So it sounds like they verify your identity based on two photos that you provide? So if two photos provided by an unknown person match, then they become a trusted person? Even if there's a separate step that matches that to the DMV database or something... all you actually need is a photo of the person you want to impersonate.
But pretending to be someone else for remote voting is already a weak point, and one that would be expensive to exploit on a large enough scale to make a difference. The much much bigger risk is that we have absolutely no way to verify that the votes recorded are correct. This company's app sends the vote to the company's server which stores it in this company's database. That's three steps at which the votes can be easily changed.
The question to ask with any proposed voting system is: how can we verify that the counts are accurate? The _only_ way to do that in anything close to a trustworthy manner, is by having an established network of trusted agents (one or more witnesses from each interested party organization at each physical voting location) monitor a human-visible process for collecting paper ballots which can be counted and recounted at will by multiple groups of interested parties.
Any system where the votes are ever hidden away from witnesses and accessible, say, in a back room with an unlocked door leading to an empty alleyway ... or on any computer system, is inherently insecure.
I recently signed up for two different mobile banks (Monzo and bunq). Both of them verified my identity by having me take a photo of my passport, but then also recording a video of myself (with my face clearly visible) saying an exact phrase they specified, in one case “My name is $legalname and I'd like to open a Monzo account” and in the other a sequence of random numbers.
That seems way more secure.
The problem with voting is not and has never been physical people voting fraudulently. It is the alteration of the votes on a central machine. (For example as an easily editable Excel file on at least one occasion)
The extra barriers to confirm the physical person standing at the booth is a redirection of a serious problem with Putin into a little more voter suppression.
Face2Face would defeat this: anyone with enough images of the victim (and copy of ID) could impersonate them in this scheme.
It's kinda' not, because of practicality. There's enormous risk and time involved to get that one erroneous vote. Who's going to do that for a vote that has a smaller chance of swinging an election than you have of winning the lottery?
If you have a stray actor doing that on election day they maybe vote 10 times if they're a logistical genius doing an Ocean's 11 of voter fraud. That's enormous risk of actual jail for still almost zero chance of actually swaying an election. That's why no one does that.
And the idea that you're going to coordinate that effort? You've increased the odds of possibly being statistically significant a tiny iota but have exponentially increased the chances of being caught.
This is why voter fraud arguments are complete bullshit and just cover for voter suppression.
Not speaking to anything else related to this at all, it does sound like they are quite a fly by night operation based on everything that is being dug up.
However, the technology mentioned above is not something they came up with themselves, and in fact sees widespread use for purposes of fraud prevention for financial systems (which sees active attacks against verification tools). It's not as easy to fool as you are making it seem.
This tweet chain is pretty interesting:
I'm just speaking about the technology as described. It's not a novel ID verification method, plenty of other companies use it and there are multiple vendors / providers of the service.
Different organizations have different security needs
Financial systems can use the relative cost of a security measure compared to the cost of a breach to decide whether to implement the security; they consciously accept a certain level of failures. Also, they can use insurance to mitigate exploits after they happen.
Voting systems cannot tolerate failures, at least in theory. Every vote must count. Also, at least for some elections, the value to the attacker is much higher than what can be gained from financial institutions; a foreign intelligence service has much more to gain than money from controlling a US presidential election, for example, and an investor could make billions by knowing the outcome ahead of time. Finally, there is no mitigation after a breach: Insurance won't save a fraudulent election.
The point I am making is that it's not as simple as described to "spoof" this tool, and to give some background on its usage since it seemed to be a novel verification tool for the OP
> every vote can potentially be crucial
I'll also add that every vote is important because the number of votes is important. Winning 70-30 will get much different behavior than winning 50.01-49.99; the latter representative had better pay attention to the 49.99's needs. And that can matter down to the smallest geographical levels - if everyone in your neighborhood votes, politicians will pay much more attention.
Why? Do we have a history of securing computers and keeping them secure over time? No.
Are computerized elections understandable to laypersons? No. Worse; even if the election was tallied faithfully by a computerized system, a demagogic candidate can whip up fervour and call the election into question.
