I ask myself time and again why voting systems aren’t federally regulated “critical infrastructure,” with source code available for public review.
We can't predict all of the problems that come up and that alone tells us we need to be in the best position to anticipate changes, hence respecting software freedom for all computer owners. Therefore not being able to inspect that the running voting machine is running trusted software is no reason to deny any computer owner their software freedom. That's no justification for pushing voting districts into buying new voting equipment which ostensibly supports the needed change.
So in the end the solution remains the same: anyone who cares about software freedom (as we all should) would care that their voting machines run on free software.
Paper ballots, electronic tabulation. Can be recounted by hand if necessary.
Or, pencil and paper ballots.
IANAL but the Constitution. States run their own elections.
Cynic: the problem of voters choosing the wrong candidate.
The only "problem" voting machines solve (and the only somewhat compelling reason pro-voting-machine voices raise) is that the results could be out faster (it takes about a day with the manual counting).
I'm a dual citizen: in my other country, every five years I can vote on two ballots (to choose a party list for national government and one for regional government) and the following year again two ballots (to choose a party list and an individual representative for local government). In the US, I can vote for n state judges, state governor, state lieutenant governor, state treasurer, state secretary of state, state representative, state senator, presidential primary, president, federal senate primary, two senators, federal representative primary, representative, mayor, n members of the school district board, n local referenda, n state referenda. Some of these offices have terms as short as two years (e.g. representatives), or non-aligned terms (e.g., in a six year cycle there are two separate elections for federal senators). While in the other country there are two election days in every five year cycle, in the US I vote once or twice a year, and there are half a dozen to a dozen ballots on each occasion.
It could be done by hand, but the scale is very different to a more typical democracy.
Another benefit of electronic voting systems that mark and/or verify voter-verified paper ballots with the voter is allowing the blind and illiterate to vote alone and retain their privacy. Sighted literate voters take for granted that they don't have to reveal their vote to anyone else.
This doesn't get any discussion or support in the article (quite the contrary, there's some language about how such machines are second-best to voters marking their own ballots). The paragraph discounting "BMDs" (ballot-marking devices) contains no pointer to evidence to back the assertion that voters don't check their machine-marked voter-verifiable paper ballot. This is solved with voter education -- tell voters to verify their ballots no matter how they're marked. By the logic of this claim, it's worth pointing out that humans make mistakes writing on paper too. So better to have the voter verify their own ballot. There's also no evidence given of "the dispute-resolution mechanism" for a malicious or errant machine mismarking a ballot. This excuse seems particularly reaching to me as all roads lead to the same outcome -- the voter should spoil the ballot and get a new ballot. No proof is needed to justify spoiling the ballot because in the end they're not committing fraud. Even if the voter spoils multiple ballots, that's not a big deal. I'll need evidence to see that this is a serious concern but the article presents none.
A small number could be sent to polling locations each cycle, to account for loss and damage too.
This would be a far better use of resources than trying to make electronic voting not a disaster of security problems.
And I have yet to see the expense directly compared. How much do the machines cost to purchase and maintain? How much does the overtime for election officials to count the ballots cost?
> Elections are usually in November, winners take office in January. Plenty of time to sort it out if there's a question.
This is an issue as you reach larger offices in particular the presidency where there's an entire transition process that has to happen where the incoming president has to pull together the team to run the state and get read into all the various secret programs so that day 1 they're ready to run the country.
What could possibly be better audited than a public count that any concerned citizen can visit to oversee? Digital machines are as opaque as it gets for auditing.
Whereas computers stay silent by default, and let one person in the right place potentially control everything.
To me it seems the benefit of full electronic is avoiding paper both for environmental effects and physical annoyance of moving it around.
I'm not even convinced that at face value the development, manufacture, distribution and protection of these voting machines are remotely close to as cheap as just counting votes the good old way.
I am a technophile, but the only sane way to vote is with pen and paper with manual counting.
Laws aren’t worth a damn if you’re not willing to enforce them.
In my job as a prosecutor, something I see over and over again is juries wanting to believe the defendant, even when their story isn't credible. If you have a likeable defendant and there's any doubt, reasonable or not, juries will acquit.
So when the little old lady government worker who could be your grandmother says that she was just doing what she thought she was supposed to and golly gee she doesn't understand this whiz-bang computer stuff ("They keep talking about digital evidence, and I just feel hopeless putting up my defense... I don't even know what digital evidence is!")... it's very hard to convince a jury it was intentional.
Shredding paper ballots is a lot more of a compelling narrative to put in front of a panel.
For more. We absolutely should be using these systems and the fact that we have allowed electronic voting machines to be used that do not conform to these protocols is an absolute travesty of democracy, considering how easy it would be.
All voting is vulnerable to hacks, even paper and pen. The key is to make it as expensive as possible to hack a vote. In-person paper voting is pretty much as expensive as it gets.
Never mind that the general public will never understand what you said or ever implement anything like it.
> Never mind that the general public will never understand what you said or ever implement anything like it.
They don't need to understand it. It just needs to be in place, so that we can audit votes properly.
In reality land what we actually build IT wise is normally hot garbage.
We know how to hold honest paper elections. Let's do that instead of hoping that 10 years from now and 10 billion later we can have a secure election.
> It seems unlikely that any system will be constructed any time soon which doesn't involve onerous secret key distribution, is provably correct, doesn't allow someone to prove after the fact to a third party that they voted a certain way, is secure against insider and outside manipulation,
Paper ballots aren't secure against insider or outsider manipulation and they definitely aren't provably correct. I don't see any reason why it should be necessary for the average person to understand how the system works. It should be sufficient that they can verify it, given sufficient knowledge.
It’s important so people have faith in the system. Yes, verifiability can help with that, but trust in math that few can really understand is a barrier. This can be exacerbated as distrust in algorithmic feed generation and social media manipulation grows. You’re savvy enough to see beyond this, but that’s not the point: that trust needs to be solid and widespread for people to have faith in the process. This is a human issue, not a technical one.
And I never believe someone who says something is unhackable... social engineering is a non-removable threat vector.
Eroding all trust in the democratic system is just as bad as actually changing the results.
These systems cost tens of thousands each, are the standard, and probably still too complicated for anybody in your local elections office to actually inspect.
If you think switching this to a cryptographic proof of vote is somehow easy, or easier than moving to slices of dead trees and a pen, then it's time to put down the keyboard and go outside.
It's just that nobody uses them.
We the citizenry can probably resist and discover interference which has to be done in a fashion that is broadly distributed and plainly comprehensible by common people. Digital systems are commonly found to be vulnerable to manipulation that can be done by one or a small number of actors and only discoverable by a tiny portion of the population if and only if the people that compromised our democracy allow you to audit them. It seems like the best case real world system would be an unacceptable risk and astoundingly unlikely that the real world result would be any better than ACTUAL existing government IT projects which as mentioned are hot garbage.
As far as I can tell it's already entirely possible, if laborious, to prevent malfeasance at scale. The only possible benefit to the system you are describing would be decreased cost of operating the election after we pay off the billions required to build the system, and slightly quicker results. We are short on neither money nor time. This is still one of the wealthier nations and transitions from one group of assholes to the next in practice take months for reasons that have nothing to do with tabulating votes.
We cannot risk our democracy so that you or others like yourself can work on a neat new IT project. Our fearless leader will just have to find another way to deter millions of imaginary illegals from voting for his opponent next go round.
They aren't designing it. It's already been designed by academics. In the paper that I linked. Please read it.
> We the citizenry can probably resist and discover interference which has to be done in a fashion that is broadly distributed and plainly comprehensible by common people.
No, we can't. Paper ballots are ridiculously insecure. They are just paper. Anyone, anywhere can throw them away, change them, insert thousands of fake ones, etc. I don't even see how you can argue in seriousness that paper ballots are a reasonable solution to the problem of elections. They're a joke.
Too often this fallacy is used to criticize e-voting:
1) find a flaw with electronic voting,
2) support paper ballots.
Opportunity costs are completely missing. If paper offered perfect security, that would make sense, but it doesn't.
I would have enormous respect for anyone willing to build an honest list of pros and cons on both sides.
Let me take a first naive stab:
- Electronic voting complicates auditing (in the worst cases making it all but impossible).
- Machine manufacturers have a poor record of discovering and correcting vulnerabilities.
- Mechanisms to force corrections of vulnerabilities are weak or unenforceable, or raise impossible policy dilemmas if vulnerabilities are discovered near an election.
- Paper ballots are sometimes ambiguous in ways that skew results.
- Paper ballots have no mechanism to guarantee "availability." i.e., ballot boxes have gone missing, switching recount totals, or sometimes aren't counted at all in close races.
- Tabulation is more costly, and often involves separate systems or equipment from recording and storage. "Introduce more unique systems and complexity!" is not usually a good way to guarantee security.
On the pro side for both too:
+ Paper trails improve auditing (but what do you do if there are discrepancies, given the history of both lost paper and flaws in electronics?)
+ Estonia has had some flaws in their system, but also has tried some innovative solutions to guarantee identity (private keys for all citizens) and prevent coercion/vote buying (votes are revocable up to election day)
Everything has flaws, risk mitigation is about shifting those flaws around. Pointing out a flaw in one system isn't a security analysis. Too often that's how people treat it.
Second, usually in a paper voting system, the ballot box and the counting of the votes is always done in the presence of the election officer, and the representatives of at least two major political parties. All have conflicting aims, and to manipulate an election, you have to corrupt all three of them at many many polling stations.
And paper ballots often have moments where they have single points of failure, like the examples I cited of missing ballot boxes. There weren't three corrupt parties involved in those.
Did you even read my original comment? It is not a single piece of software that can be hacked. It is a deterministic independently, cryptographically verifiable algorithm. You receive a receipt that allows you to personally and independently verify that your vote was counted correctly.
Paper voting, with manual counting, scales well, and has far fewer attack vectors than electronic voting.
Elections, on the other hand, happen once or twice a year, can’t be reversed in the event of fraud, and need to protect the voter’s privacy to such an extent that even giving them, and only them, confirmation of how they voted is considered far too dangerous.
> can’t be reversed in the event of fraud
Counterexamples from one country:
> need to protect the voter’s privacy
And you are convinced that there are no algorithmic solutions?
Here is an attempt from a famous computer scientist whose algorithms book most of us have read.
(This one turned out to be cumbersome to implement because of bad UX, but worked rather well.)
I’m sure there are solutions. My point isn’t that it’s impossible, it’s that banking and voting are so different that the existence of solutions for one tells us nothing at all about the other.
As history shows, double-entry bookkeeping does not entirely prevent fraud, but as history also shows, it does significantly raise the bar.
Other people reference other cryptographic possibilities but it's still not clear you get that counterparty advantage or any equivalent as cleanly from any of them.
I try to speak precisely, so I chose not to say that it does not on purpose. Maybe someone could convince me. But I've seen too many games and incredibly subtle backdoors to have too much confidence in such things. Nor am I sure how to convince the general public that they are correct, whereas convincing them paper ballots work is easy, and they intuitively understand the requisite security measures. It is not sufficient for a voting scheme merely to obtain the right number, it must also be trusted by the losers, or it's a waste of time.
There is no voting scheme that is trusted by the losers. With paper ballot, you can easily claim ballot stuffing or biased counting.
When you can't audit what is in a voting machine, you can't guarantee if it works.
You can make this argument against literally any programmable machine.
Also, checksums of reproducible builds (a feature a lot of compilers in production now support) are a good way to know the software wasn't altered. Securing the hardware is more of a protocol issue than a technical one here.
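An added example of the check the comment above is pointing at (this is illustrative code written for this page, not the commenter's code and not any vendor's tooling): verify a set of build artifacts against a sha256sum-style manifest published from a reproducible build. The artifact names and bytes below are constructed stand-ins; real ones would be the firmware image and tabulation binary. The comparison uses a constant-time digest compare, and the verifier reports not only mismatches but files the manifest lists that are absent, and files present that the manifest never listed.

```python
from __future__ import annotations

import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def format_manifest(artifacts: dict[str, bytes]) -> str:
    """Emit a sha256sum-style manifest: one '<hex>  <name>' line per artifact.

    This is what a reproducible build would publish; a second, independent
    build of the same source should produce byte-identical artifacts and
    therefore the same manifest.
    """
    lines = [f"{sha256_hex(data)}  {name}" for name, data in sorted(artifacts.items())]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> dict[str, str]:
    """Parse '<hex>  <name>' lines (sha256sum's '*name' binary marker tolerated)."""
    expected: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_artifacts(manifest_text: str, artifacts: dict[str, bytes]) -> dict[str, str]:
    """Return a per-file status: 'ok', 'mismatch', 'missing' or 'unlisted'.

    'missing' = listed in the manifest but not present on the device;
    'unlisted' = present on the device but never listed, which is just as
    interesting to an auditor as a mismatch.
    """
    expected = parse_manifest(manifest_text)
    results: dict[str, str] = {}
    for name, digest in expected.items():
        data = artifacts.get(name)
        if data is None:
            results[name] = "missing"
        elif hmac.compare_digest(sha256_hex(data), digest):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    for name in artifacts:
        if name not in expected:
            results[name] = "unlisted"
    return results


def demo() -> tuple[dict[str, str], dict[str, str]]:
    """Constructed sample: a clean rebuild and a tampered deployment."""
    # Hypothetical artifact names and contents (constructed for this example).
    reference_build = {
        "tabulator.bin": b"\x7fELF-stand-in: tabulator v1.0",
        "firmware.img": b"BOOT-stand-in: firmware v1.0",
    }
    manifest = format_manifest(reference_build)

    # Independent rebuild: byte-identical, so every entry verifies.
    clean = verify_artifacts(manifest, dict(reference_build))

    # Deployed device: one byte flipped in the tabulator, the firmware image
    # gone, and an extra shared object nobody published a hash for.
    tampered = dict(reference_build)
    body = tampered["tabulator.bin"]
    tampered["tabulator.bin"] = body[:-1] + bytes([body[-1] ^ 0x01])
    del tampered["firmware.img"]
    tampered["debug.so"] = b"extra code the manifest never listed"
    bad = verify_artifacts(manifest, tampered)
    return clean, bad


if __name__ == "__main__":
    for label, result in zip(("clean rebuild", "tampered device"), demo()):
        print(label, result)
```

Two caveats that the surrounding replies raise and that this check does not address: a matching digest only says the file you were handed matches the manifest, not that the machine boots and runs that file rather than something else, and the check is only as good as whoever is allowed to run it over the device.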
Nobody will agree to doing that. I just said that.
> Securing the hardware is more of a protocol issue than a technical one here.
I wouldn't agree. Because the binary being run isn't being run in isolation, making verifying the database difficult.
If we're not allowed to verify any of the internal workings of the voting machine... How can we say it actually has a copy of a verified binary on it?
Random verification of a voting machine is far more intense, costly, and time-consuming than verifying that a bunch of people at the voting place are doing their jobs correctly.
Yes, there is. You can tell by the way they don't grab people and guns and start shooting.
The purpose of voting is not to prevent hurt feelings or a bit of grousing. Despite the lies you may have been told, hurt feelings are inevitable. It's to prevent people who think they won, but didn't, from shooting people. And some other things too, like convincing them they'll have a fresh fair chance next time and that loss isn't permanent, but not shooting people is the main one.
I am a little bit surprised that people at Hackernews are so hostile against technology. Sure, there are some attack vectors, but we have 4-5 decades of security research and engineering to mitigate or at least detect that.
Don't throw away the baby with the bathwater.
If I want to zoom in further I can click the little book icon for reader view in Firefox, and the content will wrap without scrollbars to my heart's content.
So again, evil in the same way a BDFL maintainer is a tyrant.
And the problem is cleared right up.