I'm sure this cannot be subverted by an attacker with the resources of USA/China/India/.., or with access to the supply chain from the chip fab onward (don't forget about malware hidden in USB cables!), or, or, ...
And you'd have to be dead sure, because, unlike with physical votes, there will be few-to-none signs of subversion. You can vote physically, but what do a few physical votes matter when the attacker can change the vote of 30, 50, 70% of the population.
And how do you change the system, when all parties promising to do so can't get enough votes?
Edit: Example of what a voting system must be resistant against: https://www.schneier.com/blog/archives/2018/03/adding_backdo...
My main criticism is that as it is it could still feed the card with the wrong vote to sign. The (state-provided) USB reader should have a small LCD screen to sum up the thing being signed "Vote for Ms. Ryjavik on election #123" "Vote for Yes on vote #432" and a confirmation button.
With these modifications, and the ability to check a cast vote has been received, you can have secure elections on insecure devices.
However it requires trust in the officials to do their jobs correctly and to not tamper with the tally.
I, personally, love a lot of e-Estonia initiatives, but consider electronic voting to be a bad idea, unless you are ready to get rid of the anonymity of the vote (you can have secure non-anonymous remote voting)
In other words: It doesn't help at all against malware on the computer.
> The (state-provided) USB reader should have a small LCD screen to sum up the thing being signed "Vote for Ms. Ryjavik on election #123" "Vote for Yes on vote #432" and a confirmation button.
In other words: If the USB firmware is infected, it's still not secure.
> With these modifications, and the ability to check a cast vote has been received, you can have secure elections on insecure devices.
So, if you are using secure devices ... then you can have secure elections on insecure devices? In this scenario you aren't actually using the insecure device, other than for establishing a connection to the internet.
Or rather, as you described it, it also functions as the input device--but that is a security problem because it can be used to violate the secrecy of the vote, so it's not actually secure that way either. The only way to make it secure (sort-of) is to not use the insecure device.
> However it requires trust in the officials to do their jobs correctly and to not tamper with the tally.
And that is the reason why electronic voting is not an option. Elections have to be able to remove a government from power against its will. An election process that depends on the integrity and honesty of the government that you want to remove from power is inherently broken. An election process that only works when there is no conflict is not a useful election process.
In the 2016 US presidential election officials basically typo'd the election results in the town of Hazelhurst in Wisconsin, where almost half the votes went missing until a citizen volunteer noticed the mistake. Neither the party officials nor the election officials caught the mistake.
If mistakes like that can happen then how often do they go unnoticed? How often are these mistakes deliberate?
So, could you point to any one election in Estonia's history where electronic voting would have been any better?
> The Soviet era showed that election fraud happens anyway.
That's just bullshit. Just because a solution for a problem is not perfect, does not mean it's useless and that every non-perfect approach is equally bad.
> The problem with paper voting is that mistakes in counting happen very often.
Which is irrelevant to the discussion of security. Mistakes are a very different thing from intentional manipulation, both in how you can prevent them and in the effects. In particular, mistakes tend to average out, which is why they usually don't matter for elections as long as they happen at a reasonably low rate.
> In the 2016 US presidential election officials basically typo'd the election results in the town of Hazelhurst in Wisconsin, where almost half the votes went missing until a citizen volunteer noticed the mistake. Neither the party officials nor the election officials caught the mistake.
... which is why we should employ a voting process where only the election officials have any insight into what is going on, so we minimize the chance that a citizen discovers any errors?
> If mistakes like that can happen then how often do they go unnoticed? How often are these mistakes deliberate?
... and how would an election process that is completely opaque to the public possibly help with any of that?
With electronic voting nothing stops a sysadmin from doing UPDATE votes SET vote = 'Good Candidate' WHERE vote = 'Bad Candidate'.
Also, they cannot store signatures with votes because that would disclose voter's identity and their choice. They have to store signatures separately from the votes and it means that the votes can be freely modified.
Here is what Wikipedia says:
> This criticism was underscored in May 2014 when a team of International computer security experts released the results of their examination of the system, claiming they could be able to breach the system, change votes and vote totals, and erase any evidence of their actions if they could install malware on the election servers.
Of course, the government can install anything on its servers.
Here is a quote from a report on vulnerabilities:
> The e-voting system places complete trust in the server that counts the votes at the end of the election process. Votes are decrypted and counted entirely within the unobservable “black box” of the counting server. This creates an opportunity for an attacker who compromises this server to modify the results of the vote counting.
> The attack’s modifications would replace the results of the vote decryption process with the attacker’s preferred set of votes, thus silently changing the results of the election to their preferred outcome.
Read: the government can "draw" any outcome they would like. Maybe they already did it, who knows.
You can check who you cast your vote for through online voting. You can do it 3 times for half an hour after voting. You cast your vote on a PC and at the end the voting software shows you a QR code. You can then use an app on your phone provided by the government to check who your vote was counted for.
Read more here: https://www.valimised.ee/en/internet-voting/checking-i-vote
You have no way of asserting that that was the vote that was actually counted in the reported result.
Of course you need monitors from all interested parties to prevent ballot stuffing, but that's true in every election. It's up to monitors to read the voter list and verify that (probabilistically) there are no/few fake voters on it.
> Despite positive gestures towards transparency — such as releasing portions of the software as open source and posting many hours of videos documenting the configuration and tabulation steps — Estonia’s system fails to provide compelling proof that election outcomes are correct. Critical steps occur off camera, and potentially vulnerable portions of the software are not available for public inspection.
are not immune to attack either. Unless you go to the extraordinary lengths of making your own hardware in a facility you secure and keep secured for the duration of your democracy, there is no such thing as a 'secure device'. Not when the prize is something so hugely lucrative and advantageous as control over an entire country.
All assuming you trust your government. With opposition parties monitoring vote counts, that's easy. But what about when they have to look for dopant-level chip defects?
This feels safe, and as they have the original paper, they can revote - but they have all the ones in the district in a box somehow.
It is not without reason that the most common fraud here in Sweden (around 80%) is someone calling under false pretenses asking a victim to use the hardware token in order for the fraudsters to create a new electronic ID which is then used to empty the bank account, create credit accounts, and so on. So far those security tokens have had a perfect track record from a hardware perspective, as much good as that does. Maybe that is a bomb waiting to explode but it is hard to see a stronger incentive for criminals than what already exists.
When people here discuss electronic voting, security of the hardware tokens is not usually brought up. It is rather all the other elements which make it a bad choice. There would be no physical ballots that can be verified, questionable anonymity, and a loss of a controlled voting environment. All the common solutions to those problems usually result in the conclusion that it is then easier to just keep the current system as is.
"The authority might just lie about the count or throw away or counterfeit votes, or coerce voters to vote a certain way" is not solved by paper voting either, as seen in Russia and many other places.
Listen, if an attacker can subvert 30% of the votes, don’t you think they would also be able to subvert 30% of bank accounts which would use the same security? Banks let you use an app to withdraw $100,000. Why not for voting which is far less valuable?
Think about it... anyone can just as easily bring a ton of paper ballots and stuff the box that way. If you are concerned about the vote being illegitimate then have everyone submit an encrypted video of themselves saying the vote along with the vote, and the app recognizes what is said, displays it on the screen and the person clicks OK.
EDIT: To the automatic downvoters - why do you trust your bank’s app to manage a lot of money but not an app for voting?
If such a system could be made that it somehow was able to verify that you are actually the individual registered to vote, but also anonymous so no-one could possibly trace what you voted for. Then you need to be able to set up a secure and verified connection (but still anonymous) but unlike your bank account, isn't the target of multi-international efforts to subvert democracy to gain political favour. Deciding what compatible devices and technology should be used and to ensure that all of the voting population has access to it is another challenge.
Another thing required is for there to be a presence of the candidates or representatives on behalf of them that can monitor the voting process and call out any foul play, which would require people with the right expertise to examine the system so they know it properly counts the votes. Which means an open-source system is required, but the exact details of how it verifies voters will also be exposed.
And what happens to the votes, are they not stored at all or stored temporarily? How do you do a recount if they are not stored and if they are, how do you make sure that data is destroyed completely once the result has been declared?
These are all questions that nobody seems to have a practical answer to.
You have to sign the outer envelope, which can be verified (and is not anonymous).
> Think about it... anyone can just as easily bring a ton of paper ballots and stuff the box that way.
There are a lot of controls in place that prevent that. Number one, the ballot box is never attended by just one person. Number two, the count of ballots has to match the number of people whose identities were verified and voted, and that verification is done by different people.
To stuff the ballot box, you'd have to buy off every poll worker in that precinct, get the list of everyone who didn't vote, pretend to vote for them, and make sure your ballot counts lined up. Since each precinct only serves a few hundred people at most, you'd at best get to put maybe 300-500 ballots in the box. You'd have to do that at every precinct.
You don’t have to get a list of those who didn’t vote. You just take the pile of punched ballots or whatever and replace them with your pile.
All the matching of counts etc. can be done electronically too.
Unless your device is compromised.
> Either way, someone can theoretically forge your signature.
They could forge your signature, but to be effective, they need to forge thousands of signatures.
> You don’t have to get a list of those who didn’t vote. You just take the pile of punched ballots or whatever and replace them with your pile.
No, the ballots all have unique numbers and the list of numbers is stored separately. You'd have to buy off all the poll workers to pull that off, and you'd have to reconstruct all the records to match your fake ballots.
> All the matching of counts etc. can be done electronically too.
Sure it can be, but not securely, and security (and integrity) is the number one goal of a voting system. Convenience and speed are secondary.
Let's put it this way -- the State of California only does paper ballots. No voting machines are allowed in the most populous state. Why? Because they engaged many security consultants and couldn't figure out a way to vote electronically that was safer than paper.
It takes over a month to certify a California election, because every ballot is cross checked with the precinct records, they randomly recount various boxes of ballots, they check that the outcomes are in line with the polling data, and they verify every single signature on every absentee envelope.
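An added illustration, not part of the thread: the two precinct controls described in the comments above (box count must equal the number of verified voters; ballot serial numbers are listed separately from the box) written as a reconciliation check. The record layout, field names and all serial numbers are constructed for the example, and the duplicate-serial check goes one step beyond what the comments mention.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class PrecinctRecords:
    """Hypothetical record layout; each field is kept by a different team."""
    checked_in_voters: int      # roll kept by the identity-check workers
    issued_serials: frozenset   # serial list, stored apart from the ballot box
    box_serials: tuple          # serials read off the ballots found in the box


def reconcile(rec):
    """Compare the three independent records and return every discrepancy."""
    in_box = Counter(rec.box_serials)
    return {
        # Positive: more ballots than verified voters (stuffing).
        # Negative: ballots removed from the box.
        "count_mismatch": len(rec.box_serials) - rec.checked_in_voters,
        # Ballots in the box that were never handed out in this precinct.
        "unknown": sorted(s for s in in_box if s not in rec.issued_serials),
        # The same serial found more than once (copied ballots).
        "duplicated": sorted(s for s, n in in_box.items() if n > 1),
        # Ballots handed out but not found in the box.
        "missing": sorted(rec.issued_serials - set(in_box)),
    }


def is_clean(result):
    """True only when every check came back empty."""
    return not any(result.values())


# Constructed sample data: five voters were verified and given ballots 1001-1005.
ISSUED = frozenset(range(1001, 1006))

SCENARIOS = {
    # Box matches both the roll and the serial list.
    "clean": PrecinctRecords(5, ISSUED, (1003, 1001, 1005, 1002, 1004)),
    # Three extra ballots dropped in: the count check alone catches this.
    "stuffed": PrecinctRecords(
        5, ISSUED, (1001, 1002, 1003, 1004, 1005, 9001, 9002, 9003)),
    # The whole pile replaced with the same number of foreign ballots:
    # the count still matches, only the separately stored serial list shows it.
    "swapped": PrecinctRecords(5, ISSUED, (7001, 7002, 7003, 7004, 7005)),
    # One real ballot copied in place of another: count and "unknown" both pass.
    "copied": PrecinctRecords(5, ISSUED, (1001, 1001, 1002, 1003, 1004)),
}


if __name__ == "__main__":
    for name, records in SCENARIOS.items():
        outcome = reconcile(records)
        status = "OK" if is_clean(outcome) else "DISCREPANCY"
        print(f"{name:8s} {status:12s} {outcome}")
```

The "swapped" case is the one debated above: a pile of the right size passes the count check, and is caught only because the serial list is held by someone other than whoever controls the box.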
I think that, once you start there, you will see that you can compromise those just as easily as a bunch of random iPhones.
I think you're too enamored with technology to see that in this case it isn't being luddites about it that is the problem -- it's that very smart people have tried to solve this for a long time and come up with nothing.
It may be time to admit that the hundreds of security professionals with thousands of years of combined experience may just know more than you about election security.
For a bank, you have a PIN that is tied to your identity. You may also have a second factor that is tied to your identity. The bank can use this to positively identify that you are the one making the transaction, and tie it back to you.
You can also verify the transactions after the fact because it isn't anonymous. You can log into your account and check to make sure what the bank thinks happened actually happened. And if it didn't happen the way you say, you can contest it.
Also, the risk is actually lower because the bank assumes liability. If a false transaction is made you can protest it and if you prove that it wasn't you who made the transaction, you get your money back. With voting, you can't get your vote back.
One thing the Estonian system does is that you can verify your vote on a mobile device by scanning a QR code that you see when you cast the digital vote. A vote can be checked after i-voting for up to three times during half an hour.
I imagine if any mismatch was detected the country would shut off i-voting immediately.
Further reading: https://www.valimised.ee/en/internet-voting/checking-i-vote
You could make it so you can view your vote and check it was registered the way intended. If you voted A and it came out B that would be a sign.
I can do this multiple times. Each time I void my previous ballot, betraying my previous customer.
Then comes election day, then I show up in person and cast a physical ballot for the party that I favor. As a buyer, my customers have no way of knowing I didn’t void the preliminary ballot by showing up on election day.
Note that defrauding vote buyers this way is also possible in most election systems that have non-digital preliminaries.
- If every time you vote you get a receipt for that vote that can be checked if it's still valid then you can send that receipt to the buyer and he can then check that your vote is still according to his purchase
- If you can only check that the receipt was registered but not if it's still valid you can't check that your vote was correctly counted because you don't know if the vote has been changed after in multiple possible ways
- If you can check that the vote actually is for candidate A at any time you can sell that access to the buyer for him to confirm
- If the only way to avoid all this is to also cast an actually secret vote on election day the buyer now just needs to make sure you don't go to the polling place. Posting spotters at the door is not too hard.
I don't see a way for you to actually be able to confirm your vote was counted and not having at the same time the ability to sell your vote in a verifiable way. Perfect verification isn't needed either. If you're selling your vote to the mob you'll have second thoughts about failing to deliver. If you make the process easier "honest" sellers will create the market.
> Note that defrauding vote buyers this way is also possible in most election systems that have non-digital preliminaries.
Most I know are actually harder because you only get the single mail-in ballot so you can't do the double or triple voting. If you can show up on the day and invalidate your mail-in then part of the same can be done. Depending on how the invalidation of the mail-in is done it can be even sketchier. But I don't consider mail-in and absentee paper votes to have enough security guarantees either way. Paper ballots, in a box, counted by adversaries is the gold standard. Everything else has a high burden of proof.
Someone with a paper ballot can photograph their ballot with a phone or spycam, to prove their vote to a buyer.
It's easy enough to deploy spotters without being found out. Just deploy spotters as exit pollers, they're already part of any modern election :)
And thinking about it some more the Estonian system seems perfect for vote selling. You just provide your ID card and PIN in the last day of early voting and get it back the day after the election. The buyer can vote in your name and hold your ID card to make sure you can't vote in the booth.
Not necessarily. It is possible to have verifiability and receipt freeness:
> The demands of voting are incredibly unsuited to digital systems and definitely to any online voting.
Clearly you need to do more research before making such sweeping claims.
I know these methods, but they were not used in OP's suggestion. They fix this issue and introduce others.
> Clearly you need to do more research before making such sweeping claims.
On the contrary, I'm willing to double down on my claim. I'm willing to provide either a breach or a denial of service for any digital or online voting system you care to describe.
Electronic/Online voting is like catnip for programmers. We can consistently overcomplicate things and create these horribly complex constructs because we're sure there must be a solution. After all software is eating the world. Voting is however one of the few situations where the lack of sophistication of pen and paper works in your favor significantly.
You knew it but didn’t mention it as an obvious neutralizer of your objection, in the context of a discussion about possibility (“you could”)? I doubt that.
> I'm willing to provide either a breach or a denial of service for any digital or online voting system you care to describe.
There are many systems in the literature. What are your credentials in this field? Are you a cryptanalyst?
> Voting is however one of the few situations where the lack of sophistication of pen and paper works in your favor significantly.
This is as myopic as saying “E-commerce and e-banking are some of the few situations where the lack of sophistication of pen and paper works in your favor significantly. The demands of e-commerce and e-banking are incredibly unsuited to digital systems and definitely to any online systems.”
This is baseless and useless. I've discussed this online in several situations, including on Hacker News. If you really want to check this feel free to see my comment history here and on reddit.
> There are many systems in the literature. What are your credentials in this field? Are you a cryptanalyst?
There are plenty of systems in the literature, even ones I am happy to stipulate right now are 100% cryptographically sound for the purpose of the discussion. The kinds of attacks you'd use against them are not to break the crypto. They're to break the usage of the system by common citizens and eliminate all trust from the election. Once you do that you no longer have a functioning democracy.
> This is as myopic as saying “E-commerce and e-banking are some of the few situations where the lack of sophistication of pen and paper works in your favor significantly. The demands of e-commerce and e-banking are incredibly unsuited to digital systems and definitely to any online systems.”
eCommerce and eBanking have very different needs, so the query/replace doesn't work. In banking you both accept that some people in the banks have access to your data and that transactions can be reverted. None of that applies to voting where the process has to at the same time avoid leaking who you're voting for, provide accurate counts, and be trusted by the average citizen. Those properties are simply not possible without a traditional paper count done by adversaries.
Feel free to point out where you previously discussed receipt freeness. And if you did, then why didn't you mention it in your comment, which gives the false impression that any verifiable voting system cannot be receipt free?
> The kinds of attacks you'd use against them are not to break the crypto. They're to break the usage of the system by common citizens and eliminate all trust from the election.
You're going to have to be more specific about what you mean.
> the process has to at the same time avoid leaking who you're voting for
This is called receipt freeness, which we just discussed.
> provide accurate counts
This is called universal verifiability, which is also perfectly attainable by e-voting systems.
> be trusted by the average citizen
You've provided no reason to think that citizens will never trust e-voting systems. The very article of this thread provides a counterexample, and it's not even the most secure.
> Those properties are simply not possible
This is just flat-out wrong. It is perfectly possible to have all of the above properties simultaneously.
I'm not going to go around spelunking on my old comments to prove to you that your attacks on me are unfounded. Do your own homework if you care about this for some reason but this is getting extremely aggressive for no reason.
> And if you did, then why didn't you mention it in your comment, which gives the false impression that any verifiable voting system cannot be receipt free?
The point of my comment was to explain that what appears to be a common solution to a problem that we'd use in any kind of electronic system breaks down other stuff in electronic voting. I wasn't about to go 10 rounds of "but you could do X and then be broken by Y". My point isn't that there aren't clever ways to engineer digital systems for electronic voting, it's that however you do that you end up with something that can be attacked in horrible ways. See below for an example.
> You're going to have to be more specific about what you mean.
Since you haven't provided a voting system for me to attack I'll try with what I consider to be a very good one:
- You vote by pressing a button or touchscreen at your polling place
- A paper ballot is printed with your vote that you verify and drop into a traditional ballot box to be counted as usual
- A receipt is printed with some code that you can later use to check that your vote was counted in a cryptographically secure way
- Paper ballots are tallied locally as usual, electronic results are sent encrypted to a central server that can be later used for vote count verifications
- The electronic count and the paper count are done in parallel and both published. You expect small differences in the count (mostly from human error in the paper count) but as long as the results match up to a low difference you trust your election.
- There are no flaws in any of the crypto and all the polling officials are honest (this last part is something the paper system does not depend on)
So this seems strictly better than a paper election right? You get the electronic count just as the polls close, the safety that you can later check that your vote was counted electronically, and the double-check of the paper count to fall back on. So here's how I attack it if I'm just a skilled hacker working alone:
- Work as a tech at one of the polling places and intentionally miscalibrate touchscreens. People will register wrong results and get some stories out that strange things happened in some polling places.
- Pick polling places where a minority is heavily represented and break those machines in particular. At worst some extra coverage, at "best" the election gets skewed because those polling places start having long lines and people walk away.
- Spread some malicious code to the general population through any of the normal means (Android apps, unpatched vulnerabilities, etc). I just need to get a small number of common citizens. Have that code intercept the place where you check if your vote was counted and tell you it was not. Hopefully you'll recheck in a clean machine and be satisfied. If possible target politicians and the actual losing candidates in the election so that they are particularly worried that the election was stolen from them.
- Finally hack into the central server where you do the checks to see if your vote was counted and make checks fail randomly.
At the end of this you have seeded pretty deep distrust over the election. Depending on how skilled the hacking is it may be enough to break down the trust in your democracy. I'm not willing to take that risk. But now if you're a very well funded hacker group or a state actor you can do more:
- Hack the network providers and selectively DoS the verification server for minorities or parts of the country that voted against the winner.
- Infiltrate the supply chain of a few of the thousands of suppliers of the voting machines and plant hardware level bugs that are time coded or just cause random errors (e.g., the touchscreen bugs)
- Hack the networks used to communicate votes from polling places and DoS those so that the count is delayed
- If you can hack the power grid have power cuts in polling places. If you were voting on paper it wouldn't matter but now you can't vote
- Do all those again in targeted polling places looking for minorities and/or populations that are very skewed from the national average to entice maximum distrust
- After enough doubt is created manipulate social networks based on those cases to nudge the population into thinking the election is rigged. It only takes a small percentage of the population believing that before you have a crisis on your hands (think yellow vests in Paris).
At the end there's a very high chance your election is now fully distrusted and the country is in chaos. Even if it doesn't work 100% of the time it only takes one or two successful events globally for people to distrust these systems, whichever they are.
The scary thing about what I just described is that plenty of it is indistinguishable from what is already happening in some cases in US elections today. I'm willing to hope that the US case is just pure incompetence, but the attack surface is very large and we've seen that foreign state actors are extremely motivated to meddle with elections. I expect more examples of this in the future, particularly since the actual systems deployed are incredibly poor compared to this one.
> This is called receipt freeness, which we just discussed.
> This is called universal verifiability, which is also perfectly attainable by e-voting systems.
Yep both of these are possible as long as the crypto is sound. No current electronic voting system actually clears that bar, most have no crypto at all. But there's no reason you couldn't do it at enormous extra cost if you had enough extremely competent people dedicated to the problem. I still haven't seen a good argument why you'd want to though. Which is the second part of this problem. If there are no advantages why do it? Proper paper counts are cheap, well tested and get results 2 or 3 hours after the polls close. The US is notorious for not being able to do that but it's routinely done across the world with no issues.
> You've provided no reason whatsoever to believe that citizens will never trust e-voting systems, and there is strong evidence against this from the fact that they are perfectly willing to engage in e-commerce and e-banking.
See the above attack scenarios for why I definitely think citizens should never trust any electronic voting system. The difference for eCommerce and eBanking is that under any of those attack scenarios you just go to the bank branch and sort things out, including reverting transactions. You can't do that with your vote. Once the verification system fails the whole election fails and the faith in your democracy plummets. None of those attacks are specific to this system either. They're just relying on the flexibility of computers versus the extreme lack of features of pen and paper.
> This is just flat-out wrong and reflects your ignorance of the subject. It is perfectly possible to have all of the above properties simultaneously.
At this point it's on you. Feel free to improve on the above system to try to get the three properties. It's extremely unlikely you'll be able to just from the nature of computers and computer networks. We put up with all their extra complexity for all the extra value they bring. I couldn't be having this discussion with a person I don't know that is most likely half way across the world without the internet. But all that complexity plays against you when you're trying to secure a vote. You don't need to change the vote to destroy an election. You just have to seed enough distrust that the process is no longer accepted.
The most important characteristic of the voting process is that you are able to convince those who lost that they've really lost and what computers/networks have in abundance is failure modes and corner cases. Couple that with the lack of knowledge of the general population (and certainly of most politicians) about technology and it's very easy to attack an election by just engineering doubt over the whole system even if all the failures that you induce were designed for.
Whether it's incompetence or foreign attack, the damage done will be the same in both cases, so it's a terrible system to use either way.
You're asking me to prove a negative. I merely said I doubted you knew about receipt freeness because you didn't even mention it as an obvious counterpoint to your claim, which is a reasonable conclusion. If you consider that an “extremely aggressive attack”, fine. It is easy for you to prove me wrong, you just have to point out the comment in question.
In the meantime, I'll continue to assume you either had no idea what receipt freeness was, or deliberately created the false impression that a verifiable voting system cannot be receipt free.
> I wasn't about to go 10 rounds of "but you could do X and then be broken by Y".
You've failed to show that receipt freeness introduces something else that fundamentally "breaks" which wasn't in the original system, despite repeatedly claiming this is so (see also "They fix this issue and introduce others", a claim made with absolutely zero evidence).
> So here's how I attack it if I'm just a skilled hacker working alone:
So you just assume you can achieve all of this for any e-voting system. Fantastic argument. Really convincing. You may as well have said "Here's how I would attack and infiltrate banking networks or current voting systems surreptitiously. See, we can never trust either of these!" That's just laughable.
> At the end there's a very high chance your election is now fully distrusted and the country is in chaos. Even if it doesn't work 100% of the time it only takes one or two successful events globally for people to distrust these systems, whichever they are.
Clearly wrong as evinced by Estonia's voting system, even in the face of its demonstrated security flaws.
> The scary thing about what I just described is that plenty of it is indistinguishable from what is already happening in some cases in US elections today.
...and it hasn't led to the collapse of the voting system.
> If there are no advantages why do it?
Are you asking what the advantages of e-voting are?
> The difference for eCommerce and eBanking is that under any of those attack scenarios you just go to the bank branch and sort things out, including reverting transactions.
You're assuming banks are always aware of attacks, which is just not true.
> At this point it's on you.
It's not "on me". It's been mathematically proven that a system can possess these properties simultaneously. For example, see
> You've failed to show that receipt freeness introduces something else that fundamentally "breaks" which wasn't in the original system, despite repeatedly claiming this is so (see also "They fix this issue and introduce others", a claim made with absolutely zero evidence).
The issues that are introduced are exactly all that attack surface that I described how to exploit. You keep insisting that the math checks out but that's not in dispute. The mathematical properties of a well designed electronic system are fine. It's the actual engineering realities of such a system that make it massively easier to exploit. All those examples I gave and many more are now failure modes you have and didn't before.
> Are you asking what the advantages of e-voting are?
Yes. I live in a country that has heavily invested in e-government but runs very efficient paper elections. I go in on a Sunday at my convenience and get the results for the whole country 2 or 3 hours after the polls close, extremely accurate predictions maybe an hour after. I know of no advantage electronic voting would bring that would be worth the extra cost, let alone the risk and complexity. It's a (very poor) solution looking for a problem.
It's also important to realize that the mere suspicion of other people selling their votes is enough to undermine confidence in the system.
And confidence in the system is pretty much the only thing you have to optimize for.
But that is still pointless because the person you sold your vote to can be physically next to you, or you can film yourself voting.
Online voting is unsafe, and should only be used if any other option is unfeasible.
If you get 10 years in prison for trying to buy votes, and the government offers a standing reward of say, $100,000 for evidence that leads to a conviction, all of a sudden you have to pay substantially more than $100k/vote, which means that it's completely impractical to engage in.
It's not a problem because there is too much "friction". Vote buying is already not impossible but way too hard to establish itself. When it becomes gradually easier it still won't be a problem, because it is still not yet established. So you allow even more changes that make it easier, because it's not a problem yet. Call it a slippery slope argument all you like, but there is a crazy amount of inertia in the absence of vote buying that is protecting democracy now, but that will turn against us once it is overcome. When barriers are lowered so far that the inertia is overcome, the same inertia will make it incredibly hard to get rid of vote buying again. Keeping honest people honest is orders of magnitude easier than making them if they are not. I would not want to risk it without a promise of truly significant gains and I just don't see those with e-voting.
But vote buying is not even the problem I would focus on. Much more pressing is the form of soft coercion that is enabled by allowing voting in what I would call "unchecked privacy": imagine you are part of a group where everybody assumes that all would vote the same. There is a documented tendency (proudly showing off your ballot on Twitter) to scrap vote secrecy in favor of virtue signaling for "the cause", whatever cause that might be. As soon as there is a group with supposedly aligned opinions, the true believers will tend to erode secrecy and establish an expectation that the others follow. Maybe your spouse won't beat you, maybe your friends won't shun you for insisting on voting in secret, but the easy path is to just go with the flow and play along. "What difference does a single vote make?" Optional secrecy is a serious weakness to the democratic process.
A countermeasure might be an undisclosed deadline lottery: a guaranteed voting window until some time t, then allow corrections until an individually randomized cutoff moment t+x, with a sufficiently big range for x (up to two days, perhaps?). Don't provide feedback whether a correction went through or not to make it even more opaque to a possible buyer.
There is. In the Estonian election it is something like the day before election day. But even if there wasn't, if you need to spend the time and effort to coerce your agent for anything longer than a few hours, buying enough votes to sway any election is going to be unfeasible.
People free from interference would simply make their first vote their real one, cast safely before the earliest possible deadline.
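The undisclosed deadline lottery proposed a few comments up, sketched as an added example that is not part of the original thread or of any real voting system. Deriving the cutoff with an HMAC over the voter ID, the constant names and the sample ballots are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

GUARANTEED_END = 1_000_000      # t: end of the guaranteed window (constructed timestamp, seconds)
MAX_EXTRA = 2 * 24 * 3600       # upper bound for x ("up to two days")


def cutoff_for(voter_id: str, secret: bytes) -> int:
    """Per-voter cutoff t+x. Derived from an election secret (assumption), so it is
    fixed for the whole election but cannot be predicted without that secret."""
    digest = hmac.new(secret, voter_id.encode(), hashlib.sha256).digest()
    x = int.from_bytes(digest[:8], "big") % (MAX_EXTRA + 1)
    return GUARANTEED_END + x


@dataclass(frozen=True)
class Ballot:
    voter_id: str
    choice: str
    cast_at: int


def submit(log: list, ballot: Ballot) -> str:
    """Record every submission and give the same reply, whether or not it will
    count. A buyer watching the voter's screen learns nothing from it."""
    log.append(ballot)
    return "received"


def tally(log: list, secret: bytes) -> dict:
    """Count, per voter, the latest ballot cast at or before that voter's cutoff."""
    effective = {}
    for b in sorted(log, key=lambda b: b.cast_at):
        if b.cast_at <= cutoff_for(b.voter_id, secret):
            effective[b.voter_id] = b.choice    # later valid ballots overwrite earlier ones
    counts = {}
    for choice in effective.values():
        counts[choice] = counts.get(choice, 0) + 1
    return counts


def demo():
    secret = b"constructed-election-secret"
    log = []
    # Constructed ballots: "alice" votes freely inside the guaranteed window.
    submit(log, Ballot("alice", "Y", GUARANTEED_END - 500))
    # "bob" is pressured into voting X, then tries a correction one hour after t.
    submit(log, Ballot("bob", "X", GUARANTEED_END - 100))
    reply = submit(log, Ballot("bob", "Y", GUARANTEED_END + 3600))
    # Only the tallying side can evaluate this; bob and any buyer cannot.
    counted = GUARANTEED_END + 3600 <= cutoff_for("bob", secret)
    return reply, counted, tally(log, secret)


if __name__ == "__main__":
    print(demo())
```

The same opacity that hides the outcome from a buyer also hides it from the voter, which is the trade-off the replies in this thread argue about.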
That entails basically going to people, buying a voting slip and casting it on their behalf. Or better, buying packs of slips from officials. For e-voting it would be the same.
Sure, you can increase jail time and reward revealing it, but that is not a panacea, as the existence of _any criminal activity_ proves.
Politicians also tend to do all sorts of crazy, risky and/or illegal things to get elected or for personal profit. Nixon and Trump spring readily to mind.
If the reward is large enough, someone will risk it. Sometimes the reward doesn't even have to be large at all -- witness rich celebrities shoplifting, for instance.
People can also be compromised and blackmailed into committing crimes, or otherwise feel desperate and at the end of their ropes, so they'll try anything.
That's to say that such laws shouldn't be made, but I am skeptical that they'll be enough.
There are no circumstances where online political voting should be used. Ever.
Keep in mind that you need to check the vote on a different device than what you voted on.
Then you have to trust the system to tell you the truth.
These systems can be hacked or just designed to give you false results in the first place.
I don't know of any reason why it could be accessed, though since parliament is sovereign "if a judge agrees" is always a safe disclaimer to add since the underlying law can be set.
It's hard for me to express what a terrible idea this is. Pray you never get a government that would exploit this.
Historically, vote buying in the UK and the US used to be rife until it was cracked down upon (which came after it was made illegal). Once that happened it completely disappeared.
For voters to sell their votes, somebody needs to advertise that they are willing to buy their votes. That advertisement makes them easy to detect, track down and prosecute.
Vote buying doesn't worry me in this system but hacks certainly do. It gives the impression of being a very insecure system.
Postal voting should be restricted to the certifiably homebound, if it's open to everyone the opportunity for abuse will be taken.
Vote buying could still re-emerge but it can only flourish in an environment where you can do it openly with impunity - i.e. it's legalized or the cops for some reason think they can't touch you.
Your first link doesn't appear to be about vote buying (looks like low level postal fraud which is something else), the second is only about allegations (and again, postal fraud) and the third link looks like a 404 to me. I would be surprised if anybody's seriously attempted vote buying in the UK in the last 70 years.
That isn't necessary to prevent vote buying. Vote buying is easy to detect because advertising in secret is impossible. All that's required is the political will to look for people wanting to buy votes and come down hard on them when they're detected.
Moreover, if you do do away with the ability to track then you open up the electoral system to other forms of abuse that can't be trivially eliminated with police and stiff sentences.
>it becomes totally possible to track you did the vote, give it to the guy who has promised to pay you, forgive your debts, the debts of your son, not beat you up
If I were to define "secretive electoral fraud that could never possibly scale" I would define it as "I promise not to beat you up if you vote for me".
How big is Estonia?
Do you think every election ever held that can be worth money and power is the size of the U.S National Election?
As far as the political will to come down on people for vote buying or intimidation etc. I'm sure that making things illegal when there is a profit to be made at doing it has always succeeded in driving that illegal thing out of existence without any untoward effect on society whatsoever.
I mean definitely making it not worthwhile to buy votes because you will not be able to tell if you got what you paid for seems a more foolproof strategy than make it possible for people to determine what they paid for but threaten to throw them in prison if they do.
on edit: corrected second use of word money to power.
Are you saying that it's small enough that you can sway the election by threatening to beat up every voter?
That's a brave claim.
>As far as the political will to come down on people for vote buying or intimidation etc. I'm sure that making things illegal when there is a profit to be made at doing it has always succeeded in driving that illegal thing out of existence without any untoward effect on society whatsoever.
There is ZERO profit to be made in vote buying if you are thrown in prison after purchasing your 9th vote. You'd have to be enormously stupid to even try.
That's why vote buying doesn't exist. That's why it's not like drugs. It's not because you "can't tell people" who you voted for. It's because it's trivial to detect, easy to crack down on and there's nothing to be gained by risking it. The only time when there was something to be gained by doing it, it was because it was COMPLETELY LEGAL.
Let me repeat that: the only time in history it was ever a problem, it was because it was LEGAL.
I want proof that my vote counted because that helps protect against the kind of threats which DON'T disappear just because they're made illegal. I don't need people like you telling me that I'm not responsible enough to get proof because I might sell it.
>That's a brave claim.
No, generally the way it works is letting the word get out that if people vote for X you will come kick their ass later. For example if you go beat up vocal supporters of X before the election and shout we're going to kill you if you vote for X, we know who votes for who because our hackers can see it online fools. Then people might be, oh I don't want anyone coming by my house and kicking my ass after X wins. So I will either not vote, or I will vote for Y so I don't get my ass kicked or even killed, sob.
If we think you voted for X and we come by your house you better be able to convince us you voted for Y! That actually scales pretty good because you only have to publicly hurt a few people before the election, and then hurt a few people after the election if X actually loses so the next election people will be well I better vote for Y and prove I did it. And people now have to actually vote for Y and show they did.
For example, take the following paper into consideration https://www.aisre.it/images/old_papers/MafiaViolence_Oli&Sbe... and then think, huh what would it be like if they could tell who voted for whom?
I mean the thing you're saying about the only time people ever bought votes was when it was completely legal, maybe that was true - was it also possible to prove who you voted for? I mean I don't know what you are actually referencing with your completely legal vote buying line but the implication that people would not buy votes to get power if it were illegal to do so seems incredibly silly given all the other illegal things people do to get power.
Not necessarily. See https://news.ycombinator.com/item?id=19355603
Of course that requires having the opportunity to vote again, so the solution won't deter anyone determined enough.
With paper ballots that problem exists too when you can authorize another citizen to vote on your behalf (this tends to be limited to one or two extra votes per person).
How does this help you? If someone can coerce you once, they can coerce you again (and coerce you into showing when you voted last). Your assumption seems to be that the person forcing one does not understand the system.
Again, this is no different from using another citizen's mandate to vote for them, and it doesn't scale.
Of course there are plenty of other problems with e-voting that remain unaddressed.
By contrast, I do think high level integrity of a vote is something we should be constantly vigilant towards. Was your vote counted? Was it for whom you wanted it to be? Integrity and validation are areas where e-voting could pull far ahead of traditional paper voting. As a nice thing you'd also have instantaneous and 100% accurate results instead of this silly 'Let's have the supreme court decide who won.' type affair.
To further inculcate the importance of the matter, taking pictures is usually prohibited inside the polling station.
The characteristics of paper elections are well understood and can be shown to be sound very easily to any common citizen. The massive attack surface of electronic elections is poorly understood even by technical people. It's a massive amount of complexity and expense for exactly zero gain.
If I wanted to see paper ballots, how is that different from wanting to see electronic ballots? I'm not confident that I could successfully petition Government for paper ballots just as much as I could sue a given contractor for same electronic records.
I have no such confidence in electronic messages. Unless they're plaintext.
Electronic voting always requires trust in the administrators.
This is not allowed in many jurisdictions. You can watch the before and after part easily, though.
Also, I am a bit worried that online voting might give young tech-savvy people an advantage over old and poor people who don't have access to computers or mobile phones. Have there been studies about demographics in these elections?
The same smart card is used for every online service in Estonia.
96% of taxes are done online.
So online voting is not something new for older people. It is just like every other online service.
Rest in peace, democracy in Estonia.
Well, no, the main proponents of e-voting figured a long time ago that it's easier to eliminate those concerns using propaganda. For example, if you are against e-voting, media will brand you as a backwards russkie who hates Estonia.
But the very basic problems are not talked about, namely:
* Votes should be counted by independent parties while preserving anonymity
* Certificate issuance should be actually monitored by CT logs, every vote that is not in a CT log is dismissed and logged
* Voting code should be actually readable and audited (only opsec has been audited so far)
There are a few other problems but I've forgotten them for the time being. These are the problems we should be talking about, not some bogus like, "Omg how can ten grannies vote quickly online".
> former USSR citizens who lived in Latvia and Estonia and were deprived of the right to receive its citizenship after the collapse of the USSR
What right? Merely living in Estonia doesn't give you any right to citizenship. What's more, it's not that difficult to get citizenship. The main obstacle is learning the local language, as that's part of the test to gain citizenship. All these non-citizens refuse to do so. They take pride in being Russian and speaking Russian. They are openly talking about how great Russia is and how they are waiting for Russia to unite them with the motherland.
Estonia gained independence in 1918. Just because USSR occupied us and transported a bunch of people here doesn't give them any rights to citizenship. The Russian population in Estonia grew from about 23,000 people in 1945 to 475,000 in 1991. Now making up for a whopping 30% of the whole population! This is due to systematic transportation of people as part of Russification where the Russians attempt to eradicate native cultures.
After the collapse of USSR it was possible for them to go back to Russia and/or get a Russian citizenship. Some did that, but all of these non-citizens still left are people who decided that life with fewer rights than citizens in Estonia is better than becoming a Russian citizen and living in Russia.
(Spoiler: Opsec fails begin at 42 min. But watch the whole thing, it's interesting.)
It might be prudent to point out that Estonia is one of the better e-voting systems. Voters can override their e-vote with a regular one on election day. However that just means that other systems are mostly even worse.
Citizens are led to believe the voting system still works as usual but in fact the results are manipulated to keep the same person or group of people in power. Which can probably last for a while. Meanwhile the person/group in power can take control of all parts of the state until it slowly fades into an obvious dictatorship.
This works because most people don't understand technology well enough to understand that electronic voting is very far from secure.
Unless you inspect every voting machine, smart-card reader, internet connection, encryption algorithm, etc. for every election completely, you can potentially manipulate millions of votes from your home from the other side of the planet. Or on a smaller scale, change all votes of one or multiple voting machines.
You don't need to inspect every internet connection, there's HTTPS.
The key is that one should be able to verify one's vote to ensure that it was properly recorded. If everyone can verify their own vote, then they can verify that the voting wasn't hacked. With paper voting, it is impossible to verify your own vote - it is equivalent to tossing it into a black box.
One might say "then people can sell votes!", but as Estonia has done, you can have it so that one can vote multiple times. And of course there should be extraordinarily stiff penalties on anyone buying/selling votes (I'd say minimum $30k or 20% of one's total wealth fine + prison time).
Needing paper ballots is holding back democracy. E-voting would revolutionize democracy and for the first time in history allow a true direct democracy at scale. Of course e-voting cannot be conducted by emailing votes or some other insecure nonsense like that, but it is ludditism to suggest that it cannot be achieved, which many seem to suggest. This kind of thinking is literally holding society back.
Each reporting station must accept observers and counters authorised by each of the interested parties with local representation. It's a big deal when this process is compromised and always makes the news. And these counters and observers are generally your neighbours from the local community so there is some amount of trust already. Further the section count is acknowledged back from the central counter.
HTTPS doesn't have the proper guarantees for this application.
Changing votes doesn't have the proper guarantees that people won't be buying or extorting votes. Not that it matters, because that's not really the biggest concern with evoting.
Penalties also don't matter against a malicious state actor for any abuse. As an example, Chinese spies go after the relatives in China of US tech employees to force cooperation. A state actor can stack the deck without anybody to prosecute even if caught.
I also think this is one thing that also gets more young people to vote. They are familiar with technology and so used to doing everything online. For example I would have not voted for the last couple of elections if digital voting would not have been available.
Also, no method of voting is ever going to be 100% safe. It's not like there haven't been any unfair elections using paper ballots.
See Halter Vote:
https://media.ccc.de/v/31c3_-_6344_-_en_-_saal_1_-_201412281... (starts at 20:26)
They failed on quite some points, I cannot believe they fixed all issues.
TL;DR: It's not that good.
People want convenience. Citizens would like to vote online, and are largely ignorant of the technical challenges that make it impossible to secure, at least on your average everyday Internet connected consumer device.
It's the job of us techies to keep shouting from the rooftops how all these implementations of online voting are deeply flawed and exploitable the same way climatologists have to keep screaming from the rooftops about the damage rising CO2 is causing to our biosphere.
You would have to have an allowance for certain Disabled and Housebound voters and maybe be allowed to miss one election.
I think we have moved beyond that sort of limited franchise.
Btw "active citizens" is a reference to the French revolution
Why are physical barriers restricting public engagement a desirable trait in a democracy?
We could have more direct democracy, with high-frequency referendums, reversible proxies, publicly submitted or endorsed bills. The democracies we have were designed around mechanical limitations, so it stands to reason that (at least some) democracies would change when those limits go away.
That said... there seems to be a dearth of ideas, at least few seemingly useful ones that I ever hear.
If you were making a new constitution for a village or city, what could be done with electronic voting and how does it make it better?
BTW, links welcome.
Bottom line is:
Conservatives / nationalists are preferred by older folks and these parties lobby against anything that can give votes to liberals. They also know that youngsters might skip the voting after all if we would go back to paper voting altogether. Also there will be major reputation loss. But since conservatives are against EU, open-trading and anything outside our teeny-tiny pond they don't give a flying fuck about that.
Just to avoid people collating together all e-voting (voting machines and similar) with the tech that Estonia uses (they call it i-voting for that reason), could the title be changed from "e-voting" to "i-voting"?
Edit: actually, just using the word 'online' seems to make the distinction more clearly.
This would be a vast improvement over our current representative democracy model since we'd be able to hold politicians accountable more easily, lobbyists would be less influential and we could put our voting power behind domain experts for issues of importance.
The German Pirate Party tried liquid democracy, and the result was similar to what's going on in Wikipedia: There's a small set of people with more time on their hands than is good for them or others, and it doesn't take long for them to take over.
She was talking about the FCS and people like Guido Fawkes.
Oh, "Yahoos" refers to Jonathan Swift's Yahoos, not anyone employed by Yahoo.
It's amazing how short-sighted people are.