And without bug bounties there is no legal way for whitehats to pentest these things. We're stuck with shitty scans and guessing at best. Even so, from what I've seen I fail to see why we should trust these voting systems.
But the public doesn't care. They don't understand that code is just data and it can alter itself. The voting machine industry has lobbyists. The paper ballot industry doesn't exist.
It's also a case of different concerns cropping off: with paper ballots, there's a risk of miscounting, or disagreement on what constitutes a mark (remember the 2000 election, where the outcome of the election depends on the standards of how much of a mark you need for it to be indicated as a recordable vote). With computer ballots, the concern is over people hacking the tabulating machines or other computerized machinery. You're comparing vastly different risk profiles, and I suspect that most people don't have sufficiently-grounded knowledge to adequately compare them.
I believe that if this site enumerated all the ways that you can maliciously use computerized vs. paper voting systems, we would show a hell of a lot more benefits to a manipulator than a voter.
I think if you bring up Occam's Razor you also need:
1. Somebody gets to make money selling crap to the government
2. Somebody in government thinks it'll mean cost-savings
Given that the current party with federal power is the Republican party, I would argue there is no better time for them to pass as many vote-restriction laws as possible. Vote restrictions typically target the poor and minorities, who typically are Democrat party voters. The Wikipedia article I linked is actually a remarkably good overview of the recent history of this issue in the USA.
What do you mean "No"? The ubiquity of cell phones alone makes it self-evident. What YOU mean is not described by your assertion.
> Worse; even if the election was tallied faithfully by a computerized system, a demagogic candidate can whip up fervour and call the election into question.
That's not worse. That's part of the path to acceptance.
> The paper ballot industry doesn't exist.
Tell that to the Lottery machine makers and ticket manufacturers. It's a much stronger lobby than the "e-voting" block (if you can even cobble together such an alliance).
I've run a paper election for a federal race here in Canada. Anyone with the ability to form a complete sentence could understand the security of our election. We're talking 2 standard deviations below median or worse here.
The number of people that can understand the security of an electronic voting system is vanishingly small. The only security mechanisms that make the election trustable are the ones that are analogous to paper elections:
On premise ballot counts by humans with public observers and physical artifacts retained by receiving officers and other poll workers.
Come tell me how a machine with a touch screen is as understandable to someone that can't even explain how electricity works, much less hashing algorithms or compilers.
> That's not worse. That's part of the path to acceptance.
It is worse that a fair election is distrusted than it is for us to be unsure of the veracity of an election yet proceed as if it were honest despite misgivings. The subversion of truth is an anathema to our democratic process. Our social fabric depends on collective reasoning operating on shared understanding. Minds operate by cohering senses into understanding and understanding into action. Discordancy is doubt's inferior. Under stress it trades quiet, humble investigation for paroxysmal rage.
> Tell that to the Lottery machine makers and ticket manufacturers.
These are not the people that manufactured our paper ballots and they never were.
> if you can even cobble together such an alliance
A lobbyist requires incentive, not alliance.
Having a cellphone != understanding the technology and how it works. People don't get this stuff, and something as fundamental as your civil liberties should not be predicated on a black box no one person can understand.
Re: ballot lobby:
If there's any paper ballot lobby it's HP - when I've voted it was on ballots printed by a traditional office printer/Xerox.
You don't need bizarre forms and crank levers to make a ballot, just a piece of paper and a marking device.
That wasn't the assertion made, nor related directly to the assertion I responded to. Having an understanding of "how it works" is a weak way of couching a ton of assumptions without explaining what you mean. There's no point in trying to argue about what's in your head.
The statement I take issue with is:
> Are computerized elections understandable to laypersons?
Yes. How they work at a cursory level of practical operation and effect, is less sophisticated than any cellphone since flip-phones.
The part that gets me is that there is no organic, grassroots push from the people who actually vote to implement electronic voting.
Usually when someone, or many people, advocate for a cause, they have something to gain from it.
Who is advocating for electronic voting and what do they stand to gain?
