If there were one aspect of electronic voting I could change it would be the following: allow electronic votes to be reviewed by each individual at a later date, from two independent organizations. Each vote gets sent to two independent electronic counting organizations, and each lets you verify your vote after the election, with an (anonymous) confirmation number issued at voting time.

If enough people cry foul to rule out a large group collectively lying or forgetting their confirmation numbers, fraud would be much easier to establish and localize. Moreover, requiring each independent database of votes to match to within some margin would also decrease the likelihood of fraud by requiring collusion between both organizations.

EDIT: Note that the confirmation number would be issued to you anonymously and sans receipt - there would be no way to prove your vote - you could have found some random confirmation number, and no recourse for a single citizen crying foul. The point, rather, is that if several hundred or thousand individuals noticed that their vote seemed to have changed, the likelihood that they were all making it up or forgetting their confirmation numbers would decrease substantially.

Definitely not! It's a secret ballot -- you cannot have any way to prove which candidates you voted for.

There is plenty of research and sample implementations of electronic voting schemes in which the final outcome is verifiable without anyone being able to see anyone else's vote.

As an example, I worked with Michael Clarkson on an implementation of Civitas: http://www.cs.cornell.edu/andru/papers/civitas-tr.pdf

Agreed. There are a couple of other papers as well.

The problem is they are far too complicated to explain to voters which makes them unlikely to be adopted and unlikely to be trusted. Having a secure vote is obviously the primary goal, but having a vote that people trust is pretty important too.

They're not necessarily so complicated. For example: you get a receipt, check it, and put it in a box. Another voter takes it home and can validate it against the official count.

This system was designed by a couple cryptographers, one of them Ron Rivest of RSA fame. For details on this and a couple other simple voting systems, see here: http://rangevoting.org/RivSmiPRshort.html

I haven't looked at Civitas. The other crypto based voting systems I did study don't actually hide voters' identities in real world elections.

The trick to these systems is there's some one-way hash done. This requires a lot of ballots, with enough hash collisions to ensure one's ballot gets lost within the herd.

Alas, elections in the USA are precinct-based, typically 1 to 1,000 voters in size. And our ballots are complicated. My ballot this election had 20 issues.

So combinatorially, it's very likely my ballot will be utterly unique within my precinct. Meaning my ballot is not secret.

This is all totally irrelevant - I speak as a former candidate for both the UK and Scottish Parliaments.

The count needs to be verifiable, and needs to be simply comprehensible.

The paper process has the following check points:

* the ballot box is seen to be empty at the beginning of the process

* the turnout can be collected and collated by the candidates' nominees during the day

* the first count is the ballot count which the candidate's nominees can check against the recorded turnout

* the papers are sorted for the second count, publicly - and the candidates' nominees do what is called 'a box count' from which we can predict the final result

* the ballots are bundled and tallied in public

* disputed papers are agreed by the candidates and the candidates' representatives

* the candidates have an automatic right of recount if the margin is below a certain amount, and at the returning officer's discretion otherwise

On top of that we have collected voter id information and reading cards so we can estimate the result based on the marked register after the event.

What this means is that not only is the result verifiable, it is publicly verifiable by almost anyone with basic high school maths.

The reason this is important is because I have worked elections with Nazi candidates - and I worked in Belfast when the civil war was on and the degree of trust across the political communities was very low.

The critical purpose of the public count is not to establish who has won the election, but to bind the losers, and their voters into the result.

If I had to stand up on a platform and the Nazi said "they used these machines to take away our vote" and my only response is to start talking about how there are some papers that show if you have hard to factor prime numbers you can generate some low-collision hash or some other random klingon space talk, then it is game over.

The proportion of the UK who withdrew their consent to be governed during the 30 years of the war in Ireland was less than 1% - rising to 10% of Northern Ireland. Making it easy for a tiny number of people to be pulled out of consent by political extremists is crazy, crazy, crazy.

The 2007 Scottish Parliament election in the UK had a crappy ballot (edited: originally said 9%, which was wrong; an error rate 4 times higher than expected - think of Florida's hanging chads across the whole country). If 26 votes had gone another way in one constituency we would have had a Labour Government not a Scottish National Party one.

This ballot paper was combined with electronic counting and it was a total shambles.

As a tallyman on the night I could not endorse or verify the result at all - we had no idea what the result was - except what the machine said it was. Everyone was all geared up for legal challenges - but the leadership of the two parties got together and agreed that everyone should walk away and we would let the chips fall as they did.

I never want to see that again - and we don't hate each other in Scotland like you Americans do.

Paper ballots, paper counting is the way to go. (Don't get me started on how your electoral boundaries operate - or the fact that you don't have an independent electoral commission).

I strongly agree with everything you said, and am thus interested in learning more. I had no idea the Scottish election was so ridiculously bad. Is there anyone campaigning against this in the UK I can donate money to, or lend my support to?

Paper ballots (and the process you outlined behind them) are important to prove beyond all reasonable doubt to the losers and their voters that the election was fair. The primary purpose of an election is to be seen as fair. Any reasonable doubt at all and legitimacy is quickly eroded and then you may as well not have bothered with democracy at all.

There was an independent inquiry - the results can be read here: http://www.electoralcommission.org.uk/__data/assets/electora...

On reading it I see that I have misrepresented the figures from memory:

* 2.88% of regional/list ballots were invalid

* 4.075% of constituency ballots were invalid

* 1.83% of local government ballots were invalid

These were against a historical spoilt paper rate of about 0.66%

The regional and constituency ballots were on the same physical piece of paper and if you voted a full ticket (eg SNP/SNP or Labour/Labour) there was only one way to do it.

For small parties (Greens, SSP) which only ran on the regional list you had to split the ticket. And there was one valid way to vote Labour/Green and one invalid way - so the small parties were much more liable to get invalid votes. The number of independent/small party MSPs was lower than expected.

Thanks for the link.

Yup. I'm totally, utterly against electronic voting of any form.

I'll weakly support ballot optical devices at poll sites in many USA jurisdictions, because our ballots can be quite complicated, until someone shows me that hand counting is generally feasible. With 30 issues on a ballot, sort / stack / count can get ugly.

Aside: Thank you for your work on elections. I wish more geeks would actually work an election, or at least observe, before spewing about how to fix voting systems.

The key observation is that, since counting votes is an inherently distributed problem (with a comparatively simple centralized step at the end), you can always deal with it by adjusting the number of polling stations.

I can speak for what happens in Portugal. We use the d'Hondt system with paper ballots, and it is not uncommon to have around 15 candidates on a ballot in certain elections, though we have no write-ins - only one checkbox per candidate.

In the last elections there were about 4,000 polling stations. Since about 6,000,000 people are allowed to vote, this is around 1,500 people per polling station on average (obviously, the distribution is not uniform). Turnout seldom exceeds 50%, so in practice the number of votes is much smaller.

Votes are counted by hand - no automation at all - at each polling station. Usually, within about 5-6 hours 99% of the votes have been tallied, with the remainder finished by the morning after.

I would say it is demonstrably workable to count votes by hand, even with a large number of candidates. I concede that write-ins may present a difficulty, but honestly: since (afaik) in the USA you can only vote on designated candidates, how difficult can it be to have all of their names appear on the ballot?

It's not that simple.

In the US, I think most places let you write in whoever you want. If they get enough votes, they win. Google "Lisa Murkowski".

The other problem is that unlike parliamentary systems, in the US we vote for multiple things and not which party/who your MP is. These are some of the things on the ballot:

1. President & VP
2. Senator
3. Congress Representative
4. Judges
5. Ballot measures

Unless each of these is on a different sheet of paper, counting them might be hard. Don't get me wrong though. I think that we should be using paper ballots. What does it matter if it takes 2 days instead of 1 to figure out who won.

> In the US, I think most places let you write in whoever you want. If they get enough votes, they win. Google "Lisa Murkowski".

Yes, I would imagine write-ins could complicate the situation considerably (thanks for the link, btw!) - though, if the proportion of write-ins is small, it probably won't matter much.

> The other problem is that unlike parliamentary systems, in the US we vote for multiple things and not which party/who your MP is.

This also happens in Portugal; we do use different pieces of paper (and different ballot boxes) for each of the positions we are voting for.

> I think that we should be using paper ballots. What does it matter if it takes 2 days instead of 1 to figure out who won.

Yes, I totally agree with you. There are more important things than a speedy count, and resilience to fraud is certainly one of them. And as far as costs go, they are probably dwarfed by the amount spent on the campaign. I really don't understand why anyone would be so eager to speed up the process, except for shady motives.

In Sweden people can also write whichever party they like and there are no problems counting those votes by hand. We get the preliminary result after 3 or 4 hours, and then they are all recounted the next day.

And, yes, we use one sheet of paper per election. On election day there are three separate elections (municipal, provincial, parliament) and optionally one or more referendums.

You have a much higher number of elected officials than we do in Scotland - we actually have the lowest proportion of the population as elected officials in Europe - so I sympathise. Some of our elections use the d'Hondt system which is a nightmare to count as well...

> I wish more geeks would actually work an election, or at least observe, before spewing about how to fix voting systems

It's the same every election - a hundred irrelevant cryptographic schemes...

> "So combinatorially, it's very likely my ballot will be utterly unique within my precinct."

I don't think this is true, since there's a massive correlation between ballot positions and they're not randomly distributed. Since the parties tend to take positions on amendments, bonds, and issues, that correlation extends to those as well.

There are certainly going to be unique ballots per precinct, and really tiny precincts like Hart's Location and Dixville Notch or whatever are subject to it too, but it's not "very likely" for the average US voter.
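The two posts above disagree on whether a 20-issue ballot is likely to be unique inside a 1,000-voter precinct. The following added example (not code from the thread) simulates both assumptions: independent coin flips per issue, and voters who start from one of two constructed party slates and deviate on each issue with an assumed 5% probability.

```python
"""Is a 20-issue ballot likely to be unique inside a 1,000-voter precinct?

Added illustration for the two posts above; it is not from the thread.
Model A follows the "combinatorially unique" intuition (every position is an
independent coin flip). Model B follows the objection that positions are
correlated: voters start from one of two constructed party slates and deviate
on each issue with a small, assumed probability.
"""
import random
from collections import Counter

N_ISSUES = 20     # the thread's example ballot had 20 issues
PRECINCT = 1000   # upper end of the "1 to 1,000 voters" precinct size

# Two constructed slates: slate 0 says yes on even-numbered issues, slate 1 on odd.
SLATES = (
    tuple(i % 2 == 0 for i in range(N_ISSUES)),
    tuple(i % 2 == 1 for i in range(N_ISSUES)),
)


def independent_ballots(n, rng):
    """Model A: each voter decides every issue with a fair coin."""
    return [tuple(rng.random() < 0.5 for _ in range(N_ISSUES)) for _ in range(n)]


def slate_ballots(n, rng, defect=0.05):
    """Model B: pick a slate, then flip each position with probability `defect`
    (assumed value)."""
    ballots = []
    for _ in range(n):
        slate = SLATES[rng.randrange(len(SLATES))]
        ballots.append(tuple((not v) if rng.random() < defect else v for v in slate))
    return ballots


def uniqueness(ballots):
    """Return (share of voters whose exact ballot appears only once,
    size of the largest group of identical ballots)."""
    counts = Counter(ballots)
    unique_voters = sum(1 for b in ballots if counts[b] == 1)
    return unique_voters / len(ballots), max(counts.values())


def compare(seed=1):
    """Run both models on one precinct and report their uniqueness figures."""
    rng = random.Random(seed)
    return {
        "independent": uniqueness(independent_ballots(PRECINCT, rng)),
        "party_slates": uniqueness(slate_ballots(PRECINCT, rng)),
    }


if __name__ == "__main__":
    for model, (share, biggest) in compare().items():
        print(f"{model:12s}: {share:6.1%} of voters hold a unique ballot; "
              f"largest identical group: {biggest}")
```

With 2^20 possible ballots and 1,000 voters, model A makes almost every ballot unique, while model B leaves most voters sharing a ballot with a sizeable group; which model is closer to reality is the actual disagreement.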

Unless you have an absentee ballot (e.g., everyone in WA state). You give your filled out (or empty!) ballot to the mafia to drop at the polling station, with the signed outer envelope (declaring under penalty of perjury that this is your vote), and collect your reward.

I dropped off my wife's ballot. It is totally normal for one person to drop off multiple ballots at the box. It would even be hard for you to notice multiple ballots being dropped. I did our two with one gesture.

The vote buying cow has already left the barn.

So it's far more important to let citizens verify that their vote was counted accurately, with some sort of anonymizing hash.

> I dropped off my wife's ballot. It is totally normal for one person to drop off multiple ballots at the box.

I did the same thing with my wife's ballot this morning, and I saw multiple other people dropping more than one ballot as well.

Federal District Judge Christine Arguello denied the existence of a constitutional right to a secret ballot. http://www.denverpost.com/breakingnews/ci_21601455/federal-j...

Given that

a) the secret ballot was introduced into the US (originally as the "Australian ballot") many years after the ratification of the Constitution

b) no amendment has prescribed it

I find it hard to quarrel with the judge. I do consider the secret ballot an excellent idea, but I don't see it as constitutionally mandated.

You guys really should have copied preferential voting while you were at it. Or skipped over us entirely and gone with proportional representation.

This entire thread is interesting because our typical programming instincts - making sure user actions are linked to user desires via digital signatures, etc - get completely thrown out the window when you talk about voting and secret ballots. You need to be able to ensure the voter is able to make their choice independently, without pressure or publicity - but you can not perform any kind of integrity check that would link the vote back to the voter.

Nicely said. I have been pondering the comments and wondering if there is an overriding problem. From my (less than perfect) understanding of the US electoral system, it is possible to have a president elected who has been voted for by considerably less than half of valid votes. This part of the system seems more broken to a non-US citizen than a (hopefully) single voting machine being caught on camera breaking.

Yup. There is exactly no way to ensure the secret ballot (voter privacy) or public count (auditable results) with any form of electronic voting.

This is actually not quite true. See http://www.cs.cornell.edu/andru/papers/civitas-tr.pdf

Skimmed that paper. Thanks for link.

Nice to see Civitas would use a tamper evident log file (rolling temporal hash). Alas, generally, encoding the order of the ballots cast destroys voter privacy.

I stand by my earlier comment (cross thread): These crypto based voting systems rely on hash collisions to hide individual ballots within a herd of ballots. Because Civitas encodes votes as ranked preference (to support winner takes all, Condorcet, approval voting), there's even more information contained within each ballot, decreasing the likelihood of a hash collision, increasing the likelihood of inferring each voter's unique ballot.

Something did occur to me, however. Right now, all races are encoded onto a single ballot, making it more likely that every ballot within a precinct is utterly unique.

But if each race was split onto its own ballot, then a crypto based voting system might be workable.

As loathe as I am to validate a crypto-based scheme in any way, these schemes aren't going away, no small part because the geeks keep pushing technological fixes for perceived societal problems. So I'm somewhat resigned that I should make the most of it, help make sure the worst parts are mitigated.

One way hash with secret salt would work. You enter a secret password as a salt and get a hash code from all your votes, so you have a provable record that your vote got counted that you can verify but nobody can reverse to know it's you.

Then stick all the votes up on a server somewhere. Let us go and check our votes are in the list. We could then have informal verification and audits of the counts.

No dice. One of the goals is that you can't prove how you voted (i.e. so you can't sell your vote).

>you can't prove how you voted (i.e. so you can't sell your vote). //

I assumed that if anything it was to prevent people being pressured into voting a particular way (eg an abusive spouse) - what's wrong with selling your vote, surely that's still democratic: you've chosen to accept a particular candidate based on the outcome for you.

Vote buying is not about a voluntary market in a tradeable commodity - it is about your boss not being able to say 'prove you voted my way or I will sack you' or your landlord saying 'prove you voted my way or I will evict you'.

Nonsense. Existing laws protecting employees from employer retribution (e.g. for sexual orientation, or religion, or...) are still enforceable (and the judgments for plaintiffs are large, too).

There is no reason to prevent someone from verifying that their vote was counted -- not vote buying (or the presumed ease thereof), not vote tampering or stuffing (really?), not potential outside coercion of any kind. Laws exist for all of these things already, and would not suddenly become unenforceable or ineffective in the presence of vote verification.

Simply not true.

Coercive voting has disappeared because it is impossible for the coercee to prove to the coercer that they complied.

My granny used to tell of tying red ribbons (red being for the left) on the goats in the country and her mother getting a lift to the polls from the Tories (when women first got the vote) and voting Labour.

Verifying your vote cannot relate to ballot stuffing at all - so you can prove to yourself that you voted X, but I have 1,000,000 made-up votes for Y.

> what's wrong with selling your vote, surely that's still democratic

Besides just being distasteful, just handing over powerful positions in our society to the highest bidder seems like a formula for brazen abuse.

But it would only be handed over to the highest bidder if the individuals chose to hand it over ... which is how democracy is supposed to work, isn't it? Arguably the current system favours a cadre of the super-rich already. People now can vote for whichever party will make them individually richer. It just seems to me like a logical extension of capitalist economics.

No one can prove I voted with a one way hash either. That's the point. Only I can verify myself.

You are still missing the point. Voters can't be given a receipt for how they voted, because then they can sell their vote.

Voters can sell their vote with or without a receipt. Furthermore, they can sell with a reasonable degree of certainty (if the buyer demanded it) already by submitting to a lie detector test.

There is no valid reason, moral or technical, for preventing voters from verifying their votes were accurately counted, and verification does not enable any new crimes – but it does prevent the current crime where someone's vote is either miscounted or not counted at all.

If voters are given a receipt, buyers of votes can demand to see said receipt to verify they voted the correct way. A boss/abusive family member/mafia can demand to see the vote receipt on threat of your job/safety/family returning safely tonight. The potential for a vote receipt means that these 3rd parties can reward/punish you based on the way you voted. Without it, they have no way of knowing if their coercion/blackmail worked or not.

Personally, I would like to have a receipt because I think the danger of my vote not having been recorded is greater than the danger of someone demanding my vote receipt off me.

> Without it, they have no way of knowing if their coercion/blackmail worked or not.

Sure they do: use a lie detector and ask them.

Honestly, the situation you describe is the problem, not the presence or absence of verifiable voting. If you've got the mafia threatening your family, voting is the least of your problems.

What is this mythical lie detector you speak of? No trustworthy lie detector exists. If you disagree: does yours work for all mental variations (psychopaths, autism, retardedness, ...) and physical variations (Down syndrome, a score of other genetic abnormalities, ...)? Have you actually verified the research or trust someone who did?

No lie detector exists that is effective to the standards we demand in a court of law, but that doesn't mean there isn't one effective enough for the purposes of an organized crime syndicate looking to buy votes.

Make the receipt optional for each voter. Assholes will still be assholes regardless of the existence of receipts. If someone is extorting you to vote a certain way, I doubt the outcome of an election will affect your life very much. You have bigger problems.

Yes, you can prove which way you voted. That could potentially commoditise votes.

Total nonsense.

What happens when I stuff the ballot box with a million non-existent votes?

Oh, so you voted correctly and you can prove it. Whoopy do!

> Let us go and check our votes are in the list. We could then have informal verification and audits of the counts.

You have the square root of bugger all - the integrity of the total count is what counts - not the individual votes.

Vote stealing and ballot rigging is a well understood human phenomenon - it is a solved problem.

Sprinkling some poorly thought out computer pixie dust on it is not even the beginning of an answer.
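The "one-way hash with secret salt" proposal a few posts up (enter a secret password as a salt, hash all your votes, look the hash up on a public list) can be checked against the two objections raised against it in this thread: that such a hash is itself a receipt, and that individual lookups say nothing about made-up votes. This is an added example, not code from the thread; the electorate, salts and the hash layout are constructed assumptions.

```python
"""Check the "one-way hash with secret salt" proposal against two objections
raised in the thread: that the hash is a receipt (it proves the vote to anyone
the voter shows it to), and that per-voter lookups say nothing about entries in
the published list that belong to no real voter.

Added illustration, not from the thread. The electorate, salts and votes are
constructed; the hash layout (sha256 of salt, separator, votes) is assumed.
"""
import hashlib
import secrets
from collections import Counter


def receipt(salt: str, votes: tuple) -> str:
    """The proposal: hash the voter's secret password/salt together with the votes."""
    data = salt.encode() + b"\0" + "|".join(votes).encode()
    return hashlib.sha256(data).hexdigest()


class Board:
    """The server that 'sticks all the votes up somewhere'. It must hold the
    plaintext votes to tally them; it publishes only the hashes."""

    def __init__(self):
        self.ledger = []                      # (hash, votes), server side

    def cast(self, salt: str, votes: tuple) -> str:
        h = receipt(salt, votes)
        self.ledger.append((h, votes))
        return h

    def published(self) -> set:
        return {h for h, _ in self.ledger}

    def tally(self) -> Counter:
        return Counter(v for _, votes in self.ledger for v in votes)


def lookup(board: Board, salt: str, votes: tuple) -> bool:
    """'Go and check our votes are in the list.' Needs only salt and votes."""
    return receipt(salt, votes) in board.published()


def demo() -> dict:
    board = Board()
    # Constructed electorate: three voters, one race, candidates A and B.
    voters = {
        "alice": (secrets.token_hex(16), ("A",)),
        "bob":   (secrets.token_hex(16), ("B",)),
        "carol": (secrets.token_hex(16), ("A",)),
    }
    for salt, votes in voters.values():
        board.cast(salt, votes)

    # Works as intended: every voter finds their own entry.
    self_checks = all(lookup(board, s, v) for s, v in voters.values())

    # Objection 1 (receipt-freeness): the check needs nothing the voter cannot
    # hand over, so anyone given Alice's salt and choice runs the same check
    # and gets the same answer. A salted hash is a commitment, i.e. a receipt.
    alice_salt, alice_votes = voters["alice"]
    outsider_can_verify = lookup(board, alice_salt, alice_votes)
    # ...and a false claim about her vote fails the check, which is exactly
    # what makes the receipt convincing to a third party.
    outsider_believes_lie = lookup(board, alice_salt, ("B",))

    # Objection 2 (count integrity): entries that correspond to no real voter.
    honest = board.tally()
    for _ in range(5):                        # constructed fabricated entries
        board.cast(secrets.token_hex(16), ("B",))
    stuffed = board.tally()
    # Every real voter's lookup still succeeds; nothing in that check can
    # see that the list grew.
    checks_after = all(lookup(board, s, v) for s, v in voters.values())

    return {
        "self_checks": self_checks,
        "outsider_can_verify": outsider_can_verify,
        "outsider_believes_lie": outsider_believes_lie,
        "honest_winner": honest.most_common(1)[0][0],
        "stuffed_winner": stuffed.most_common(1)[0][0],
        "checks_after_stuffing": checks_after,
        "published_entries": len(board.published()),
        "real_voters": len(voters),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22s} {value}")
```

The point the thread makes is visible in the returned dictionary: the outsider's check succeeds (so the hash is a receipt), and after the list is padded every honest voter's check still succeeds while the winner changes.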

Yes. Proof of who you voted for is an invitation to vote-buying.

What about, e.g. taking a video of your vote as the original Reddit poster did?

I think this verification may already be a reality. The alternative is to disallow any form of verification, as with the Reddit poster, but then we lose the ability to perform checks on the voting procedure, and would never have known about this current anomaly.

What's missing, though, is the proof that who you voted for is who the vote was internally counted for.

Due to anonymity you can't individually prove a confirmation number belongs to you - you could have found one on the street or made up some random number, but if 10000 people claim that their initial vote does not match the confirmed vote, it's worth looking into more carefully.

> What about, e.g. taking a video of your vote as the original Reddit poster did?

That'd be a felony in Wisconsin, presumably for that sort of reason. http://www.nbc15.com/home/headlines/Wisconsin_GAB_Is_Felony_...

Even taking video is illegal, as that could also be used as evidence of voting for a particular candidate, allowing candidates to buy votes.

Taking video is not illegal in all states.

It amazes me how complicated electronic voting becomes. The current paper based system is far better.

You don't need to compromise secrecy. Are we ever going to stop complaining and call for using 3ballot or any of the other methods? http://rangevoting.org/Rivest3B.html

Incorrect. You can combine a personal secret code with the output of the vote-teller in order to determine who you voted for. The vote-teller would have no way of determining who you actually voted for without your personal code. Even more secure would be to have two personal codes, one a "real" code, which outputs the actual candidate you voted for, and one "duress" code, which outputs a candidate you didn't vote for (in case someone is holding a gun to your head to confirm you voted for their candidate).

Wouldn't the person with the gun just demand both codes? And typically a ballot has multiple offices to elect. Would you flip all of them for the "duress" code? It seems like it gets complicated really quickly.

The duress code and real code would be indistinguishable. You could simply tell the person your duress as your real one, and your real one as the duress.

Another possibility is to make the duress code an option. You can fill out a fake ballot for your duress code if you want, but you aren't forced to (since most people don't need to worry about it).

I was not the best civics student. What is the significance of it being secret? Being able to verify your vote seems like a pretty simple, good thing (I would think).

Someone can give you money to vote for a specific candidate and verify that you voted correctly via the confirmation code.

> What is the significance of it being secret?

So that people can't bribe or blackmail you into voting a particular way.

Or rather, it makes the purchase of votes much less attractive.

So say if some party were to gain power and start harassing people that voted for the other party...

In Spain in 1936 the Francoists shot a proportion of people on the voter lists of the Government Parties.

If this is the reason, there is a bigger problem in America than simple voter fraud...

Ever dealt with a union election? That's exactly the problem with non secret ballots. You vote against unionization and thugs show up at your house. Union activists are among the most violent people around.

You could make your point without rabid partisanism. There is violence on all sides of unionization.

Gosh. Ever dealt with a union election? That's exactly the problem with non secret ballots. You vote for unionization and libertarians show up at your house. Libertarians are among the most violent people around.

Perhaps you know libertarians that I don't.

The ones I know are well armed, but about as non-violent as you can be and not be a Quaker.

Just to make it clear: This was sarcasm. I never have dealt with armed libertarians beating somebody up because he supported unionization.

The point is: Neither has he encountered union thugs beating somebody up because he was against unionization. It's a ridiculous myth.

I missed the sarcasm at first - my bad!

But I don't know about 'union thug' being a myth: lots of actual violence back in the dark days of the last century. Carnegie brought in an army to bust up the union and it wasn't because they were meek lambs.

> This was sarcasm

No, it was irony.

mea culpa, mea culpa, mea maxima culpa

There are all sorts of laws that protect us from various government abuses, such as requiring search warrants, trial by jury, freedom of speech, etc. Voter secrecy is a prudent safeguard along those same lines.

The short answer is you can buy votes then. If you can prove to me who you voted for, I'll give you $5 or whatever.

Which is trivially easy with the availability of camera-phones (just include your ID in the shot).

I know it's not foolproof as you could request a new ballot, but I'm guessing those buying votes aren't the smartest folk. Plus you'd be crazy to not accept the money upfront, as there's no way they're actually going to pay out after the fact and it's not like you can take someone to court for not upholding their end of an illegal bargain.

What you're buying isn't a vote, but a receipt. What if we could increase the supply of valid receipts enough to make them effectively worthless?

For example, voting machines could drop duplicate receipts into a bucket that voters are free to rummage around in.

How would you tell the difference between a valid and invalid receipt when the voter came to verify it?

Or just not have receipts and avoid the issue altogether.

Sure, but there's a benefit to receipts: you can verify that your vote was counted correctly.

Well, you can verify that the receipt says your vote was counted correctly. That assumes you both trust the receipt system and believe that whatever tampering was done to cause your Obama vote to become a Romney vote couldn't have possibly also resulted in the receipt providing incorrect information as well.

Ideally, I think the complete list of votes (with receipt confirmation numbers, but no names, obviously) would be available for inspection.

What about this system covered a while back on TED: http://www.youtube.com/watch?v=izddjAp_N4I

See http://en.wikipedia.org/wiki/Punchscan for an example of one such system which preserves the secret ballot property.

From reading the wiki article it seems that Punchscan allows the voter to prove which way they voted.

That is incorrect. Why do you think so? Are you thinking of this: "The voter can look up her ballot by typing in the serial number and she can check that information held by the election authority matches her ballot."

The voter must retain her vote (A or B) in human memory, which cannot be externally verified, except by brain scan, etc... but that detail is rather unsolvable.

Punchscan is a bit impractical for verifying large ballots, but large contested ballots are rare.

You're right, only the piece you've already kept is retained, which by itself is not enough to prove which way you voted. I was confused because it said that it showed you something which could prove that a vote was 'counted as cast', and I don't see how you can prove that without the system proving to you that it knew how you cast your vote.

Wow! That is a really elegant solution.

I wonder what (if any) pitfalls it has, other than the increased complexity and less obvious correctness (i.e. it would be hard to convince a non-mathematically inclined person that it works properly).

This system kind of does what you're asking:


I think all the electronic machines should print a receipt, deposit the receipt in a box, and at the end of the day, count all physical votes. If they don't match the electronic machine, then audit them.

You could give voters a receipt with the time, machine, and candidate they voted for. Checking for voter fraud would be as simple as comparing some receipts against the voter logs.

Or just let anyone grab a copy of the database so that any independent organization can host a lookup service so you can verify that your vote went through correctly.

Define an "independent" organization. There's no such thing. All organizations are partisan.
