Your vote counts (Cryptographic Voting System) (wombat-voting.com)
54 points by Hellcat on March 10, 2012 | hide | past | favorite | 48 comments


The way you do a voting system that works is by copying Canada's way. We don't need computers in voting.

Step one: Public list of every single polling location.

Step two: Communication to the public that observers are freely admitted. Post a notice that some extra women will be needed in some areas since some Muslim female voters only identify themselves to women.

Step three: Public voters list that shows who in the county is eligible to vote.

Step four: Communicate the polling day well in advance. Hire people from the local community to handle the actual taking of ballots.

Step five: Polling day. Starts off with every observer verifying that the serial numbered ballot box is empty. This happens for every box. Person walks in. Every observer increments the number of total people coming in. Person identifies themselves at the registration table with government ID and as a backup, utility bills or statements of note from public members for the homeless (A priest could verify that a homeless person lives in the area, for example. In some places the homeless do not even need to be verified), every observer crosses that person off their own copy of the list. If the person is a female Muslim, only women observers get to verify the identity of the voter. The voter then gets a piece of paper with the options clearly printed in large print and goes to a private place that has a poster that shows how to fill out the ballot. The voter puts an X by the person they wish to vote for. Folds the ballot and brings it to the ballot box. The observers see that the voter put the vote in the ballot box. Once the box is full, it is sealed with a tape that matches the serial number of the box and is left in open view to observers until it is time to open them and count them.

It is now known how many votes are in each box, how many people voted, and the total number of votes for each candidate, all with open access to observers from the public (but more usually, the political parties).

How fucking complicated is that? Paper, pens, ballots, observers; meanwhile we satisfy the only possible complaint (covered Muslim women) while never ever having allegations of ballot stuffing. The only allegation that comes every now and then is the homeless vote, but it really doesn't matter in the grand picture.

Do we have other problems? Sure, of course, yeah. But things like this: http://en.wikipedia.org/wiki/Robocall_scandal happen everywhere and if the public were more informed about our process then they wouldn't happen at all. You can always call Elections Canada to verify a polling station relocation.

Keep computers out of voting. I want every vote counted by humans. Not just paper ballot receipts held to check in case of allegations of voter fraud. No. Observers and humans do the counting. I don't see the point of public encrypted votes.


>We don't need computers in voting.

We don't "need" computers for preparing office documents either, but they sure come in handy. The system you are describing is not perfect and it's misguided to reject suggested improvements out of hand, just because they involve computers. An open, well-designed electronic system can offer mathematical certainty that votes are well formed and well counted (no uncertain marks on the ballot, no miscommunication and mistakes among tired workers at the end of a long day), while vastly reducing costs and human effort.


The beauty of pen and paper is that every person is able to fully understand what is happening. Additionally you do not need to have a strong trust in the implementation of the cryptography or someone discovering a flaw in it.

Large scale voting fraud on pen and paper systems is probably very hard, since you need to bribe a lot of people.

For a large scale attack on computer based voting, you would need to bribe way less people.

If you can prove to yourself after the election that your correct vote went into the system, you can prove this to other people too. "End-to-end verifiable" sounds good at the beginning but makes buying votes possible.

F*ups are just more likely while doing computer based voting.

While paper and pen voting is expensive, it is for sure something I am willing to pay for.


>If you can prove to yourself after the election that your correct vote went into the system, you can prove this to other people too.

The receipt doesn't prove who you voted for, just that the associated vote was counted.

>every person is able to fully understand what is happening. Additionally you do not need to have a strong trust in the implementation of the cryptography

Are you sure you fully understand what is happening with paper based systems? You don't know which people looked at your vote, who they reported to, how the votes were summed up locally, how the information was transmitted to be centralized, who handled this info and how they made their decisions etc. It's actually much easier to understand and trust an open-source computer system than the mesh of social institutions, obscure regulations and personal idiosyncrasies that make the paper systems run. And you do trust your entire wealth to cryptography each time you make an online purchase, you know.

>For a large scale attack on computer based voting, you would need to bribe way less people

No amount of bribes will break cryptography, and proof that the system worked correctly is easy to supply by opening up the machines and software for public inspection. By contrast, we'll never know what, for instance, half a dozen election officials may have discussed in a tiny room (Florida 2000, Iowa 2012) and how they arrived at their decisions.


You are correct, but I want to point out that opening the machine or software for public inspection is not the case. Cryptography and End-to-End Verifiable Voting give you the privilege not to trust anyone with the results, not even the designers of the system (not because you can see the code; most people won't understand what it does anyway), and even if you don't know anything about software you can always find a professional of your choice who would do the verification for you (simply write a program that counts the votes and verifies the zero-knowledge proofs after the election is over; before it's over the key is unknown), much like the way people can choose their own doctors.


You are right about "end-to-end verifiable". I misunderstood that.

About understanding what is happening, I have to say: No, I do not know every detail on how we do it in Germany. But I would say that I have a pretty good overview and trust in the system. We had minor election related scandals, but never on a larger scale. Everything happens under the eyes of many. Those many consist of volunteers. When I go to vote, I know some of them personally. If somebody does not know how our system works, it is at least possible for him/her to find out and fully understand. There are some complaints about our system, but none are about the risk of large scale fraud.

I don't know much about how you do it in the US. I heard that it is more complicated than ours, and that using a computer would help a lot. But as I said, I would prefer to get the job done manually. It is possible. It worked before.

About online shopping. It is a trade-off.

I know I should not trust my computer. I know the current state of how we use SSL and our trust in different CAs is pretty bad. But I am still doing it, since I hate to go shopping in real life. For me it would be much more risky to get into my car and drive to a shop. I would not want to trust my computer and the current state of how we use crypto with everything in any case.

I was more about bribing people to make mistakes during the implementation. And do you know for sure that there is not yet a quantum computer in some kid's basement? :)

In some cases like "xor" with a random key, you can prove that the crypto is unbreakable. But the way people use it is often faulty. There are certain requirements that apply to the key and without them, the method is not secure any more. In other cases like RSA, there is no real proof that it is working. It is hard to prove that nobody will figure out a highly efficient way to do prime factorization. All we know is that many people tried and failed.

Public inspection of those computers is not really possible. How do you trust the hardware? It is easier to show that something does something. But it is hard to prove that something is not doing something. We would use computers to do the calculations that prove that our votes are ok... so we need to trust those machines again...


In the worst scenario the privacy of the system may be breached but the integrity of the system is always preserved. Let us emphasize this a bit more. Let us consider the unlikely, worst-case scenario where a hacker gets full control of both the software and all the secret keys of the system. Even in this case, the system guarantees that if the hacker tries to change the posted votes or the tallied result, then auditors would detect the attempt and reveal the forgery. Thus, if the elections pass audit and are successfully verified by voters, then voters can be assured that the election results are correct.


The problem with this strategy is that people can create boxes filled with votes in advance. Add/remove/swap boxes to shift the election in your favor.

Also when there are reports of voter fraud it's really difficult to figure out who cheated and in which regions/districts. You can't tell by the ballots (pieces of paper) if they got there legitimately.

Electronic voting, if done right, should be a lot safer than a paper ballot system.


Voting by paper as described is how it's done in most western countries for years and years. In general there are very few accusations of voting fraud.

This is because - among other things - the system is transparent to everyone involved.

You are trying to fix a problem which doesn't exist - and you are fixing it the wrong way. E-voting opens up a huge amount of possibilities of cheating and worst of all it is going to be even more difficult to find out when it happens.

Worst of all, the entire process will no longer be transparent to the layman...


I agree. Voting is not a technical endeavor. It's a human endeavor. Trust.

I suspect it might have the added benefit of putting some of the partisans in the same room and making them work together. It's hard to vilify someone to their face, and/or when you are working with them for the entire day.

As for the convenience factor. If we are truly to govern ourselves, surely that endeavor merits a bit of time and effort. To borrow an aphorism, "Penny wise, pound foolish".

We should be sure to make time for people to engage in the process, and to ensure to their satisfaction that it is fair.


I trust code I can see and analyze much more than 1000's of strangers of dubious intellect, ethics and often clear partisan motives and incentives for fraud.


Creating boxes filled with votes (and swapping them out for actual ballot boxes) would be a lot harder than you'd think. As someone who's spent a lot of time scrutineering elections, here's how the day runs down.

1. I show up before the polls open, sign myself in, and have the opportunity to look inside each of the ballot boxes. Once I (and other people from other parties doing this) all agree they're empty, the boxes are taped up and the polls open.

2. Over the course of the day, people come and go and vote. At any time, I can continue to be sitting and walking around the room supervising things.

3. At the end of the day (when the polls close) the deputy returning officer closes the doors, leaving only the election workers and any observers inside the room. At that point we (the DRO and the scrutineers) go from table to table verifying that the tape is intact, cutting it open, dumping the pile of ballots on the table, and verifying that the box is empty.

4. The clerks for each poll count the ballots. It's rare for there to be disagreements on who a vote should count for (all ballots look like http://www.elections.ca/content.aspx?section=vot&dir=yth..., with that circle on the right being about an inch in diameter), though it happens. When it does, we (the representatives of the parties) discuss who we think the vote was for, but ultimately the poll clerk decides. Generally one of the partisan observers objects to this, which is noted in the log.

5. Once all the ballots are counted, the poll clerks fill out a mathematical worksheet to make sure all the numbers (ballots counted, electors checked off, unused ballots, and ballot stubs) match. About half the time these numbers don't, so we recount everything a few times until they do.

6. Each partisan representative gets a carbon copy of the official return form (specifying the result of the poll), and witnesses the DRO calling the results into the regional office.

7. Everything is packaged up on a per-poll basis (used and unused ballots, paperwork, etc.) into a nested series of plastic envelopes, which everyone signs along the seals. These are kept for a few years for auditing.

One of the main benefits of this system is that it's dead-simple, and the counting can be explained to anyone - which is something that many proponents of cryptographic voting don't sufficiently take into account. As for making it difficult to trace back where fraud took place, I'd say that's almost a selling point. If you could work backwards to exactly where someone faked something, it seems like it would be only a small step further to be able to work out who people individually voted for.


What happens if someone covertly breaks the seal on a box with the intention of simply invalidating the ballots inside? In some areas, votes tend to go one way or the other depending on the time of day. You might be able to exploit this fact and attempt to invalidate boxes that favor a particular party.


Yep, this is an endemic problem with end-to-end verifiable elections everywhere: it is easy to invalidate whole segments of votes. For example, in the wombat voting scheme, if one of the people who holds a decryption key refuses to divulge it, perhaps by "losing" their key, they can invalidate the whole election. Typically to minimize the chance of this happening you make sure that everyone with a key has a strong commitment to the election and make not divulging the key a public shaming event. "OMG, the Democratic Party refuses to decrypt the vote in this Republican-dominated area -- they must be corrupt!"

It's an awfully sticky situation, because the A (availability) in the CIA principle is so critical in elections, where it typically is compromised the most in encryption schemes. (i.e. Quantum Key Distribution ensures that Eve can't listen in on communication, but doesn't do much to stop Eve from making communication impossible).


Wombat is using threshold cryptography. A threshold cryptosystem works like this (in short): in order to decrypt an encrypted message, a number of parties exceeding a threshold is required to cooperate in the decryption protocol. Meaning, before the election has started a threshold is set; let's say there are 4 candidates, you can agree that 3 of the candidates are enough to decrypt the votes. Also... don't forget the paper backup, you can simply count those.
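The 3-of-4 threshold described in the comment above, as an added example that is not part of the original thread and not Wombat's code: a Shamir secret-sharing split of a constructed election decryption key over a prime field, showing that any three candidate shares reconstruct the key while two do not. The field prime, the key value and the candidate names are assumptions; Wombat's actual threshold scheme may differ in its details.

```python
import random

# Prime modulus for the share arithmetic (constructed choice: the Mersenne
# prime 2^127 - 1; any prime larger than the secret works).
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial given as [a0, a1, a2, ...] at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, threshold, num_shares, rng=None):
    """Shamir split: hide `secret` as a0 of a random degree-(threshold-1)
    polynomial and hand out the points (x, p(x)) as shares."""
    if not 1 <= threshold <= num_shares:
        raise ValueError("threshold must be between 1 and num_shares")
    rng = rng or random.SystemRandom()
    # Non-zero random coefficients keep the polynomial at full degree.
    coeffs = [secret % PRIME] + [rng.randrange(1, PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, num_shares + 1)]


def reconstruct_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.
    With fewer than `threshold` shares this yields a value unrelated to the
    secret rather than an error; that silent failure is the point of the scheme."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def election_demo(threshold=3, candidates=("A", "B", "C", "D"), key=0xC0FFEE):
    """Split a constructed election key among the candidates and report
    which coalitions can decrypt (i.e. reconstruct the key)."""
    shares = dict(zip(candidates, split_secret(key, threshold, len(candidates))))

    def coalition_can_decrypt(names):
        return reconstruct_secret([shares[n] for n in names]) == key

    return {
        "three_of_four": coalition_can_decrypt(candidates[:3]),
        "other_three": coalition_can_decrypt(candidates[1:]),
        "only_two": coalition_can_decrypt(candidates[:2]),
    }


if __name__ == "__main__":
    print(election_demo())  # three_of_four and other_three True, only_two False
```

The availability concern raised earlier in the thread is visible here too: with the threshold at 3 of 4, one candidate "losing" a share does not block decryption, but two candidates acting together still can, so the threshold is a trade-off between collusion resistance and resistance to withholding.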


This is what I DON'T like about paper and pen methods of voting: "About half the time these numbers don't, so we recount everything a few times until they do." There are errors. How can you guarantee that when the numbers finally do match, there still aren't any errors in the count? Maybe +1 was added to a candidate, -1 for another, and now the numbers match.


You don't need to copy Canada's voting if you want to have a successful election. The Wombat system is very simple to the voter since he does exactly what he would do in any other normal voting system (e.g. Canada's). But here is where everything gets even better: using the Wombat system, any voter can verify that the machine didn't fool him, meaning that every voter, after he votes, gets a paper with 2 things printed on it: 1st is the voter's choice encrypted and the 2nd is the voter's choice in cleartext. The voter folds the cleartext so no one will see what he picked, and then, after the voter voted using the old system of putting the vote in a box with all the other votes, he is left with a receipt, the encrypted cleartext part. This way, he can verify later that his vote has been counted. Wombat gives the power to the voters; they don't need to "believe" or "trust" that their vote was counted. They can VERIFY it.


How do you verify your vote was counted correctly?


Using the Wombat system, your encrypted vote (not the plaintext!) was uploaded to the site; no one knows WHO voted this way, and no one knows whose vote that is but you. You get a hash (a short sequence of a-z A-Z 0-9 characters) that you submit to the site, and the site "fetches" your encrypted vote. Remember, no one (not even the Wombat system) can decrypt your vote. This can be done ONLY when all the candidates are gathered together, everyone shares their secret key and Wombat combines all the secret keys into one key that can decrypt the votes and count them. And not even then can anyone know what you (!) voted, because all the votes are detached from any "owner".


> I want every vote counted by humans.

Then you have to trust these humans to count accurately. Many people don't.


I think we can safely assume that the number of votes inaccurately counted is not statistically significant. In the cases where a tie is present a second or even third count usually takes place.

I will trust this system of humans counting any day over a sum function in a database implemented by a private company with their own agenda


> I will trust this system of humans counting any day over a sum function in a database implemented by a private company with their own agenda

How about over an open source one? I have occasionally thought of starting a kickstarter for an open-source voting system. It would be completely open, even down to choosing an open-source processor, and completely and transparently audited.


The point is not open source code. You still have to place trust in the system and the people executing it. While this is also true for a paper based manually-counted system, the latter is so transparent to anyone that cheating becomes very very difficult.

Source code will never be transparent to anyone but programmers.


> I will trust this system of humans counting any day over a sum function in a database implemented by a private company with their own agenda

You don't have to trust a proprietary sum function. That is what crypto voting is about.


I admittedly don't know much about crypto voting. What I do know is this:

When the entire process is analog I (and everyone else) can transparently verify what is going on. From when I submit my vote to when it is counted, so many people are involved from all political parties that cheating becomes virtually impossible.

Once you start to digitize the process you lose transparency completely. I can not see what is going on. The counting is computerized. I have to place trust in whoever implemented the algorithm. Also since I don't know much about crypto I even have to place trust in the guy telling me he did it right.

I lose my ability to verify that the process is running untampered... and I'm a clever guy. I know CS and math and what not. Imagine the alienation of common people without IT education.

Voting is just one of those things that should not be computerized - there is no benefit. The current model is even costless since the people involved in the administration of votes and counting are volunteers (at least in DK).


As we do it in Spain and I think in most western countries, there is more than one person counting the votes and each one controls the others, verifying that it is correct. There are even people from different parties surveying the count.


How can you trust the group counting the votes? Just because somebody proclaims to belong to another party?


They are designated by the party, not just people who walked in and declared they will be observing the voting process on behalf of the party.


And the non-party people are chosen at random from inhabitants of the area; they pay you a misery and most of them don't want to be there. They just want to finish, and if no one says anything and everything is correct they go home; if not, maybe they have to begin again to count, so they are motivated to do it right.


You are right, you can't(!!!) count on people to count the votes correctly. Many of those people have better things to do, and simply want to go home to their families. That's where the Wombat system excels!


>The checking algorithm can either pass or fail:

>If the plain text does not match the cipher-text on the ballot printed in Step 2, the inconsistency is revealed and the voting machine is disqualified.

>Otherwise, the ballot is consistent. The voter goes back to Step 2 to vote with another ballot (because an audited ballot cannot be used for voting).

So... how do you know that your current vote was recorded correctly? If auditing destroys your vote, then you have to go back and do it again, trusting that this time it will be correct. Since you'd have to go vote again, I doubt very many people would actually audit the results, so you could probably still sneak bad machines into the smaller and less techy areas of a country.

edit:

>A simple statistical calculation shows that very few audits (of about 1-2% of the votes) suffice for catching a cheating (or bogus) machine.

Seriously? You think 1-2% of voters will press the audit button and perform their own side decryption process with a trusted device?


You verify the votes to ensure that the system is working correctly. Wombat allows voters who suspect that the machine is not working correctly to audit, but it is not necessary for voters to verify. It is sufficient that supervisors do so occasionally, and having inspectors randomly audit about 1-2% of the ballots is very reasonable.


Because supervisors are never suspect. It's not the machines people worry about, it's the people programming and tending the machines. So to catch a supervisor, you'd need 1-2% of voters to audit the machine... which I find extremely unlikely to ever occur.


You seem to be confused about the role of a supervisor. It is the supervisor that is supposed to make sure that the programmers and tenders did not do something improper.


One big problem with voting (as seen in the last couple of contested elections (everywhere)) is that we mostly witness how people vote in big cities, leaving small towns unattended, where most of the fraud occurs.

Fraudsters will leave big cities untouched so people's choice win by close margin and therefore they can't complain about the voting system, inflating ballots everywhere else, sometimes seeing statistically improbable 80% or 90% votes favoring the surprisingly elected incumbent candidate.

Happens in both sides of the pond...


I think that for voting to work well it has to be completely anonymous. So you can vote the way you want and nobody can prove you voted for the wrong guy.

Otherwise your Friendly Neighborhood Thug can drop by the day before the election and kindly ask everybody to vote B. He'll come back the day after the election to check the receipts and punish those who didn't vote the right way.


Using Wombat you can't convince someone ELSE that you voted the way he wanted you to vote, but you CAN convince yourself that your vote was counted! Wombat also offer a verification mechanism, if the voter is unsatisfied that the system actually counts correctly. What it does is it encrypts the vote and then asks you if you want to verify that it was correct. If you do, it will print the decrypt key onto the ballot, rendering the ballot unvotable (because it can be decrypted), but you can then decrypt the encrypted text and see that it matches the plaintext. You don't even need to trust the machine itself :)


It is not the voting system that needs to be changed -- counting and sorting is an embarrassingly parallel problem -- it is the voter or at least the distribution of votes. It is simply insane to give a homeless alcoholic the same influence on how the country should be run as you give a chemistry professor, a factory worker or a librarian.


I challenge you (or any HN reader) to describe the implementation of a function that would accept an individual and yield the weight their vote should carry.


I wonder why nobody has thought of an all-year online secure voting season. Like GRE tests are taken, you are allowed to vote anytime you want and you will get 10 votes per season (4 years etc). There will be public voting booths for people who do not have internet access; the rest will use some security-protected website.


Reminds me of this TED talk by David Bismark from 2010: E-voting without fraud (http://www.ted.com/talks/lang/en/david_bismark_e_voting_with...)


I contacted them; but I don't see how I can implement this in my city.

I think the key to something like this ever taking off at the national level is smaller progressive towns implementing it locally and people eventually demanding it.


Wombat was used in 2 different elections in Israel this year.


An earlier, similar system with similar goals: http://scantegrity.org/index.php


Brazil has been using electronic voting machines since 1996. The ballots are used for both local and national elections, and the 2005 disarmament referendum.

You don't get any receipt to check later (aside from the one that proves you voted, because voting is mandatory), and yet I don't remember the population ever distrusting the electronic system.

TV covers the election with up-to-the-minute results as the ballots are closed, and the winner is known on the same day, which is a nice plus.


The big issue I see with this system is that the audit ballots are invalid. This means the developer only has to ensure that the audit system works. They can do whatever they want with the rest of the ballots since they can not be audited.


I'm glad you raised this question, because I'm sure most people will think that. The fact is that the system doesn't act any differently in the 2 cases (audit and real): in both cases it FIRST prints the encrypted vote (and now the voter can actually see his vote hanging out of the machine, but he still can't touch it), and then it asks the voter if he would like to verify (audit) or not (real). If he chooses to verify, the machine will print the key to decrypt the encrypted text and then the voter can verify that what was encrypted was really what he voted for. If he chooses not to verify, it will print the cleartext (unencrypted). Notice that for the machine to "fool" the voter it needs to predict when a voter will choose to verify or not with 100% accuracy, because if 1 voter finds that what was encrypted wasn't really his choice, then the whole election is a sham and can be closed, ignoring all votes.
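The cast-or-audit mechanism argued over in the comments above (the "go back to Step 2" objection, the 1-2% audit figure, and the point in the comment just above that the machine must print the encrypted vote before it learns whether the ballot will be audited), together with the receipt-lookup step described earlier in the thread, as an added simulation that is not Wombat's code and not part of the original thread. The "encryption" here is a keyed hash commitment standing in for Wombat's actual ballot encryption, the candidate names and the rigged machine are constructed, and the closed-form survival probability (1 - f*p)^N assumes that each ballot is audited independently with probability p while the machine flips a fraction f of ballots.

```python
import hashlib
import os
import random

CANDIDATES = ["A", "B", "C"]  # constructed candidate list


def commit(choice, key):
    """Stand-in for ballot encryption: a keyed hash commitment to the choice.
    Without `key` the value reveals nothing useful about `choice`; with it
    anyone can recompute the value and compare."""
    return hashlib.sha256(key + choice.encode()).hexdigest()


class VotingMachine:
    """Constructed machine; cheat_fraction > 0 models a rigged one that
    silently swaps a share of ballots to another candidate."""

    def __init__(self, cheat_fraction=0.0, rng=None):
        self.cheat_fraction = cheat_fraction
        self.rng = rng or random.Random()
        self._pending = None

    def print_encrypted(self, choice):
        # The machine must commit to a ciphertext BEFORE it learns whether
        # this ballot will be audited or cast; that ordering is what makes
        # the audit meaningful.
        actual = choice
        if self.rng.random() < self.cheat_fraction:
            actual = self.rng.choice([c for c in CANDIDATES if c != choice])
        key = os.urandom(16)
        ciphertext = commit(actual, key)
        self._pending = (key, ciphertext)
        return ciphertext

    def audit(self):
        """Voter chose to verify: reveal the key. The ballot is now spoiled."""
        key, _ = self._pending
        self._pending = None
        return key

    def cast(self):
        """Voter chose to vote: the ciphertext goes on, the key stays secret."""
        _, ciphertext = self._pending
        self._pending = None
        return ciphertext


def audit_ballot(intended_choice, ciphertext, key):
    """What the voter (or a helper of their choosing) recomputes on audit."""
    return commit(intended_choice, key) == ciphertext


class BulletinBoard:
    """Public list of cast ciphertexts, looked up by a short receipt hash."""

    def __init__(self):
        self._entries = {}

    def post(self, ciphertext):
        receipt = hashlib.sha256(ciphertext.encode()).hexdigest()[:12]
        self._entries[receipt] = ciphertext
        return receipt

    def lookup(self, receipt):
        return self._entries.get(receipt)


def survival_probability(n_ballots, cheat_fraction, audit_rate):
    """Chance that a machine flipping `cheat_fraction` of ballots is never
    caught when each ballot is independently audited with `audit_rate`."""
    return (1 - cheat_fraction * audit_rate) ** n_ballots


def run_election(n_voters, audit_rate, cheat_fraction, seed=0):
    """Simulate voters who audit at `audit_rate`; stop at the first caught forgery."""
    rng = random.Random(seed)
    machine = VotingMachine(cheat_fraction, rng)
    board = BulletinBoard()
    receipts = []
    for _ in range(n_voters):
        choice = rng.choice(CANDIDATES)
        ciphertext = machine.print_encrypted(choice)
        if rng.random() < audit_rate:
            if not audit_ballot(choice, ciphertext, machine.audit()):
                return {"caught": True, "cast": len(receipts)}
        else:
            receipts.append((board.post(machine.cast()), ciphertext))
    # After the election every voter can check that the ciphertext behind
    # their receipt really is on the board (the "hash lookup" step).
    found = all(board.lookup(r) == ct for r, ct in receipts)
    return {"caught": False, "cast": len(receipts), "all_receipts_found": found}


if __name__ == "__main__":
    print(run_election(5000, 0.02, 0.0))       # honest machine, never caught
    print(run_election(20000, 0.02, 0.05))     # rigged machine, caught early
    print(round(survival_probability(10000, 0.01, 0.02), 3))
```

The simulation makes the two sides of the argument concrete: with only 2% of ballots audited, a machine that alters 1% of 10,000 ballots still survives about 13% of the time, while a machine altering 5% of 20,000 ballots is caught almost immediately, and an audit never costs a real vote because the spoiled ballot was never cast. What the code cannot show is the social question the thread raises, namely whether voters or inspectors actually press the audit button at that rate.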


So nice to see an IDC Herzliya project in here.