The push was rejected since (a) the body responsible for running the elections believes it would be less secure and (b) it would still take two weeks to finalise since postal votes can come in up to two weeks after the election as long as they're postmarked before the election.
But people are interested in fast results. And they're lazy.
> Online voting is a good way to engage with younger voters, busy workers, and even Estonians living abroad, Mr Koitmae says.
Electronic systems have the nominal advantage of handling disabilities and different languages more easily.
Not that I'm disagreeing with you, but why would you expect anything different? As a layperson, why would I treat computerized voting any differently than online shopping or ordering an Uber or something like that?
The software engineering community deserves more blame for this type of thing. It's unreasonable to expect laypeople to be experts on every technology they use, and this crappy voting system didn't exactly write itself.
One of the downsides of programming being easily accessible and easy to get a job in is that there is no required standards body to write code. There's no way to fix this. The best you can do is refuse to hire people that worked on these or similar systems, and I'm sure they will find jobs somewhere within the government-contractor software engineering space.
I guess that's what I was getting at. There never used to be a standards body for civil engineers, either, but after a while society got tired of bridges falling down and buildings collapsing. When will we get to that point with computer software?
It's kind of funny (or sad) that barbers and hair stylists need a license, but software engineers don't.
Since there's an unhealthy obsession with libertarian small government in software circles, it seems relatively unlikely this will happen any time soon. And we would rightly fear for our jobs if this happened, because I can't imagine the regulation applying to imported code.
It goes back to the "hanging chad" election. The losing side decried paper ballots as unreliable in every form and fashion, and the only way to have a fair election was to make it all electronic.
Thus, an industry was born.
Didn't this only happen because of an attempt to electronic-ify the election and have machines tabulate the results?
FWIW, the place I voted during that election was straight up mechanical.
Two words: "hanging chad."
I.e. why do we need to have machines do something badly that humans can do well?
If you have half the number of elections on two days, you can count all the ballots with half the number of people and still get a result by the end of the night.
: There's a few reasons for this. One is that a lot of people will say "okay, I'll give this person a chance" and even though they voted for the losing candidate, they decide to vote for the president's party in the legislature. Another is that if you ask people who they voted for, more people say the winner than actually voted for the winner. It seems there is some sort of problem of memory reliability here. Since more people believe they voted for the president than actually did, more people will happily support the president's party than otherwise would have, had the election been synchronised.
We want machines because they are indifferent. We can develop machine based voting systems that have a voter-verifiable receipt. We can reduce the cost of our elections and reduce the number of trusted people that must be involved with them. It removes the most common sources of error from our current flawed implementation of our democratic ideals.
Expanding upon this, if we make voting cheap and easy enough, we may actually be able to expand our democracy for more direct participation at all levels of government and reduce our reliance on the currently flawed implementation of our representative system.
Why would we _not_ want this? The major problem, as I see it, is that states are not assembling expert panels to either purchase or work with other states to collaboratively build a good system directly. The government purchasing process certainly plays a factor here as well, and voting systems should be classified as critical infrastructure to allow a more rational approach to their procurement and/or development.
On top of that, they are opaque: it's very hard to verify that a machine does what it claims to do and nothing else.
If you like machines, I present you a perfect machine: it's a clear box into which you throw paper ballots. It even counts the ballots: invariably, the result is "akira2501 won" - that is written on the outside; it works instantaneously. Any party that finds it suspicious can challenge and recount the paper ballots inside, in presence of independent observers.
Since there's no better way to verify the work of a voting machine other than counting papers, this machine is as good as any machine you just described - and is definitely cheap.
As for the cost - citation needed that machines actually provide any savings here.
The driver is profit motive.
The push for touchscreens was because vendors wanted to juice their valuations (from 3x revenue for services to 7x for products).
The push for postal balloting, internet voting, etc. is because now vendors are back to pitching themselves as services companies, the difference this time being they are now charging per registered voter (vs per ballot counted).
Reliability, security, appropriateness are not even part of the conversation.
