Hacker News
Voting system to be used in West Virginia elections is vulnerable (twitter.com)
277 points by grey-area 6 months ago | 154 comments

"'You take a photo of your photo ID and then they take a selfie of themselves,' Kersey explained. 'Facial recognition software is then deployed to compare the photo on the ID and the photo of the person who took the picture.'"

So it sounds like they verify your identity based on two photos that you provide? So if two photos provided by an unknown person match, then they become a trusted person? Even if there's a separate step that matches that to the DMV database or something... all you actually need is a photo of the person you want to impersonate.

But pretending to be someone else for remote voting is already a weak point, and one that would be expensive to exploit on a large enough scale to make a difference. The much much bigger risk is that we have absolutely no way to verify that the votes recorded are correct. This company's app sends the vote to the company's server which stores it in this company's database. That's three steps at which the votes can be easily changed.

The question to ask with any proposed voting system is: how can we verify that the counts are accurate? The _only_ way to do that in anything close to a trustworthy manner, is by having an established network of trusted agents (one or more witnesses from each interested party organization at each physical voting location) monitor a human-visible process for collecting paper ballots which can be counted and recounted at will by multiple groups of interested parties.

Any system where the votes are ever hidden away from witnesses and accessible, say, in a back room with an unlocked door leading to an empty alleyway ... or on any computer system, is inherently insecure.

> So it sounds like they verify your identity based on two photos that you provide? So if two photos provided by an unknown person match, then they become a trusted person? Even if there's a separate step that matches that to the DMV database or something... all you actually need is a photo of the person you want to impersonate.

I recently signed up for two different mobile banks (Monzo and bunq). Both of them verified my identity by having me take a photo of my passport, but then also recording a video of myself (with my face clearly visible) saying an exact phrase they specified, in one case “My name is $legalname and I'd like to open a Monzo account” and in the other a sequence of random numbers.

That seems way more secure.

The problem isn't who opened the account, it's whether they authorized a massive electronic transfer somewhere.

The problem with voting is not and has never been physical people voting fraudulently. It is the alteration of the votes on a central machine. (For example, as an easily editable Excel file on at least one occasion.)

The extra barriers to confirm the physical person standing at the booth is a redirection of a serious problem with Putin into a little more voter suppression.

There is no way to be sure that voting is private and uncoerced with remote voting. Someone from a spouse to a precinct captain could be watching you vote on your phone under some threat of penalty.

Nobody stops the interface from allowing the voters to vote as many times as they want before the deadline. Only the last vote counts. If the vote is tied to an ID then it’s definitely going to be unique.

More secure yes, but photoshop does exist.


Face2Face would defeat this: anyone with enough images of the victim (and copy of ID) could impersonate them in this scheme.

> But pretending to be someone else for remote voting is already a weak point

It's kinda not, because of practicality. There's enormous risk and time involved to get that one erroneous vote. Who's going to do that for a vote that has a smaller chance of swinging an election than you have of winning the lottery?

If you have a stray actor doing that on election day they maybe vote 10 times if they're a logistical genius doing an Ocean's 11 of voter fraud. That's enormous risk of actual jail for still almost zero chance of actually swaying an election. That's why no one does that.

And the idea that you're going to coordinate that effort? You've increased the odds of possibly being statistically significant a tiny iota but have exponentially increased the chances of being caught.

This is why voter fraud arguments are complete bullshit and just cover for voter suppression.

This is an established ID verification process that is used by banks, financial institutions, etc... (assuming they integrated with a vendor, look at someone like Jumio).

Not speaking to anything else related to this at all, it does sound like they are quite a fly by night operation based on everything that is being dug up.

However, the technology mentioned above is not something they came up with themselves, and in fact sees widespread use for purposes of fraud prevention for financial systems (which see active attacks against verification tools). It's not as easy to fool as you are making it seem.

I don't think photo ID is really the worst attack vector for Voatz. It appears they're storing credentials in the code and are lying about their security audits.

This tweet chain is pretty interesting:


Yeah, I'm not speaking to their other claims or security practices, which by all accounts appear terrifying. Given what's apparently happening, who even knows if they have actually integrated with a vendor or not.

I'm just speaking about the technology as described. It's not a novel ID verification method; plenty of other companies use it and there are multiple vendors / providers of the service.

> technology mentioned above is ... in fact sees widespread use for purposes of fraud prevention for financial systems

Different organizations have different security needs.

Financial systems can use the relative cost of a security measure compared to the cost of a breach to decide whether to implement the security; they consciously accept a certain level of failures. Also, they can use insurance to mitigate exploits after they happen.

Voting systems cannot tolerate failures, at least in theory. Every vote must count. Also, at least for some elections, the value to the attacker is much higher than what can be gained from financial institutions; a foreign intelligence service has much more to gain than money from controlling a US presidential election, for example, and an investor could make billions by knowing the outcome ahead of time. Finally, there is no mitigation after a breach: Insurance won't save a fraudulent election.

Sure, whether the ID verification tool in question is appropriate or enough of a mitigation for election purposes is arguable. In fact it could very well be that no electronic verification process would be enough, since as you say, every vote can potentially be crucial and therefore ANY margin of risk might be unacceptable.

The point I am making is that it's not as simple as described to "spoof" this tool, and to give some background on its usage since it seemed to be a novel verification tool for the OP.

I meant to add to your point, not disagree with it. Sorry if I gave the wrong impression.

> every vote can potentially be crucial

I'll also add that every vote is important because the number of votes is important. Winning 70-30 will get much different behavior than winning 50.01-49.99; the latter representative had better pay attention to the 49.99's needs. And that can matter down to the smallest geographical levels - if everyone in your neighborhood votes, politicians will pay much more attention.

You don't have to go as far as in your last two paragraphs to get secure, verifiable elections. See https://en.wikipedia.org/wiki/Scantegrity and http://scantegrity.org/

If there is one thing I fail to understand it is the impulse to electronic-ify our elections.

Why? Do we have a history of securing computers and keeping them secure over time? No.

Are computerized elections understandable to laypersons? No. Worse; even if the election was tallied faithfully by a computerized system, a demagogic candidate can whip up fervour and call the election into question.

And without bug bounties there is no legal way for whitehats to pentest these things. We're stuck with shitty scans and guessing at best. Even so, from what I've seen I fail to see why we should trust these voting systems.

But the public doesn't care. They don't understand that code is just data and it can alter itself. The voting machine industry has lobbyists. The paper ballot industry doesn't exist.

Because, to the popular perception, computers are infallible constructs and humans are fallible constructs. Imagine a human being counting thousands of paper ballots, what's the likelihood that the count will be off by one or two?

It's also a case of different concerns cropping up: with paper ballots, there's a risk of miscounting, or disagreement on what constitutes a mark (remember the 2000 election, where the outcome of the election depended on the standards of how much of a mark you need for it to be indicated as a recordable vote). With computer ballots, the concern is over people hacking the tabulating machines or other computerized machinery. You're comparing vastly different risk profiles, and I suspect that most people don't have sufficiently-grounded knowledge to adequately compare them.

There's still the same dispute about miscalibrated touchscreens on electronic voting machines - the difference is that paper provides an audit trail, such that it can actually be disputed.

Also the "attack surface" of paper is so large as to be humanly impractical. A computer system however complex always has an attack surface that is actually practical.

It's almost as if there is a group of folks who want elections to be easily hacked and manipulated.

IMO Occam's razor ends up here. Electronic voting systems do two things very well: obfuscate the system in a way that is relatively incomprehensible to a layman, and provide plausible deniability in the case of manipulation. Even if manipulation is discovered, you can chalk it up to a "bug" and re-run the manipulated election again. People are stupid, and most ordinary people only want to believe there's malice involved when they've run out of more pleasing cognitive options.

I believe that if this site enumerated all the ways that you can maliciously use computerized vs. paper voting systems, we would show a hell of a lot more benefits to a manipulator than a voter.

> IMO Occam's razor ends up here. Electronic voting systems do two things very well: obfuscate the system in a way that is relatively incomprehensible to a layman, and provide plausible deniability in the case of manipulation.

I think if you bring up Occam's Razor you also need:

1. Somebody gets to make money selling crap to the government

2. Somebody in government thinks it'll mean cost-savings

Occam's Razor is not a real logical principle. It would also lead to the conclusion that the reason not much of substance is ever done about computer security in general is because there is someone or some group who earnestly wants to see the rise of action-movie-style supervillains who can walk down the street and see society unwind into chaos around them as ATMs jackpot into the street, airplanes careen out of the sky, power stations blink and surge, all the doors to prison cells fling wide open, and modern cars lock the steering while maxing out the accelerator. Never attribute to malice what can be adequately explained by incompetence. And that's the case here. Electronic voting, if it were magically secure, would be cheaper and more accessible. And it would make some companies like Diebold a bunch of money. So of course it gets pursued.

That is more or less correct. It is a way for state governments to enable "their side" to win easier. It will get worse as the demographic shift continues to strangle the GOP's support in swing states.

Which group would that be?

Historically in the United States (at least for the last 50 years), the Republican political party has taken the most actions to restrict access to voting, unfairly redistrict to give them an advantage (gerrymandering), or simply screw with the voting system (to their advantage). Fringe local Democrats sometimes play with gerrymandering[0], but not nearly at the same rate. [1][2][3][4]

Given that the current party with federal power is the Republican party, I would argue there is no better time for them to pass as many vote-restriction laws as possible. Vote restrictions typically target the poor and minorities, who typically are Democrat party voters. The Wikipedia article I linked is actually a remarkably good overview of the recent history of this issue in the USA.

[0] https://www.washingtonpost.com/news/wonk/wp/2018/03/28/how-m...

[1] https://www.brennancenter.org/new-voting-restrictions-americ...

[2] https://www.npr.org/2017/03/09/519500312/state-republicans-p...

[3] https://www.rollingstone.com/politics/politics-news/how-the-...

[4] https://en.wikipedia.org/wiki/Voter_suppression_in_the_Unite...

Except making it easier to vote and register to vote is Democrats’ shtick. Republicans were just fine with paper ballots that young people couldn’t be bothered to use.

It doesn't matter. Any of them.

Somewhere, in a corner office on the higher floors, an "Americans for Prosperity" PR manager reads this comment and smiles.

> Are computerized elections understandable to laypersons?

What do you mean "No"? The ubiquity of cell phones alone makes it self-evident. What YOU mean is not described by your assertion.

> Worse; even if the election was tallied faithfully by a computerized system, a demagogic candidate can whip up fervour and call the election into question.

That's not worse. That's part of the path to acceptance.

> The paper ballot industry doesn't exist.

Tell that to the Lottery machine makers and ticket manufacturers. It's a much stronger lobby than the "e-voting" block (if you can even cobble together such an alliance).

> What YOU mean is not described by your assertion.

I've run a paper election for a federal race here in Canada. Anyone with the ability to form a complete sentence could understand the security of our election. We're talking 2 standard deviations below median or worse here.

The number of people that can understand the security of an electronic voting system is vanishingly small. The only security mechanisms that make the election trustable are the ones that are analogous to paper elections:

On premise ballot counts by humans with public observers and physical artifacts retained by receiving officers and other poll workers.

Come tell me how a machine with a touch screen is as understandable to someone that can't even explain how electricity works, much less hashing algorithms or compilers.

> That's not worse. That's part of the path to acceptance.

It is worse that a fair election is distrusted than it is for us to be unsure of the veracity of an election yet proceed as if it were honest despite misgivings. The subversion of truth is anathema to our democratic process. Our social fabric depends on collective reasoning operating on shared understanding. Minds operate by cohering senses into understanding and understanding into action. Discordancy is doubt's inferior. Under stress it trades quiet, humble investigation for paroxysmal rage.

> Tell that to the Lottery machine makers and ticket manufacturers.

These are not the people that manufactured our paper ballots and they never were.

> if you can even cobble together such an alliance

A lobbyist requires incentive, not alliance.

That's nonsense.

Having a cellphone != understanding the technology and how it works. People don't get this stuff, and something as fundamental as your civil liberties should not be predicated on a black box no one person can understand.

Re: ballot lobby:

If there's any paper ballot lobby it's HP - when I've voted it was on ballots printed by a traditional office printer/Xerox.

You don't need bizarre forms and crank levers to make a ballot, just a piece of paper and a marking device.

> Having a cellphone != understanding the technology and how it works

That wasn't the assertion made, nor related directly to the assertion I responded to. Having an understanding of "how it works" is a weak way of couching a ton of assumptions without explaining what you mean. There's no point in trying to argue about what's in your head.

The statement I take issue with is:

> Are computerized elections understandable to laypersons?

Yes. How they work at a cursory level of practical operation and effect, is less sophisticated than any cellphone since flip-phones.

> If there is one thing I fail to understand it is the impulse to electronic-ify our elections.

The part that gets me is that there is no organic, grassroots push from the people who actually vote to implement electronic voting.

Usually when someone, or many people, advocate for a cause, they have something to gain from it.

Who is advocating for electronic voting and what do they stand to gain?

After it took a few weeks to find out the result of our last election there was a push to electronicify it. (I think some people were also upset that they had to stand in a queue and why can't we just do it from our phone?)

The push was rejected since (a) the body responsible for running the elections believes it would be less secure and (b) it would still take two weeks to finalise since postal votes can come in up to two weeks after the election as long as they're postmarked before the election.

But people are interested in fast results. And they're lazy.

There are always people complaining how backwards it is that we don't have electronic voting, how it suppresses the youth vote, etc.

Interesting! I'd never heard the idea that the lack of electronic voting suppresses the youth vote. Do you have a link for someone arguing that position?

> Online voting is a good way to engage with younger voters, busy workers, and even Estonians living abroad, Mr Koitmae says.

There are several miles of difference between what they said and 'claiming that not having it suppresses the youth vote.'

Diebold salespeople.

Graft: paper systems cost less to develop, so it's harder to skim money from them.

Electronic systems have the nominal advantage of handling disabilities and different languages more easily.

Systems can be easily developed for multi-lingual and disabled access that still produce a paper ballot that can be easily verified by the voter and counted by the election judges. There's no reason to electronicify the entire voting process to meet this (legitimate) need.

> If there is one thing I fail to understand it is the impulse to electronic-ify our elections.

Not that I'm disagreeing with you, but why would you expect anything different? As a layperson, why would I treat computerized voting any differently than online shopping or ordering an Uber or something like that?

The software engineering community deserves more blame for this type of thing. It's unreasonable to expect laypeople to be experts on every technology they use, and this crappy voting system didn't exactly write itself.

But it's perfectly reasonable to expect the people tasked with evaluating voting systems to be experts on voting systems.

> This crappy voting system didn't write itself.

One of the downsides of programming being easily accessible and easy to get a job in is that there is no required standards body to write code. There's no way to fix this. The best you can do is refuse to hire people that worked on these or similar systems, and I'm sure they will find jobs somewhere within the government-contractor software engineering space.

> One of the downsides of programming being easily accessible and easy to get a job in is that there is no required standards body to write code. There's no way to fix this.

I guess that's what I was getting at. There never used to be a standards body for civil engineers, either, but after a while society got tired of bridges falling down and buildings collapsing. When will we get to that point with computer software?

It's kind of funny (or sad) that barbers and hair stylists need a license, but software engineers don't.

It isn't sufficient that people are upset about problems caused by people in a profession/trade. Instead a major source of regulation is the professionals/tradies themselves. "I spent five years at university, so they should too." "I'm a member of the Association of Software Professionals, so they should be too".

Since there's an unhealthy obsession with libertarian small government in software circles, it seems relatively unlikely this will happen any time soon. And we would rightly fear for our jobs if this happened, because I can't imagine the regulation applying to imported code.

If there is one thing I fail to understand it is the impulse to electronic-ify our elections.

It goes back to the "hanging chad" election. The losing side decried paper ballots as unreliable in every form and fashion, and the only way to have a fair election was to make it all electronic.

Thus, an industry was born.

No, it goes back well before that, I think. Have a look at https://catless.ncl.ac.uk/Risks/19/06#subj1

> It goes back to the "hanging chad" election.

Didn't this only happen because of an attempt to electronic-ify the election and have machines tabulate the results?

I’m not sure how it was handled in Florida (where the infamous chad incident happened), but in at least some other states it was more electromechanical than electronic.

FWIW, the place I voted during that election was straight up mechanical.

The cynic in me says the goal of making software controlled elections is to make them easier to manipulate. Given how insecure all these systems always are, I can’t believe the goal is improved security.

There is a belief that technology can solve any problem.

Agreed. Computerising enterprises like this is a way to make them more efficient, but the inefficiency of paper ballot voting is a feature - it means that rigging the vote is equally inefficient.

> If there is one thing I fail to understand it is the impulse to electronic-ify our elections.

Two words: "hanging chad."

And hanging chads were a problem why exactly?

I.e. why do we need to have machines do something badly that humans can do well?

I assume it's because Americans have too many elections on one day. Most other countries run local and state elections on separate days, and have far fewer elected officers (usually just legislative). Most of those which do have elected executive officers hold those elections on another day (since the result is better for the president if they are elected a few weeks before the legislature).[1] I think only the US has elected judicial and law enforcement officers, which is actually scary to foreigners.

If you have half the number of elections on two days, you can count all the ballots with half the number of people and still get a result by the end of the night.

[1]: There are a few reasons for this. One is that a lot of people will say "okay, I'll give this person a chance" and even though they voted for the losing candidate, they decide to vote for the president's party in the legislature. Another is that if you ask people who they voted for, more people say the winner than actually voted for the winner. It seems there is some sort of problem of memory reliability here. Since more people believe they voted for the president than actually did, more people will happily support the president's party than otherwise would have, had the election been synchronised.

I think history shows that we don't actually do it that well. I gave one example from recent history, and I think a quick study will show that elections, in general, are easily undermined.

We want machines because they are indifferent. We can develop machine based voting systems that have a voter-verifiable receipt. We can reduce the cost of our elections and reduce the number of trusted people that must be involved with them. It removes the most common sources of error from our current flawed implementation of our democratic ideals.

Expanding upon this, if we make voting cheap and easy enough, we may actually be able to expand our democracy for more direct participation at all levels of government and reduce our reliance on the currently flawed implementation of our representative system.

Why would we _not_ want this? The major problem, as I see it, is that states are not assembling expert panels to either purchase or work with other states to collaboratively build a good system directly. The government purchasing process certainly plays a factor here as well, and voting systems should be classified as critical infrastructure to allow a more rational approach to their procurement and/or development.

Objection: machines are only as indifferent as the people who make or control them.

On top of that, they are opaque: it's very hard to verify that a machine does what it claims to do and nothing else.

If you like machines, I present you a perfect machine: it's a clear box into which you throw paper ballots. It even counts the ballots: invariably, the result is "akira2501 won" - that is written on the outside; it works instantaneously. Any party that finds it suspicious can challenge and recount the paper ballots inside, in presence of independent observers.

Since there's no better way to verify the work of a voting machine other than counting papers, this machine is as good as any machine you just described - and is definitely cheap.

As for the cost - citation needed that machines actually provide any savings here.

TLDR: Outsourcing our election administration is the second biggest threat to election integrity.

The driver is profit motive.

The push for touchscreens was because vendors wanted to juice their valuations (from 3x revenue for services to 7x for products).

The push for postal balloting, internet voting, etc. is because now vendors are back to pitching themselves as services companies, the difference this time being they are now charging per registered voter (vs. per ballot counted).

Reliability, security, appropriateness are not even part of the conversation.

Because we can.

It's cheaper.

No, it's definitely not cheaper to buy, maintain, properly secure, audit, and continually replace inherently insecure electronic systems that are used two or three times a year at most. Elections are also not a place I personally think we should be cheaping out.

You forgot storage. The state has to distribute and collect voting machines 2-3 times a year, and then what, they sit for 4 months? With armed guards and audit logs?

Paper vote by mail: when the ballot is ready, they print and mail it to you, and you have 3-4 weeks to fill it out and send it back. High voter turnout, easy access for people with difficult schedules, no need for transportation. Keep the ballots until the election has been certified.

I'm immediately mistrustful of anyone who wants to electronic-ify our elections. No sensible person with even a cursory knowledge of how bad the state of computer security is could recommend this.

Why not? You just need to have a cursory knowledge of how little elections and security actually matter. We already use computers to manage our finances, social lives, and health. If they get hacked they get hacked. Life goes on.

That's a frighteningly cavalier attitude about the integrity of elections.

I think it's a realistic one. Is the integrity of your votes more important to you than your bank account? Or your medical history? It's not to me.

If your prevailing attitude is that all of society has already failed, then I suppose, no, the integrity of elections is not important.

But that's a disturbingly cynical outlook, and if the general attitude of the whole populace was as such, there must be something awful at play.

As noted later in the thread, this is specifically for people who are overseas at the time of the election and not broadly.

That said, this system seems like a bizarre choice given the apparent security issues discussed in the thread.

€54 million spent in Ireland. End result:

"In 2012, KMK Metals Recycling paid €70,267 for 7,500 e-voting machines; 1,232 transport/storage trolleys; 2,142 hand trolleys and 4,787 metal tilt tables."

Electronic voting has been tried in a bunch of countries, and subsequently scrapped. We had these abominations in the Netherlands too; they turned out to be insecure, and now we're back to pencil and paper.

And still, despite all the solid arguments against electronic voting and the actual experience with those machines, a certain class of influential people keeps bringing it up. Sometimes they're gadget-crazy policy makers who just can't fathom why we're still using a pencil in 2018 (because it works, is transparent, can be understood by any layperson, and instils trust). Sometimes they're politicians who absolutely must have all the results of an election the same night, and only computers can do that (despite exit polls working pretty well, and there really is no rush).

Recently, some are arguing for electronic voting because it would mean people with sight impairments can vote assisted by headphones rather than by a trusted person (there are solutions for the classic paper ballot in the form of a Braille-embossed mould that work pretty well in Germany; you don't need a computer for this).

It's a constant battle to keep the public informed about the problems with, and undesirability of, electronic voting after each assault in the media. Why can't we keep this cornerstone of democracy a process powered by pencils, paper, and people instead of opaque IT solutions?

See: https://en.wikipedia.org/wiki/Electronic_voting_by_country#N...

You don’t even need pencil, just different paper ballots. In most cases at least.

What the hell kind of a company name is "Voatz"? Can you buy Voatz with Flooz and Beenz Bux?
I thought it was that Reddit alternative for fascists.

They added a 'z'.

Considering their security practices and cluelessness, they also seem to be mostly for fascists.

What exactly does the blockchain part of the voting app provide here? Are there any details known about how this is supposed to work, especially how to ensure that votes are actually anonymous in this case?

And using facial recognition to make sure the right person votes just sounds like it'll end up either trivially exploitable or just cause many legitimate people to be denied as their faces can't be matched.

What exactly is wrong with voting by mail? It's pretty easy to do, and it ensures anonymity by wrapping two envelopes inside each other.

>What exactly does the blockchain part of the voting app provide here?

It was essential for bilking investors out of $2.4 million.
>A Boston-based start-up promises to let West Virginians vote via app. Critics call it “the Theranos of voting.”

>Enter Voatz. With a name reminiscent of a plot device in Idiocracy, Voatz is a mobile election-voting-software start-up that wants to let you vote from your phone.

Also, doesn't facial recognition historically have worse accuracy with people of color?

The blockchain part of the voting app provides a buzzword.

Everyone here that I've read so far is close to going fringe conspiracy theorist on this issue. Electronic machines in the US are hard to hack en masse, because they require you to take them apart...and most neighboring jurisdictions don't even have matching processes or voting systems. You all seem to say that paper ballots are safer and more transparent...but that's just factually wrong. Where do you think the term "ballot stuffing" comes from? There are videos of the Russian election just this past year of boxes being stuffed with paper ballots. It happened in the 1800s in the US, especially around the time when black Americans could begin voting.

The solution is simple and most places already do this, but each voting machine prints a matching paper receipt that can be matched with an electronic record. My jurisdiction already does this, it prints out of the back of the machine when you're done, but my vote is also electronic.

Those of you insinuating that Republicans (generally this is what people are hinting at) or Democrats are conspiring to rig elections via electronic voting are acting insane. If either party wanted to rig the election they could do it with paper or electronic ballots...and I highly doubt the vote tallies would be so close or that both parties would have so many seats flip every 8-10 years in toss up areas.

Ballot stuffing is a diagnosable problem. Electronics obfuscate. It's the principle that matters.

Not really? Because we don't pool the votes together into a mass pool, we can see a county-by-county breakdown of votes; if the votes are off, people are going to notice in the electronic world. Not just that, but as I said, you can have both a paper and a digital ballot for verification. You can also have "check-in" numbers (which I believe most polling places do) to make sure the number of check-ins matches the vote tally.
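The reconciliation the two comments above describe (paper receipts matched against the electronic record, and poll-book check-ins matched against the tally) is a mechanical check, so here it is as an added example. This is illustrative code written for this thread, not anything from Voatz or any election office; the precinct names, counts and the `PrecinctRecord` fields are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PrecinctRecord:
    """One precinct's end-of-day numbers (constructed field names, not a real format)."""
    precinct: str
    registered: int        # voters on the roll for this precinct
    checkins: int          # voters signed in at the poll book
    electronic_tally: int  # ballots the machine reports having recorded
    paper_receipts: int    # receipts counted from the machine's printer box


def reconcile(records: List[PrecinctRecord]) -> Dict[str, List[str]]:
    """Return, per precinct, the list of discrepancies a canvass board should chase.

    Three independent counts (check-ins, electronic tally, paper receipts) should agree;
    any of them exceeding the registration roll is a hard failure, not just a mismatch.
    """
    findings: Dict[str, List[str]] = {}
    for r in records:
        issues = []
        if r.electronic_tally != r.checkins:
            issues.append(
                f"electronic tally {r.electronic_tally} != poll-book check-ins {r.checkins}")
        if r.paper_receipts != r.electronic_tally:
            issues.append(
                f"paper receipts {r.paper_receipts} != electronic tally {r.electronic_tally}")
        over = max(r.checkins, r.electronic_tally, r.paper_receipts)
        if over > r.registered:
            issues.append(f"{over} ballots exceed {r.registered} registered voters")
        findings[r.precinct] = issues
    return findings


def flagged_precincts(records: List[PrecinctRecord]) -> List[str]:
    """Precincts with at least one discrepancy, in input order."""
    return [p for p, issues in reconcile(records).items() if issues]


# Constructed sample: one clean precinct, one receipt mismatch, one impossible tally.
SAMPLE = [
    PrecinctRecord("Ballotsville South", registered=1200, checkins=803,
                   electronic_tally=803, paper_receipts=803),
    PrecinctRecord("Ballotsville North", registered=950, checkins=610,
                   electronic_tally=610, paper_receipts=598),
    PrecinctRecord("Riverside", registered=400, checkins=380,
                   electronic_tally=1420, paper_receipts=380),
]

if __name__ == "__main__":
    for precinct, issues in reconcile(SAMPLE).items():
        print(precinct, "OK" if not issues else "; ".join(issues))
```

The point of keeping three counts that come from different mechanisms (a human poll book, the machine's memory, a paper trail) is that an error or manipulation in one of them shows up as a disagreement with the other two; a system that only reports its own electronic tally has nothing to disagree with.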

Wait it's called what?

Sounds very professional. Sounds like the system I want counting my votes. Maybe they won out over v0tr.io and Votester?

Voat.co was also already taken.

I feel like all these solutions right now are very business driven. Is there a legit open source alternative?

Voting is a legit hard problem but it influences you more than you realize. The setup of the election basically determines the outcome of the election.

I think that the one thing that could improve democracy globally is an internationally agreed upon open-source verified voting system.

None of these startups will last long enough to have an impact.

There are many problems, voter identity is definitely one. You need some sort of public ledger (the blockchain isn't the worst idea, however proceed with caution).

I wrote this up:


They're sloppy with security, and they're ludicrously unable to scale.

And they've put this out in an environment with state-backed hackers. It's very blockchain.

Never heard of voatz before. AIUI https://en.m.wikipedia.org/wiki/Helios_Voting is the closest we have to working electronic voting.

Helios works pretty well, and I believe is in actual use for some college elections with people trying to break it.

I'm curious to see an implementation of a variant called 'BeleniosRF'[1], which adds the requirement that voting be receipt-free (RF).

[1]: https://eprint.iacr.org/2015/629.pdf

Voting presents uniquely difficult challenges: you need integrity, strong authentication, verifiability, and anonymization.

As others have stated, this particular scheme's weakness to tampering lies at the receiving end of the app's server.

There are other privacy problems with the "send a selfie" of the on-duty soldiers I won't get into.

But ultimately, voting has unique constraints. The voter needs to be able to verify their vote was counted correctly, outside observers need to be able to verify totals, but not identify individual votes, and the whole system needs assurances only those who are supposed to vote, do so.

They literally based their entire software off of IBM's "Marbles" program.

That's just a Blockchain PoC. The fact that they're trying to take the simplest, most exploitable form of Blockchain and dressing it up as an innovation already puts a bad taste in my mouth, but the fact that this garbage software is now being used for a federal election is horrifying.

It also doesn't help that more than one of the leaders of this company are Russian nationals...

>Note that the article is pretty clear: this is only for those people overseas, mostly troops stationed abroad. Still a terrible idea, but somewhat less terrible than statewide voting via mobile phone.

^Tweet in sub...chain (how the fuck do we describe twitter comments?)

It's horrible, but I almost hope somebody hacks these votes in the most disruptive, obvious way. I think the country could use a good slap in the face when it comes to both infosec and voting security.

What happens when we receive more votes than the population of West Virginia? Will this information be hidden from the public until it doesn't matter anymore?

This sounds like someone or some group needs to make very obvious invalidating changes to this. Of course, you'd be tampering with federal systems... But take your pick: secret plausible tampering vs 'Votey McVoteface' and 'Iluv Dems' combined with 100m votes in a state with 8m people.

I initially read that as "Voat to be used in West Virginia elections" and became immediately alarmed. Always google your company name first folks.

Obligatory why electronic voting is a bad idea: https://www.youtube.com/watch?v=w3_0x6oaDmI

Obligatory "I rigged an electronic vote" video: https://www.youtube.com/watch?v=DzBI33kOiKc

Seems to me that voter IDs should be based on PKI, and the rolls should be self-published under a per-voter key.

That would enable people to prove what they have voted, which in turn enables vote-selling and/or for the head of the family to force other family members to vote a certain way.
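The constraint stated a few comments up (the voter verifies their own vote was counted, observers verify totals without identifying voters) and the objection right above (a receipt that proves your vote enables vote selling) pull against each other, and a toy model makes the tension concrete. The following is an added example for this thread, not Helios, Belenios or Voatz code: a public bulletin board of salted hash commitments, a constructed `ToyBulletinBoard` class, and a `buyer_verifies_claim` function that shows why a naive receipt is exactly the thing a receipt-free scheme has to remove.

```python
import hashlib
import secrets
from collections import Counter
from typing import Dict, List, Optional, Tuple


def commit(vote: str, salt: bytes) -> str:
    """Hash commitment to a vote; the random salt hides the choice until it is opened."""
    return hashlib.sha256(salt + vote.encode("utf-8")).hexdigest()


class ToyBulletinBoard:
    """Constructed toy: published commitments plus the authority's private openings."""

    def __init__(self) -> None:
        self.public: List[str] = []                      # anyone may download this
        self._openings: List[Tuple[str, bytes]] = []     # (vote, salt), authority only

    def cast(self, vote: str, salt: Optional[bytes] = None) -> Tuple[str, bytes]:
        """Record a ballot and hand the voter a receipt (commitment, salt)."""
        salt = salt if salt is not None else secrets.token_bytes(16)
        c = commit(vote, salt)
        self.public.append(c)
        self._openings.append((vote, salt))
        return c, salt

    def voter_verifies_inclusion(self, receipt_commitment: str) -> bool:
        """Individual verifiability: my commitment is on the board, so it was counted."""
        return receipt_commitment in self.public

    def publish_openings(self) -> List[Tuple[str, bytes]]:
        """After the polls close the authority reveals the openings for a public recount."""
        return list(self._openings)


def recount(public: List[str], openings: List[Tuple[str, bytes]]) -> Dict[str, int]:
    """Observer check: every opening matches a published entry, and the counts agree.

    Raises ValueError if the authority's openings do not correspond one-to-one to the
    commitments that were public before the close, which is how a swapped or added
    ballot would be caught.
    """
    if len(openings) != len(public):
        raise ValueError("number of openings differs from number of published ballots")
    remaining = Counter(public)
    for vote, salt in openings:
        c = commit(vote, salt)
        if remaining[c] == 0:
            raise ValueError("opening does not match any unused published commitment")
        remaining[c] -= 1
    return dict(Counter(vote for vote, _ in openings))


def buyer_verifies_claim(receipt_commitment: str, claimed_vote: str, salt: bytes) -> bool:
    """The failure mode: the same receipt lets a vote buyer confirm how the holder voted.

    Nothing here is specific to the buyer; a family member demanding the receipt gets the
    same certainty. Receipt-free designs exist precisely to deny the voter this ability.
    """
    return commit(claimed_vote, salt) == receipt_commitment


if __name__ == "__main__":
    board = ToyBulletinBoard()
    receipt = board.cast("Candidate A")
    board.cast("Candidate B")
    print("included:", board.voter_verifies_inclusion(receipt[0]))
    print("tally:", recount(board.public, board.publish_openings()))
    print("buyer can check:", buyer_verifies_claim(receipt[0], "Candidate A", receipt[1]))
```

Two things to notice. The board entries carry no voter identity, so an observer recounting from the published openings learns the totals but not who cast which ballot; anonymity here rests entirely on the authority never linking receipts to names. And the receipt that makes `voter_verifies_inclusion` work is the same object that makes `buyer_verifies_claim` work, which is the vote-selling problem in one line; schemes like BeleniosRF re-randomize what the voter takes home so it no longer opens to a specific vote.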

Not enough voters would handle their keys securely. Maybe if every voter was given some kind of hardware which could sign their votes offline. That's a big, risky, upfront expense, though.

Still wouldn't work probably -- think of how many times the average person misplaces their car keys in a given year. Now give them a piece of hardware, that they're only going to use every 2 years (which is a stretch given Americans' voting patterns, so realistically it's every 4 years if ever), and tell them to (1) keep it safe and (2) remember where they put it.

An automated voting system is very efficient. You only need one person to change all the votes...

A good thing about so many people being involved in voting is that it is harder to cheat. Even a state agent like Russia can influence elections only so much. It was very effective because it just needed to change a few percentage points to tip the balance.

The bi-partisan system, gerrymandering and sub-standard education makes democracy fragile. Automated voting systems are much more dangerous.

> "It's internet voting on people's horribly secured devices, over our horrible networks, to servers that are very difficult to secure without a physical paper record of the vote."

This is a good summary of a few of the problems.

Someone else said the same thing and got downvoted to hell, but let’s be clear: while it’s very obvious that Russia assisted the Trump campaign and bought ads for Trump, there has never been any evidence or even suspicion that they were involved in direct vote manipulation regardless of what clickbait headlines may imply.

I'm curious if you consider a phishing attack a "hack."

More clear: is calling a company, pretending to be their IT, and getting their root credentials, "hacking?"

I don't. It's fraud. A hack is technical. The fact that you get access to a computer system isn't what makes a hack a hack.

In terms of democracy.

People can be misled, whether by internal or external sources.

Democracy works slowly. The important thing is that they have another chance to vote in a few years to vote in their interest.

Things that affect the effectiveness of a democracy include a limited franchise (e.g. a test to ensure only "educated" voters are allowed, restrictions on people who have previously been jailed, precinct voting[1] with voting on a working day); ballot stuffing; gerrymandered districts and excessive malapportionment; insufficient sensitivity to changes in public opinion (e.g. not enough legislators); supermajority requirements (on ordinary bills) and vetoes for small groups.

[1]: Since not everyone will be aware of what precinct voting is, it's a system where you are allocated to a certain voting centre. So you live in Ballotsville South: therefore, you're only allowed to vote at the Ballotsville South Primary School.

Other jurisdictions permit people the freedom to select the voting centre based on convenience. Every voting centre in some district will have a ballot and a record for you. In some broader district they may not have a record for you but they still allow you to vote by keeping your ballot inside a sealed envelope: then they can confirm your entitlement and open your ballot or destroy it as appropriate.

Just to be clear: There has never been any real evidence put forth that Russia tampered with the US elections in any direct manner. They had some bots on Facebook that attempted to sway public opinion, and that's about it. Whether they had individual agents placed as poll workers has never been proven.

My own take is that there is corruption in the US voting system and that major cities have some badly corrupted districts that could be fixed if we wanted to: Voter ID, limit absentee ballots, and place neutral observers from outside the county. It's not a matter of being able to fix the problem, it is a matter of will because voter fraud is institutional.

There was never any real evidence they didn't tamper with the elections, either. No forensics on voting machines; no recounts; no risk limiting audits in the target areas.

How about a video of Obama saying there was no tampering?


I'm not sure how you can claim there isn't evidence of tampering with elections in a "direct" manner, and then claim there's tampering without evidence.


Georgia did delete its election data right after it was sued for being hacked: http://www.slate.com/articles/technology/future_tense/2017/1...

Yea, it’s a likely candidate for vote meddling. Even if you’re not looking for fraud it looks like they covered up for some type of bad mistake. If you are looking for fraud, there were many penetrated election systems in that fall.

Any data / reporting on that?

The firmest case is the Mueller indictment which mentions Georgia, but does not go into depth: https://d3i6fh83elv35t.cloudfront.net/static/2018/07/Mueller...

For background on the suit and wiping of the data: https://www.apnews.com/877ee1015f1c43f1965f63538b035d3f.

Preaching to the choir here, but somebody should be fucking jailed for that.

There were concerns, and there have been several inquiries into it, right after the vote happened. And it's been known for as long as democracy has existed that we shouldn't mechanize voting.

That video is from 2014, well before the 2016 US election was a thing: https://www.youtube.com/watch?v=w3_0x6oaDmI

edit: interesting how in the recent comments under this video there are cryptoblockchain enthusiasts who have completely missed the point about lack of trust.

When did voting security advocates stop raising alarm bells exactly? I think people just stopped listening.

I guess I was surprised when there was a huge chorus of "no one is saying the vote was compromised" the day after the '16 election.

I would have thought that the way the election went down, with multiple narrow state wins just above the recount level, would have had at least some people wanting to take a second look.

I'm not sure where you're going with this; the same small number of people have been complaining about poor vote security of these machines for years. It just got drowned in all the other noise of the election.

The best possible result of all the current furor would be a critical examination of voting machines that was actually visible to the general public. Anyone who cares already knows that there are major problems. The general public seems distracted from the issue.

I do remember hearing of a recount from one polling station in one county in the 2016 election being done on the paper backups, where they found there were many more electronic ballots counted than recorded on paper. It was explained away as user error (attempting to start over somehow not erasing your original vote), which I find worse than the stories about voting machine hackability...

Are these problems documented somewhere? I must admit I'm part of the general public that is not familiar with this.

Ed Felten's blog is a good place to start.

People love bleating about vote manipulation, in the sense of outright voter fraud (people voting twice, or voting under fake names, etc.), or ballot stuffing (changing the count after the fact). The evidence of this kind of manipulation tends to put it at around 1 vote in a million or so.

There are two more common voter issues, that each amount to much higher errors. No voting system can accurately register the vote of an individual; the 2000 election in Florida was an example where the margin of victory was on the order of this inaccuracy, one of the reasons its result was so contentious. Furthermore, there's good old voter intimidation and similar techniques: tell people the wrong polling place, deny them the ability to cast their votes, etc. I don't know the prevalence of the latter case, but it is far more than 1 in a million, based on evidence.

> No voting system can accurately register the vote of an individual

What do you mean by this? Do voting machines have an error rate? I would assume the county would be notified and these ballots counted by hand during a recount (which is what happened in 2000).

I think 2000 was contentious because the Florida AG stopped the recount as Gore's numbers were steadily improving and threatening to overtake Bush's.

There are several ways that this can happen. For example, instructions can be misleading. Consider boilerplate instructions such as "vote on every page" combined with a race whose possible candidates extend to multiple pages. How many people are going to be confused by those instructions?

Another possibility is that labels and voting regions might not line up properly. The infamous butterfly ballots of 2000 had the property that, if you viewed them from the appropriate oblique angle, the arrow next to Al Gore's name very neatly lined up with the hole next to Pat Buchanan. Unsurprisingly, in Palm Beach, there was an unexpectedly high vote count for Buchanan in a region which most observers would think highly unlikely to vote for him.

What happened during the 2000 recount was that Gore asked for a recount of specific counties that he felt would improve his tally; the Bush campaign countered that all the counties should be recounted, since recounts in other places might improve his tally. The Bush campaign also argued that the varying standards of what constituted a vote (did you need to have at least two corners of the chad hanging, or did you merely need a dimple, to constitute a vote?) were too lenient a standard for the recount.

The general consensus of most observers, after the election furor died down, is that Al Gore would have won the state under a 100% accurate vote counting mechanism. A full recount likely would have been to Gore's favor, but the recounts that Gore asked for do not appear to have been sufficient to get that result.

When the results of the election change depending on the exact measure you use to determine the intended vote, it is fair to say that, in a statistical sense, the election is a tie. I would argue that election laws should treat such cases as a tie, even if the numbers aren't actually identical.

I really like the idea of a tie within a margin of error.

I didn't know that Gore asked for recounts in specific counties while observers thought a state wide recount would have helped him as well. What a blunder...

I think GP was referring to the “hanging chads” generated by the voting machines in 2000. The machines punched physical holes in paper ballots, but for some “hanging chads” it was unclear which hole was meant to be punched. So I suppose that qualifies as failing to “accurately register the vote of an individual.” Although I am skeptical of the assertion that no voting machine can do so.

There's an article "On Conspiracy Theories and Election Hacking [Updated]" that kind of looks at what went on. Voting security advocates have been raising alarm bells but those with the power to examine the systems have mostly not wanted to do so.


There doesn't seem that much enthusiasm for investigating. The first hard evidence that "Russian government coordinated a spear-phishing attack on computers at an American voting machine company and compromised at least one email account" was leaked in June 2017 by Reality Leigh Winner who was prosecuted for leaking that and is now in prison in Georgia.

These theories never make much sense, because while it's easy to see after the fact that a few key counties could be flipped to change the election, it's completely impossible to predict which ones in advance.

That's not how it works. Votes are typically collected and tabulated in a county, but that state's electors are generally allocated by a majority popular vote, aggregating all counties (a few states do proportional). "Winning" a county doesn't matter; winning the state does. You could get the extra votes to win a state from a big county without flipping it.

I know, but as I've said in other comments, hacking a big county is much harder. There are hundreds of polling places and machines, thousands of officials, news organizations conducting exit polls and watching live results, and probably good polls conducted just before the election. It's much more appealing to pick a few smaller counties with limited to no polling and easily exploitable systems, so you can remain undetected. If you concentrate your efforts in a few highly populated and highly watched counties, it'll be obvious.

That's assuming polling and research don't exist. That's also assuming that votes can't be flipped as results come in. It's also assuming that a voting machine must flip votes if it's hacked. If the conspiracy is true, the more likely result is these machines can be programmed to only flip a small number of votes, just enough to change the outcome, and only if they need to. Most of the votes will be counted as they were cast, only just enough would need to be flipped.

I think we can all imagine that computers can be programmed to perform this logic fairly trivially.

I'm not talking about a theoretical world where the whole country could be hacked, monitored, and adjusted as results come in. Every state has a different system, and very few states have the worst case of digital machines with no paper trail: https://ballotpedia.org/Voting_methods_and_equipment_by_stat...

We can all imagine that computers can be hacked the way you describe, but such computers don't exist everywhere a hacker would need them. Take Michigan as an example, since it was key to Trump's victory and only a handful of counties swayed the results. The entire state uses paper ballots. How can this system be hacked without a massive social engineering conspiracy involving hundreds of people?

>without a massive social engineering conspiracy


Social engineering meaning hundreds of election officials committing felonies and never talking about it for the rest of their lives. Cambridge Analytica is not a relevant comparison.

Digital misinformation is totally different than forging paper ballots at scale.

The results of the 2016 election tell me that polling can be hilariously inaccurate and cannot account for things like the shy tory effect[1].

Everything else you're saying is spot on, though.

[1]: https://en.wikipedia.org/wiki/Shy_Tory_Factor

The 2016 polling wasn't close to hilariously inaccurate.

The average of the 13 final national polls had Clinton ahead by ~3 points, Clinton won the national vote by ~2. Some individual state polls were more wrong, but they were conducted less frequently and so many of them didn't fully factor in the latest news cycle developments.

If those polls were measuring just raw voter preference rather than controlling for state (since the electoral college is what elects the President), we can add "intentionally dishonest" to the list of problems. "Who will win the popular vote" can be a datapoint since more often than not they line up, but it is absolutely less important overall.

Even if we exclude mendacity and downgrade that to mere irresponsibility, terms like "98% chance of Hillary winning" were being thrown around left and right on election day. That speaks to something very, very wrong in how that data was being collected.

>That speaks to something very, very wrong in how that data was being collected

The problem was mostly with how it was analyzed, not how it was collected. Some publications were making bad assumptions that state-by-state polling errors would end up being independent. 538, who didn't make that assumption, gave Trump close to a 1/3 chance of winning.

Trump won by less than 80k votes in 3 states. Even the state polls weren't that far off--unlikely events happen.

> The results of the 2016 election tell me that polling can be hilariously inaccurate

The polling was fairly accurate; given the nature of the electoral college and the fact that state-by-state deviations from polling results tend to be correlated rather than independent, and how close many of the state contests were, the winner was different than the expected winner (and this was very surprising to people who followed predictors who based their odds on the assumption that state variation was independent, less so those who followed those like 538 that pointed out that that was a mistake), but the polling was not particularly inaccurate.


Ohio has 88 counties, Michigan has 83, etc. You know which ones to target in advance? You can't just bribe the Secretary of State or something, you need to infiltrate at a county level and modify the original results or it will be trivial to find out something went wrong.

Gerrymandering is a thing because politicians and those in the election-economy do have this data.

I agree it's a big problem to try to rig the vote in each rural county. But, to go into a metropolitan area and boost or suppress the vote would be easier, especially in states that have only a few big cities.

For example, a 10% adjustment in Phoenix might be enough to swing Arizona, as it has about 1/4 of the state's population.

The bigger the county, the tougher the job. That's why I'm saying this is so difficult; for a realistic hack you'd want to change as few votes as possible. If you really could predict the whole election in advance, you could pick and choose small counties with defeatable systems.

Targeting big cities solves the prediction problem, but makes your hack infeasible. Phoenix is in Maricopa County, which used two different types of voting machines in 2016. One of them is a paper ballot optical scanner, which prints out a paper tally at the end of the day. So you'd need to hack hundreds of these airgapped machines, and predict the results well enough to not trigger a recount with your changes, since there are paper ballots to compare against. I think this is just as impossible as choosing key counties in advance.

I guess I'm not familiar with how votes are tallied. Are results visible to election officials in real time as people cast ballots or only at the end? Wouldn't it be feasible to look at a midterm election or registered voters (say you had a 70/30 D/R split) and pre-set a machine to return a 60/40 result?

Depends on the system, but Maricopa County used this machine in 2016, where a polling place official only sees a tally at the end: https://www.verifiedvoting.org/resources/voting-equipment/se...

Your idea is feasible if you can break into a warehouse and hack hundreds of these machines, but do you think it's possible to change ~150,000 votes, resulting in a 10-point swing from recent polls and exit polls, and remain undetected? Remember you're in a big city with lots of news organizations and big elections departments.

If your only full time job was to guarantee an election win for a candidate, you would know exactly which counties to target nationwide. There are only so many of them and we have these things called computers...

No you wouldn't. Many people have full-time jobs trying to predict elections, and they are not nearly accurate enough to zero in on a small number of essential districts. They don't even do very well on the state level. Also, the election landscape shifts constantly, so you can't do this work very far in advance. How long will it take you to set up a system to "hack" Michigan's paper ballots? Even if you somehow perfectly predict the 12 counties necessary to flip the result a year in advance, which again is impossible, can you really infiltrate those counties thoroughly enough to be undetectable?

Edit: "your only full time job was to guarantee an election win for a candidate"

What you're describing is a campaign manager. You'll notice that during presidential elections, the candidates always have different theories of the electorate and will pick different places to focus their efforts. So either: the losing campaign is always so massively incompetent that they don't even know which states to target, even though you say predicting counties is pretty easy when "we have computers", or elections are actually quite difficult and unpredictable.

Sure, but I think in this theoretical example of someone trying to manipulate an election, they'd pick the top X swing states, which are pretty well known. Of those, they'd pick the top X most populated cities in each swing state.

Again, I have not heard anyone say this happened, but I think it's reasonable to assume that the potential attack surface might be fairly small (a few heavily populated counties in a few states) if someone were to want to try.

FiveThirtyEight has county-by-county election data, and it's widely discussed on election nights how certain counties vote heavily R or D. You wouldn't be flipping any counties' political preference; just minimizing the win % in urban areas might be enough.

Now you're trading a prediction problem for an implementation problem as I explained in another comment. A few heavily populated counties is not a small attack surface. You need to hack hundreds of airgapped optical scanners in each state (and they all use different machines), not too much or too little, because then you'll trigger a recount using the real paper ballots. You still need basically perfect prediction to win and stay undetected, and you're up against big election departments with tons of employees and lots of integrity checks.


It is definitely a marketing issue that they have basically the same name as that site.

Are we sure? Did you read the thread? Or is my sarcasm meter broken this morning? reaches for another coffee

It is only for overseas military from WV using mobile devices for voting on foreign soil.

No cause for concern.
