In Estonian parliamentary election, 44% of the votes were cast online (zdnet.com)
157 points by atlasunshrugged 44 days ago | 201 comments



"The system has been designed to ensure that voters' computers are not infected by any kind of malware that could change or block their vote."

I'm sure this cannot be subverted by an attacker with the resources of USA/China/India/.., or with access to the supply chain from the chip fab onward (don't forget about malware hidden in USB cables!), or or,...

And you'd have to be dead sure, because, unlike with physical votes, there will be few-to-none signs of subversion. You can vote physically, but what do a few physical votes matter when the attacker can change the vote of 30, 50, 70% of the population.

And how do you change the system, when all parties promising to do so can't get enough votes?

Edit: Example of what a voting system must be resistant against: https://www.schneier.com/blog/archives/2018/03/adding_backdo...


Typically, the way this is done is through a smartcard, secured and provided by state officials. A vote has to be signed by the key that never leaves this device. So even if your computer is infected by malware down to its USB firmware, it won't be able to fake many things. Just prevent you from voting.

My main criticism is that as it is it could still feed the card with the wrong vote to sign. The (state-provided) USB reader should have a small lcd screen to sum up the thing being signed "Vote for Ms.Ryjavik on election #123" "Vote for Yes on vote #432" and a confirmation button.

With these modifications, and the ability to check a cast vote has been received, you can have secure elections on insecure devices.

However it requires trust in the officials to do their jobs correctly and not to tamper with the tally.

I, personally, love a lot of e-Estonia initiatives, but consider electronic voting to be a bad idea, unless you are ready to get rid of the anonymity of the vote (you can have secure non-anonymous remote voting)
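The "card signs whatever it is fed" problem and the display-plus-confirm fix from the comment above, as an added example (not code from the thread). It assumes an HMAC with a per-card key as a stand-in for the card's asymmetric signature; the property shown, that the card signs exactly the bytes the host gives it, does not depend on the scheme. Names such as `BlindCard`, `DisplayCard` and `InfectedHost` are illustrative.

```python
"""Toy model of the smart-card signing flow: a blind card versus a card with
its own display and confirm button. Constructed example, not the real
Estonian client. HMAC with a per-card key stands in for the card's signature.
"""
import hashlib
import hmac
import json
import secrets
from typing import Callable


def encode_ballot(election_id: str, choice: str) -> bytes:
    # Canonical encoding so the displayed text and the signed bytes agree.
    ballot = {"election": election_id, "vote": choice}
    return json.dumps(ballot, sort_keys=True, separators=(",", ":")).encode()


class BlindCard:
    """Signs any payload the host sends; the voter never sees what is signed."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # never leaves the card

    def _mac(self, payload: bytes) -> bytes:
        return hmac.new(self._key, payload, hashlib.sha256).digest()

    def sign(self, payload: bytes) -> bytes:
        return self._mac(payload)

    def verify(self, payload: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self._mac(payload), sig)


class DisplayCard(BlindCard):
    """Renders the payload on its own display and signs only after the reader's
    physical confirm button is pressed (modelled as a callback)."""

    def __init__(self, confirm: Callable[[str], bool]) -> None:
        super().__init__()
        self._confirm = confirm

    def sign(self, payload: bytes) -> bytes:
        ballot = json.loads(payload)
        shown = f"Vote for {ballot['vote']} in election {ballot['election']}"
        if not self._confirm(shown):
            raise PermissionError("voter refused to sign: " + shown)
        return self._mac(payload)


class InfectedHost:
    """Voting client whose malware swaps the ballot before it reaches the card."""

    def __init__(self, attacker_choice: str) -> None:
        self.attacker_choice = attacker_choice

    def cast(self, card: BlindCard, election_id: str, voter_choice: str):
        # The PC screen shows voter_choice; the card is fed attacker_choice.
        payload = encode_ballot(election_id, self.attacker_choice)
        return payload, card.sign(payload)


def make_voter(intended: str) -> Callable[[str], bool]:
    """A voter who presses confirm only when the display names their choice."""
    return lambda shown: shown.startswith(f"Vote for {intended} in election ")


def demo_blind_card() -> str:
    """Returns the candidate carried by the validly signed ballot."""
    card = BlindCard()
    payload, sig = InfectedHost("Mallory").cast(card, "election-123", "Alice")
    assert card.verify(payload, sig)    # the signature is perfectly valid
    return json.loads(payload)["vote"]  # but it names Mallory, not Alice


def demo_display_card() -> str:
    """Same malware, but the card shows the ballot before signing."""
    card = DisplayCard(make_voter("Alice"))
    try:
        InfectedHost("Mallory").cast(card, "election-123", "Alice")
    except PermissionError:
        return "refused"
    return "signed"


def demo_honest_host() -> bool:
    """An unmodified ballot is confirmed and verifies."""
    card = DisplayCard(make_voter("Alice"))
    payload = encode_ballot("election-123", "Alice")
    return card.verify(payload, card.sign(payload))
```

The blind card produces a signature that verifies perfectly over a ballot the voter never chose; nothing downstream can tell it apart from an honest vote. The display card turns the substitution into a refusal, which is the "signs of subversion" the earlier comment was missing. The design depends on the display and button being in the trusted device, not rendered by the PC.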


> My main criticism is that as it is it could still feed the card with the wrong vote to sign.

In other words: It doesn't help at all against malware on the computer.

> The (state-provided) USB reader should have a small lcd screen to sum up the thing being signed "Vote for Ms.Ryjavik on election #123" "Vote for Yes on vote #432" and a confirmation button.

In other words: If the USB firmware is infected, it's still not secure.

> With these modifications, and the ability to check a cast vote has been received, you can have secure elections on insecure devices.

So, if you are using secure devices ... then you can have secure elections on insecure devices? In this scenario you aren't actually using the insecure device, other than for establishing a connection to the internet.

Or rather, as you described it, it also functions as the input device--but that is a security problem because it can be used to violate the secrecy of the vote, so it's not actually secure that way either. The only way to make it secure (sort-of) is to not use the insecure device.

> However it requires trust in the officials to do their jobs correctly and to not tamper the tally.

And that is the reason why electronic voting is not an option. Elections have to be able to remove a government from power against its will. An election process that depends on the integrity and honesty of the government that you want to remove from power is inherently broken. An election process that only works when there is no conflict is not a useful election process.


Considering Estonia's history, paper voting isn't exactly amazing either. The Soviet era showed that election fraud happens anyway. The problem with paper voting is that mistakes in counting happen very often. During the election that just happened in Estonia officials wrote the candidate number into the box that said how many votes they got.[1]

In the 2016 US presidential election officials basically typoed the election results in the town of Hazelhurst in Wisconsin, where almost half the votes went missing until a citizen volunteer noticed the mistake. Neither the party officials nor the election officials caught the mistake.[2]

If mistakes like that can happen then how often do they go unnoticed? How often are these mistakes deliberate?

[1] https://news.err.ee/916525/vote-miscount-in-narva-may-cost-e...

[2] https://www.votingjustice.us/tags/election_integrity


> Considering Estonia's history, paper voting isn't exactly amazing either.

So, could you point to any one election in Estonia's history where electronic voting would have been any better?

> The Soviet era showed that election fraud happens anyway.

That's just bullshit. Just because a solution for a problem is not perfect, does not mean it's useless and that every non-perfect approach is equally bad.

> The problem with paper voting is that mistakes in counting happen very often.

Which is irrelevant to the discussion of security. Mistakes are a very different thing from intentional manipulation, both in how you can prevent them and in the effects. In particular, mistakes tend to average out, which is why they usually don't matter for elections as long as they happen at a reasonably low rate.

> In the 2016 US presidential election officials basically typod the election results in the town of Hazelhurst in Wisconsin, where almost half the votes went missing until a citizen volunteer noticed the mistake. The party officials nor election officials caught the mistake.

... which is why we should employ a voting process where only the election officials have any insight into what is going on, so we minimize the chance that a citizen discovers any errors?

> If mistakes like that can happen then how often do they go unnoticed? How often are these mistakes deliberate?

... and how would an election process that is completely opaque to the public possibly help with any of that?


Paper voting is hundred times more secure than electronic. With paper voting observers can see all the ballots and verify the results; these results are usually published so if you have observers at all polling stations you can verify that all votes have been counted correctly.

With electronic voting nothing stops sysadmin from doing UPDATE votes SET vote = 'Good Candidate' WHERE vote = 'Bad Candidate'.


Except the sysadmin's inability to generate valid signatures for those votes.


The signatures are generated by government-issued cards. Doesn't it mean that it can issue any number of new cards and generate signatures using them?

Also, they cannot store signatures with votes because that would disclose voter's identity and their choice. They have to store signatures separately from the votes and it means that the votes can be freely modified.

Here is what Wikipedia says [1]:

> This criticism was underscored in May 2014 when a team of International computer security experts released the results of their examination of the system, claiming they could be able to breach the system, change votes and vote totals, and erase any evidence of their actions if they could install malware on the election servers.

Of course, the government can install anything on its servers.

Here is a quote from a report on vulnerabilities [2]:

> The e-voting system places complete trust in the server that counts the votes at the end of the election process. Votes are decrypted and counted entirely within the unobservable “black box” of the counting server. This creates an opportunity for an attacker who compromises this server to modify the results of the vote counting.

> ...

> The attack’s modifications would replace the results of the vote decryption process with the attacker’s preferred set of votes, thus silently changing the results of the election to their preferred outcome.

Read: the government can "draw" any outcome they would like. Maybe they already did it, who knows.

[1] https://en.wikipedia.org/wiki/Electronic_voting_in_Estonia

[2] https://estoniaevoting.org/findings/summary/
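The `UPDATE votes SET ...` scenario and the point about separating signatures from ballots, as an added example run against an in-memory SQLite table (not code from the thread or from the Estonian system). It assumes an HMAC with a per-voter key as a stand-in for the card signature; a real store would hold public keys and could not forge. Table and column names are made up.

```python
"""A vote store with per-ballot signatures, the sysadmin's UPDATE, the audit
that catches it, and the same UPDATE against the anonymised count where there
is nothing left to verify. Constructed example with HMAC standing in for the
card's signature.
"""
import hashlib
import hmac
import secrets
import sqlite3


def sign(key: bytes, voter_id: str, vote: str) -> bytes:
    # The signature binds the choice to the voter and to this election.
    msg = f"election-123|{voter_id}|{vote}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def build_store(ballots):
    """Insert (voter_id, vote) pairs, each signed with that voter's card key."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE votes (voter_id TEXT PRIMARY KEY, "
               "vote TEXT NOT NULL, sig BLOB NOT NULL)")
    keys = {}
    for voter_id, vote in ballots:
        keys[voter_id] = secrets.token_bytes(32)
        db.execute("INSERT INTO votes VALUES (?, ?, ?)",
                   (voter_id, vote, sign(keys[voter_id], voter_id, vote)))
    db.commit()
    return db, keys


def sysadmin_tamper(db, bad: str, good: str) -> int:
    """The UPDATE from the comment: rewrite every ballot for `bad` into `good`."""
    cur = db.execute("UPDATE votes SET vote = ? WHERE vote = ?", (good, bad))
    db.commit()
    return cur.rowcount


def audit(db, keys) -> list:
    """Voter ids whose stored vote no longer matches its signature."""
    bad = []
    for voter_id, vote, sig in db.execute("SELECT voter_id, vote, sig FROM votes"):
        if not hmac.compare_digest(sign(keys[voter_id], voter_id, vote), sig):
            bad.append(voter_id)
    return bad


def anonymise(db) -> None:
    """Separate choices from identities, as a secret ballot requires: the
    counting table keeps only the choice, in shuffled order, with no signature."""
    db.execute("CREATE TABLE anon_votes (vote TEXT NOT NULL)")
    db.execute("INSERT INTO anon_votes SELECT vote FROM votes ORDER BY RANDOM()")
    db.commit()


def tally(db, table: str) -> dict:
    assert table in ("votes", "anon_votes")  # never interpolate untrusted names
    return dict(db.execute(f"SELECT vote, COUNT(*) FROM {table} GROUP BY vote"))


def demo() -> dict:
    db, keys = build_store([("v1", "Good Candidate"),
                            ("v2", "Bad Candidate"),
                            ("v3", "Bad Candidate")])
    before = tally(db, "votes")
    anonymise(db)                       # the table the count is actually run on
    changed = sysadmin_tamper(db, "Bad Candidate", "Good Candidate")
    caught = sorted(audit(db, keys))    # signatures still attached: detected
    # The same edit on the anonymised table: no signature, nothing to audit.
    db.execute("UPDATE anon_votes SET vote = 'Good Candidate' "
               "WHERE vote = 'Bad Candidate'")
    db.commit()
    return {"before": before, "changed": changed, "caught": caught,
            "after_signed": tally(db, "votes"),
            "after_anon": tally(db, "anon_votes")}
```

The signed table makes the edit detectable: `audit` flags `v2` and `v3`. The anonymised table, which is the one a secret ballot forces you to count from, carries nothing that ties a row to a signature, so the identical `UPDATE` is invisible to any check of this kind. That is the gap the quoted report describes as the counting server being a black box.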


Except the sysadmin can update the database of valid signing keys as well?


Do you mean the public database of everyone's public keys? Tampering with that would get noticed really fast and anything like that would greatly erode the trust in the system and wreak havoc on the economy since most stuff is signed digitally.


>My main criticism is that as it is it could still feed the card with the wrong vote to sign. The (state-provided) USB reader should have a small lcd screen to sum up the thing being signed "Vote for Ms.Ryjavik on election #123" "Vote for Yes on vote #432" and a confirmation button.

You can check who you cast your vote for through online voting. You can do it 3 times for half an hour after voting. You cast your vote on a PC and at the end the voting software shows you a QR code. You can then use an app on your phone provided by the government to check who your vote was counted for.

Read more here: https://www.valimised.ee/en/internet-voting/checking-i-vote


You can check that the reporting app tells you that you voted for who you think you voted for.

You have no way of asserting that that was the vote that was actually counted in the reported result.


I don't know what Estonia does, but there are ways to publish the votes in a secure way that prevents anyone from decrypting a single vote, but lets anyone verify their vote was correctly counted using their own secret key.

http://news.mit.edu/2009/rivest-voting

Of course you need monitors from all interested parties to prevent ballot stuffing, but that's true in every election. It's up to monitors to read the voter list and verify that (probabilistically) there are no/few fake voters on it.


According to this report [1], they published the source code and provided a video recording of installing the software (sounds like a joke):

> Despite positive gestures towards transparency — such as releasing portions of the software as open source and posting many hours of videos documenting the configuration and tabulation steps — Estonia’s system fails to provide compelling proof that election outcomes are correct. Critical steps occur off camera, and potentially vulnerable portions of the software are not available for public inspection.

[1] https://estoniaevoting.org/findings/summary/


So much for a secret ballot


You can vote multiple times though and the previous votes are discarded. You can even show up on election day at the end and it will override your online vote.


> a smartcard, secured and provided by state officials [..] The (state-provided) USB reader [..]

are not immune to attack either. Unless you go to the extraordinary lengths of making your own hardware in a facility you secure and keep secured for the duration of your democracy, there is no such thing as a 'secure device'. Not when the prize is something so hugely lucrative and advantageous as control over an entire country.

All assuming you trust your government. With opposition parties monitoring vote counts, that's easy. But what about when they have to look for dopant-level chip defects?


In Washington state, all voting is via paper ballots mailed or dropped off at a voting location. You sign them. People end up having different ballots because your ballot is customized for the district you live in (unique city, school district, county, state combinations is a reasonable size). They verify your signature. You can track if your ballot was received (it's inside an inner envelope) and if your signature was confirmed or not.

This feels safe, and as they have the original paper, they can revote - but they have all the ones in the district in a box somehow.


Who creates the security tokens that banks use? I could see few things more lucrative and advantageous than a perfect backdoor into that hardware, especially since here in Sweden you can create electronic government ID from said token which can be used for everything except voting.

It is not without reason that the most common fraud here in Sweden (around 80%) is someone calling under false pretenses asking a victim to use the hardware token in order for the fraudsters to create a new electronic ID which is then used to empty the bank account, create credit accounts, and so on. So far those security tokens have had a perfect track record from a hardware perspective, as much good as that does. Maybe that is a bomb waiting to explode but it is hard to see a stronger incentive for criminals than what already exists.

When people here discuss electronic voting, the security of the hardware tokens is not usually brought up. It is rather all the other elements which make it a bad choice. There would be no physical ballots that can be verified, questionable anonymity, and a loss of a controlled voting environment. All the common solutions to those problems usually result in the conclusion that it is then easier to just keep the current system as is.


The thing is that bank security is at least theoretically possible. Banks and/or governments act as central sources of trust in such systems and trust can be derived from this source. I.e. a bank could build the hardware tokens from scratch themselves. With an election the trust model is inverted. I'm not sure there is any practical way to allow the trust sources (every voter) to audit the hardware tokens.


Also importantly, banks don't have to be anonymous. Every transaction has the identities of the people involved.


Electronic votes can be secured cryptographically. Votes can be counted per precinct instead of centrally, and then summed. The security factors of paper voting can be replicated electronically.

"The authority might just lie about the count or throw away or counterfeit votes, or coerce voters to vote a certain way" is not solved by paper voting either, as seen in Russia and many other places.


Really, it strikes me how luddite people are when it comes to voting. In every other case, people welcome technology making stuff easier. But in this area, all I hear is complaints how far the voting booth is, how you need ID, how there is no national holiday and so on. What about absentee ballots? How do you make sure they were mailed by the right person?

Listen, if an attacker can subvert 30% of the votes, don't you think they would also be able to subvert 30% of bank accounts which would use the same security? Banks let you use an app to withdraw $100,000. Why not for voting which is far less valuable?

Think about it... anyone can just as easily bring a ton of paper ballots and stuff the box that way. If you are concerned about the vote being illegitimate then have everyone submit an encrypted video of themselves saying the vote along with the vote, and the app recognizes what is said, displays it on the screen and the person clicks OK.

EDIT: To the automatic downvoters - why do you trust your bank’s app to manage a lot of money but not an app for voting?


I trust the bank because it has zero interest in subverting its own security. A government that doesn't want to be removed from power has both motive and ability to do so. Paper ballots allow opposition parties to count votes; an electronic voting system (which would require the production of custom hardware in a government-owned facility to be remotely secure) would require the opposition to check for dopant-level chip defects.


The Soviet Union had paper ballots.


You're being facetious and you know it. It wasn't paper ballots that enabled the communists to hold on to power, it's that they didn't have any opposition, and their elections wouldn't be recognized as fair and valid by any modern standard.


Half-facetious. If a government really wants to hold on to power by force, they can do it one way or another - elections end up being theatre in that case anyways.


Except in the Soviet Union terrorizing all the opposition parties/the majority of voters was a long, costly and brutal process. Online voting makes the whole thing cheap, easy, and undetectable.


And they got caught. Everyone knew the elections were rigged. With electronic vote you can get away with the crime and nobody's wiser.


Vote results are always really close to pre-election poll results. You can't really manipulate the results too much unless you somehow prohibit polling.


In online banking the bank knows who you are. In this case that would be the government, this is not and should not be allowed.

If such a system could be made that it somehow was able to verify that you are actually the individual registered to vote, but also anonymous so no-one could possibly trace what you voted for. Then you need to be able to set up a secure and verified connection (but still anonymous) but unlike your bank account, isn't the target of multi-international efforts to subvert democracy to gain political favour. Deciding what compatible devices and technology should be used and to ensure that all of the voting population has access to it is another challenge.

Another thing required is for there to be a presence of the candidates or representatives on behalf of them that can monitor the voting process and call out any foul play, which would require people with the right expertise to examine the system so they know it properly counts the votes. Which means an open-source system is required, but the exact details of how it verifies voters will also be exposed.

And what happens to the votes, are they not stored at all or stored temporarily? How do you do a recount if they are not stored and if they are, how do you make sure that data is destroyed completely once the result has been declared?

These are all questions that nobody seems to have a practical answer to.


> What about absentee ballots? How do you make sure they were mailed by the right person?

You have to sign the outer envelope, which can be verified (and is not anonymous).

> Think about it... anyone can just as easily bring a ton of paper ballots and stuff the box that way.

There are a lot of controls in place that prevent that. Number one, the ballot box is never attended by just one person. Number two, the count of ballots has to match the number of people whose identities were verified and voted, and that verification is done by different people.

To stuff the ballot box, you'd have to buy off every poll worker in that precinct, get the list of everyone who didn't vote, pretend to vote for them, and make sure your ballot counts lined up. Since each precinct only serves a few hundred people at most, you'd at best get to put maybe 300-500 ballots in the box. You'd have to do that at every precinct.


You can cryptographically sign things with your private key on your device also, which is put there when you register to vote. Either way, someone can theoretically forge your signature.

You don’t have to get a list of those who didn’t vote. You just take the pile of punched ballots or whatever and replace them with your pile.

All the matching of counts etc. can be done electronically too.


> You can cryptographically sign things with your private key on your device

Unless your device is compromised.

> Either way, someone can theoretically forge your signature.

They could forge your signature, but to be effective, they need to forge thousands of signatures.

> You don’t have to get a list of those who didn’t vote. You just take the pile of punched ballots or whatever and replace them with your pile.

No, the ballots all have unique numbers and the list of numbers is stored separately. You'd have to buy off all the poll workers to pull that off, and you'd have to reconstruct all the records to match your fake ballots.

> All the matching of counts etc. can be done electronically too.

Sure it can be, but not securely, and security (and integrity) is the number one goal of a voting system. Convenience and speed are secondary.

Let's put it this way -- the State of California only does paper ballots. No voting machines are allowed in the most populous state. Why? Because they engaged many security consultants and couldn't figure out a way to vote electronically that was safer than paper.

It takes over a month to certify a California election, because every ballot is cross checked with the precinct records, they randomly recount various boxes of ballots, they check that the outcomes are in line with the polling data, and they verify every single signature on every absentee envelope.


And how do they verify every single signature on every absentee envelope?

I think that, once you start there, you will see that you can compromise those just as easily as a bunch of random iPhones.


They pull the physical signature card from when you registered and compare them by hand. Then they have a second person do it in another room.

I think you're too enamored with technology to see that in this case it isn't being luddites about it that is the problem -- it's that very smart people have tried to solve this for a long time and come up with nothing.

It may be time to admit that the hundreds of security professionals with thousands of years of combined experience may just know more than you about election security.


Banks aren’t anonymous.


Also, banks can react to observed attacks quickly, but changes to voting systems has to go through slow political processes (for good reason).


What does that have to do with anything? Can you elaborate so we can see if your argument holds up?


Voting requires anonymity, so you lose a lot of the security because of that.

For a bank, you have a PIN that is tied to your identity. You may also have a second factor that is tied to your identity. The bank can use this to positively identify that you are the one making the transaction, and tie it back to you.

You can also verify the transactions after the fact because it isn't anonymous. You can log into your account and check to make sure what the bank thinks happened actually happened. And if it didn't happen the way you say, you can contest it.

Also, the risk is actually lower because the bank assumes liability. If a false transaction is made you can protest it and if you prove that it wasn't you who made the transaction, you get your money back. With voting, you can't get your vote back.


> there will be few-to-none signs of subversion

One thing the Estonian system does is that you can verify your vote on a mobile device by scanning a qr code that you see when you cast the digital vote. A vote can be checked after i-voting for up to three times during half an hour.

I imagine if any mismatch was detected the country would shut off i-voting immediately.

Further reading: https://www.valimised.ee/en/internet-voting/checking-i-vote


You're not supposed to be able to verify votes after the fact because that would enable buying votes.


You can vote multiple times through online voting. This means that buying votes like this wouldn't be very effective. Online voting also ends a few days before election day at which point a person can go and vote in person. The vote in person counts over the online vote.
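The counting rule stated in this comment and in the earlier one about overriding an online vote on election day (latest i-vote stands, a paper ballot beats any i-vote), plus the limited check window from the linked valimised.ee page (three checks within half an hour), as an added example. This is constructed code, not the Estonian tabulation software; voter ids, timestamps and the `Ballot` record are made up.

```python
"""Resolution of repeated i-votes and paper overrides, and the post-cast
verification window. Constructed example, not the official counting code.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Ballot:
    voter_id: str
    channel: str        # "i-vote" or "paper"
    cast_at: datetime
    choice: str


def resolve(ballots) -> dict:
    """One counted choice per voter: paper wins; otherwise the latest i-vote."""
    counted = {}
    for b in sorted(ballots, key=lambda b: b.cast_at):
        if b.channel not in ("i-vote", "paper"):
            raise ValueError(f"unknown channel {b.channel!r} for {b.voter_id}")
        prev = counted.get(b.voter_id)
        if prev is not None and prev.channel == "paper":
            continue            # a paper ballot is final; nothing later displaces it
        counted[b.voter_id] = b  # a later i-vote replaces an earlier one;
                                 # a paper ballot replaces any i-vote
    return {v: b.choice for v, b in counted.items()}


def tally(ballots) -> dict:
    return dict(Counter(resolve(ballots).values()))


CHECK_WINDOW = timedelta(minutes=30)
CHECK_LIMIT = 3


def may_check(cast_at: datetime, now: datetime, checks_done: int) -> bool:
    """The verification app works three times within 30 minutes of casting."""
    elapsed = now - cast_at
    return timedelta(0) <= elapsed <= CHECK_WINDOW and checks_done < CHECK_LIMIT


def demo():
    t0 = datetime(2019, 3, 1, 9, 0)   # constructed timestamps
    h, d = timedelta(hours=1), timedelta(days=1)
    ballots = [
        Ballot("v1", "i-vote", t0, "A"),
        Ballot("v1", "i-vote", t0 + 2 * h, "B"),  # re-vote: only this one stands
        Ballot("v2", "i-vote", t0, "A"),
        Ballot("v2", "paper", t0 + 2 * d, "C"),   # in-person overrides the i-vote
        Ballot("v3", "paper", t0 + 2 * d, "A"),
        Ballot("v4", "i-vote", t0, "B"),
    ]
    return resolve(ballots), tally(ballots)


def demo_check_window():
    t0 = datetime(2019, 3, 1, 9, 0)
    m = timedelta(minutes=1)
    return (may_check(t0, t0 + 10 * m, 2),   # inside window, third check allowed
            may_check(t0, t0 + 31 * m, 0),   # window closed
            may_check(t0, t0 + 10 * m, 3))   # limit reached
```

The override rule is what the vote-selling discussion further down turns on: a receipt for an early i-vote proves nothing about the ballot that is finally counted, because a later i-vote or a paper ballot replaces it. The check window bounds how long a freshly cast vote can be re-displayed.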


As if democracies aren't buying votes already en masse?! Lobbying is just that, on a scale that actually matters more (directly at policy decision making point).


>few-to-none signs of subversion

You could make it so you can view your vote and check it was registered the way intended. If you voted A and it came out B that would be a sign.


Now you can demonstrate to anyone what you voted. That's how you get people selling votes. In any reasonable election system you need to be able to be sure your vote is being counted without at the same time being able to prove who you voted for. The demands of voting are incredibly unsuited to digital systems and definitely to any online voting. For every layer of extra complexity you add there's either a way to subvert it to break another of the essential guarantees of voting or to use it to DoS your election.


Say I sell my vote. The person picks a party I don't agree with. I will simply vote for them anyway in the preliminaries, screengrab my proof, and send it to my customer.

I can do this multiple times. Each time I void my previous ballot, betraying my previous customer.

Then comes election day, then I show up in person and cast a physical ballot for the party that I favor. As a buyer, my customers have no way of knowing I didn’t void the preliminary ballot by showing up on election day.

Note that defrauding vote buyers this way is also possible in most election systems that have non-digital preliminaries.


I can't see a way of that working without breaking down somehow:

- If every time you vote you get a receipt for that vote that can be checked if it's still valid then you can send that receipt to the buyer and he can then check that your vote is still according to his purchase
- If you can only check that the receipt was registered but not if it's still valid you can't check that your vote was correctly counted because you don't know if the vote has been changed after in multiple possible ways
- If you can check that the vote actually is for candidate A at any time you can sell that access to the buyer for him to confirm
- If the only way to avoid all this is to also cast an actually secret vote on election day the buyer now just needs to make sure you don't go to the polling place. Posting spotters at the door is not too hard.

I don't see a way for you to actually be able to confirm your vote was counted and not having at the same time the ability to sell your vote in a verifiable way. Perfect verification isn't needed either. If you're selling your vote to the mob you'll have second thoughts about failing to deliver. If you make the process easier "honest" sellers will create the market.

> Note that frauding vote buyers this way is also possible in most election systems that have non-digital preliminaries.

Most I know are actually harder because you only get the single mail-in ballot so you can't do the double or triple voting. If you can show up on the day and invalidate your mail-in then part of same can be done. Depending on how the invalidation of the mail-in is done it can be even sketchier. But I don't consider mail-in and absentee paper votes to have enough security guarantees either way. Paper ballots, in a box, counted by adversaries is the gold standard. Everything else has a high burden of proof.


Screencaps are trivial to counterfeit. Every computer has a screen cap editor.

Someone with a paper ballot can photograph their ballot with a phone or spycam, to prove their vote to a buyer.


Iceland doesn't have e-voting, but they do have absentee voting. You can vote as often as you want during the absentee ballot period, and your most recent will count (or none if you also show up on election day). If you need to physically be present to make sure your agent doesn't show up on election day, buying enough votes to sway any election is going to be hard. I suppose if you are a part of a larger organization, you can post several spotters around every voting station. But that will increase the chance of them being spotted and spoofed by the police.


> I suppose if you are a part of a larger organization, you can post several spotters around every voting station. But that will increase the chance of them being spotted and spoofed by the police.

It's easy enough to deploy spotters without being found out. Just deploy spotters as exit pollers, they're already part of any modern election :)


Exit polls are not done everywhere, and in some countries they are even illegal. Just make soliciting around poll stations illegal and the problem is solved.


Eliminating exit polls seems like a really bad idea. They're one of the only ways to validate an election system that doesn't depend on the system itself. When you have wild discrepancies, particularly in some precincts, you know to investigate. And it seems you'd want that particularly when you've implemented a complex electronic voting system.

And thinking about it some more the Estonian system seems perfect for vote selling. You just provide your ID card and PIN on the last day of early voting and get it back the day after the election. The buyer can vote in your name and hold your ID card to make sure you can't vote in the booth.


You might be right about the exit polls. Perhaps this can only be applied in countries that have strong independent monitors (which Estonia should have, being an EU member). Regarding vote selling, I don't know how it is in Estonia, but in Iceland voter ID is pretty lax. You can provide an ID in the form of a passport, driver's license, bank-issued debit card, etc. As a buyer I have no way of knowing if I'm withholding all possible IDs from my agent since they might have several debit cards from several banks, more than one passport (through dual citizenship), etc.


It should be noted that ID+PIN is not just for the elections: it covers all of the e-services from online health records to online banking, also including digitally signing documents in your name. So I would assume that people wouldn't trust their ID+PIN to strangers.


This is exactly how the Estonian voting system works.


> Now you can demonstrate to anyone what you voted.

Not necessarily. It is possible to have verifiability and receipt freeness:

https://en.wikipedia.org/wiki/End-to-end_auditable_voting_sy...

> The demands of voting are incredibly unsuited to digital systems and definitely to any online voting.

Clearly you need to do more research before making such sweeping claims.


> Not necessarily. It is possible to have verifiability and receipt freeness

I know these methods, but they were not used in OPs suggestion. They fix this issue and introduce others.

> Clearly you need to do more research before making such sweeping claims.

On the contrary, I'm willing to double down on my claim. I'm willing to provide either a breach or a denial of service for any digital or online voting system you care to describe.

Electronic/Online voting is like catnip for programmers. We can consistently overcomplicate things and create these horribly complex constructs because we're sure there must be a solution. After all software is eating the world. Voting is however one of the few situations where the lack of sophistication of pen and paper works in your favor significantly.


> I know these methods, but they were not used in OPs suggestion.

You knew it but didn’t mention it as an obvious neutralizer of your objection, in the context of a discussion about possibility (“you could”)? I doubt that.

> I'm willing to provide either a breach or a denial of service for any digital or online voting system you care to describe.

There are many systems in the literature. What are your credentials in this field? Are you a cryptanalyst?

> Voting is however one of the few situations where the lack of sophistication of pen and paper works in your favor significantly.

This is as myopic as saying “E-commerce and e-banking are some of the few situations where the lack of sophistication of pen and paper works in your favor significantly. The demands of e-commerce and e-banking are incredibly unsuited to digital systems and definitely to any online systems.”


> You knew it but didn’t mention it as an obvious neutralizer of your objection, in the context of a discussion about possibility (“you could”)? I doubt that.

This is baseless and useless. I've discussed this online in several situations, including on hacker news. If you really want to check this feel free to see my comment history here and on reddit.

> There are many systems in the literature. What are your credentials in this field? Are you a cryptanalyst?

There are plenty of systems in the literature, even ones I am happy to stipulate right now are 100% cryptographically sound for the purpose of the discussion. The kinds of attacks you'd use against them are not to break the crypto. They're to break the usage of the system by common citizens and eliminate all trust from the election. Once you do that you no longer have a functioning democracy.

> This is as myopic as saying “E-commerce and e-banking are some of the few situations where the lack of sophistication of pen and paper works in your favor significantly. The demands of e-commerce and e-banking are incredibly unsuited to digital systems and definitely to any online systems.”

eCommerce and eBanking have very different needs, so the query/replace doesn't work. In banking you both accept that some people in the banks have access to your data and that transactions can be reverted. None of that applies to voting where the process has to at the same time avoid leaking who you're voting for, provide accurate counts, and be trusted by the average citizen. Those properties are simply not possible without a traditional paper count done by adversaries.


> This is baseless and useless. I've discussed this online in several situations, including on hacker news. If you really want to check this feel free to see my comment history here and on reddit.

Feel free to point out where you previously discussed receipt freeness. And if you did, then why didn't you mention it in your comment, which gives the false impression that any verifiable voting system cannot be receipt free?

> The kinds of attacks you'd use against them are not to break the crypto. They're to break the usage of the system by common citizens and eliminate all trust from the election.

You're going to have to be more specific about what you mean.

> the process has to at the same time avoid leaking who you're voting for

This is called receipt freeness, which we just discussed.

> provide accurate counts

This is called universal verifiability, which is also perfectly attainable by e-voting systems.

> be trusted by the average citizen

You've provided no reason to think that citizens will never trust e-voting systems. The very article of this thread provides a counterexample, and it's not even the most secure.

> Those properties are simply not possible

This is just flat-out wrong. It is perfectly possible to have all of the above properties simultaneously.


> Feel free to point out where you previously discussed receipt freeness.

I'm not going to go around spelunking on my old comments to prove to you that your attacks on me are unfounded. Do your own homework if you care about this for some reason but this is getting extremely aggressive for no reason.

> And if you did, then why didn't you mention it in your comment, which gives the false impression that any verifiable voting system cannot be receipt free?

The point of my comment was to explain that what appears to be a common solution to a problem that we'd use in any kind of electronic system breaks down other stuff in electronic voting. I wasn't about to go 10 rounds of "but you could do X and then be broken by Y". My point isn't that there aren't clever ways to engineer digital systems for electronic voting; it's that however you do that you end up with something that can be attacked in horrible ways. See below for an example.

> You're going to have to be more specific about what you mean.

Since you haven't provided a voting system for me to attack I'll try with what I consider to be a very good one:

- You vote by pressing a button or touchscreen at your polling place

- A paper ballot is printed with your vote that you verify and drop into a traditional ballot box to be counted as usual

- A receipt is printed with some code that you can later use to check that your vote was counted in a cryptographically secure way

- Paper ballots are tallied locally as usual, electronic results are sent encrypted to a central server that can be later used for vote count verifications

- The electronic count and the paper count are done in parallel and both published. You expect small differences in the count (mostly from human error in the paper count) but as long as the results match up to a low difference you trust your election.

- There are no flaws in any of the crypto and all the polling officials are honest (this last part is something the paper system does not depend on)

So this seems strictly better than a paper election, right? You get the electronic count just as the polls close, the safety that you can later check that your vote was counted electronically, and the double-check of the paper count to fall back on. So here's how I attack it if I'm just a skilled hacker working alone:

- Work as a tech at one of the polling places and intentionally miscalibrate touchscreens. People will register wrong results and get some stories out that strange things happened in some polling places.

- Pick polling places where a minority is heavily represented and break those machines in particular. At worst some extra coverage, at "best" the election gets skewed because those polling places start having long lines and people walk away.

- Spread some malicious code to the general population through any of the normal means (Android apps, unpatched vulnerabilities, etc). I just need to get a small number of common citizens. Have that code intercept the place where you check if your vote was counted and tell you it was not. Hopefully you'll recheck in a clean machine and be satisfied. If possible target politicians and the actual losing candidates in the election so that they are particularly worried that the election was stolen from them.

- Finally hack into the central server where you do the checks to see if your vote was counted and make checks fail randomly.

At the end of this you have seeded pretty deep distrust over the election. Depending on how skilled the hacking is it may be enough to break down the trust in your democracy. I'm not willing to take that risk. But now if you're a very well funded hacker group or a state actor you can do more:

- Hack the network providers and selectively DoS the verification server for minorities or parts of the country that voted against the winner.

- Infiltrate the supply chain of a few of the thousands of suppliers of the voting machines and plant hardware level bugs that are time coded or just cause random errors (e.g., the touchscreen bugs)

- Hack the networks used to communicate votes from polling places and DoS those so that the count is delayed

- If you can hack the power grid have power cuts in polling places. If you were voting on paper it wouldn't matter but now you can't vote

- Do all those again in targeted polling places looking for minorities and/or populations that are very skewed from the national average to entice maximum distrust

- After enough doubt is created manipulate social networks based on those cases to nudge the population into thinking the election is rigged. It only takes a small percentage of the population believing that before you have a crisis on your hands (think yellow vests in Paris).

At the end there's a very high chance your election is now fully distrusted and the country is in chaos. Even if it doesn't work 100% of the time it only takes one or two successful events globally for people to distrust these systems, whichever they are.

The scary thing about what I just described is that plenty of it is indistinguishable from what is already happening in some cases in US elections today. I'm willing to hope that the US case is just pure incompetence, but the attack surface is very large and we've seen that foreign state actors are extremely motivated to meddle with elections. I expect more examples of this in the future, particularly since the actual systems deployed are incredibly poor compared to this one.

> This is called receipt freeness, which we just discussed.

> This is called universal verifiability, which is also perfectly attainable by e-voting systems.

Yep both of these are possible as long as the crypto is sound. No current electronic voting system actually clears that bar, most have no crypto at all. But there's no reason you couldn't do it at enormous extra cost if you had enough extremely competent people dedicated to the problem. I still haven't seen a good argument why you'd want to though. Which is the second part of this problem. If there are no advantages why do it? Proper paper counts are cheap, well tested and get results 2 or 3 hours after the polls close. The US is notorious for not being able to do that but it's routinely done across the world with no issues.

> You've provided no reason whatsoever to believe that citizens will never trust e-voting systems, and there is strong evidence against this from the fact that they are perfectly willing to engage in e-commerce and e-banking.

See the above attack scenarios for why I definitely think citizens should never trust any electronic voting system. The difference for eCommerce and eBanking is that under any of those attack scenarios you just go to the bank branch and sort things out, including reverting transactions. You can't do that with your vote. Once the verification system fails the whole election fails and the faith in your democracy plummets. None of those attacks are specific to this system either. They're just relying on the flexibility of computers versus the extreme lack of features of pen and paper.

> This is just flat-out wrong and reflects your ignorance of the subject. It is perfectly possible to have all of the above properties simultaneously.

At this point it's on you. Feel free to improve on the above system to try to get the three properties. It's extremely unlikely you'll be able to just from the nature of computers and computer networks. We put up with all their extra complexity for all the extra value they bring. I couldn't be having this discussion with a person I don't know that is most likely halfway across the world without the internet. But all that complexity plays against you when you're trying to secure a vote. You don't need to change the vote to destroy an election. You just have to seed enough distrust that the process is no longer accepted.

The most important characteristic of the voting process is that you are able to convince those who lost that they've really lost and what computers/networks have in abundance is failure modes and corner cases. Couple that with the lack of knowledge of the general population (and certainly of most politicians) about technology and it's very easy to attack an election by just engineering doubt over the whole system even if all the failures that you induce were designed for.


> The scary thing about what I just described is that plenty of it is indistinguishable from what is already happening in some cases in US elections today. I'm willing to hope that the US case is just pure incompetence, but the attack surface is very large and we've seen that foreign state actors are extremely motivated to meddle with elections.

Whether it's incompetence or foreign attack, the damage done will be the same in both cases, so it's a terrible system to use either way.


> I'm not going to go around spelunking on my old comments to prove to you that your attacks on me are unfounded. Do your own homework if you care about this for some reason but this is getting extremely aggressive for no reason.

You're asking me to prove a negative. I merely said I doubted you knew about receipt freeness because you didn't even mention it as an obvious counterpoint to your claim, which is a reasonable conclusion. If you consider that an “extremely aggressive attack”, fine. It is easy for you to prove me wrong, you just have to point out the comment in question.

In the meantime, I'll continue to assume you either had no idea what receipt freeness was, or deliberately created the false impression that a verifiable voting system cannot be receipt free.

> I wasn't about to go 10 rounds of "but you could do X and then be broken by Y".

You've failed to show that receipt freeness introduces something else that fundamentally "breaks" which wasn't in the original system, despite repeatedly claiming this is so (see also "They fix this issue and introduce others", a claim made with absolutely zero evidence).

> So here's how I attack it if I'm just a skilled hacker working alone:

So you just assume you can achieve all of this for any e-voting system. Fantastic argument. Really convincing. You may as well have said "Here's how I would attack and infiltrate banking networks or current voting systems surreptitiously. See, we can never trust either of these!" That's just laughable.

> At the end there's a very high chance your election is now fully distrusted and the country is in chaos. Even if it doesn't work 100% of the time it only takes one or two successful events globally for people to distrust these systems, whichever they are.

Clearly wrong as evinced by Estonia's voting system, even in the face of its demonstrated security flaws.

> The scary thing about what I just described is that plenty of it is indistinguishable from what is already happening in some cases in US elections today.

...and it hasn't led to the collapse of the voting system.

> If there are no advantages why do it?

Are you asking what the advantages of e-voting are?

> The difference for eCommerce and eBanking is that under any of those attack scenarios you just go to the bank branch and sort things out, including reverting transactions.

You're assuming banks are always aware of attacks, which is just not true.

> At this point it's on you.

It's not "on me". It's been mathematically proven that a system can possess these properties simultaneously. For example, see

https://link.springer.com/chapter/10.1007/978-3-540-24691-6_...

https://link.springer.com/chapter/10.1007/11818175_22


This seems pointless but I'll clarify the main thing in case you really haven't understood my point.

> You've failed to show that receipt freeness introduces something else that fundamentally "breaks" which wasn't in the original system, despite repeatedly claiming this is so (see also "They fix this issue and introduce others", a claim made with absolutely zero evidence).

The issues that are introduced are exactly all that attack surface that I described how to exploit. You keep insisting that the math checks out but that's not in dispute. The mathematical properties of a well designed electronic system are fine. It's the actual engineering realities of such a system that makes it massively easier to exploit. All those examples I gave and many more are now failure modes you have and didn't before.

> Are you asking what the advantages of e-voting are?

Yes. I live in a country that has heavily invested in e-government but runs very efficient paper elections. I go in on a Sunday at my convenience and get the results for the whole country 2 or 3 hours after the polls close, extremely accurate predictions maybe an hour after. I know of no advantage electronic voting would bring that would be worth the extra cost, let alone the risk and complexity. It's a (very poor) solution looking for a problem.


> That's how you get people selling votes.

It's also important to realize that the mere suspicion of other people selling their votes is enough to undermine confidence in the system.

And confidence in the system is pretty much the only thing you have to optimize for.


You can avoid that, by having your vote correspond to multiple potential entries.

But that is still pointless because the person you sold your vote to can be physically next to you, or you can film yourself voting.

Online voting is unsafe, and should only be used if any other option is unfeasible.


You can film yourself voting now. Vote buying is not a serious problem, and can be readily solved by stiff jail time for attempting it, and large monetary rewards for reporting on people doing it.

If you get 10 years in prison for trying to buy votes, and the government offers a standing reward of say, $100,000 for evidence that leads to a conviction, all of a sudden you have to pay substantially more than $100k/vote, which means that it's completely impractical to engage in.


> Vote buying is not a serious problem

It's not a problem because there is too much "friction". Vote buying is already not impossible but way too hard to establish itself. When it becomes gradually easier it still won't be a problem, because it is still not yet established. So you allow even more changes that make it easier, because it's not a problem yet. Call it a slippery slope argument all you like, but there is a crazy amount of inertia in the absence of vote buying that is protecting democracy now, but that will turn against us once it is overcome. When barriers are lowered so far that the inertia is overcome, the same inertia will make it incredibly hard to get rid of vote buying again. Keeping honest people honest is orders of magnitude easier than making them if they are not. I would not want to risk it without a promise of truly significant gains and I just don't see those with e-voting.

But vote buying is not even the problem I would focus on. Much more pressing is the form of soft coercion that is enabled by allowing voting in what I would call "unchecked privacy": imagine you are part of a group where everybody assumes that all would vote the same. There is a documented tendency (proudly showing off your ballot on Twitter) to scrap vote secrecy in favor of virtue signaling for "the cause", whatever cause that might be. As soon as there is a group with supposedly aligned opinions, the true believers will tend to erode secrecy and establish an expectation that the others follow. Maybe your spouse won't beat you, maybe your friends won't shun you for insisting on voting in secret, but the easy path is to just go with the flow and play along. "What difference does a single vote make?" Optional secrecy is a serious weakness to the democratic process.


All of those things are possible now, yet they don't happen. I see no reason to think electronic voting would make it more likely. And in fact, we have a test case: Estonia. Is there any evidence of any of this happening there?


By definition, electronic voting is easier to game. Simple example: you just asked for evidence on a procedure that didn't have a physical paper trail.


I asked for evidence of a specific phenomenon. The specific phenomenon I requested evidence of would be no easier to have evidence for in the electronic or paper case.


It takes much less energy and time to modify something electronically. Once physical items are required to be collected, edited or destroyed then evidence becomes significantly more durable.


You don’t even need that. In many systems, you can vote multiple times, and only your most recent vote counts. As a buyer you have no way of knowing if your agent didn’t vote after they photographed themselves voting for the party you picked.


That's definitely a good improvement over a single final commit, but there has to be some cut-off time and it would be perfectly possible to control the voter's ability to make last moment corrections. Buy/coerce the vote close to the deadline, then keep them occupied until it's over.

A countermeasure might be an undisclosed deadline lottery: a guaranteed voting window until some time t, then allow corrections until an individually randomized cutoff moment t+x, with a sufficiently big range for x (up to two days, perhaps?). Don't provide feedback whether a correction went through or not to make it even more opaque to a possible buyer.


> but there has to be some cut-off time and it would be perfectly possible to control the voter's ability to make last moment corrections

There is. In the Estonian election it is something like the day before election day. But even if there wasn’t, if you need to spend the time and effort to coerce your agent for anything longer than a few hours, buying enough votes to sway any election is going to be unfeasible.


That means my real vote might not get counted, thanks to the random deadline.


But that only happens when for some contrived, malicious reason you felt pressure to cast a vote that did not reflect your real opinion. The random deadline extension weakens that attack.

People free from interference would simply make their first vote their real one, cast safely before the earliest possible deadline.


That's an excellent point, I hadn't thought of that.


We have evidence of widespread irregularities in casting votes via mail for people abroad in Italian elections (there are a ton of Italian citizens abroad, due to ius sanguinis rules).

That entails basically going to people, buying a voting slip and casting it on their behalf. Or better, buying packs of slips from officials. For e-voting it would be the same.

Sure, you can increase jail time and reward revealing it, but that is not a panacea, as the existence of _any criminal activity_ proves.


Those kinds of penalties and worse don't stop organized crime, for instance.

Politicians also tend to do all sorts of crazy, risky and/or illegal things to get elected or for personal profit. Nixon and Trump spring readily to mind.

If the reward is large enough, someone will risk it. Sometimes the reward doesn't even have to be large at all -- witness rich celebrities shoplifting, for instance.

People can also be compromised and blackmailed into committing crimes, or otherwise feel desperate and at the end of their ropes, so they'll try anything.

That's not to say that such laws shouldn't be made, but I am skeptical that they'll be enough.


None of that makes any kind of sense. You can't risk it when the equilibrium is that bad for you. Remember, to make any appreciable dent in an election outcome, you need to convince thousands of people to vote for you, and not turn you in, despite the 100k reward. There is zero chance of that ever succeeding.


If there is a $100k incentive for framing someone for vote buying, people will do it.


That's what we have investigative agencies for. We already offer these kinds of monetary incentives to criminals all the time. We also offer them for reporting tax evasion. Seems to work fine there.


Unfeasible? Simple, just call it unfeasible. It's an undefined word, perfect for manipulation.

There are no circumstances where online political voting should be used. Ever.


Can't you hash a signature of some manner to your vote in a manner only the individual can know how they voted? After all this is exactly how login/passwords work.


Then you can extract that information from the voter in the same way you can extract a password; with a blunt object and enough force.


You could select voters at random, say one in a hundred gets an email saying would you like to check your vote?


They can already check their online vote, but some restrictions apply: https://www.valimised.ee/en/internet-voting/checking-i-vote

Keep in mind that you need to check the vote on a different device than what you voted on.


They've done this, you can download a phone app for iOS or Android, where you can scan a QR code you see when you vote to verify your vote. A vote can be checked after i-voting for up to three times during half an hour.

Further reading: https://www.valimised.ee/en/internet-voting/checking-i-vote


"You could make it so you can view your vote and check it was registered the way intended."

Then you have to trust the system to tell you the truth.

These systems can be hacked or just designed to give you false results in the first place.


It seems simple for theoretical malware to show you the vote you believe you cast, so you'd have to log in and check your vote on a second device?


This is actually what is done, you can download a phone app for iOS or Android, where you can scan a QR code you see when you vote to verify your vote. A vote can be checked after i-voting for up to three times during half an hour.

Further reading: https://www.valimised.ee/en/internet-voting/checking-i-vote


This makes voter intimidation much easier though. Nobody without a court order can check how I've voted, and can't ask me to show how I've voted.


Then vote for the party your intimidator picked, show them you voted for them when asked. Then simply vote again for the party you want (during election day if you are afraid they will show up unexpectedly again before election day), voiding your intimidated vote. Your intimidator will never know who you voted for during election day (unless they spied on you, but you also have that problem for non-digital votes)


What in this is stopping the intimidator checking with you after the vote closes?


Then lie to your intimidator and tell them you didn’t vote in the physical election, only in the absentee.


It should be impossible even with a court order, and I think most voting systems are set up like that. How else do you guard against the party in power, that can get all the court orders it wants?


It's entirely possible in the UK; while "court order" is probably the wrong terminology, the core meaning is still there. Ballots are numbered and the number recorded against your name. You would need access to both to work out who voted for whom.

I don't know of any reason why it could be accessed, though since parliament is sovereign "if a judge agrees" is always a safe disclaimer to add since the underlying law can be set.


> Ballots are numbered and the number recorded against your name.

It's hard for me to express what a terrible idea this is. Pray you never get a government that would exploit this.


Yes, that downgrades the election from secret vote to concealed open vote.



This is one of the reasons why the Netherlands has banned voting machines completely. We're back to paper and pencil because it's easy to verify that all votes have been counted.


Why are you searching attackers outside? I don't know how it works in other countries, but in Russia the elections are always "hacked" by the government. You don't need any special resources or a backdoor, you just need a loyal sysadmin.


That is worrying. How do you know that the voter could vote freely and didn't sell their vote? Corruption around vote-selling is a concern in certain ethnic enclaves in Britain, and there were even elections annulled over that. The foremost concern shouldn't be convenience, it should be that the vote is safe and secret.


>That is worrying. How do you know that the voter could vote freely and didn't sell their vote?

Historically, vote buying in the UK and the US used to be rife until it was cracked down upon (which came after it was made illegal). Once that happened it completely disappeared.

For voters to sell their votes, somebody needs to advertise that they are willing to buy their votes. That advertisement makes them easy to detect, track down and prosecute.

Vote buying doesn't worry me in this system but hacks certainly do. It gives the impression of being a very insecure system.


When did they stomp out vote-buying in the UK? There is a steady stream of substantiated irregularities around postal ballots (like this: http://news.bbc.co.uk/2/hi/uk_news/england/west_midlands/440..., this: http://news.bbc.co.uk/2/hi/uk_news/politics/election_2010/86..., and this: https://www.bbc.com/news/uk-england-lancashire-19397157).

Postal voting should be restricted to the certifiably homebound, if it's open to everyone the opportunity for abuse will be taken.


I think 19th century? Not too sure of the exact dates. I do know that it persisted for a while after it was made illegal and then disappeared completely once it actually started being prosecuted.

Vote buying could still re-emerge but it can only flourish in an environment where you can do it openly with impunity - i.e. it's legalized or the cops for some reason think they can't touch you.

Your first link doesn't appear to be about vote buying (looks like low level postal fraud which is something else), the second is only about allegations (and again, postal fraud) and the third link looks like a 404 to me. I would be surprised if anybody's seriously attempted vote buying in the UK in the last 70 years.


It also became much less cost effective after the franchise was extended - when UK Constituencies had a small number of voters it was more practicable - see the Blackadder episode "Dish and Dishonesty"


yeah but part of cracking down on vote buying has to do with making it difficult to track if you actually did vote for who you said you would, with online voting it becomes totally possible to track you did the vote, give it to the guy who has promised to pay you, forgive your debts, the debts of your son, not beat you up, allow you to keep your job etc. etc.


>yeah but part of cracking down on vote buying has to do with making it difficult to track if you actually did vote for who you said you would

That isn't necessary to prevent vote buying. Vote buying is easy to detect because advertising in secret is impossible. All that's required is the political will to look for people wanting to buy votes and come down hard on them when they're detected.

Moreover, if you do do away with the ability to track then you open up the electoral system to other forms of abuse that can't be trivially eliminated with police and stiff sentences.

>it becomes totally possible to track you did the vote, give it to the guy who has promised to pay you, forgive your debts, the debts of your son, not beat you up

If I were to define "secretive electoral fraud that could never possibly scale" I would define it as "I promise not to beat you up if you vote for me".


how far did Tammany Hall have to scale?

How big is Estonia?

Do you think every election ever held that can be worth money and power is the size of the U.S National Election?

As far as the political will to come down on people for vote buying or intimidation etc. I'm sure that making things illegal when there is a profit to be made at doing it has always succeeded in driving that illegal thing out of existence without any untoward effect on society whatsoever.

I mean definitely making it not worthwhile to buy votes because you will not be able to tell if you got what you paid for seems a more foolproof strategy than make it possible for people to determine what they paid for but threaten to throw them in prison if they do.

on edit: corrected second use of word money to power.


>How big is Estonia?

Are you saying that it's small enough that you can sway the election by threatening to beat up every voter?

That's a brave claim.

>As far as the political will to come down on people for vote buying or intimidation etc. I'm sure that making things illegal when there is a profit to be made at doing it has always succeeded in driving that illegal thing out of existence without any untoward effect on society whatsoever.

there is ZERO profit to be made in vote buying if you are thrown in prison after purchasing your 9th vote. You'd have to be enormously stupid to even try.

that's why vote buying doesn't exist. that's why it's not like drugs. It's not because you "can't tell people" who you voted for. It's because it's trivial to detect, easy to crack down on and there's nothing to be gained by risking it. The only time when there was something to be gained by doing it, it was because it was COMPLETELY LEGAL.

Let me repeat that: the only time in history it was ever a problem, it was because it was LEGAL.

I want proof that my vote counted because that helps protect against the kind of threats which DON'T disappear just because they're made illegal. I don't need people like you telling me that I'm not responsible enough to get proof because I might sell it.


>Are you saying that it's small enough that you can sway the election by threatening to beat up every voter?

>That's a brave claim.

No, generally the way it works is letting the word get out that if people vote for X you will come kick their ass later. For example, if we go beat up vocal supporters of X before the election and shout "we're going to kill you if you vote for X, we know who votes for who because our hackers can see it online, fools", then people might be, oh I don't want anyone coming by my house and kicking my ass after X wins. So I will either not vote, or I will vote for Y so I don't get my ass kicked or even killed, sob.

If we think you voted for X and we come by your house you better be able to convince us you voted for Y! That actually scales pretty good because you only have to publicly hurt a few people before the election, and then hurt a few people after the election if X actually loses so the next election people will be well I better vote for Y and prove I did it. And people now have to actually vote for Y and show they did.

For example, take the following paper into consideration https://www.aisre.it/images/old_papers/MafiaViolence_Oli&Sbe... and then think, huh what would it be like if they could tell who voted for whom?

I mean the thing you're saying about the only time people ever bought votes was when it was completely legal, maybe that was true - was it also possible to prove who you voted for? I mean I don't know what you are actually referencing with your completely legal vote buying line, but the implication that people would not buy votes to get power if it were illegal to do so seems incredibly silly given all the other illegal things people do to get power.


> with online voting it becomes totally possible to track you did the vote

Not necessarily. See https://news.ycombinator.com/item?id=19355603


Ok, it is true that with sufficient technical prowess one could fake that they did the vote, but as a general rule, holding your iPhone up in front of the monitor and making a video of yourself doing the vote would be a good enough solution for most criminals.


Prohibition of vote buying does not prevent Bulgarian train style attacks.


The article answers that. You can cast your vote as often as you want; only the last vote cast counts. So someone could coerce you to vote A (often a spouse), but afterwards you just go and vote again for B.

Of course that requires having the opportunity to vote again, so the solution won't deter anyone determined enough.

With paper ballots that problem exists too when you can authorize another citizen to vote on your behalf (this tends to be limited to one or two extra votes per person).


> You can cast your vote as often as you want; only the last vote cast counts. So someone could coerce you to vote A (often a spouse), but afterwards you just go and vote again for B.

How does this help you? If someone can coerce you once, they can coerce you again (and coerce you into showing when you voted last). Your assumption seems to be that the person forcing one does not understand the system.


Not my understanding; just how the system is explained there. I would guess that after casting the vote you can only see that you voted, not when. The only way to ensure someone votes the way you want them to is to wait until the very last moment (or just take away their identifiers).

Again, this is no different from using another citizen's mandate to vote for them, and it doesn't scale.

Of course there are plenty of other problems with e-voting that remain unaddressed.


How exactly do you propose vote buying would work? Somebody has to advertise it, somehow validate results, and then engage in widescale monetary transactions in a method that would appeal to a significant number of voters. All while also somehow avoiding all legal issues in the process. And this all needs to somehow be more effective than the typical pattern of just dumping millions/billions into half truths, mudslinging, and the other noble arts of modern politicking.

By contrast, I do think high level integrity of a vote is something we should be constantly vigilant towards. Was your vote counted? Was it for whom you wanted it to be? Integrity and validation are areas where e-voting could pull far ahead of traditional paper voting. As a nice thing you'd also have instantaneous and 100% accurate results instead of this silly 'Let's have the supreme court decide who won.' type affair.


Are you implying that vote buying and voter coercion are theoretical threats? They are real and very common problems even in old fashioned paper ballot elections.


You don't. Which is why this should definitely not be used for important votes like these. It may work fine at first but the attack surface on your election (and thus on your democracy) has just increased massively.


How do you avoid it with paper ballots? When your union boss tells you, "send me a picture of your ballot and ID from the booth, if I don't see a mark next to the Foo party, you'll have a problem", you either can spoil your ballot or vote for the Foo party.


There's no way to prove that the photographed ballot is the one cast. The voter could have thrown that one away and cast another.

To further inculcate the importance of the matter, taking pictures is usually prohibited inside the polling station.


In Denmark at least you can get a new ballot by returning the unused one.


How do you know they don't change your physical ballots?


Because the count is done by representatives of each party together and each of them won't let the others steal for their side.

The characteristics of paper elections are well understood and can be shown to be sound very easily to any common citizen. The massive attack surface of electronic elections is poorly understood even by technical people. It's a massive amount of complexity and expense for exactly zero gain.


In the UK system each party has monitors who observe the count and also get involved in any disputes.


You can inspect and watch the ballots.


What is stopping The Public from watching electronic ballots just as equally as paper ballots?

If I wanted to see paper ballots, how is that different from wanting to see electronic ballots? I'm not confident that I could successfully petition Government for paper ballots just as much as I could sue a given contractor for same electronic records.


When someone writes something on a piece of paper, puts that piece of paper in a box, and later I see someone reopen that piece of paper, then I can be reasonably confident I see whatever the original person wrote on the piece of paper.

I have no such confidence in electronic messages. Unless they're plaintext.


If I want, I can go down to my polling place before it opens, inspect all the boxes to be empty, watch as people put their ballots in, then watch as the boxes are emptied and the ballots counted. If I'm not allowed to do all this, I can't trust the vote unless I trust the people that administered it.

Electronic voting always requires trust in the administrators.


> watch as people put their ballots in

This is not allowed in many jurisdictions. You can watch the before and after part easily, though.


Usually online voting supporters say that it would increase voter turnout. It seems that it hasn't happened in Estonia: 64.2% in 2015 and 63.7% in 2019 [1][2].

Also, I am a bit worried that online voting might give young tech-savvy people an advantage over old and poor people who don't have access to computers or mobile phones. Have there been studies about demographics in these elections?

[1] https://en.wikipedia.org/wiki/2015_Estonian_parliamentary_el...

[2] https://en.wikipedia.org/wiki/2019_Estonian_parliamentary_el...


Online voting statistics are available here: https://www.valimised.ee/en/archive/statistics-about-interne...

The same smart card is used for every online service in Estonia. 96% of taxes are done online.

So online voting is not something new for older people. It is just like every other online service.


Currently older people vote in much larger numbers than younger people, so I don't see how that's a major concern. Clearly the current setup advantages the elderly in practice.


Essentially, Estonia gives 44% influence of their country to a system that cannot be verified to have almost any relation to what people actually have voted for. The people will just look at the results and have to think "well, I hope we weren't hacked this time" and move on.

Rest in peace, democracy in Estonia.


>The people will just look at the results and have to think "well, I hope we weren't hacked this time" and move on.

Well, no. The main proponents of e-voting figured a long time ago that it's easier to eliminate those concerns using propaganda. For example, if you are against e-voting the media will brand you as a backwards russkie who hates Estonia.


I'm not a supporter of i-voting, but it is true that most of the "concerns" given are pure FUD/bullshit. Studies that consider guest WiFi password being vital information, studies that collate e-voting and i-voting and a lot of other shit I can't recall at the moment.

But the very basic problems are not talked about, namely:

* Votes should be counted by independent parties while preserving anonymity

* Certificate issuance should be actually monitored by CT logs; every vote that is not in a CT log is dismissed and logged

* Voting code should be actually readable and audited (only opsec has been audited so far)

There are a few other problems but I've forgotten them for the time being. These are the problems we should be talking about, not some bogus like, "Omg how can ten grannies vote quickly online".


That's not true. Estonian Conservative National Party is against e-voting also and nobody is calling them "russkies".

That's some nice Russian propaganda you have there. With some pretty serious factual mistakes. It claims that non-citizens can't vote in local government elections, but this is false. Citizenship isn't a requirement to vote in local elections.

> former USSR citizens who lived in Latvia and Estonia and were deprived of the right to receive its citizenship after the collapse of the USSR

What right? Merely living in Estonia doesn't give you any right to citizenship. What's more, it's not that difficult to get citizenship. The main obstacle is learning the local language, as that's part of the test to gain citizenship. All these non-citizens refuse to do so. They take pride in being Russian and speaking Russian. They are openly talking about how great Russia is and how they are waiting for Russia to unite them with the motherland.

Estonia gained independence in 1918. Just because the USSR occupied us [1] and transported a bunch of people here doesn't give them any rights to citizenship. The Russian population in Estonia grew from about 23,000 people in 1945 to 475,000 in 1991. [2] Now making up a whopping 30% of the whole population! This is due to systematic transportation of people as part of Russification [3], where the Russians attempt to eradicate native cultures.

After the collapse of USSR it was possible for them to go back to Russia and/or get a Russian citizenship. Some did that, but all of these non-citizens still left are people who decided that life with fewer rights than citizens in Estonia is better than becoming a Russian citizen and living in Russia.

--

[1] https://en.wikipedia.org/wiki/Occupation_of_the_Baltic_state...

[2] https://en.wikipedia.org/wiki/Russians_in_Estonia

[3] https://en.wikipedia.org/wiki/Russification


While the situation in ex-USSR republics is complicated, it is not a good idea to force someone to learn and use some other language.


Certainly and nobody is being forced to learn languages in Estonia, as being an Estonian citizen isn't a requirement to live in Estonia. What's more, citizenships often come with language requirements when we're talking naturalization. Indeed you need to speak Russian to get a Russian citizenship via naturalization. [1]

--

[1] https://en.wikipedia.org/wiki/Citizenship_of_Russia#Citizens...


It is no better or worse than electronic voting machines in Georgia.


Online voting in elections has been around since 2005 in Estonia. I think you're making it seem worse than it is. On the other hand, I wish Estonia did not have online voting as well. There are some attack vectors you can't defend against.


Here's a video on an interesting talk about Estonia's e-voting system: https://youtu.be/PT0e9yTD2M8

(Spoiler: Opsec fails begin at 42 min. But watch the whole thing, it's interesting.)

It might be prudent to point out that Estonia is one of the better e-voting systems. Voters can override their e-vote with a regular one on election day. However that just means that other systems are mostly even worse.
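The two rules mentioned in this thread, re-voting where only the last online ballot counts and an election-day paper ballot overriding the e-vote, as an added example that is not the thread's own code nor the Estonian system's implementation. The Ballot type, the timestamps, the closing time of the online period and the sample ballots are all constructed; anything the two rules do not cover is reported as an anomaly rather than silently resolved.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Ballot:
    voter_id: str   # pseudonymous id (constructed; the real system ties votes to the ID-card)
    cast_at: int    # timestamp in seconds (constructed values below)
    choice: str
    channel: str    # "online" (advance i-vote) or "paper" (polling station)


def tally(ballots, online_closes_at):
    """Return (counts, effective, anomalies).

    Rules as described in the thread:
      1. Among a voter's online ballots, only the last one cast counts.
      2. A paper ballot cast at the polling station overrides that voter's
         online ballots.
    Cases the rules do not cover are flagged for the auditors:
      - an online ballot timestamped after the online period closed
      - a paper ballot timestamped before the online period closed
      - any ballot arriving after a paper ballot has already counted
    """
    effective = {}   # voter_id -> the ballot that currently counts
    anomalies = []   # (ballot, reason)
    for b in sorted(ballots, key=lambda x: x.cast_at):
        if b.channel == "online" and b.cast_at >= online_closes_at:
            anomalies.append((b, "online ballot cast after the online period closed"))
            continue
        if b.channel == "paper" and b.cast_at < online_closes_at:
            anomalies.append((b, "paper ballot timestamped before the online period closed"))
            continue
        if b.channel not in ("online", "paper"):
            anomalies.append((b, "unknown channel"))
            continue
        cur = effective.get(b.voter_id)
        if cur is None or cur.channel == "online":
            # first ballot, a later online ballot (re-vote), or the paper override
            effective[b.voter_id] = b
        else:
            # a paper ballot already counted for this voter; nothing may replace it
            anomalies.append((b, "ballot received after a paper ballot had already counted"))
    counts = Counter(b.choice for b in effective.values())
    return dict(counts), effective, anomalies


ONLINE_CLOSES_AT = 500  # constructed: end of the advance online voting period

SAMPLE_BALLOTS = [  # constructed sample, not real election data
    Ballot("v1", 100, "A", "online"),
    Ballot("v1", 200, "B", "online"),   # re-vote: this one counts
    Ballot("v2", 150, "A", "online"),
    Ballot("v2", 1000, "C", "paper"),   # paper overrides the earlier online ballot
    Ballot("v3", 120, "A", "online"),
    Ballot("v4", 1001, "B", "paper"),
    Ballot("v4", 1100, "A", "online"),  # online after close: flagged, not counted
    Ballot("v5", 1002, "A", "paper"),
    Ballot("v5", 1003, "A", "paper"),   # second paper ballot: flagged, first one counts
]

if __name__ == "__main__":
    counts, effective, anomalies = tally(SAMPLE_BALLOTS, ONLINE_CLOSES_AT)
    print("counts:", counts)
    for voter, b in sorted(effective.items()):
        print(f"{voter}: {b.choice} via {b.channel}")
    for b, reason in anomalies:
        print(f"anomaly for {b.voter_id}: {reason}")
```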


Seems like e-voting is used as a way to transition from a democracy to a hidden totalitarianism.

Citizens are led to believe the voting system still works as usual, but in fact the results are manipulated to keep the same person or group of people in power. Which can probably last for a while. Meanwhile the person/group in power can take control of all parts of the state until it slowly fades into an obvious dictatorship.

This works because most people don't understand technology well enough to understand that electronic voting is very far from secure.


"Video unavailable This video is no longer available because the YouTube account associated with this video has been terminated." :-(


Thanks, link fixed.


Wasn't it compromised a few years ago?

[1] https://edri.org/estonian-eid-cryptography-mess-750000-cards...


Those certificates were replaced and/or revoked.


They have also changed the wifi password that they had made public in one of their youtube videos via a note on the wall. (Sure, it was the guest-wifi but still)


All these "e-voting can never work" comments just scream ludditism. Estonia has already demonstrated that it works, we have online banking and cryptocurrencies worth billions of dollars in market cap, and people want to say it's not possible. Yeah, ok. Feel free to express your views, but don't pretend to represent the software engineering community.


Nobody said it's impossible. It's just insecure, unverifiable, and non-anonymous.

Unless you inspect every voting machine, smart-card reader, internet connection, encryption algorithm, etc. for every election completely, you can potentially manipulate millions of votes from your home on the other side of the planet. Or on a smaller scale, change all votes of one or multiple voting machines.


Paper ballots aren't secure either, who's to guarantee that your paper ballot was recorded correctly? In many countries paper ballots have been tampered with, altering elections (Venezuela, South Korea). Remember Bush vs. Gore in 2000? I don't understand why people are so trusting of paper ballots, I would much prefer an e-voting system where my vote can be verified afterwards.

You don't need to inspect every internet connection, there's HTTPS.

The key is that one should be able to verify one's vote to ensure that it was properly recorded. If everyone can verify their own vote, then they can verify that the voting wasn't hacked. With paper voting, it is impossible to verify your own vote - it is equivalent to tossing it into a black box.

One might say "then people can sell votes!", but as Estonia has done, you can have it so that one can vote multiple times. And of course there should be extraordinarily stiff penalties on anyone buying/selling votes (I'd say minimum $30k or 20% of one's total wealth fine + prison time).

Needing paper ballots is holding back democracy. E-voting would revolutionize democracy and for the first time in history allow a true direct democracy at scale. Of course e-voting cannot be conducted by emailing votes or some other insecure nonsense like that, but it is ludditism to suggest that it cannot be achieved, which many seem to suggest. This kind of thinking is literally holding society back.


> Who's to guarantee that your paper ballot was recorded correctly?

Each reporting station must accept observers and counters authorised by each of the interested parties with local representation. It's a big deal when this process is compromised and always makes the news. And these counters and observers are generally your neighbours from the local community, so there is some amount of trust already. Further, the section count is acknowledged back from the central counter.

HTTPS doesn't have the proper guarantees for this application.

Changing votes doesn't have the proper guarantees that people won't be buying or extorting votes. Not that it matters, because that's not really the biggest concern with evoting.

Penalties also don't matter against a malicious state actor for any abuse. As an example, Chinese spies go after the relatives in China of US tech employees to force cooperation. A state actor can stack the deck without anybody to prosecute even if caught.


Online banking and cryptocurrencies are not equivalent technologies. Just because you can solve those problems with software doesn't mean you can solve every problem in the world with software.


Yes they are not equivalent, my point is that if we can handle money online, there's no reason that voting can't. Bitcoin's market cap is something like $80b, yet nobody has ever hacked it.


Correct, online banking is in the stone age compared to even the crudest cryptos.


Relevant Computerphile episode (w/ Tom Scott): https://www.youtube.com/watch?v=w3_0x6oaDmI


Although not without issues, the overall trust seems to be pretty high for e-voting (and voting numbers confirm it). And when voting, a paper vote always trumps the digital one as a last resort.

I also think this is one thing that also gets more young people to vote. They are familiar with technology and so used to doing everything online. For example, I would not have voted in the last couple of elections if digital voting had not been available.


Think of what this means for voter representation. You just made it much easier for people with computer access to vote, compared to those without who still must trek to the polling place. I doubt the demographics represented in this vote were the same as the last comparable one.


I think you have it the wrong way around. This actually improves voter representation. It's now a lot easier for people with disabilities, the elderly, etc to cast a vote — they don't have to organize transport, they can just vote from home. Getting people to actually go to the polling stations and cast a vote is something that all democracies struggle with to a certain extent, this helps alleviate that issue.


90% of Estonian households have access to the internet. [1] The percent is still increasing. On top of that, it's possible to request the government to send an official to your home if you wish to cast a paper vote from home.

--

[1] https://ec.europa.eu/eurostat/tgm/table.do?tab=table&init=1&...


It is a pretty smooth system. Voting in the last elections took me about 60 seconds.

Also, no method of voting is ever going to be 100% safe. It's not like there haven't been any unfair elections using paper ballots.


It's not about being safe, it's about being provably shareable. When the option of privately sharing your vote is there, it doesn't take long before a malicious candidate forces you to do it or face consequences.

See Halter Vote:

https://books.google.com.br/books?id=7gPvCgAAQBAJ&pg=PT144&l...

https://translate.google.com/translate?source=osdd&sl=auto&t...


But couldn't you just take a photo of the ballot? Considering that not submitting the ballot after taking it is not allowed here.


I think you have to reliably prove that it's your ballot and that it wasn't tampered with after the photo. Halter Voters would sometimes include a specific marking on the ballot that confirmed it was a successfully bought vote so people could be personally rewarded accordingly.


Same here. The last time I went to regular voting was ~10 years ago. Once I tried online voting, I would never go back to the regular one.


Any more in-depth treatment on the properties of the system and how it resists various attacks?


"Security Analysis of Estonia's Internet Voting System" @31C3 (December 2014)

https://media.ccc.de/v/31c3_-_6344_-_en_-_saal_1_-_201412281... (starts at 20:26)

They failed on quite some points, I cannot believe they fixed all issues.


Any analysis written not this year is out-of-date.


https://estoniaevoting.org/findings/paper/

TL;DR: It's not that good.


As I replied to another guy under this parent, any analysis done in previous years is absolutely out-of-date by now. We'd need new reviews to make a proper assessment of how (in)secure it is.


Online voting seems like such a bad idea to me. If people want convenience couldn't voting by post be a good compromise? Sure you still have to bring your letter to the post office but that's a more mild inconvenience and it seems more secure than e or i voting.


You get problems like "granny farming"


Never understood the fascination with e-votes. E-votes are great when you vote for reality shows, but for a normal election I think walking to the local booth and voting is a much better idea because it is hacker proof and also only citizens with enough motivation will vote.


> Never understood the fascination with e-votes.

People want convenience. Citizens would like to vote online, and are largely ignorant of the technical challenges that make it impossible to secure, at least on your average everyday Internet connected consumer device.

It's the job of us techies to keep shouting from the rooftops how all these implementations of online voting are deeply flawed and exploitable, the same way climatologists have to keep screaming from the rooftops about the damage rising CO2 is causing to our biosphere.


Don't vote = don't get any benefits.

You would have to have an allowance for certain Disabled and Housebound voters and maybe be allowed to miss one election.


That is worse. It means people on welfare might be willing to vote more and hence Peter would vote to steal from Paul. Probably an argument that only those who pay a certain amount of tax should be able to vote.


Lovely so who gets to decide who the "active citizens" are.

I think we have moved beyond that sort of limited franchise.

Btw "active citizens" is a reference to the French revolution


> and also only citizens with enough motivation will vote.

Why are physical barriers restricting public engagement a desirable trait in a democracy?


I'm curious about what we can do with digital voting, in terms of evolving democracy. If, hypothetically, all mechanical issues are solved...

We could have more direct democracy, with high-frequency referendums, reversible proxies, publicly submitted or endorsed bills. The democracies we have were designed around mechanical limitations, so it stands to reason that (at least some) democracies would change when those limits go away.

That said... there seems to be a dearth of ideas, at least few seemingly useful ones that I ever hear.

If you were making a new constitution for a village or city, what could be done with electronic voting and how does it make it better?

BTW, links welcome.


Oh well, as an Estonian that topic is starting to become really tiring, especially because we just passed voting season.

Bottom line is: Conservatives / nationalists are preferred by older folks and these parties lobby against anything that can give votes to liberals. They also know that youngsters might skip the voting after all if we went back to paper voting altogether. Also there will be a major reputation loss. But since conservatives are against the EU, open trading and anything outside our teeny-tiny pond, they don't give a flying fuck about that.


I understand the cost appeal of such a voting system but it's pretty low security for an election. I wouldn't even worry about foreign actors as much as I would worry about domestic actors controlling the digital ballot box by fucking with the online voting system.


@Moderators

Just to avoid people collating together all e-voting (voting machines and similar) with the tech that Estonia uses (they call it i-voting for that reason), could the title be changed from "e-voting" to "i-voting"?


Ok, we'll do that.

Edit: actually, just using the word 'online' seems to make the distinction more clearly.


That's nothing, once e-voting is legal in Chicago, it will be 144% of the vote.


The title is incorrect, it's i-voting, not e-voting, there's a difference.


i-voting is e-voting too.


All i-voting is e-voting but not all e-voting is i-voting.


I like this trend towards e-voting since it seems to be influenced by trends in cutting edge blockchain technology like decentralised autonomous organisations. It means that novel types of national governance may follow from blockchain governance models, such as liquid democracy.

This would be a vast improvement over our current representative democracy model since we'd be able to hold politicians accountable more easily, lobbyists would be less influential and we could put our voting power behind domain experts for issues of importance.


> such as liquid democracy

The German Pirate Party tried liquid democracy, and the result was similar to what's going on in Wikipedia: there's a small set of people with more time on their hands than is good for them or others, and it doesn't take long for them to take over.


I'm confused, why would a small set of people with time on their hands be able to compromise a liquid democracy? Are there not workarounds to the problems encountered? Interesting how we iterate so often, yet are so concrete in our conclusions about improvements to our own governance.


I think because we can't afford to 'break things' with governance so we prefer not to 'move fast'. Seems like good thinking...


As one of my friends (and now a local councillor) who was involved in Conservative politics at uni in the UK said, it gets taken over by "a bunch of drunken yahoos".

She was talking about the FCS and people like Guido Fawkes.

Oh, "Yahoos" refers to Jonathan Swift's Yahoos, not anyone employed by Yahoo.


A lot of these proposed solutions at first sight look like solutions, but I've yet to find a "blockchain" (or any other buzzword) system that offers clear advantages. In practice, most of the time it's plain old plutocracy or founderocracy disguised under the veil of a new tech (with the help of an "innocent non-profit foundation").


As is often the case, by far the best comment is the least popular.

It's amazing how short-sighted people are.


Mention blockchain around here and everyone loses their minds.