Paper vote by mail: when the ballot is ready, they print and mail it to you, you have 3-4 weeks to fill it out and send it back. High voter turnout, easy access for people with difficult schedules, no need for transportation. Keep the ballots until the election has been certified.
But that's a disturbingly cynical outlook, and if the general attitude of the whole populace was as such, there must be something awful at play.
That said, this system seems like a bizarre choice given the apparent security issues discussed in the thread.
"In 2012, KMK Metals Recycling paid €70,267 for 7,500 e-voting machines; 1,232 transport/storage trolleys; 2,142 hand trolleys and 4,787 metal tilt tables."
And still, despite all the solid arguments against electronic voting and the actual experience with those machines, a certain class of influential people keeps bringing it up. Sometimes they're gadget-crazy policy makers who just can't fathom why we're still using a pencil in 2018 (because it works, is transparent, can be understood by any layperson, and instils trust). Sometimes they're politicians who absolutely must have all the results of an election the same night, and only computers can do that (despite exit polls working pretty well, and there really is no rush).
Recently, some are arguing for electronic voting because it would mean people with sight impairments can vote assisted by headphones rather than by a trusted person (there are solutions for the classic paper ballot in the form of a Braille-embossed mould that work pretty well in Germany, you don't need a computer for this).
It's a constant battle to keep the public informed about the problems with, and undesirability of, electronic voting after each assault in the media. Why can't we keep this cornerstone of democracy a process powered by pencils, paper, and people instead of opaque IT solutions?
Considering their security practices and cluelessness, they also seem to be mostly for fascists.
And using facial recognition to make sure the right person votes just sounds like it'll end up either trivially exploitable or just cause many legitimate people to be denied as their faces can't be matched.
What exactly is wrong with voting by mail? It's pretty easy to do, and it ensures anonymity by wrapping two envelopes inside each other.
It was essential for bilking investors out of $2.4 million.
>“A HORRIFICALLY BAD IDEA”: SMARTPHONE VOTING IS COMING, JUST IN TIME FOR THE MIDTERMS
>A Boston-based start-up promises to let West Virginians vote via app. Critics call it “the Theranos of voting.”
>Enter Voatz. With a name reminiscent of a plot device in Idiocracy, Voatz is a mobile election-voting-software start-up that wants to let you vote from your phone.
The solution is simple and most places already do this, but each voting machine prints a matching paper receipt that can be matched with an electronic record. My jurisdiction already does this, it prints out of the back of the machine when you're done, but my vote is also electronic.
Those of you insinuating that Republicans (generally this is what people are hinting at) or Democrats are conspiring to rig elections via electronic voting are acting insane. If either party wanted to rig the election they could do it with paper or electronic ballots...and I highly doubt the vote tallies would be so close or that both parties would have so many seats flip every 8-10 years in toss up areas.
Sounds very professional. Sounds like the system I want counting my votes. Maybe they won out over v0tr.io and Votester?
Voting is a legit hard problem but it influences you more than you realize. The setup of the election basically determines the outcome of the election.
I think that the one thing that could improve democracy globally is an internationally agreed upon open-source verified voting system.
None of these startups will last long enough to have an impact.
There are many problems, voter identity is definitely one. You need some sort of public ledger (the blockchain isn't the worst idea, however proceed with caution).
They're sloppy with security, and they're ludicrously unable to scale.
And they've put this out in an environment with state-backed hackers. It's very blockchain.
I'm curious to see an implementation of a variant called 'BeleniosRF', which adds the requirement that voting be receipt-free (RF)
As others have stated, this particular scheme's weakness to tampering lies at the receiving end of the app's server.
There are other privacy problems with the "send a selfie" of the on-duty soldiers I won't get into.
But ultimately, voting has unique constraints. The voter needs to be able to verify their vote was counted correctly, outside observers need to be able to verify totals, but not identify individual votes, and the whole system needs assurances only those who are supposed to vote, do so.
That's just a Blockchain PoC. The fact that they're trying to take the simplest, most exploitable form of Blockchain and dressing it up as an innovation already puts a bad taste in my mouth, but the fact that this garbage software is now being used for a federal election is horrifying.
