In Switzerland, some states have run internet voting trials. Recently, the state of Geneva ran one and a citizen was able to vote twice [1]. The administration then fixed the problem by removing the duplicate vote and then told everybody how e-voting was a success.
Of course, some people complained because a system that allows someone to vote twice doesn't work. The biggest problem though was that they were able to fix it by removing a vote, meaning they could identify the votes and remove them without problems.
The bottom line is: from a technical/cryptographical perspective, the system is a joke (and they don't want to give access to the code). And that's my fear with e-voting: it seems like government agencies (and their contractors) have a tendency to screw up very badly when it comes to new technology, at least in Switzerland. And I don't want to vote through a half-assed online system using MD5 and a 64-bit RSA key.
With the going rate of botnets ($0.02 per computer from some quick googling?) and everyone would be voting online.... How much do you want to pay to be the president?
As if nobody would develop rootkits to fiddle with the HTTPS post (or whatever) going to the voting server...
You are making a wrong assumption here. It's no problem that you can identify that someone has voted twice. It would be a problem if that person could prove that he voted for a certain person.
If my vote is encrypted and put in an envelope that has my name on it, then it very very much matters.
If you can find two envelopes with my name, you can find out what my vote is (I mean somewhere there is a decryption key).
Physical voting strips most links out from who voted and what they voted (you prove who you are at the desk then walk in and vote on a piece of paper in no way related to your name).
That is either impossible electronically or relies on unverifiable trust in the code. I know if someone looks over my shoulder. I cannot look at the code running - even if it is open source I cannot see what is really running.
Not sure how it will apply, but in the US, by Federal law, the process for voting in any state cannot be changed any closer than 30 days before the election. The voter ID law in PA was in limbo a month before the election, and had to be deferred because the challenges couldn't be resolved by the early October deadline.
Regardless of how this is couched, I can see the potential for challenges.
I was under the impression that was because the PA law was challenged on discrimination/disenfranchisement grounds which falls under the Voting Rights Act. I want to say certain states do have to get pre-approval before any voting changes under the VRA due to a history of voter discrimination, but I'm pretty sure PA isn't one of them.
Not aware of any blanket deadline on changing voting processes, do you know which law that's in?
There is some stuff in Title 42 Chapter 20 Subchapter I-A section 1973c about alterations that might restrict, but these changes in NJ probably would be construed as extending or preserving the franchise.
My knowledge on the matter is a bit fuzzy and goes back to 2000 with Florida's electors. Title 3 Section 5 seems to cover this, but only lists 6 days before appointment of electors, and 6 days before meeting of electors; and only when controversy arises.
A bit too dense with commas, prepositional phrases and conjunctions for me to decipher. I find D&D easier to understand than US election law.
My problem with "e-voting" has never been the security aspect, but how easy it would be to manipulate. Given how even some elections can be, just getting that last 1% of votes (I know the American system is somewhat different, as you need mandates, not votes, but I'm talking generally) could tip it in your direction. With traditional voting, a person usually has to meet, in person, to vote. With "e-voting" you could easily forge tons of votes, even with actual people, just by social engineering and forging of documents.
Arguably having a "correct" winner matters the least in tight elections. If the margin of victory is as low as 1% then it hardly matters which candidate wins - that election is already subject to the influence of weather, chance, accident and human counting error.
There really is no supernatural magic to democracy that invests within the winner a moral or judgemental superiority. The ceremony and culture we surround democracy with can create that illusion. In an almost holy way, we anoint the winner and assign to them a minor god-like status. Their choice is said to reflect the will of the people, to be the personification of a mandate. But rationally, we should realise that a candidate who wins by 1% is about as likely to lose if the election was run the next day.
What's scary about e-voting is that democracy is really only very good at preventing complete tyranny. Potential tyrants are unlikely to gain enough votes. But with e-voting, errors of 50% are as easy and as likely as errors of 1%.
One problem is that when last-lousy-point fraud is used to tip a tight election one way rather than the other, the election has now provably gone to the party that was willing to win it by unethical means.
What makes you think you have anonymous voting now? You must identify yourself when entering a polling station and each vote is tracked, in the event of a recount.
The same type of anonymity can be provided by an automated program parsing emails that I can write in about an hour.
I'm proud that my state will be among the first to move in this obvious direction. Unfortunate that it had to be under such circumstances.
The fact that I just asked two people who work for the election commission and they confirmed for me that they know that I did vote (which makes obvious sense) but not who I voted for.
You identify yourself to one person that is checking the registry. That person is supervised by another person to make sure there is nothing strange going on there. If OK, you're given a ballot in a plastic holder. After marking ballot, you slide your paper ballot into the secured box by letting it drop out of the plastic container. This means nobody but you saw your choice and now it is mixed in with all of the others. Later, during a recount, they can see who indeed voted, but not who they voted for. They only get the numbers.
Don't worry, I do mean the "cannot" version. Reread my post and note how I described the process. Asking the people I knew who had worked at the election commission in the last few years was only to confirm what I had concluded from my own experiences voting. The method used (in my state at least) does not have a way to identify me personally, even if a corrupt politician stole all the boxes post election and emptied them in his office. So that takes care of the "won't" case vs the "cannot" case.
We cool. Thanks for following up. I assumed too much about your circumstances.
Paper ballots cast at a poll site are the only way to absolutely ensure voter privacy. The Australian Ballot method. The reason it works is because the ballot box scrambles the order of ballots, so they can't be tied to individual voters. (There are some exceptions, like very small precincts.)
Voting electronically eliminates that anonymizing scrambling. If it scrambled the order, they'd never be able to audit the process.
Postal ballots (aka vote by mail) have to be done just right to protect voter privacy. Many jurisdictions don't scramble the ballots because of the added expense.
The difference is that with the current system it takes a significant amount of extra effort (and avoiding monitoring and oversight) to track someone's voting preferences. Whereas with email based voting it takes a significant amount of extra effort and a lot more oversight to create systems which ensure that voting preferences aren't tracked.
Total anonymity is one of those things a perfect voting system would provide, but in reality you have to pick a balance. In the real world, total anonymity is at odds with preventing fraud.
I believe our current system is somewhere in the middle, with moderate anonymity and moderate fraud protection.
Anonymity in voting only applies to your vote, not the fact that you voted. Physical paper-voting gets this right: it's trivial to see how your vote is kept secret and counted, while each entry on the voting lists only gets to vote once.
> The integrity of your centralized program cannot.
Open source it. And not in the traditional sense, either. I mean set up the server to expose source code. Have a 3rd party verify security and integrity.
This is actually much easier to do than in the traditional process.
Please explain how you envision this being implemented.
(Warning: while 'remote attestation' is a valid answer for some assertions, it means that we are once again back to trusting the central signing authority, which might seem less scary, but we'd really be having the same argument at a much more technical and nitpicky level)
> Please explain how you envision this being implemented.
Make the directory containing source code read-accessible using your web server?
There is nothing you can truly implement that can guarantee that the code being executed is the same as the code being exposed, but you can hire a 3rd party to audit the server and verify as much.
So to paraphrase, your answer is "give up, forget about the property that every voter can audit the system, and fall back to relying on a trusted third party to certify the opaque process"? But yet you call it an "obvious direction"? And we haven't even talked about coercion resistance. Hurricane madness indeed.
Please read up on actual electronic voting systems, what properties are expected of them, and what properties the state of the art ones can actually provide.
Diverse double compiling is not "checksums and versioning". You need other compilers from sufficiently different sources as to minimize the chance that they all were subject to the same modification.
Edited to add:
Which is to say, it's actually a pretty cool idea, and not super complicated[1], and amazing it took 20ish years to spot.
[1] Though do be careful; I'm amazed at the number of comments that misunderstand it.
> Diverse double compiling is not "checksums and versioning". You need other compilers from sufficiently different sources as to minimize the chance that they all were subject to the same modification.
I was assuming you would write your own.
Of course, if you keep going along this line of thinking, you end up wire wrapping your own computer and writing your OS and other utilities in assembly.
That only works if you do it in machine code (and your hex-editor is clean). The point of the whole thing is that you can use compilers from untrusted sources, just provided you use several of them, and trust that at least one of the compilers you are checking won't have the same modifications as the others.
> That only works if you do it in machine code (and your hex-editor is clean).
Not necessarily. It would be very hard to get a Ken trojan to propagate if you were to write your compiler in a high-level language such as Python and then use a C compiler to compile the Java runtime which you would use to run a C compiler to compile say Go, then use the Go-based C compiler to compile the Python source, which you would then use to compile gcc. gcc would then compile itself, resulting in an almost certainly clean gcc. If the gcc were compiled by the Go compiler, presumably that gcc would be functionally equivalent to any other gcc binary of the same version. If it's functionally equivalent then when you compile the clean gcc with your Go-compiled gcc, it should be binary equivalent to any other gcc binary compiled with the same compiler, flags, and version.
EDIT: Now that I think about it, you wouldn't need to write your own compiler at all at that point, making your earlier point correct. But I meant something else when I was talking about checksums and versioning.
You then compare the checksum of your final result with the one on the server; if they don't match there's probably a problem.
Another approach would be to use assembly to implement a higher level language such as scheme, and then use that to write a C compiler.
Also, I would pay $50 to see a hex editor or assembler that can detect that it is writing a C compiler in all possible cases and bug the user's final program.
Of course, none of that matters if your hardware has a backdoor in it. So everything enumerated here depends on the assumption that your hardware is trustworthy.
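The diverse double-compiling check argued over above, as an added toy model (not code from any commenter, nor Wheeler's own tooling). It assumes a deterministic build, models a "binary" as a (hash, trojaned) pair, and assumes the trusting-trust trojan recognises compiler source by a marker string; it also covers the case a later comment raises, where only one of several "trusted" compilers is actually clean.

```python
"""Toy model of diverse double-compiling (DDC).  Added example; not code
from the thread.  A 'binary' is (code_hash, trojaned); compiler source is
plain text.  The trojan is assumed to key on a marker string (a real one
would pattern-match the compiler's parser), and builds are deterministic."""
import hashlib
from typing import List, NamedTuple


class Binary(NamedTuple):
    code_hash: str  # stands in for the executable's bytes
    trojaned: bool  # True if this executable re-inserts the trojan


COMPILER_MARKER = "// this is a compiler"  # constructed marker


def _digest(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def run_compiler(compiler: Binary, source: str) -> Binary:
    """Compile `source` with `compiler`.  An honest compiler's output depends
    only on the source.  A trojaned compiler, on seeing compiler source,
    emits an altered binary that is itself trojaned (Thompson's attack)."""
    if compiler.trojaned and COMPILER_MARKER in source:
        return Binary(_digest(source + "\n<<backdoor>>"), True)
    return Binary(_digest(source), False)


def ddc_check(suspect: Binary, source: str, trusted: List[Binary]) -> bool:
    """Wheeler's DDC: for each trusted compiler T, stage1 = T(source) and
    stage2 = stage1(source).  If `source` really produced `suspect` and at
    least one T lacks the suspect's trojan, every stage2 must be
    bit-for-bit identical to `suspect` (here: equal code_hash and flag)."""
    stage2 = [run_compiler(run_compiler(t, source), source) for t in trusted]
    return all(b == suspect for b in stage2)


# Constructed compiler source; the marker is what the trojan keys on.
CC_SOURCE = COMPILER_MARKER + "\nint main(void) { /* parse, codegen */ }\n"

# Compilers used in the scenarios (constructed; 'bootstrap' is a stand-in).
HONEST_CC = run_compiler(Binary("bootstrap", False), CC_SOURCE)
TROJANED_CC = run_compiler(Binary("bootstrap", True), CC_SOURCE)
OTHER_CC = Binary(_digest("an unrelated compiler"), False)  # clean, diverse
SAME_TROJAN_CC = Binary(_digest("another vendor"), True)   # shares the trojan


def scenarios() -> dict:
    """The outcomes the thread argues about, each as a boolean."""
    return {
        # honest binary, clean diverse compiler: stage2 matches
        "honest_passes": ddc_check(HONEST_CC, CC_SOURCE, [OTHER_CC]),
        # trojaned binary, clean diverse compiler: mismatch reveals it
        "trojan_detected": not ddc_check(TROJANED_CC, CC_SOURCE, [OTHER_CC]),
        # every 'trusted' compiler carries the same trojan: check is blind
        "same_trojan_hides": ddc_check(TROJANED_CC, CC_SOURCE, [SAME_TROJAN_CC]),
        # one clean compiler among several compromised ones still suffices
        "one_clean_suffices": not ddc_check(
            TROJANED_CC, CC_SOURCE, [SAME_TROJAN_CC, OTHER_CC]),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

A mismatch only says the binary and its claimed source disagree under some compiler; which side is at fault still has to be investigated, which is why the comparison with the published checksum is the start of the work, not the end.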
Voting is important. (Taking that as a given, I'm not actually sure anymore.)
For a one-off like this, unplanned, I think it's fine to risk a reduction in anonymity, compared to not being able to vote at all. They are where they are, and they have to deal with it today.
To be fair, voters have more to vote on than the presidential election. Maybe that still means lawsuits should be flowing, but I don't think it being a swing state or not is really the issue here.
From what I can tell about this, it seems to work like:
1.) Overseas / abroad resident has to apply for the email ballot. This should go through some sort of human approval process, making sure that the names for those particular voters voting in this method are recorded - to compare against in-person voting locations and ensure no double-voting. Hopefully should any double+ voting occur, this ballot will be invalidated.
2.) They are either faxed or sent, via email, an electronic PDF form based ballot. These PDF forms are true forms in that they allow for the voter to type in entries and save the new version (complete with entered information).
3.) The faxed form would be faxed back, with entries. The PDF version would be sent back, with entries, via email.
Unless Adobe has (once again) extended the PDF format to include encryption of PDF form entries, then yes, the emailed returned ballot will expose the voter's preferences via plaintext transmission.
The only way they'd be able to avoid that would be to have, for instance, an https accessible website that allows for PDF ballot upload. Somehow I doubt this is what they're doing.
That doesn't sound much less secure than how I voted, as an expat.
I did the following:
1) Applied for a ballot by email, using a scanned Federal Post Card Application (FPCA) sent to the county clerk of the county I last resided in.
2) A ballot was sent to me by post. This is just a big piece of paper with some stuff printed on it.
3) I check the boxes I want to vote for.
4) I mail back my ballot.
Overall it doesn't seem much harder to spoof the existing process, since there's no verification of who sent back the ballot. The only security is that there might be various codes (or bar-codes) on that paper ballot which you'd have to know something about to fake.
Computers change the scale of things. With that you would have to print out many forms on paper that was not normal copy paper with identifying barcodes on it and then mail each ballot back after signing the form and marking each form individually. With an electronic version a lot of that hassle is taken out of the equation.
That sounds problematic, but it's probably also important to note that absentee ballots have always prioritized the ability to vote over secrecy and being tamper-proof. When it comes to absentee ballots I think that's acceptable as long as they do not become the default or common way to vote.
Whether that, however, should also apply to electronic means of voting is questionable. Everyone understands papers and pencils. Computers are too much of a black box for me to ever feel comfortable with voting mediated by them.
I love the idea and how this moves us forward. Instead of mailing an absentee ballot, you have identical authentication of e-mailing that ballot instead of placing it in the mail. Despite the complications for privacy, tracking and disenfranchisement, an ID system similar to Estonia's[1] with private-key cryptography would make online voting much more authentic than we currently use (most US districts do not require photo identification at the voting booth).
I've been studying election administration in the USA for a few years, having worked as a poll judge, poll inspector, and observer. I've attended HAVA hearings, EAC hearings, and testified many times. Etc.
New Jersey is now issuing and CASTING ballots electronically. In the clear.
By "complications for privacy", you must mean the complete lack of privacy. There is no privacy. Zero. None. Zilch.
The only balloting system in the USA that preserves the secret ballot is dropping your ballot into the ballot box at a poll site. Because the box scrambles the order. Postal balloting can partially preserve the secret ballot (on the receiving end) if proper rules are followed (but generally aren't). Exactly no electronic system preserves the secret ballot.
You misrepresent the photo identification requirement. Meaning it's a complete non-issue trumped to scare people. In the USA, everyone must first be registered (except in North Dakota?), which establishes your eligibility to vote. On election day, until recently, voters merely have to prove who they are with any form of identification showing their current address. This is mostly to ensure voters are issued the correct ballot (for their precinct).
Knowing what I know about the history of election administration and its current direction, I'm curious to learn what you'd consider "moves us forward"? I'll even give you an out: Anyone advocating any form of electronically mediated voting must admit that it eliminates all voter privacy (secret ballot) and most of the public vote count (ability to audit). So the challenge is to create the digital successor to the Australian Ballot system used in the USA. Something that will give all observers confidence that elections are run clean and fair, despite the loss of voter privacy.
Anything short of that, you're just blowing smoke.
It certainly moves us forward, but I'm not sure I like the direction.
With the traditional (paper ballot) voting there are several principles that are key to the legitimacy of the election process:
1) The paper ballot could be verified by any citizen and doesn't require any specific knowledge. Any voter could be sure that his vote is accounted for correctly. The ballots could be counted and re-counted without any technical obstacles and alterations. Various NGOs, organizations and individuals could act as guardians of the fair and independent process. This is very important as it provides trust in the process by making it more open. It's technically impossible to make the electronic process easily verifiable and tamper-proof. Any verification will require specialized knowledge, automatically barring a majority of the citizens from any verification. In most democratic elections the process is open to participation by the members of the general public as either observers (controllers) or counters.
And I'm not even talking about gaping security problems that have been discovered in the past with e.g. Diebold's e-voting machines [1][2][3] - I never quite understood how the citizens of the USA and the government could accept such a thing in the first place as this undermines the whole election process.
2) The paper ballot leaves a trail that is easy to verify and rather difficult to falsify on a large scale without leaving a ton of traces. This process has been refined and improved for a long time and is quite durable if followed properly. Electronic voting (either remote or using e-voting machines) on the other hand provides lots of opportunities for errors and fraud - software bugs, accidental or deliberate software modifications, poor UX choices, etc. The incentives and the payout of fraud are simply too big.
3) It provides decent protection against double-voting. Double voting with paper ballot is still possible, but is so hard to implement on a scale of any significance, that it's almost pointless.
4) Paper ballot guarantees the secrecy of the voting. This might not seem very important for countries like USA where oppressive regimes are not the norm, but is crucial for other places where vote bullying or outright buying are rampant. Even if I was in USA I'd prefer to keep my political preferences and whom I vote for to myself. I wouldn't want elected officials to use my competitor's services only because the CEO enticed his employees to vote for a particular candidate (yes, I do realize that lobbying and political campaign financing are closely tied in USA, but that's tangential).
The Germans considered electronic voting in 2009 and their Constitutional Court declared electronic voting unconstitutional. The reasoning, in English, can be found on the court's press pages [4].
The technical details of the Estonian system in English can be found on their site [5].
It's a good book. I love the quote about "electronic voting being crack for conspiracy theorists". But the conclusion is correct: Electronic voting cannot preserve voter privacy or ensure the public vote count. So it shouldn't be used. Note that Rubin also worked on the SERVE project for the DoD, reaching the same conclusion. But the money people keep the dream alive.
Ultimately this will end up benefiting the Democrats, since they tend to have a harder time turning out voters, and anything that makes voting easier tends to help them.
We also have Republicans favoring and Democrats opposing laws requiring voters to show ID, because they both know which side benefits in relative terms from making voting more difficult.
I'd love to be able to vote through the internet, with a state-issued certificate to authenticate me. It'll be a while before society's tech savvy enough for this though, so I won't hold my breath.
That sounds like fun, until the old man in the house makes everyone sit down in front of the computer and submit their votes for the "correct" party...
Certs would be fantastic; in my view, they could actually improve the system, because ballots would become read-only, and with the right system in place it would be impossible to "lose" them.
[1] http://www.tdg.ch/high-tech/web/Un-citoyen-a-pu-voter-deux-f... (in French)