one piece of malicious software could affect an election and nobody would even know. This problem is made even worse by the closed source machines in use right now.

This is the key comment of this thread.

Assuming perfect security and absence of software bugs, we'd be insane to prefer human counters to machine counters.

Yes, if we assume away all the problems inherent to machine counting it seems like a great solution.
My point was just that there are obvious up-sides... so it's not like e-voting is some pointlessly insane thing.

I happen to think it's a bad idea even with dead tree audit trails, but I can respect the position that, with appropriate audit trails, it makes the voting process more robust.

Efficiency isn't always a good thing. Efficient systems can be more brittle, more centralized, and with errors that correlate. This is the story of inventing more and more efficient financial products until the whole system collapses due to interdependencies.

Sometimes you gain a lot by having deliberate inefficiencies.

If you are a government, making something easier to measure is a benefit, regardless of the second order effects it might have.

Your words about paper ballots being transparent, accountable, etc are exactly how paper ballots have NOT worked for hundreds of years. At least not "worked" the way some people wish they would "work".

Hence electronic paperless voting with no tamper proof audit trail.

> They go against the core tenets of transparency and fairness that make democracy work.

The reason for the existence of electronic machines is often something as mundane as the cousin of the governor owns a company which happens to make the machines.

Um, voting should not be transparent; you don't want "Vinny" or "Paddy" the block captain coming round and saying "Mr Falcone / Mr Murphy is very upset about the way you voted".

Thinking back to the Gore-Bush election and issues of ambiguous paper ballots during the very tight recount. Everyone remember hanging chads? Or double voted ballots? There's an argument to be had that digital systems are more robust and will enforce the proper rules in a non-ambiguous manner.

That's not to dismiss the claims of cost (projected to be cheaper than armies of manual counters) and speed (instant results on election night!) that also likely spurred this decision. In hindsight though we are learning of the other issues we have created while trying to solve the originals.

During the Bush-Gore election, the paper voting machines had ambiguities but the digital ones were actually hacked. https://en.wikipedia.org/wiki/Volusia_error

In the video below, Tom Scott explains why paper ballots are intrinsically more secure than electronic voting. If you're reading this and don't think that electronic voting is a terrible idea, I urge you to spend the next eight minutes of your life watching it.
Well, one type of paper ballot probably tipped a presidential election. There was a sudden push to get rid of any ambiguity. It was an overreaction but that is why it happened.

The ambiguity wasn't necessary in that election, politics made the ballots confusing and they can do the same thing with electronic ballots. And even with that ambiguity, a recount would have solved the issue. The Supreme Court decided that election by stopping the recount.

It's a premature optimisation gone malignant.

It's techno-philia from the techno-ignorant.

It's not insane if you look at the motivations behind who was pushing them.

Please explain, I don't know anything about this.

I hope you're not implying some sort of conspiracy theory. As far as I can tell, the driving motivation seems to be saving money.

We just had our municipal elections. Plenty of regular people saw the slowness and the expense of paper ballots. Some asked about switching to electronic voting, because even to a layman it's obvious how computers could potentially make tallying votes faster and cheaper.

The part that's not obvious is security and making results auditable. That's much harder for electronic voting, but it's not as obvious to a layman.

Paper ballots are more secure, precisely because they need a lot of people in the process.

If most of those people are chosen randomly from the population, as happens in my country, the system is pretty robust. As this is HN: it's a distributed system, every node making its own checks.

So, the answer to the complaints is that the slowness and the expense are a feature, not a bug.

Luddite much?

It's insane anybody thought electronic banking was a good idea when paper money has worked for hundreds of years.

Electronic voting machines aren't the problem.

Bad implementations are the potential problem.

No it isn't. Electronics actually work just great when the vast majority of actors are behaving cooperatively, as when you use your credit card to buy something on the internet. Most of the time your order arrives as specified, you pay the amount expected, and nothing bad happens. It's great.

The problem with voting is that trust doesn't really exist; you have large blocs that are historically willing to undermine the integrity of the process itself because the risks of getting caught and the penalties associated with same are low and mild compared to the potential payoffs of success. I would argue that too much power is concentrated in elective offices, such that the incentives for cheating so vastly outweigh the downside risks that shenanigans become inevitable.

The American approach to this has been to distribute power across as many elective offices as possible. This may have been a mistake, and furthermore it makes voting enormously elaborate and complex. American ballots are huge. That's better than the paternalism that obtains in parliamentarian systems, where you get to vote for a small number of representatives once every few years and on a referendum maybe once a decade, which makes it easy to do all the ballot-counting by hand.

Paper ballots can't be counted by hand in the US. I mean, yeah, it's theoretically possible, but when ballot papers in a general election can have 40 or 50 candidates and referendum items, counting has to be automated (eg by scanning) and recounts are limited to specific races in specific precincts. To be frank, it would be very easy for a determined attacker to throw an entire election into doubt by subverting just a few key points. All I need to do is force votes close enough to trigger the recount threshold in multiple (>=3) disparate races in multiple (>=3) busy precincts and then have a few Outraged Citizens show up to protest the injustice simultaneously. To be honest you could probably do that with ad buys and not even use knowing operatives. The amplifying effect of the media will do the rest. On top of the commercial impulses that drive the media to seek spectacle first and substance later, the wide availability of camera and communications technology is a double-edged sword; on one level it provides an economic and cultural stimulus, which is great, but that also means that it's extremely subject to manipulation as the capacity for media production outstrips that of critical consumption - that is to say, our capacity to create rumors often exceeds our capacity to filter them out, and leveraging this at a critical time like an election makes it easy to provoke political instability.

So, while paper ballots seem to have greater integrity than electronic voting, they're really not that much harder to undermine and require the acceptance of all kinds of practical problems that come with fetishizing tradition.

Could we not instead have voting machines with open source and audited software, or better yet voting software that we could all have on our phones that met the same standards? That'd be the ideal, but it hasn't happened until now because procurement and the political process itself are deeply corrupted, and in addition to the basic corruption of two sides spending vast sums of money to struggle over power, there's the bigger issue that if you could gain popular acceptance for a solid verifiable open-source voting mechanism we wouldn't need much of our political infrastructure; that is to say, instantaneous, reliable, and credible electronic voting is a threat to the existence of the political class, and by extension to the buyers of said political class's services.

But profit!

FWIW, it's "tenets" (not "tenants"). I agree with your point, just thought you might want to know :)

Thanks, fixed the typo

A bit oversimplified, but in France, voters are essentially given a printed coupon book, with each candidate on a different coupon.

They just take their coupon/candidate of choice and deposit it into a box.

There are no pencils needed, no ambiguity. Ballots are hand-counted and totals are reached rapidly. A far less-hackable alternative to what exists in the US IMHO.

This was the system the US had for a long time. In fact the newspapers would have coupons you could cut out and bring to the polls.

Problem back then was that people would literally beat you up on the way to the poll if they disagreed with your choice. It was an entirely different culture around voting, secret polls were not a thing.

I live in Oregon State and we are one of the few states that does all of our voting entirely by mail. I think it is the best way to do things. No need to go to the polls and you can do research while you fill out your ballot. We have polling offices available if you forget to fill it out on time.

Surely voting by mail has the same problem - your family members, abusive partner, employer, etc etc, could force you to vote a certain way?

Sure, polling places are still offered in that case. The benefit of voting from home greatly outweighs the cons IMO.

I wasn't implying that voting coupons would still have the issue of people bullying you, just why we don't use that system anymore. And honestly coupons seem a little archaic to me, not to mention easy to manipulate.

Postal voting does have problems like granny farming and stealing postal ballots.

Do you have some sources on that? I think it would be really interesting to read up on.

New Yorker article I had read some time ago. Took me a while to find it again, it's not a very widely talked about topic apparently. https://www.newyorker.com/magazine/2008/10/13/rock-paper-sci...

> There are no pencils needed, no ambiguity.

I could argue that a system such as that is easier to have fraud in simply because all of the tickets for a particular voter look exactly the same and there is nothing unique on each ticket (the way it is marked) that can differentiate them in a way to make fraud less likely.

I don't have a problem with electronic voting if:

The electronic machine has a nice UI. Clear. Offered in multiple languages. Maybe even show pictures of the candidates. Touch screen. It's all great.

It MUST produce a paper ballot that clearly shows what my vote is. I put it in a cardboard sandwich for privacy. I drop the ballot from the cardboard into ANOTHER machine that instantly counts my vote. A readout on the top of the machine shows the total number of ballots counted today. I can see that number increment as my ballot is scanned and dropped into a basket within the machine's guts. That gives me a feeling of assurance that my vote was counted and scanned. What the machine scans is the same exact thing on the ballot that my eyeball scans. That way the "human readable" part of the ballot cannot differ from the "machine readable" part of the ballot since they are one and the same.

Now at various points during the day, the election officials could obtain the number of votes to each candidate in order to update the press on how it is going.

A statistical audit for anomalies can be done -- even on the paper ballots.

If needed, a laborious manual recount could be done using the paper ballots.

You get the reliability of paper ballots and recounts. And the convenience of modern UIs and rapid counting.
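The statistical audit mentioned in the comment above has a standard concrete form: a ballot-polling risk-limiting audit, where paper ballots are drawn at random and a sequential test decides whether the reported outcome is confirmed or a full hand count is needed. The following is an added example (not from the thread or from Prof. Blaze's testimony) implementing the BRAVO test for a two-candidate contest; the function names, the risk limit of 5% and the constructed 6000-to-4000 ballot lists are all assumptions made here.

```python
import math
import random

# Added example (not from the original thread): a BRAVO ballot-polling
# risk-limiting audit for a two-candidate contest, the kind of statistical
# check the comment above says can be run on the paper ballots.  Assumes a
# ballot manifest from which individual paper ballots can be drawn at random.


def bravo_audit(reported_winner_votes, reported_loser_votes, sampled_ballots, alpha=0.05):
    """Sequential BRAVO test (Lindeman, Stark and Yates, 2012).

    sampled_ballots yields 'w' for a ballot marked for the reported winner,
    'l' for the reported loser, anything else for an undervote/other.
    alpha is the risk limit: the maximum chance of confirming a wrong outcome.
    Returns (confirmed, ballots_examined).  confirmed == False means the
    sample ran out without meeting the risk limit, so keep sampling or
    escalate to a full hand count.
    """
    total = reported_winner_votes + reported_loser_votes
    s_w = reported_winner_votes / total
    if s_w <= 0.5:
        raise ValueError("reported winner must hold a majority of the two-way vote")
    threshold = math.log(1.0 / alpha)
    log_t = 0.0       # log of the likelihood ratio, kept in log space to avoid overflow
    examined = 0
    for ballot in sampled_ballots:
        examined += 1
        if ballot == "w":
            log_t += math.log(s_w / 0.5)          # supports the reported outcome
        elif ballot == "l":
            log_t += math.log((1.0 - s_w) / 0.5)  # contradicts it
        if log_t >= threshold:
            return True, examined
    return False, examined


def audit_from_manifest(paper_ballots, reported_winner_votes, reported_loser_votes,
                        alpha=0.05, seed=None, max_sample=None):
    """Draw ballots uniformly at random with replacement from the physical
    ballot list (BRAVO's sampling model) and run the audit over the draws."""
    rng = random.Random(seed)
    limit = len(paper_ballots) if max_sample is None else max_sample
    draws = (paper_ballots[rng.randrange(len(paper_ballots))] for _ in range(limit))
    return bravo_audit(reported_winner_votes, reported_loser_votes, draws, alpha)


if __name__ == "__main__":
    # Constructed data: the tabulator reports 6000 to 4000.
    reported_w, reported_l = 6000, 4000
    honest_paper = ["w"] * 6000 + ["l"] * 4000   # paper agrees with the report
    stolen_paper = ["w"] * 4500 + ["l"] * 5500   # paper shows the "loser" actually won
    print("honest paper:", audit_from_manifest(honest_paper, reported_w, reported_l, seed=1))
    print("stolen paper:", audit_from_manifest(stolen_paper, reported_w, reported_l, seed=1))
```

With an honest 60/40 margin the test typically confirms after a couple of hundred ballots, because each winner ballot multiplies the likelihood ratio by 1.2 and each loser ballot by 0.8. When the paper actually favours the reported loser the ratio drifts downward and the audit cannot reach the threshold, which is the signal to hand count everything. The guarantee is only as good as the sampling: ballots must be drawn from the sealed paper record by an observable, genuinely random process, not from the machine's own tally.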

> It MUST produce a paper ballot that clearly shows what my vote is.

Congratulations, you've invented a very expensive pencil.

> ANOTHER machine that instantly counts my vote. A readout on the top of the machine shows the total number of ballots counted today.

Which can be hacked to show you the correct count, but not report the correct count later on. At which point obviously the paper ballots can be emptied out and verified, but then which part of this isn't paper voting except with complex machines needlessly inserted?

Paper votes can be counted quickly by machine if so desired, but the counting machines will have to be monitored and watched carefully to make sure they tally correctly. Essentially they cannot be placed in a public area where just anyone has access.

FYI, it's generally ill-advised to report official vote counts from a polling location before those polls are closed, because doing so is likely to discourage later voters.

I worked at Three Mile Island inspecting a steam generator during a refueling outage. A robot arm operated by a person ran a sensor down each pipe to inspect its integrity. After completion a random set of pipes were chosen for verification. If even one pipe in the verification set differed from its original scan, the entire steam generator had to be reinspected.

We had a huge incentive to get it right. Counting ballots should be just as verifiable and accurate.

Tom Scott has a good video about this: https://youtube.com/watch?v=w3_0x6oaDmI

Despite all the comments here denouncing electronic voting, I think it could work if done right and provide a better security than paper ballots. This, however, would involve something like some blockchain voting proposals I've seen floated around. Being able to provide a paper trail that's extremely hard to tamper with (as opposed to paper ballots which really aren't), along with, depending on how it's implemented, allowing easier access to voting by allowing remote options like internet or phone.

Votes may be secret, but there is an identity issue for one-man-one-vote, as well as an authorization issue for minors and convicted felons.

How would you attack those with a blockchain?

There are entities in existence that issue identification (SSNs, Passports, Drivers License) - why not just have them issue a hardware token once you've proven your identity to them?

If someone steals the hardware token, you could get it revoked and have a new one re-issued; just as you'd do if you lost your Passport or Drivers License.

The hardware token (as well as some form of biometric identification) could be your assurance of one-man-one-vote. The hardware token would do all of the key management needed to submit votes to the blockchain. The blockchain by itself would not be the full solution - only part of it.

Ah, now you've run into one of the many political problems surrounding voting: most states don't require a government issued ID to vote and 40% of states don't require voter ID at all.

Good luck getting anything like you suggested passed in states like California or New York.

Sounds more like an administrative solution with a blockchain as a 3rd wheel. If we're going full administrative, could just PGP it, and limit the franchise to nerds.

I see voting systems as multiple components. You don't necessarily need to use the government or the existing structure to issue the hardware tokens - I was just proposing that as one potential idea as logistically it seems like it'd be the easiest.

You could set up some decentralized system like the Certificate Authority system that we have for the internet perhaps to verify & issue tokens. That would be fairly difficult, however, as there would also have to be assurance that a single person has not been issued multiple tokens. There would likely need to be a central registry somewhere.

You can't just "PGP it" in this scenario, as it needs to be one token per voter - and that has to be provable. In a "PGP"-like system - while you can receive higher assurance of identity through other people signing your public key, it provides no assurance against tokens being associated with fake identities, or people owning multiple tokens.

Regardless - identification is just one aspect of voting.

You also need some way to store the votes that have been cast (while maintaining integrity, verifiability, confidentiality) as well as a way to tally the votes (while maintaining integrity, verifiability, confidentiality). That's the component that the blockchain would serve to fill.

PGP and limit to nerds was a joke. Using crypto to simultaneously anonymize and identify (which is being done at least indirectly to enforce one-vote-per-person) sounds more like a contradiction than an engineering problem.

That being said, if there is a buck to be made, people will swallow all kinds of mess to make it.

Each eligible voter gets a unique key they can vote with. Only way to get around that would be impersonation of someone else's key. 2-step verification could be used.

One very important point in favor of paper based voting systems which often comes up on HN is that attacks against paper based voting are inherently not scalable, while electronic voting is prone to large scale attacks by a corrupt government or a determined and resourceful adversary.

I used to be in favor of electronic voting, but after slowly learning more and more about how difficult it is to create a secure system, I think voting is one place where we are not yet ready to digitise (if we ever will be).

> after slowly learning more and more about how difficult it is to create secure system

It's an IT problem that many at HN should understand. Secure this system against potential nation state attackers who are highly motivated:

* System is distributed across locations in every county in the nation

* System is actually a variety of different systems, not built to any standard or spec (AFAIK).

* Software and hardware are not audited or known to be secure. Much of it is well past its designed lifetime. Level of maintenance varies, but is probably low on average.

* System is operated by amateurs, often volunteers, a different group of them in every location. Operators have a variety of training, but often very little and often minimal security training. Operators are not vetted.

* Physical security is minimal. Also, up to 180 million users are given private, physical access to the system.


Obviously, it's an absurdly impossible task. To any degree that it is possible, the expense would be so high that paper would be the obvious choice.

> attacks against paper based voting are inherently not scalable

Sure they are. Attacks against the counting are not, but you can easily attack the voters in their heads by microtargeting of advertising, both electronic and in more traditional forms like paper mailers or street displays. You can't easily produce a particular outcome across a large population, but you don't need to; all you have to do is throw the integrity of the election into sufficient doubt that the political consensus breaks down and it's off to the races. And that is very very easy to do, as we have seen over and over again.

But all these attacks still remain possible with whatever electronic voting system you choose. So I don't see how electronic voting offers us any help here.

I expanded on this in greater detail in one of my other comments and omitted to mention it again here, sorry. In addition to forcing a close vote by whatever means, you then attack the integrity of the ballot-counting process at the local level. This is easy to do in a paper-based system because of the information asymmetry that exists from voting precincts; you don't know much about the integrity of the vote in any other precinct besides your own, and likely not even in that unless you're really interested.

On the other hand, you know a lot about the general integrity of electronic transactions because you probably use a credit or debit card frequently and in many different places and contexts and it works predictably. So even though that system isn't that secure, enough people believe in it through repetition and general utility that it remains in place. Voting is infrequent and thus easier to get up conspiracy theories about.

This is a false dichotomy. Read Matt's testimony.

We can have immediate results and reduced errors from electronic voting while simultaneously having a perfect, affirmative paper record.

From [1] (also note that video of this testimony is there):


> In September 2016, prior to the 2016 elections, the IT Subcommittee held a hearing entitled “Cybersecurity of Voting Machines”.

> In January 2017, Department of Homeland Security (DHS) Secretary Jeh Johnson designated election infrastructure as “critical infrastructure” with the intent of offering assistance to state and local election officials. On September 22, 2017, DHS notified 21 states of Russian government hackers’ attempt to breach state systems during the 2016 election. Two weeks later, DHS announced the creation of an election security task force to enhance coordination with state and local election officials.

> On September 8, 2017, the Commonwealth of Virginia’s election supervisors directed counties to end the use of touchscreen voting machines before November’s elections, citing the devices posed unacceptable digital risks.

[1] https://oversight.house.gov/hearing/cybersecurity-voting-mac...

CHVote is a fun read. The formal document is here: https://eprint.iacr.org/2017/325.pdf

There's a higher level concept document here: https://github.com/republique-et-canton-de-geneve/chvote-pro...

Is it possible to remotely brick the most insecure voting machines before election day?

Why the fuck do we need electronic voting.

I post this on every thread involving electronic voting and nobody has yet successfully responded.

Paper is secure by default.

Some electronic voting systems would allow the voter to confirm their vote was counted and correct after the fact. Imagine if a webpage posted all the votes (crypto secured of course) such that any voter could verify their vote. IMO this would help end the corruption. If a statistically significant number of people stand up after a vote and say "I didn't vote that!" then we can be made aware of corruption.

If you can verify your own vote after the fact, then you can be compelled to prove what you've voted, thus making vote selling and vote under threat possible.

Deniable voting — aka not being able to verify a single vote — is a feature of paper-based voting, not a drawback.

> If you can verify your own vote after the fact, then you can be compelled to prove what you've voted, thus making vote selling and vote under threat possible.

That's not the case. Imagine this system: upon receiving your ballot at the polling place, you find n candidates, each with random numbers from 1 to n associated with them. You pick candidate #i, submit that vote, and take home a receipt saying you voted for candidate #i. Then proof is later posted that your vote was counted for candidate #i (using some fancy crypto). Then you can verify that your vote was indeed counted for the correct candidate, but no one (not even you, were you to forget) can tell who that candidate is.

For more information on these sorts of voting systems, see https://www.usvotefoundation.org/sites/default/files/E2EVIV_.... It's intended as a review of remote voting systems, but a lot of it applies to other types of systems as well.
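The receipt scheme sketched in the comment above (candidates numbered in a fresh random order on every ballot, the receipt and the public record carrying only the number) can be made concrete with hash commitments. The following is an added example, not code from the thread or from any of the systems the linked review covers. The names are hypothetical, and the part the comment leaves as "fancy crypto", a public proof that the posted numbers were tallied correctly, is deliberately not implemented: the authority here tallies with the secret orders and is trusted for that step. What the example does show is that the public record reveals nothing about a voter's choice, that a voter can check their receipt against it, and that a voter can challenge an unused ballot so the authority must open its commitment (a Benaloh-style audit, which is an assumption added here).

```python
import hashlib
import random

# Added example (not from the original thread): the receipt scheme sketched
# above, i.e. each ballot numbers the candidates in a fresh random order and
# the voter's receipt and the public record carry only the number.  All names
# are hypothetical.  Implemented: hash commitments to the per-ballot order, a
# bulletin board, receipt checking, and a spoil-and-open challenge.  NOT
# implemented: the comment's "fancy crypto" proof that the tally matches the
# posted numbers; the authority is simply trusted for that step here.

CANDIDATES = ("Alice", "Bob", "Carol")


def commitment(ballot_id, order, nonce):
    data = f"{ballot_id}|{','.join(order)}|{nonce}".encode()
    return hashlib.sha256(data).hexdigest()


class BulletinBoard:
    """Public record: anyone can read every entry."""
    def __init__(self):
        self.commitments = {}   # ballot_id -> commitment, posted before voting
        self.cast = {}          # ballot_id -> candidate number chosen (never a name)
        self.opened = {}        # ballot_id -> (order, nonce) for spoiled ballots


def issue_ballot(board, ballot_id, rng):
    """Authority prints a ballot with a random candidate numbering and posts
    only a commitment.  rng is seeded for reproducibility; real code would
    use the secrets module for both the shuffle and the nonce."""
    order = list(CANDIDATES)
    rng.shuffle(order)
    nonce = f"{rng.getrandbits(128):032x}"
    board.commitments[ballot_id] = commitment(ballot_id, order, nonce)
    return {"id": ballot_id, "order": order, "nonce": nonce}


def cast_vote(board, ballot, choice):
    """Voter marks the number printed next to `choice`; the board records the
    number only, and the voter keeps (ballot_id, number) as the receipt."""
    number = ballot["order"].index(choice) + 1
    board.cast[ballot["id"]] = number
    return (ballot["id"], number)


def verify_receipt(board, receipt):
    """Voter-side check: is my receipt on the board exactly as I hold it?"""
    ballot_id, number = receipt
    return board.cast.get(ballot_id) == number


def spoil_and_open(board, ballot):
    """Instead of casting, the voter challenges: the authority must open the
    commitment and the voter checks the printed order was the committed one.
    A spoiled ballot is never counted."""
    board.opened[ballot["id"]] = (ballot["order"], ballot["nonce"])
    return commitment(ballot["id"], ballot["order"], ballot["nonce"]) == board.commitments[ballot["id"]]


def tally(board, secret_orders):
    """Authority-side count: only it knows the order behind each ballot id."""
    counts = {c: 0 for c in CANDIDATES}
    for ballot_id, number in board.cast.items():
        counts[secret_orders[ballot_id][number - 1]] += 1
    return counts


def run_election(votes, seed=0):
    """Constructed election: one ballot per voter is issued and cast, one
    extra ballot is spoiled as an audit, then tally and check every receipt."""
    rng = random.Random(seed)
    board = BulletinBoard()
    secret_orders, receipts = {}, []
    for i, choice in enumerate(votes):
        ballot = issue_ballot(board, f"B{i:04d}", rng)
        secret_orders[ballot["id"]] = ballot["order"]
        receipts.append(cast_vote(board, ballot, choice))
    audit_ballot = issue_ballot(board, "AUDIT", rng)
    return {
        "board": board,
        "receipts": receipts,
        "tally": tally(board, secret_orders),
        "receipts_verified": all(verify_receipt(board, r) for r in receipts),
        "spoil_check": spoil_and_open(board, audit_ballot),
    }
```

The coercion-resistance claim holds only because the board never publishes the order behind a cast ballot: a receipt reading "B0003 voted #2" is meaningless to a vote buyer. The open question, and the one the reply below presses on, is who checks that the authority applied the committed orders honestly when it tallied; that is exactly the piece this example leaves as a trusted step.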

This doesn't actually solve the problem in any meaningful sense. If you have no way of checking to make sure who candidate #i is, you have no way of verifying that your vote was counted correctly, regardless of what you read on a screen when you voted. "fancy crypto" doesn't magically solve this problem.

That's pretty clever.

I've been reading this discussion off and on a lot today because I'm pretty fascinated that so many people feel so strongly against electronic voting and would rather have paper. On Hacker News of all places. Yes there are ways to manipulate any system, but being software developers we should all know that there are ways to fix these things and make it better.

That's what we're all here for, not for regression to old systems that seem great on paper (ha!), but for progression and new systems that work better.

I'd argue that “being software developers we should all know that there” is no way “to fix these things” reliably.

I can understand non-technical people buying bullshit about so-called “secure” software, but anyone having an idea of what software looks like should know that there is no such thing and feel responsible for teaching people about it.

Plus, voting machines in use so far have been so blatantly insecure (eg. requirement to use a well known insecure old version of Java-in-the-browser for French people abroad at the French elections of 2012) that it's just impossible to trust people currently working on these matters.

It's easy to subvert that. The Nazis established compliance through a mix of rumor and intimidation; creating the belief that ballots were secretly marked or numbered in some contexts, or simply forcing open voting in others.



It doesn't matter whether you actually mark the ballots or not if a sufficiently large number of people believe you might have done so. And considering how we're regularly reminded that laser printers leave tiny microdot patterns that allow the identification of which individual unit printed something, what makes you think voters could not be persuaded to believe the same thing about ballots, regardless of the fact that they're produced by offset lithography? Most people already live in a world where the technology is indistinguishable from magic. Rationalists often mistakenly believe that everyone or at least a substantial majority of the population are as rational and well-informed as they are. They're not.

> Imagine if a webpage posted all the votes (crypto secured of course) such that any voter could verify their vote.

That can't ever happen. It will create a market for buying/selling votes because it's possible to prove who you voted for. It will also create a system that allows for individuals to be threatened & coerced into voting a particular way.

We already have that for all practical purposes.

If I understand you correctly, wouldn’t that open up an avenue for vote buying? Confirm what you voted for at home?

Although I don't think the current implementation of electronic voting is needed, some kind of electronic voting may be needed to facilitate novel developments in representation.

For example, why do we select our representatives based on where we live, and then have them represent us on every possible issue? This leads to issue voting, where a voter may choose a representative based solely on their stance on a single issue (for example, abortion), even if that representative does not reflect their stances on all other topics.

An issue-based representative system where you select several representatives, with each assigned a particular topic or subtopic of voter-selected granularity, would allow you to rank your interests and allow your overall political views to be better reflected by your elected representative(s).

For example, you might rank privacy very highly as one of your topics, and elect someone from the EFF to represent you on privacy-related issues (but nothing else, as the EFF knows nothing about these other topics). As a secondary priority, you also care about low taxes, so you choose a fiscal conservative to represent you on most economic and spending issues. However, you also want to ensure that your local community is represented, so you finally elect a local politician to represent you on all other issues.

For additional information on what such a system might look like, you may want to read this article. [0]

However, as such a system has many scalability problems (logistically) if based on paper-based voting, it is only possible to implement practically using an electronic/digital system. However, the transparency and fairness of such an electronic system are no less important in this case than they are under our existing political structure, and possibly more so.

Hopefully this has illustrated some potential long-term benefits of electronic voting systems, even if it doesn't address the short-term problems generated by the closed-source, unaudited systems being deployed now.

[0]: https://bford.github.io/2014/11/16/deleg.html

Paper isn't secure by default. You have people miscount, steal, forge, destroy, and do other unscrupulous things to change the results.

But it's much harder to do any of those things undetected on a scale that would actually affect the results.

This is a very good point.

Electronic voting machines are a solution in search of a problem.

No voting paradigm is secure, that's inevitable. But voting machines are /efficiently/ insecure (ie. you can miscount, steal, forge, destroy and change the results /at scale/).

Secure by what standard? Its fairly easy to forge paper ballots or mis-report counts.

How? You only get the ballots at the polling station and tampering with the boxes is hard as all parties have observers and the boxes are sealed before transport.

Not at scale.

It doesn't need to be at scale if the elections are won by very small margins. Successfully executing voter fraud on a few key districts can sway an entire election.

Even in fptp systems like the UK and the US correctly predicting the precise polling stations to infiltrate and compromise to stuff the required 1000-100000 ballots is tricky. And in the UK your whole plot would probably fail anyway - as random people and representatives of the other parties would be present observing you.

We don't.

People want it because it is faster to count.

Results in places like France and the UK are known within a few hours.

Do they vote for as many electoral offices and ballot propositions at the same time as is typical in American elections? Comparing American and European election mechanisms is like comparing a truck with a bicycle.

Not sure. In UK often local, European and e.g. police commissioner elections will be held on the same day. But these are handled using multiple ballot papers. So the counting process scales purely horizontally.

Even there people occasionally suggest electronic voting as a means to speed things up.

Are they the real results or the exit polls?

Exit polls are instant. The national implications of elections are usually declared around 3-5am (counting starts around 10pm). The last constituencies usually declare by midday the next day. In the last UK general one constituency took two days - there were about 12 votes between the top two parties so they did a few recounts.

In the UK that's part of the fun: staying up to watch the returns come in, even more so if you're actually working. I got home after dawn one time.

Someone must have mentioned this idea somewhere:

Use something like a cryptocoin. You go to a voting office, get approved as a legit voter, and they send you a coin. You send it to some address for a candidate. Everyone can see the result.


I commented this somewhere below, but it also applies here:

Would this allow you to prove to someone else how you voted in the election? If so, that's not a desired property.

Currently there is no way for you to prove, to yourself or someone else, who you voted for in an election because nobody gets to see your ballot and you cannot take a photo. This makes vote buying and coercion much more difficult. I'd like our voting system to keep this feature.

> you cannot take a photo

Obviously you can and people do even though they're not supposed to.

Google 'ballot selfie photo' and prepare to be surprised at the fact that this is not actually prohibited in many jurisdictions. Terrible idea? Sure. Actually existing reality? Yes.


Con: Voting systems not only require confidentiality, integrity and availability, citizens must have confidence in those properties. Very few people understand blockchain; it would be a mumbo-jumbo black box to almost everyone and invite suspicions of tampering, manipulation by politicians, and actual tampering.

Yet people gladly trust TLS when they're making online purchases, despite many of them having no understanding at all of how it works beyond the little green lock on their URL bar.

Lack of understanding should not be a deterrent. If it's a public blockchain-based system, people can use open source clients that are coded by an entity they trust (like people use Firefox, Chrome, Edge, etc. for web browsing). If people don't trust the blockchain clients, it's likely a UI issue.

Why do these make it to the front page like once a month? Do we really need to say "we don't need electronic voting" this often?

They don't. This post is a rare congressional testimony by a subject matter expert, on a security & technology topic.

The rest of the posts you're alluding to are weak, media articles by non-experts.

"Subject matter expert". LOL. Hardly.