It also doesn't help that more than one of the leaders of this company are Russian nationals...
^Tweet in sub...chain (how the fuck do we describe twitter comments?)
It's horrible, but I almost hope somebody hacks these votes in the most disruptive, obvious way. I think the country could use a good slap in the face when it comes to both infosec and voting security.
A good thing about so many people being involved in voting is that it is harder to cheat. Even a state agent like Russia can influence elections only so much. It was very effective because it just needed to change a few percentage points to tip the balance.
The bi-partisan system, gerrymandering and sub-standard education make democracy fragile. Automated voting systems are much more dangerous.
> "It's internet voting on people's horribly secured devices, over our horrible networks, to servers that are very difficult to secure without a physical paper record of the vote."
This is a good summary of a few of the problems.
More clear: is calling a company, pretending to be their IT, and getting their root credentials, "hacking?"
In terms of democracy.
People can be misled whether by internal or external sources.
Democracy works slowly. The important thing is that they have another chance to vote in a few years to vote in their interest.
Things that affect the effectiveness of a democracy include a limited franchise (e.g. a test to ensure only "educated" voters are allowed, restrictions on people who have previously been jailed, precinct voting with voting on a working day); ballot stuffing; gerrymandered districts and excessive malapportionment; insufficient sensitivity to changes in public opinion (e.g. not enough legislators); supermajority requirements (on ordinary bills) and vetoes for small groups.
: Since not everyone will be aware of what precinct voting is, it's a system where you are allocated to a certain voting centre. So you live in Ballotsville South: therefore, you're only allowed to vote at the Ballotsville South Primary School.
Other jurisdictions permit people the freedom to select the voting centre based on convenience. Every voting centre in some district will have a ballot and a record for you. In some broader district they may not have a record for you but they still allow you to vote by keeping your ballot inside a sealed envelope: then they can confirm your entitlement and open your ballot or destroy it as appropriate.
My own take is that there is corruption in the US voting system and that major cities have some badly corrupted districts that could be fixed if we wanted to: Voter ID, limit absentee ballots, and place neutral observers from outside the county. It's not a matter of being able to fix the problem, it is a matter of will because voter fraud is institutional.
For background on the suit and wiping of the data: https://www.apnews.com/877ee1015f1c43f1965f63538b035d3f.
That video is from 2014 well before the 2016 US election was a thing :
edit : interesting how in the recent comments under this video there's cryptoblockchain enthusiasts who have completely missed the point about lack of trust.
I would have thought that the way the election went down with multiple narrow state wins just above the recount level would have had at least some people wanting to take a second look.
There are two more common voter issues, that each amount to much higher errors. No voting system can accurately register the vote of an individual; the 2000 election in Florida was an example where the margin of victory was on the order of this inaccuracy, one of the reasons its result was so contentious. Furthermore, there's good old voter intimidation and similar techniques: tell people the wrong polling place, deny them the ability to cast their votes, etc. I don't know the prevalence of the latter case, but it is far more than 1 in a million, based on evidence.
What do you mean by this? Do voting machines have an error rate? I would assume the county would be notified and these ballots counted by hand during a recount (which is what happened in 2000).
I think 2000 was contentious because the Florida AG stopped the recount as Gore's numbers were steadily improving and threatening to overtake Bush's.
Another possibility is that labels and voting regions might not line up properly. The infamous butterfly ballots of 2000 had the property that, if you viewed from the appropriate oblique angle, the arrow next to Al Gore's name very neatly lines up to the hole next to Pat Buchanan. Unsurprisingly, in Palm Beach, there was an unexpectedly high vote count for Buchanan in a region which most observers would think highly unlikely to vote for him.
What happened during the 2000 recount was that Gore asked for a recount of specific counties that he felt would improve his tally; the Bush campaign countered that all the counties should be recounted, since recounts in other places might improve his tally. The Bush campaign also argued that the varying standards of what constituted a vote (did you need to have at least two corners of the chad hanging, or did you merely need a dimple, to constitute a vote?) also was too lenient a standard for the recount.
The general consensus of most observers, after the election furor died down, is that Al Gore would have won the state under a 100% accurate vote counting mechanism. A full recount likely would have been to Gore's favor, but the recounts that Gore asked for do not appear to have been sufficient to get that result.
When the results of the election change depending on the exact measure you use to determine the intended vote, it is fair to say that, in a statistical sense, the election is a tie. I would argue that election laws should treat such cases as a tie, even if the numbers aren't actually identical.
I didn't know that Gore asked for recounts in specific counties while observers thought a state wide recount would have helped him as well. What a blunder...
There doesn't seem that much enthusiasm for investigating. The first hard evidence that "Russian government coordinated a spear-phishing attack on computers at an American voting machine company and compromised at least one email account" was leaked in June 2017 by Reality Leigh Winner who was prosecuted for leaking that and is now in prison in Georgia.
I think we can all imagine that computers can be programmed to perform this logic fairly trivially.
We can all imagine that computers can be hacked the way you describe, but such computers don't exist everywhere a hacker would need them. Take Michigan as an example, since it was key to Trump's victory and only a handful of counties swayed the results. The entire state uses paper ballots. How can this system be hacked without a massive social engineering conspiracy involving hundreds of people?
Everything else you're saying is spot on, though.
The average of the 13 final national polls had Clinton ahead by ~3 points, Clinton won the national vote by ~2. Some individual state polls were more wrong, but they were conducted less frequently and so many of them didn't fully factor in the latest news cycle developments.
Even if we exclude mendacity and downgrade that to mere irresponsibility, terms like "98% chance of Hillary winning" were being thrown around left and right on election day. That speaks to something very, very wrong in how that data was being collected.
The problem was mostly with how it was analyzed, not how it was collected. Some publications were making bad assumptions that state by state polling errors would end up being independent. 538, who didn't make that assumption, gave Trump close to 1/3 chance of winning.
Trump won by less than 80k votes in 3 states. Even the state polls weren't that far off--unlikely events happen.
The polling was fairly accurate; given the nature of the electoral college and the fact that state-by-state deviations from polling results tend to be correlated rather than independent, and how close many of the state contests were, the winner was different than the expected winner (and this was very surprising to people who followed predictors who based their odds on the assumption that state variation was independent, less so those who followed those like 538 that pointed out that that was a mistake), but the polling was not particularly inaccurate.
I agree it's a big problem to try to rig the vote in each rural county. But, to go into a metropolitan area and boost or suppress the vote would be easier, especially in states that have only a few big cities.
For example, a 10% adjustment in Phoenix might be enough to swing Arizona, as it has about 1/4 of the state's population.
Targeting big cities solves the prediction problem, but makes your hack infeasible. Phoenix is in Maricopa County, which used two different types of voting machines in 2016. One of them is a paper ballot optical scanner, which prints out a paper tally at the end of the day. So you'd need to hack hundreds of these airgapped machines, and predict the results well enough to not trigger a recount with your changes, since there are paper ballots to compare against. I think this is just as impossible as choosing key counties in advance.
Your idea is feasible if you can break into a warehouse and hack hundreds of these machines, but do you think it's possible to change ~150,000 votes, resulting in a 10 point swing from recent polls and exit polls, and remain undetected? Remember you're in a big city with lots of news organizations and big elections departments.
Edit: "your only full time job was to guarantee an election win for a candidate"
What you're describing is a campaign manager. You'll notice that during presidential elections, the candidates always have different theories of the electorate and will pick different places to focus their efforts. So either: the losing campaign is always so massively incompetent that they don't even know which states to target, even though you say predicting counties is pretty easy when "we have computers", or elections are actually quite difficult and unpredictable.
Again, I have not heard anyone say this happened, but I think it's reasonable to assume that the potential attack surface might be fairly small (a few heavily populated counties in a few states) if someone were to want to try.
FiveThirtyEight has county by county election data and it's widely discussed on election nights how certain counties vote heavily R or D. You wouldn't be flipping any counties political preference, just minimizing the win % in urban areas might be enough.
No cause for concern.